An automated system repair framework with signal temporal logic

We present an automated system repair framework for cyber-physical systems. The proposed framework consists of three main steps: (1) system simulation and fault detection to generate a labeled dataset, (2) identification of the repairable temporal properties leading to the faulty behavior and (3) repairing the system to avoid the occurrence of the cause identified in the second step. We express the cause as a past time signal temporal logic (ptSTL) formula and present an efficient monotonicity-based method to synthesize a ptSTL formula from a labeled dataset. Then, in the third step, we modify the faulty system by removing all behaviors that satisfy the ptSTL formula representing the cause of the fault. We apply the framework to two rich modeling formalisms: discrete-time dynamical systems and timed automata. For both of them, we define repairable formulae, the corresponding repair procedures, and illustrate them over case studies.


Introduction
is detected, first the model is analyzed to identify the root cause, and then the system is improved ("repaired") to eliminate the cause. Both cause identification and system repair steps are challenging, and they are, in general, performed manually. As the system gets more complex, identifying the causes and modifying the system manually become even more challenging and time-consuming for the system designers. In this work, we propose a repair framework to automate these steps with formal guarantees.
The proposed framework consists of three mains steps: (1) generation of a labeled dataset via simulation and testing, (2) synthesis of a "repairable" past time signal temporal logic (ptSTL) formula that describes the labeled events and (3) performing the associated repair process for the identified formula. Repairable formula and the associated repair process are the core concepts of the framework. A formula is called repairable if there exists a Repairer that can modify the system to guarantee that the formula will not be satisfied, i.e., the root cause will not occur, along the modified system's traces. Furthermore, we require that the repair process does not introduce any new behavior. We formalize these requirements over the system traces and parametric ptSTL formulae.
We illustrate the framework over two rich modeling formalisms, namely, discrete-time dynamical systems and timed automata [4,5]. For dynamical systems, we define a repairable formula as a conjunction of a control formula and system formula and define Repairer as a controller-refinement procedure. On the other hand, for timed automata, we identify formula templates that address absence of timing constraints and define associated Repairer procedures that introduce new clocks and timing constraints. Hence, we present a fully automated framework to find the causes of faulty behaviors and repair the system to avoid these causes for discrete-time dynamical systems and timed automata.
As a part of the proposed framework, we present an efficient method to synthesize a ptSTL formula from a given set of parametric formulae and a labeled dataset of system traces such that the evaluation of the resulting formula matches the labels. Past time fragment of temporal logics includes only past operators, thus when evaluating a ptSTL formula φ at time t, only events occurred prior to time t are considered, which is essential in cause-effect relation. Considering that the faulty behavior can have multiple causes, our synthesis method iteratively generates a formula as a disjunction of optimized formulae from the given set. At each iteration, a candidate set of parametric formulae are optimized, and the best formula is added to the final formula via disjunction until it is not possible to further improve the final formula.

Related work
Following the success in automated fault detection methods [8,18,29,39], automated repair problem is getting more attention. In [3], machine learning and verification techniques are combined to repair system specifications. Similarly, in [13], a machine learning-based approach is developed to automatically repair system models written in B formal specification language. Automatic repair has also been studied for software, see [21] for a recent survey. The automated software repair methods include fixing an existing code, e.g., a genetic programming-based approach in [37], introducing new expressions as in [32]. In this work, we present a repair framework using ptSTL for CPSs.
Signal temporal logic (STL) is a rich specification language used for describing temporal properties of real-time signals [16]. Due to its expressivity and efficient algorithms for checking continuous signals against STL formulae, it is used in different areas including monitoring [10,11], fault detection via falsification [18] and formal control [33]. Synthe-sizing an STL formula from a dataset is studied in the literature in different forms such as finding a formula that is satisfied by all system traces to identify the system requirements [24,25], finding a formula that differentiates the given sets of good and bad signals [31], signal clustering [36] or finding a formula that would identify the bad events as they occur [10,17]. The proposed formula synthesis method as a part of the repair framework extends [17] by performing parameter synthesis in each iteration and eliminating formulae that cannot be part of the result for efficiency. In a recent work [12], STL formula synthesis is used as a part of a fault explanation framework for CPSs, where the authors synthesized a formula describing the "good" behaviors and checked it against the faulty behaviors to find a fault explanation. Their results also support the use of STL formulae for cause explanation.
In this work, we find explanatory formulae in a special form, which we call repairable, and define automated procedures to fix the system to avoid the satisfaction of the formula. Thus, while we limit the synthesis to specific formula types, we present auto-repair procedures, which was not possible in [12]. Identification of the temporal pattern leading to the violation of a temporal logic formula over a signal is studied in [20]. Different from our work and [12], a particular signal (execution) is analyzed in [20]. As in [12], fault localization for Simulink models is studied in [28], where a test case selection process is defined to identify the Simulink blocks causing the observed fault. A fault localization method accompanied with a repair approach for Simulink models is presented in [35], where the fault is localized by applying a matrix decomposition approach over the internal signals leading to the fault and the system is repaired by tuning the parameters of the blocks identified in the localization step. In [40], fault localization for autonomous mobile systems composed of a set of sub-systems is considered. The authors of [40] define a library of parametric STL formulae for specifying system requirements and develop a localization technique that identifies the likeliest subsystem that has a fault leading to the violation of the requirement. In this work, we propose an STL-based fault localization and repair framework and apply it to discrete-time dynamical systems and timed automata.
The repair for dynamical systems is defined as a controller-refinement procedure guaranteeing satisfaction (or violation) of a ptSTL formula. Control strategies from STL specifications are synthesized by solving mixed integer linear programs [33]. A main difference of the developed refinement method is that it only restricts possible control choices to guarantee that new behavior is not formed via the repair mechanism. The repair framework for discrete-time dynamical systems improves the controller-synthesis approach presented in [34] by generalizing the constraints defined over the template formula and control set definitions.
Repair of timed automata (TA) models has not been studied until recently [6,26,27]. In [26,27], a repair suggestion is generated by analyzing a faulty timed trace of a TA. The analysis is based on running an SMT solver on a linear arithmetic encoding of the trace. The repair suggestions include changing the clock bounds in constraints and modifying clock resets. As such modifications can significantly change the TA behavior, they perform an additional step to check the equivalence of the resulting and original models. In our case, instead of modifying existing constraints or clocks, we introduce new clocks and constraints over the new clocks, which allows us to prove that the traces of the repaired TA A R is a subset of the traces of the original TA A . Thus, if A satisfies a universal property such as a metric temporal logic formula, then A R is also guaranteed to satisfy the same property. In [6], the authors assume that the causes of the faults are the incorrect timing constraints. In order to repair the system, they parametrize these constraints and generate parameters by analyzing the traces via an oracle that can decide whether a trace belongs a system (i.e., good) or not. While the procedure from [6] only modifies existing constraints, we propose to identify fault causes as a ptSTL formula and repair the system in an automated way by introducing new clocks and constraints.
The contribution of this work is fourfold. First, it defines an automated system repair framework based on ptSTL. The framework includes dataset generation, synthesis of repairable causes as ptSTL formula and system repair steps. The second contribution is the efficient formula synthesis method employed in the second step. Finally, the application of the framework to the discrete-time dynamical systems and timed automata together with the repairable formula sets and automated repair procedures constitute the third and the fourth contributions, respectively. We implemented the developed methods in a proof-of-concept tool [1].
The paper is organized as follows. Preliminary information on signal temporal logic is given in Sect. 2. In Sect. 3, the proposed system repair framework is presented in detail. Repairable cause identification method is explained in Sect. 4. In Sects. 5 and 6, application of the proposed method for dynamical systems and timed automata is presented, respectively. Finally, the paper is concluded with closing remarks and future research directions in Sect. 7.

Signals
An n-dimensional continuous signal x is defined as a mapping from time domain R ≥0 to the real numbers R n . For any given time t from the time domain of a signal, the value of the signal is denoted by x(t), and the prefix of the signal from 0 to t is denoted by The projection of the state on the ith dimension at time t is denoted by x i (t).

Past time signal temporal logic
A past time signal temporal logic (ptSTL) formula is: where x i is a signal variable, ∼ ∈ {>, ≥, <, ≤, =}, and c is a constant. T is the Boolean constant true, ¬ and ∧ are the Boolean operators negation and conjunction, respectively. S I is the temporal operator since with time interval I that can be any open or closed interval from the time domain R ≥0 . For a ptSTL formula φ, a continuous signal x, and a time value t, the satisfaction relation | is defined by (where Two additional temporal operators F − I ( previously) and G − I (always) are defined as F − I φ := T S I φ and G − I φ := ¬F − I ¬φ.
In case of a discrete-time signal x = x 0 x 1 . . ., that is defined as a mapping from N to R n , ptSTL semantics are interpreted over the piece-wise constant continuous signal x PW C derived from x as x PW C (t) = x i when t ∈ [i, i + 1). With a slight abuse of notation, we Parametric past time signal temporal logic is an extension of ptSTL [9]. In a parametric ptSTL formula, parameters can be used in place of numerical constants (c in (1)) or time bounds (interval bounds in (1)). For a parametric formula φ and a suitable parameter valuation, v, φ(v) denotes the ptSTL formula obtained by replacing each parameter with the corresponding value from v. As an example, consider the parametric formula

System repair framework
In this work, our goal is to repair a system such that the resulting system does not generate a faulty behavior. The overall framework that includes system S, fault detection mechanism IsFaulty, template formula set F , and the repair mechanism Repairer is introduced in this section.
The system is denoted by S. A trace of S is a finite n-dimensional signal x, and the set of all traces of S is denoted by Traces(S). IsFaulty is a fault detection mechanism that takes a trace (or a partial trace) as input and generates a label indicating whether a faulty behavior is encountered at the end of the given trace (t e denotes the last time point): Here, we do not make any additional assumptions on the fault detection mechanism. As illustrated in the examples, it can be a safety specification checking a property of the last state (e.g., x i ≤ c), a temporal logic formula (e.g., F − [0, 3] x i > 0-the value of x i should be positive at least once within the last 3 time units), or it can compute a function that cannot be encoded as temporal formula (e.g., k j=0 x i t− j ≤ 0). We assume that F consists of a set of repairable parametric ptSTL formulae over the system S such that the Repairer can modify the system S to avoid the satisfaction of an instance of a formula from the set F as stated in Assumption 1.

Assumption 1
For a parametric ptSTL formula φ ∈ F and a valid parameter valuation v for φ, the repaired system S = Repairer(φ(v), S) satisfies the following conditions: The first condition states that the formula φ(v) will not be satisfied at any time step of a trace of the repaired system. In particular for each template φ, Repairer has a mechanism to avoid φ in S. Thus, when the cause of the faulty behavior is expressed as a formula φ(v), the repaired system will not generate this cause. The second condition guarantees that the changes performed by the Repairer will not introduce any new behavior.
An important step of the proposed system repair framework is the identification of the fault cause in the form of a ptSTL formula. To achieve this, first a dataset of labeled signals is produced by simulating system S and labeling the generated traces with IsFaulty where t e is the last time point of trace x and Simulation(S) ⊆ Traces(S) is a set of traces generated by simulating S: Then, the optimal formula representing D(S) (4) from F is computed. Here, we assume that the faulty behavior can have multiple causes, for this reason we synthesize a formula in a disjunctive form (5) such that φ i ∈ F for each i.
The process of finding a ptSTL formula Φ (5) that would identify the cause(s) of the faulty behavior boils down to identifying a set of sub-formulae (φ i ) from F and finding a valuation v i for the parameters in each sub-formula φ i such that, the label generated by evaluating Φ mimics the label given in the dataset D(S). As the dataset labels are generated according to the fault identification process (3), if the formula evaluation along the traces matches the labels of the dataset, we can modify the system for each φ i (v i ) from Φ according to Assumption 1 such that the traces of the modified system will satisfy ¬φ i (v i ) for each φ i (v i ). Thus, the modified system will not generate the identified causes.
The proposed system repair framework is summarized in Fig. 1. It requires a system S, a fault detection mechanism IsFaulty, a set of repairable formulae F and the corresponding repairer Repairer. The first step is the computation of a labeled dataset as in D(S) (4). In the second step, a ptSTL formula Φ (5) explaining the causes of the faulty points in The framework can remove the causes of the faults observed in the dataset D(S) (4), i.e., it guarantees that the repaired system will not generate the identified causes. However, the repaired system S can still have faults as the synthesized formula represents a set of causes and these might mask others. Furthermore, due to the particular dataset generation (simulation) process, some of the faults might not be observed in the considered dataset D(S). To gain confidence that the repaired system has no faults, falsification techniques [8,19] can be used during the dataset generation step. In addition, if S has faults, the overall process can be repeated to further refine the system.

Example 1
We illustrate the proposed framework with a toy example. Consider a twodimensional discrete-time switched system S : The signal variables are x 0 , x 1 and u. Thus, we have a three-dimensional signal that contains the state x and the control input u. The system is assumed to operate under normal conditions Our goal here is to find state-based constraints on u to keep the system in normal conditions. To achieve this, we apply our framework as follows. First, we generate a labeled dataset by simulating S. Each trace is initialized randomly, at each time step t, u t ∈ {1, 2} is picked randomly and the labels are assigned according to the fault detection mechanism: where t e is the last time point of signal x. The dataset D(S) consists of 200 traces of length 50. A trace from D(S) is shown in Fig. 2. As seen in Fig. 2, the trace leaves the "safe" set [0.1, 0.9] × [0.1, 0.9] several times that we aim to avoid. We define four parametric ptSTL formula to form F = {φ (0,<) , φ (1,<) , Each formula has two parameters p x ∈ [0, 1] and p u ∈ {1, 2}. Let g : R 2 → 2 {1,2} be a set valued feedback control strategy for S. The system is controlled in closed loop with g(·) when u(t) ∈ g(x(t)) for each t. Given a formula φ (i,∼) ∈ F , a parameter valuation v, and a control strategy g(·) of S, Repair procedure generates a new strategy g R defined by: The Fig. 2 A trace of system (6), its label according to (8), and the evaluation of Φ toy along the trace (in green) We iteratively apply the repair procedure (10) for each sub-formula φ i from Φ toy and obtain the repaired system S . In Fig. 3, to visualize the modification we plot arrows from x to A u x, u ∈ g(x) for both systems, that mimics a vector field representation. The subsystems are shown with different colors (red for A 1 and blue for A 2 ). The normal operating conditions are shown with green bounds, and the restrictions imposed by φ i are highlighted. As it is clearly seen in Fig. 3 (right plot), the system stays in the green box.
Example 1 explains the proposed framework over a toy example by defining S, IsFaulty, F and Repairer for it. While the system is quite simple, it illustrates how the framework can be used in an automated way once the required components are defined. The idea of restricting the controller as a repair mechanism is generalized in Sect. 5.

Repairable cause identification
In this section, the proposed formula generation method is explained in detail. The goal is to generate a ptSTL formula Φ in the form of (5) from a set of parametric ptSTL formulae F and a set of labeled traces D(S) such that evaluation of Φ along the traces matches the labels. To generate such a formula (5), an iterative approach is designed. At each iteration, a set of candidate parametric ptSTL sub-formulae are optimized and the optimized ptSTL formula (φ i (v i )) with the highest evaluation score over the given dataset is added to the final formula Φ via disjunction.
First, the formula evaluation metrics that are used in the formula synthesis method are explained. For a finite signal x, the binary label signal l φ(v) for a parametric ptSTL formula φ and a valuation v is defined as follows: where 1 maps the Boolean evaluation result to a binary value. The total duration of correctly identified positives (True Positives) (13) and the total duration of incorrect positive results (False Positives) (14) by a formula φ(v) over the given dataset D(S) are defined with respect to the labels generated by the formula φ(v) and the dataset labels: Fig. 3 Arrows from x to A u x, u ∈ g(x) for the original (on the left) and the repaired system (on the right) when the dataset is clear in the context. In formula synthesis, the goal is to find a formula Φ that identifies all positive labels in the dataset, which maps to maximization of the total TP (13). In addition, as in the subsequent steps of the repair framework, the system will be modified to avoid the satisfaction of the generated formula, it is important to minimize FP (14) to limit unnecessary restrictions. An optimal formula would match all labels. However, due to the particular labeling process or non-determinism of the underlying system, it might not be possible to find such a formula.
Here, our goal is to maximize TP (13) of the resulting formula, while bounding FP (14). The proposed synthesis method starts from Φ := False, and iteratively finds a formula φ(v) Within the repair framework, F is a set of repairable parametric ptSTL formulae satisfying Assumption 1 and it depends on the considered system. We provide how F is generated for dynamical systems and timed automata in Sects. 5 and 6, respectively. Since the disjunction operator (∨) carries error (FP) to the resulting formula, the error is bounded in the parameter optimization step to bound the error in the resulting formula Φ.
The iterative synthesis method is summarized in Algorithm 1. Initially, the optimal parameter valuation v and the corresponding optimal T P(φ(v )) (13) values, denoted as (14) is less than a predefined bound B. The diagonal parameter synthesis method based on monotonicity properties from [17] is used in this step. Then, starting from i = 0, Φ 0 = False and F 0 = F ; Φ i+1 and F i+1 are computed iteratively via Algorithm 2. Here, Φ i is in the form of (5) and it represents the optimal formula found in the i-th iteration, and F i is the set of parametric ptSTL formulae to be used in the following iteration. Algorithm 2 finds φ i ∈ F i and valuation v i , that maximize the number of true posi- while bounding the cumulative error. Furthermore, it computes F i+1 ⊆ F i for the next iteration with a guarantee that no formula from F i \ F i+1 can be selected in the subsequent iterations. The iteration continues until there is no more increase in T P(Φ) (line 4).

Algorithm 2 I terate
In Algorithm 2, parameter optimization of the combined formula φ ∨ Φ i (line 5) for each φ ∈ F i is performed in a loop and the best known formula is stored in Φ i+1 (line 6). Note that at each iteration, only the parameters of the formula φ ∈ F i are optimized. While considering parametric formulae used to form Φ i and optimizing the whole formula could potentially lead to a higher TP count, due to the computational complexity, it is not feasible. In addition, the optimization is only performed for the formulae that can have a higher score than the current best solution Φ i+1 , which is checked in line 3 via inequality (15) that holds for any valuation v.
Lastly, it might not be possible to increase the total TP count of Φ i by optimizing parametric formula φ (line 7). In particular, it might be the case that all positive labels that can be identified by φ are already identified in previous iterations and integrated to Φ i . Thus, it is no longer necessary to perform parameter optimization for φ in the subsequent iterations (line 7). Note that both F i reduction in line 7 and TP check in line 3 reduce the total number of parameter optimizations that is the computationally expensive step of the overall algorithm. Algorithm 1 iteratively selects parametric formulae from F and optimizes their parameters to maximize the total TP while bounding FP. If the set F is not sufficiently general, i.e., if the cause is not expressible with the formulae from F , Algorithm 1 generates an over approximation of the actual cause. The approximation error is captured in FP and it can be adjusted via B.

Application to dynamical systems
In this section, we describe how the proposed repair framework is applied to dynamical systems with a finite control set via controller refinement.
We consider a discrete-time control system S: where the state is ∈ U ⊂ R m that takes value from a finite set U and it is determined by a set valued feedback control strategy with a finite memory g : , u(t − 1)), and K = min(t, K ), that is necessary to guarantee that indices are positive when t < K . A finite trace of system (16) is denoted by A repairable parametric ptSTL formula for system S (16) is in the following form: where b and c are parameters, u i is a control variable and φ is any parametric ptSTL formula over the state {x 0 , . . . , x n−1 } and control {u 0 , . . . , u m−1 } variables of system S (16). The set of all parametric ptSTL formulae F ≤oc that contain up to oc operators (temporal or Boolean) over a given set of variables is defined in [10]. By using F ≤oc over {x 0 , . . . , x n−1 } and {u 0 , . . . , u m−1 }, a set of formulae in the form of (17) is defined as: Remark 1 Both control and system formulae are shifted by 1 time unit relative to the fault location so that the controller can avoid the fault before it occurs if the fault is state based, which is the case for the considered examples. Based on the studied system, different relative time values can be used, e.g., or it can be embedded into the F ≤oc set. The repair method presented in this section applies to formulae in the form of i.e., k = 1 is used to simplify the notation as it is also used in the examples. In addition, the repair method also applies to the case when Next, we describe a repair procedure for an instance φ(v) of a parametric formula φ ∈ F (18). The procedure is based on the refinement of the control strategy g(·) (16) such that the trajectories of the resulting system are guaranteed to violate φ(v). The refined strategy g R : (X × U)K × X → 2 U is also a finite memory feedback controller, whereK = max(K , K φ ) and K φ is the oldest time relative to k that is required to evaluate φ(v) at time k. The refined strategy is defined as: where i.e., shifts the evaluation by k = 1 time unit (see Remark 1). The refined strategy simply removes the control inputs that lead to satisfying φ(v) at the next time step. We first state an assumption to guarantee that g R (x, x) = ∅ for any (x, x) ∈ (X × U)K × X, and then prove that g R (·) guarantees the satisfaction of ¬φ(v) at each time step.

Assumption 2
The strategy g(·) (16) satisfies Definition 1 (Repaired system) Let S (16) be a control system, φ be a parametric ptSTL formula over the state and control variables of S as in (17), v be a valuation for φ, and g R (·) be a strategy as defined in (19) with respect to S and φ(v). Then, the repaired system S is defined as Proposition 1 Given a control system S (16), a ptSTL formula φ as in (17) over S, a valuation v, if Assumption 2 holds, then the traces of the repaired system S as given in Definition 1 satisfy ¬φ(v) at each time step.
Proof By construction of the refined strategy g R (·) (19) is guaranteed to satisfy ¬φ(v) . Note that any control input u with u i = c is sufficient to satisfy ¬φ(v) at the next time step due to the first part G − [1,b] (u i = c) of φ. Consequently, by Assumption 2, we conclude that g R (x [t−K ,t−1] , x(t)) = ∅ and ¬φ(v) is satisfied at each time step.
Proposition 1 ensures that the proposed repair procedure satisfies the first condition of Assumption 1. Next, we show that the second condition holds. Proposition 2 Given a control system S (16), a ptSTL formula φ as in (17) over S, its valuation v, let be S the repaired system as given in Definition 1, then Traces(S ) ⊆ Traces(S).
The proof trivially follows from this set inclusion property.
As stated in Sect. 3, the repair procedure is iteratively applied for a set of formulae from F . We first present a stronger version of Assumption 2, and then present a sufficient condition such that refinement g R (·) of a refined strategy g R (·) satisfies Proposition 1 under the stronger assumption.

Assumption 3
The strategy g(·) (16) satisfies Assumption 3 states that when g(x, x) is filtered with an inequality (up to) each control dimension, the resulting set is not empty.

Proposition 3 For a system S (16) with g(·) satisfying Assumption 3, let φ
. . , M be instances of the parametric ptSTL template given in (17) with b j ≥ 2 for each j, and let g R j (·) (19) be the refinement of g R j−1 (·) w.r. to φ j for j ≥ 1 and g R 0 (·) = g(·). Then, Proof First, observe that applying the refinement procedure iteratively maps to applying the procedure for φ 1 ∨ . . . ∨ φ M , i.e., the control strategy g R M (·) found at the end of the iterative procedure equals to the refined strategy w.r.to φ 1 ∨ . . . ∨ φ M . Consider an arbitrary control dimension α ∈ {0, . . . , m − 1}, and let α M ⊆ {1, . . . , M} be the indices of the formulae restricting u α , e.g., if j ∈ α M then i = α for u j,i = c j part of the formula. For any α 1 , α 2 ∈ α M , u ∈ U and (x, As it holds for an arbitrary control dimension α, and two arbitrary formulae along this dimension, we reach that at most one c j is eliminated for each j = 0, . . . , m − 1. By, Assumption 3, we conclude that g R M (·) is not empty for any (x, x).
By Propositions 1, 2 and 3, we reach that for a control system S (16), the repair framework outlined in Sect. 3 can be applied with the set of repairable formulae F as in (18), and repairer that implements controller refinement as given in Definition 1.

Case study: traffic system
As a case study, we consider a traffic system that consists of 6 links and 2 traffic signals shown in Fig. 4. The state variables are x i (number of vehicles on link i) for each link i and the control variables are u 0 and u 1 (configuration of traffic signals). Thus, a trace of the system is an eight-dimensional signal over the state and the control variables. The dynamics of the traffic network is modeled as piece-wise affine system: In (21), the number of vehicles that leave link i at time step t is computed as The ratio of the free space in link j that is reserved for link i is denoted as α i j (when the flow from i to j is alloweddetermined w.r.to u(t)), the ratio of vehicles in link i that flow to j is denoted by β i j , and the following values are used to define the network: and the other ratio parameters are 0. We refer the interested reader to [14] for more information on the system dynamics.
A faulty behavior is defined as a traffic congestion on link-1, and it is assumed that congestion occurs when the number of vehicles is greater than 75% of the link's capacity. Thus, we define the fault detection mechanism as: A dataset D(S) of 20 labeled traces as in (4) is generated with (22) by simulating the system from random initial conditions for 100 time steps with g( for each x. Out of 2000 data points, 217 of them are labeled with 1, which means that link-1 is congested 10.85% of the time. A sample trace of the system is given in Fig. 4. Our aim in this example is to modify the faulty system to avoid the congestion on link-1. We generate the set F ≤1 of all parametric ptSTL formulae with at most 1 operator over the system variables as in [10] which contains 133 parametric ptSTL formulae, and define F w.r. to F ≤1 as in (18). The parameter domains are defined as: Each sub-formula explains a condition that leads to congestion on link-1. The sub-formulae read as there will be a congestion (φ 1 ) when there are more than 23 vehicles on x 1 and u 1 does not allow the traffic flow from link-1 at the current and previous time steps, or (φ 2 ) when the flow from link-0 to link-1 is allowed, link-1 to link-2 is blocked and there are more than 15 vehicles on link-1. T P(Φ tn , D(S)) and F P(Φ tn , D(S)) are 217 and 59, respectively, and there are no false negatives. Thus, Φ tn identifies all conditions leading to a congestion on link-1.
For each iteration of Algorithm 2, the number of parametric formulae (|F i |), the number of optimized formulae (i.e., number of formulae that satisfies the condition from line 3), the resulting formula Φ i and its T P(Φ i , D(S)), and F P(Φ i , D(S))) values are given in Table 1. As seen in Table 1, the number of parameter optimizations performed in the second iteration is dropped drastically to 101 from 266 thanks to the formula analysis.
We iteratively refine the strategy g(·) to repair the system as in the repair procedure defined in Definition 1 for φ 1 and φ 2 from (23). Let g R 1 (·) and g R 2 (·) denote the strategies obtained after the first and the second refinement. Note that even though Φ tn does not satisfy the condition from Proposition 3 (b = 1), the resulting strategy g R 2 (·) is not empty for any x since g R 1 (·) satisfies Assumption 2. The congestion rate drops to 3.7% when the system is run in closed loop with g R 1 (·), and it drops to 0% when the system is run in closed loop with g R 2 (·). Thus, we are able to identify the cause of the congestion on link-1 and repair the system to avoid it in a fully automated way. The computation took 332 s on the same machine as Example 1. Table 1 Numerical results of Algorithm 2 over the traffic example for each iteration Over the same traffic network, we apply our framework to avoid congestion on any link. For this purpose, we define the fault detection mechanism as: A dataset D (S) of 20 labeled traces as in (4) is generated with (24) by simulating the system from random initial conditions for 100 time steps with the same control strategy g(·). Out of 2000 data points, 1093 of them are labeled with 1, which means that the traffic network is congested 54.65% of the time. Algorithm 1 generates Φ tn when run with D (S), the formula set F and parameter domains introduced for the first case (with the exception of p b ∈ {2, 3, 4}), and bound B = 150.
T P(Φ tn , D(S)) and F P(Φ tn , D(S)) are 982 and 111, respectively. This formula states that if a traffic signal (u 0 or u 1 ) is kept the same for two consecutive time steps, there will be a traffic congestion. As in the previous case, we obtain a strategy g R 4 (·) from Φ tn by iteratively refining g(·) with respect to each sub-formula. We simulate the system in closed loop g R 4 (·) and there are no time points labeled with 1, thus the congestion is avoided. The computation took 586 s on the same machine as Example 1. In addition, the analysis of the system dynamics reveals that a congested state is unreachable. Thus, the proposed data-driven repair framework is able to avoid the unsafe (congested) states without explicitly considering the system dynamics.
The size of the set F (18) increases with the number of system variables and the number of operators (oc). The traffic system has 6 states and 2 control variables, and each formula φ ∈ F 1 has up to 6 parameters. Formula Φ tn (23) includes 8 operators and 7 parameters and formula Φ tn (25) includes 3 operators and 8 parameters. An alternative approach to Algorithm 1 is to perform a parameter optimization for each parametric ptSTL formula in the form of (5). However, due to the complexity of the parameter optimization step, only 4% of the formulae from Φ ∈ {φ 1 ∨ φ 2 | φ 1 , φ 2 ∈ F 1 } are optimized over the dataset D(S) (congestion on link-1) in 10 hours on the same machine. In addition, we run the synthesis method from [17] on D(S). The computation takes 306s, the resulting formula Φ tn−c includes 18 operators, T P(Φ tn−c , D(S)) = 201 and F P(Φ tn−c , D(S)) = 101. These results show that the proposed method achieves higher TP with more compact formulae compared to [17]. Finally, the resulting formulae show that the proposed method can generate complex formulae in an efficient way. Even though the size of F increases with the number of system variables, the formula synthesis is parallelizable.

Application to timed automata
In this section, we first introduce the timed automata formalism and then define repairable formulae together with the corresponding repair mechanisms.
A timed automaton (TA) [4,5] is a finite-state machine extended with a finite set of realvalued clocks progressing monotonically and measuring the time spent after their latest resets.

Φ(C) is a set of clock constraints over a set of clocks C. A clock constraint ϕ ∈ Φ(C) is given by the grammar:
where c, c 1 , c 2 ∈ C, n ∈ N, and ∼ ∈ {<, ≤, >, ≥, =}. A clock interpretation ν for a set of clocks C is a mapping from C to R ≥0 , i.e., it assigns a nonnegative real value to each clock in C. ν satisfies a clock constraint ϕ (shown as ν | ϕ) if and only if that constraint evaluates to true when ν is used. Two operations are defined for clock interpretations: delay and reset. For ν and δ ∈ R ≥0 , the delay operation ν := ν + δ increments each clock by δ, i.e., ν (c) = ν(c) + δ for each c ∈ C. For ν and λ ⊆ C, the reset ν[λ] operation assigns 0 to each c ∈ λ and agrees with ν for each c ∈ C \ λ. A = (L, l 0 , C, I nv, T ), where (i) L is a finite set of locations, (ii) l 0 ∈ L is an initial location, (iii) C is a finite set of clocks, (iv) I nv :

Definition 2 (Timed Automata) A timed automaton 1 is a tuple
The semantics of a TA A is given by a timed transition system (TTS) induced by A : A run ρ of A is an alternating sequence of delay and discrete transitions

Definition 3 (Timed Transition System) A timed transition system of a TA
Run ρ induce a time sequence τ ρ = τ 0 τ 1 τ 2 . . . such that τ 0 = 0 and τ i+1 = τ i + δ i for i ≥ 0. We define a one-dimensional signal x from an automaton run ρ (26) as follows: where q j = (l j , ν j ) is a state from run ρ as in (26) for a clock interpretation ν j . The set of all such signals is denoted as Traces(A ). A network of timed automata (NTA) , is used to model complex systems. The behavior of the overall system is defined via the product automaton We refer the interested reader to [4] for a detailed product automaton definition. The product is also a timed automaton as defined in Definition 2. Thus, the same derivations (e.g., Definition 3) and the same analysis apply. For the proposed data-driven repair framework, when the automaton A is defined as a product of N automata, we map a run ρ (26) of A into an N -dimensional signal x: where q j = ((l 1 j , l 2 j , . . . , l N j ), ν j ) is a state from ρ. The projection of the state on the ith dimension, i.e., ith TA, at time t is denoted by x i (t), i.e., x i (t) = l i j for t ∈ [τ j , τ j+1 ). Consequently, ptSTL formulae over {x 1 , . . . , x N } can be interpreted over signal x as in (2).
We continue by defining the parametric formula set F for the repair framework. The set F contains two types of parametric formulae: where φ l is defined as: First part of (29) (and (30)) is satisfied when automaton A i takes a transition to l i . Notice that, φ l consists of potential locations for the same TA and j can be equal to i, i.e., φ l is used to refer a set of locations on a particular TA. Given a valuation v for φ l (or for (29), (30)), the set of locations is denoted as locs(φ l (v)) = {v(l j,1 ), . . . , v(l j,n )}. Next, we define repair procedures and prove that they satisfy Assumption 1 for (29) and (30).
We start with formula (29) which indicates that the source of the error is the time spent in a set of locations being more than or equal to a threshold before entering a target location, i.e., it addresses the absence of a constraint on a transition. The proposed repair procedure is given in Definition 4.

Definition 4 (TALessThanGuardRepair) Given an NTA
, a parametric ptSTL formula φ as in (29) and a valuation v, the repaired system A 1,r , . . . , A N ,r is defined as follows with A k,r = (L k , l k 0 , C k,r , I nv k , T k,r ).
-For k = i and k = j, A k,r = A k .
-Introduce new clocks c 1 and c 2 shared by A i,r and A j,r .
T enter = {(l s , l t , λ ∪ {c 1 }, ϕ) | (l s , l t , λ, ϕ) ∈ T j , l s / ∈ locs(φ l (v)), and l t ∈ locs(φ l (v))} The repair procedure given in Definition 4 creates two clocks c 1 and c 2 shared by A i and A j , resets c 1 on each transition from L j \ locs(φ l (v)) to locs(φ l (v)), resets c 2 on each transition from locs(φ l (v)) to L j \ locs(φ l (v)), and checks these clocks on transitions end in l i in A i . The clock resets imply that when c 1 < c 2 , A j is in a location from locs(φ l (v)) and c 1 measures the time spent in locs(φ l (v)). On the other hand, when c 1 > c 2 , A j is not in a location from locs(φ l (v)) and c 2 measures the time passed since locs(φ l (v)) is left. For each transition that ends in v(l i ) on A i , three transitions are added to A i,r in (35) to handle different cases with respect to the clocks c 1 and c 2 2 . Fig. 5 visualizes the given procedure over two partial TA by demonstrating placements of c 1 and c 2 . Now, we prove that the repair procedure given in Definition 4 satisfies Assumption 1, i.e., after the repair procedure is executed, ptSTL formula φ(v) is never satisfied and no new behavior is introduced.

Proposition 4 Given an NTA
, a parametric ptSTL formula φ as in (29) and a valuation v, let A 1,r , . . . , A N  Proof Assume by contradiction that a trace x ∈ Traces(A r ) satisfies φ(v) at time t, i.e., (29) and (2). As x i is changed to v(l i ) at time t, a discrete transition (l s , v(l i ), λ, ϕ r ) ∈ T i,r is taken at t. Since for each t ∈ [0, t), or (2) a transition from L j \ locs(φ l (v)) to locs(φ l (v)) is taken at some time in (0, t − v(b)). We first analyze case (1). The condition implies that l j 0 ∈ locs(φ l (v)) since x j (0) ∈ locs(φ l (v)).
By (32), at time t, c 1 = t and c 2 = t. By construction of T i,r (35), each transition to v(l i ) includes c 1 < c 2 ∧ c 1 < v(b), c 1 > c 2 or ¬T (i.e., false) in its guard when l j 0 ∈ locs(φ l (v)), and each guard evaluates to false at x(t) since c 1 = c 2 . Now consider case (2). Let t be the time of the last transition from L j \ locs(φ l (v)) to locs(φ l (v)) along x prior t , i.e., t < t − v(b) and x j (t ) ∈ locs(φ l (v)) for t ∈ (t , t). By (33), c 1 is reset at t , and by (34) c 2 is not reset during (t , t). Thus, c 2 > c 1 , and c 1 is t − t at time t, which implies c 1 ≥ v(b) As in the previous case, none of the constraints (e.g., c 1 < c 2 ∧ c 1 < v(b), c 1 > c 2 , or c 1 = c 2 ) introduced on transitions that end in v(l i ) is satisfied at x(t), thus we reached a contradiction. As we considered all cases, we conclude that each trace of the repaired system always satisfies ¬φ(v).

Proposition 5 Given an NTA
, a parametric ptSTL formula φ as in (29), and a valuation v, let A 1,r , . . . , A N ,r be the repaired network of TA as defined in Definition 4, then Proof For each k / ∈ {i, j}, A k and A k,r are the same. For j (when i = j), the traces of A j and A j,r are the same since the changes only concern the new clocks and no new constraint is introduced (see (32), (33), (34)). For i, the changes only restrict the behavior via new transition constraints. Essentially, for each transition of (l s , l t , λ, ϕ r ) of A i,r , there exists a transition (l s , l t , λ, ϕ) of A i (see (35)) such that if a clock valuation ν | ϕ r , then ν | ϕ. Hence, each trace of the product of the repaired system is also a trace of the product of the original system.
We continue with formula (30) which indicates that the source of error is the time spent out of a set of locations being less than or equal to a threshold before entering a target location. In particular, it states that a location from locs(φ l ) should not be visited within the last b time units before entering l i in A i . The proposed repair procedure is given in Definition 5.

Definition 5 (TAMoreThanGuardRepair) Given an NTA
, a parametric ptSTL formula φ as in (30) and a valuation v, the repaired system A 1,r , . . . , A N ,r is defined as follows with A k,r = (L k , l k 0 , C k,r , I nv k , T k,r ). -For k = i and k = j, A k,r = A k . -Introduce new clocks c 1 and c 2 shared by A i,r and A j,r . -For k = j, A j,r = (L j , l j 0 , C j,r , I nv j , T j,r ), where C j,r = C j ∪ {c 1 , c 2 } and T j,r = T enter ∪ T leave ∪ T rest , where T rest , T enter and T leave are as defined in (32), (33) and (34), respectively.
where ϕ is defined as in (36).
The repair procedure given in Defn 5 is similar to the one given in Defn 4. Again c 1 > c 2 implies that A j is not in a location from locs(φ l (v)), c 2 > c 1 implies that A j is in a location from locs(φ l (v)) and c 2 measures the time passed since locs(φ l (v)) is left if it was entered 3 . In particular, c 1 = c 2 means that locs(φ l (v)) is never entered from a location L j \ locs(φ l (v)). Thus, it is safe to take a transition to v(l i ) when l j 0 / ∈ locs(φ l (v)) 2 . However, it should be avoided when (36). Fig. 6 demonstrates the repair method by showing placements of c 1 and c 2 . Now, we prove that the repair procedure given in Definition 5 satisfies Assumption 1, i.e., after the repair procedure is executed, ptSTL formula φ(v) is never satisfied and no new behavior is introduced.

Proposition 6 Given an NTA
, a parametric ptSTL formula φ as in (30) and a valuation v, let A 1,r , . . . , A N ,r be the repaired network of TA as defined in Definition 5, then each x ∈ Traces(A 1,r | . . . | A N ,r ) always satisfies ¬φ(v).
Proof A similar argument to the proof of Proposition 4 applies to this proof as well. Assume by contradiction that x(t) | φ(v) for some t. Similar to the proof of Proposition 4, the satisfaction of φ(v) at t implies that a transition (l s , v(l i ), λ, ϕ r ) ∈ T i,r is taken at t. Since for each t ∈ [0, t], or (2) a transition from L j \ locs(φ l (v)) to locs(φ l (v)) is taken at some time in (0, t ]. Case (1) implies that l j 0 ∈ locs(φ l (v)) since x j (0) ∈ locs(φ l (v)). By (32), at time t, c 1 = t and c 2 = t. Construction of T i,r (37) implies that each transition to v(l i ) includes c 1 > c 2 ∧ c 2 > v(b) or ¬T in its guard when x j (0) ∈ locs(φ l (v)), and neither is satisfied since c 1 = c 2 . For case (2), lett be the largest time point up to t such that x j (t) ∈ locs(φ l (v)), by assumptiont > t − v(b). Let t ∈ (0,t] be the time of the last transition from L j \ locs(φ l (v)) to locs(φ l (v)) prior tot, thus x j (t ) ∈ locs(φ l (v)) for Proposition 7 Given an NTA A 1 , . . . , A N with A k = (L k , l k 0 , C k , I nv k , T k ), a parametric ptSTL formula φ as in (30), and a valuation v, let A 1,r , . . . , A N ,r be the repaired network of TA as defined in Definition 5, then Proof A similar argument to the proof Proposition 5 applies, i.e., for each automaton A i,r , and for each transition of (l s , l t , λ, ϕ r ) of A i,r , there exists a transition (l s , l t , λ, ϕ) of A i (see (37)) such that if a clock valuation ν | ϕ r , then ν | ϕ. Hence, no new behavior is introduced by the procedure.
We present two types of ptSTL formulae (29) and (30) and the corresponding repair procedures for applying the proposed repair framework to TA. Both repair procedures add two new clocks and up to four unique simple clock constraints (c 1 < c 2 , c 1 > c 2 , c 1 = c 2 , c 1 < v(b)) to the model; therefore, the number of clocks and the number of unique simple constraints in the repaired TA increase linearly with the number of sub-formulae synthesized by Algorithm 1. The increase in the number of clocks can be reduced by applying a clock reduction algorithm [22,38]. In the case studies, we run the algorithm from [38] on the repaired models and report the results.
Next, we present case studies to demonstrate our framework on TA. In our case studies, we borrow well-known UPPAAL [15] models from the literature, i.e., Fischer's protocol [23], DB from [26], SBR from [26,27], and nuclear plant and train models from [7]. To observe a faulty behavior; for Fischer's protocol and SBR, we instantiate the model with a faulty configuration; DB is already faulty; and for nuclear plant and train examples, we randomly delete guards and invariants. Our experiment setup consists of five steps: (i) trace generation using UPPAAL SMC; (ii) formula synthesis using Algorithm 1; (iii) automatic repair according to synthesized formula; (iv) verification of the repaired model using UPPAAL; and (v) running the clock reduction algorithm from [38] on the repaired model.
In Table 2, we report the results for the case studies. The second column presents the runtime of steps (ii) and (iii). Note that step (iii) takes significantly less time than (ii). The third, fourth and fifth columns present the number of clocks of the original model, the number of clocks after the repair and the number of clocks after running the clock reduction algorithm on the repaired model, respectively.

Case study: Fischer's protocol
We apply the proposed repair framework on a TA shown in Fig. 7 which models Fischer's mutual exclusion protocol [23]. The protocol provides a timed mechanism without any block- ing structure for processes sharing the same resource and no two processes are allowed in the critical section simultaneously, i.e., a non-reachability property is satisfied. Implementation of the protocol in Fig. 7 is a generic template for each process in the system, i.e., for each process, the template is instantiated with a different id to form an NTA. Each process has its own clock for the timed behavior and processes share global variables: max_r w, min_r w, max_delay, min_delay and lock. max_r w and min_r w limits the time spent in the start and set locations. Similarly, max_delay and min_delay limits the time spent in try_enter location. Integer variable lock indicates which process is currently in its critical section. The necessary condition for a correct implementation of the protocol is max_r w ≤ min_delay [23]. For demonstration, we instantiated two processes with the following configuration: max_r w = 5, min_r w = 3, max_delay = 6, min_delay = 2.
This configuration does not satisfy the necessary condition for the protocol since both processes can simultaneously be in the critical section, i.e., P1.cs ∧ P2.cs is reachable. Our goal is to repair the system so that P1.cs ∧ P2.cs will be unreachable. We define the fault detection mechanism with respect to this requirement (see (3)): In particular, we only mark the starting point of the violation (i.e., the first time step that the violation appears). We generate 100 traces with duration 100 of the model in Fig. 7 using the configuration in (38) with UPPAAL SMC toolbox [15], and label the traces according to (39). The total duration for the positive label is 29, i.e., 0.29%. As both processes share the same template TA and the model is designed to avoid the unsafe state (e.g., fault (39)) via delay parameters, we define the parametric formulae over a single TA, e.g., only use x 1 in (29) and (30) to form F . Note that, the repair procedure will affect both TA since they share the same template. Algorithm 1 generates Φ ta when run on this dataset and F .
By Definition 5, formula Φ ta implies the following repair procedure: create two new clocks c 1 and c 2 ; reset c 1 on the transition entering set and c 2 on the transition leaving set; and control c 1 and c 2 on two new transitions replacing the transition entering cs with constraints c > min_delay∧lock = id∧c 1 = c 2 and c > min_delay∧lock = id∧c 1 where v(b) = 5. Our automated implementation outputs the repaired TA as described.
Observe that c 1 is always more than c 2 since c is checked with c > min_r w, where min_r w = 3, on the transition from set to try_enter. Then, condition c 1 > c 2 is always satisfied; hence, c 1 can simply be discarded which leaves us with c 2 and a transition entering cs with the constraint c > min_delay ∧ lock = id ∧ c 2 > 5. Since c is reset on the same transition as c 2 , they have the same value when they are checked on the transition entering cs. On that transition, c is check with c > min_delay, where min_delay = 3, and c 2 is checked with c 2 > 5. Clearly, the constraint on c 2 dominates the constraint on c. Therefore, discarding c 2 and redefining min_delay = 5 gives us the same semantic behavior as the repaired model. Notice that, redefining min_delay induces the following configuration which satisfies the necessary condition for a correct instantiation of the protocol: After the repair, P1.cs ∧ P2.cs is not reachable (verified by UPPAAL [15]) and the condition max_r w ≤ min_delay from [23] is satisfied. Hence, our framework is able to repair the model in a fully automated way.
First row of Table 2 reports the performance results of this case study. Our framework repairs the model in 1.11s (0.94s for Algorithm 1), increases the number of clocks to six (three for each instance of the model), and running [38] on the repaired model reduces this number to four (two for each instance of the model). Notice that, integrating expression simplification methods [22] into [38] can further reduce the number of clocks to two (one for each instance of the model) by automating the presented detailed clock analysis.

Case study: DB
After the detailed demonstration of the Fischer's protocol, we present our results on an NTA modeling the communication between a database server and a database from [26]. Due to space limitations, we cannot describe the model in detail and refer the reader to [26]. First, we make two minor modifications on the model in order to generate traces for our tool. We convert the channels to broadcast channels (a requirement of UPPAAL SMC) and introduce an error location error that is only reachable from serReceiving when the safety specification ( A[] (not dbServer.serReceiving) or (x <= 4) ) from the running example of [26] is violated. We generate 100 traces with duration 100 and feed these traces to our framework. Our framework repairs the model by introducing two new clocks c 1 and c 2 . c 1 is reset on the transition entering serReceiving and c 2 is reset on the transitions leaving serReceiving. Both clocks checked on two new transitions replacing the transition entering error with constraints x > 4 ∧ c 1 > c 2 and x > 4 ∧ c 1 < c 2 ∧ c 1 < 1. By carrying a simple clock analysis similar to the previous example, one can observe that c 1 < c 2 is always satisfied and c 2 can be discarded which leaves us with the new clock c 1 and the new transition to error with constraint x > 4 ∧ c 1 < 1. In [26], the model was repaired by introducing the invariant z < 1 in serReceiving. For both repairs, the resulting systems satisfy the safety specification. Notice that, although our method does not suggest any invariant repairs, it accurately finds the source of the error in the model and repairs the model with the invariant-free counterpart of the repair procedure of [26]. Table 2 presents the results of the case study. Proposed framework repairs the model in 2.11s (1.90s for Algorithm 1), increases the number of clocks to five, and this number is reduced to four after running [38].

Case study: SBR
Our next case study is an NTA implementing three cyclic processes, a processor and a feature deployment machine [26,27]. Due to space limitations, we invite interested reader to [27] for the details of the model. The safety specification of the model is that all processes shall finish their execution before their corresponding deadlines. We instantiated the worst case execution times of each process to ten so that, in their hyper-period (which also has the duration of ten time units), at least one of the processes misses the deadline. To observe a violation of the specification, we converted the safety specification to a non-reachability property by introducing three new locations error1, error2 and error3 only reachable from processor_idle in the processor TA. Each of these error locations corresponds to a deadline miss for one of the three processes. To run our framework on the model, we generate 100 traces with duration 100. Our framework synthesizes three formulae of the form (29) (one formula for each process). Essentially, each process is repaired by introducing two new clocks c 1 and c 2 (six new clocks in total) and the corresponding constraints limit the worst case execution time of each process to two. Since the repairs are identical of all three processes, the total execution time is limited by six, which is less than the duration of the hyper-period. The semantic analysis of the repaired model shows that our framework accurately finds the cause of the error. After the repair, we also check the model against the specification using UPPAAL and observe that no violation occurs. Therefore, we conclude that the proposed framework successfully repairs the model. SBR is a more complex example than the other case studies presented so far. Moreover, in the experiments of [26], SBR is the only example that reached their two minutes timeout limit for some of the timed diagnostic traces. Third row of Table 2 presents the overall results of this example.

Case study: nuclear plant model and train model
Finally, we present two more case studies on a nuclear plant model and a train model from the Imitator package [7]. For both examples, we run an experiment setup inspired from mutation testing [2]: we delete a guard or an invariant, if this modification causes a violation of the safety specification, we generate 100 traces with duration 100, run our framework, and finally, we verify the repaired model against the safety specification. The number of the mutated models violating the safety specification is six for the nuclear plant model and four for the train model. Interestingly, in most of the cases, suggested repairs are at the exactly same positions with the deleted ones but their content is different. Another difference is that since our framework does not suggest invariants for repairs, instead of the deleted invariants, the framework suggests guards with less than operators. The same approach is applied to generate invariant-free models in the literature. In spite of the differences between the original and suggested constraints, our framework successfully repairs the model in all cases, i.e., each repaired model satisfies its specification.
Fourth and fifth rows of Table 2 report the average computation time and the maximum number of clocks observed in the repaired models. In average, our framework repairs the models in 4.94s (4.69s for Algorithm 1) and 3.70s (3.42s for Algorithm 1).
The works from [6,26,27] also aim at repairing timed automata. In [6] and [26], bounds from the existing constraints are modified. The method from [26] is extended with additional repair operations including introducing resets, changing comparison operators and clock references in [27]. Our method adds new clocks and introduces new constraints over the new clocks, which allows us to detect errors of the model due to the missing clocks. The approaches relying on modifying existing clocks (resets/constraints) cannot capture such errors. On the other hand, while modification of the bound of an existing clock can be achieved via our approach in various cases (e.g., see Fischer's model), there exist some cases in which this is not possible. For example, if an automaton has transitions (l , l, λ, c < n) and (l , l, λ , c < n), then our approach cannot modify only one of the bounds from these transitions. Finally, resetting an existing clock or increasing an upper bound in a constraint can introduce new behaviors, which is not possible with our approach. As summarized here, one approach is not more general than the others. Introducing new clocks and constraints can be advantageous in a variety of cases as illustrated with the examples.

Conclusion
We presented an automated system repair framework for cyber-physical systems and showed its use on discrete-time dynamical systems and timed automata. The proposed framework first constructed a dataset of labeled system traces via simulation, identified repairable temporal properties leading the faulty behavior as a ptSTL formula, and finally repaired the system to avoid the satisfaction of the formula. We developed an efficient iterative method to generate a ptSTL formula from a labeled dataset. The case studies illustrated that the proposed STL-based repair framework can successfully repair discrete-time dynamical systems and timed automata. For both modeling formalisms, we defined repairable formulae and the corresponding repair procedures. Applying the repair framework to a new class of system requires defining repairable formulae for the considered system and the corresponding repair procedures, which, in general, are not trivial processes.
Future research directions include expanding the repairable parametric formula sets. For timed automata, we plan to consider clock values, and TA extensions such as discrete variables, which will allow us to apply our framework on a larger set of benchmarks. For dynamical systems, we plan to consider automata-based control strategies. Another research direction is applying the repair framework on Simulink models, which requires defining repairable formulae and the corresponding repair procedures.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.