Trace-Checking CPS Properties: Bridging the Cyber-Physical Gap
1. Trace-Checking CPS Properties:
Bridging the Cyber-Physical Gap
Claudio Menghi
University of Luxembourg
Enrico Viganò
University of Luxembourg
Domenico Bianculli
University of Luxembourg
Lionel C. Briand
University of Luxembourg,
University of Ottawa
3. Introduction: Preamble
LuxSpace: a space systems integrator based in Luxembourg
ESAIL: a satellite that collects tracking information from vessels
5. Introduction: Requirements
Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”,
the angular rate shall reach a value lower than 1.5°/s within 10s.
Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5°/s.
7. Introduction: Trace Checking
Goal: automate the trace checking activity
Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”,
the angular rate shall reach a value lower than 1.5°/s within 10s.
Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5°/s.
9. Introduction: Goals
Goal 1: Support a language that can express complex CPS requirements
(requirements that involve software and physical components)
Goal 2: Applicable on industrial execution traces
(provides results within practical time limits)
10. Introduction: Contributions
Hybrid Logic of Signals (HLS), addressing Goal 1: a language that can express complex CPS requirements,
i.e. requirements that involve software and physical components
ThEodorE, addressing Goal 2: a trace checker applicable on industrial execution traces
that provides results within practical time limits
12. Hybrid Logic of Signals: Requirements
Whenever the satellite mode switches from “Idle Mode” to “Normal Mode”,
the angular rate shall reach a value lower than 1.5°/s within 10s.
Moreover, the angular rate shall stabilize around an arbitrary value c lower than or equal to 1.5°/s.
The slides annotate three kinds of quantities in this requirement:
• Indices - Software behaviour: the mode switch from “Idle Mode” to “Normal Mode”
• Timestamps - Physical behaviour: the 10s deadline
• Real-valued variables: the value c that the angular rate stabilizes around
25. Hybrid Logic of Signals: Expressing CPS requirements
exists 𝜌 such that (𝜌 < 1.5 and
  forall σ0 in [0;5] such that
    (((mode @i σ0) = 0 and (mode @i (σ0 + 1)) = 3)
    implies
    exists τ0 in [0s;10s] such that
      (ang-rate @t (τ0 + i2t(σ0)) < 𝜌)))
HLS allows using existential and universal quantifiers with
• timestamp variables
• index variables
• real-valued variables
HLS supports specifications that use
• a signal at a certain timestamp
• a signal at a certain index
• the timestamp of an index (and vice versa)
• expressions combining timestamps, indices, and real-valued variables
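As an added worked example (not code from the talk, the paper or ThEodorE), the formula on this slide evaluated directly over a constructed telemetry trace. It assumes a sample-and-hold reading of ang-rate @t, the slide's mode encoding (0 = Idle Mode, 3 = Normal Mode), and shows that on a finite trace the real-valued quantifier exists 𝜌 has a finite witness, so no SMT solver is needed for this particular formula.

```python
from collections import namedtuple

# Constructed telemetry trace (illustrative, not ESAIL data): each record is
# a software step (index) with its physical timestamp in seconds, the
# satellite mode and the angular rate in deg/s. Mode encoding follows the
# slide's formula: 0 = Idle Mode, 3 = Normal Mode.
Record = namedtuple("Record", "index timestamp mode ang_rate")
TRACE_OK = [
    Record(0, 0.0, 0, 4.0),   # Idle -> Normal switch between index 0 and 1
    Record(1, 2.0, 3, 3.2),
    Record(2, 6.0, 3, 2.0),
    Record(3, 9.0, 3, 1.1),   # below 1.5 deg/s 9 s after the switch
    Record(4, 16.0, 0, 0.9),  # second switch between index 4 and 5
    Record(5, 20.0, 3, 3.0),
    Record(6, 25.0, 3, 1.4),
    Record(7, 40.0, 3, 1.0),
]
# Same trace, but the first recovery only reaches 1.6 deg/s within 10 s.
TRACE_KO = TRACE_OK[:3] + [Record(3, 9.0, 3, 1.6)] + TRACE_OK[4:]

def i2t(trace, i):
    """The slide's i2t: timestamp of the record at index i."""
    return trace[i].timestamp

def ang_rate_in_window(trace, start, length):
    """Values of 'ang-rate @t' over [start, start+length]. Assumes a
    sample-and-hold signal, so every record stamped inside the window
    contributes its value (the record at 'start' is always included)."""
    return [r.ang_rate for r in trace if start <= r.timestamp <= start + length]

def check_requirement(trace, idx_range=(0, 5), bound=1.5, within=10.0):
    """Evaluate the slide's HLS formula on a finite trace.
    The outer 'exists rho such that (rho < bound and ...)' ranges over a
    real variable but has a finite witness: pick rho just above the largest
    per-switch minimum, so the formula holds iff every minimum is strictly
    below 'bound'. Returns (verdict, {switch_index: minimum in window})."""
    minima = {}
    for s in range(idx_range[0], idx_range[1] + 1):
        if s + 1 >= len(trace):
            break  # mode @i (s+1) is undefined past the end of the trace
        if trace[s].mode == 0 and trace[s + 1].mode == 3:
            minima[s] = min(ang_rate_in_window(trace, i2t(trace, s), within))
    return all(m < bound for m in minima.values()), minima
```

The per-switch minima returned alongside the verdict are what a practitioner would want in a report: they show which mode switch violated the deadline and by how much, rather than a bare true/false.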
27. ThEodorE: Logic-based TracE checkEr for HLS
ThEodorE:
• Reduces the trace-checking problem to an SMT problem
• Allows the use of efficient off-the-shelf SMT solvers
30. Evaluation: Research questions
• RQ1 (Expressiveness): To what extent can the Hybrid Logic of Signals
express requirements from industrial CPS applications?
• RQ2 (Applicability): Can ThEodorE verify CPS requirements on industrial
execution traces?
31. Evaluation: RQ1 (Expressiveness)
• We considered 212 industrial requirements from ESAIL
• We compared the expressiveness of the Hybrid Logic of Signals (HLS) with
SB-TemPsy-DSL and STL
32. Evaluation: RQ1 (Expressiveness)
The answer to RQ1 is that
HLS could express all the requirements of our case study,
many more than SB-TemPsy-DSL (+31%) and STL (+51%).
33. Evaluation: RQ2 (Applicability)
• We considered 747 trace-requirement combinations
• We compared the applicability of ThEodorE with SB-TemPsy-Check and
Breach
34. Evaluation: RQ2 (Applicability)
The answer to RQ2 is that
ThEodorE computed a verdict for 74.5% of the trace-requirement combinations.
ThEodorE produced a verdict for 67.9% of the 337 trace-requirement
combinations that could not be checked by the other tools.
36. Conclusions
• The goal of this work is to support engineers in verifying and validating CPS
• We proposed:
  • Hybrid Logic of Signals: a language to express complex industrial CPS
  requirements
  • ThEodorE: an efficient trace-checking tool that can analyse
  requirements expressed using the Hybrid Logic of Signals
37. Conclusions
• HLS was able to express all the CPS requirements
• HLS supported a much wider set of properties than other languages
• ThEodorE checked most of the requirements within practical time limits
38. Trace-Checking CPS Properties:
Bridging the Cyber-Physical Gap
Claudio Menghi
University of Luxembourg
claudio.menghi@uni.lu
Enrico Viganò
University of Luxembourg
enrico.vigano@uni.lu
Domenico Bianculli
University of Luxembourg
domenico.bianculli@uni.lu
Lionel C. Briand
University of Luxembourg,
University of Ottawa
lionel.briand@uni.lu