SpaTeL: A Novel Spatial-Temporal Logic and Its

Applications to Networked Systems

Iman HaghighiBoston University

15 Saint Mary’s StreetBrookline, MA

haghighi@bu.edu

Austin JonesBoston University

15 Saint Mary’s StreetBrookline, MA

austinmj@bu.edu

Zhaodan KongUniversity of California, Davis

One Shields AvenueDavis, CA

zdkong@ucdavis.eduEzio Bartocci

TU WienTreitlstrasse 3

Vienna, Austriaezio@vmars.tuwien.ac.at

Radu GrosuTU Wien

Treitlstrasse 3Vienna, Austria

radu.grosu@tuwien.ac.at

Calin BeltaBoston University

110 Cummington StreetBoston, MA

cbelta@bu.edu

ABSTRACTNetworked dynamical systems are increasingly used as mod-els for a variety of processes ranging from robotic teams tocollections of genetically engineered living cells. As the com-plexity of these systems increases, so does the range of emer-gent properties that they exhibit. In this work, we define anew logic called Spatial-Temporal Logic (SpaTeL) that is aunification of signal temporal logic (STL) and tree spatialsuperposition logic (TSSL). SpaTeL is capable of describ-ing high-level spatial patterns that change over time, e.g.,“Power consumption in the northwest quadrant of the citydrops below 100 megawatts if the power consumption in thesouthwest quadrant remains above 200 megawatts for twohours.” We present a statistical model checking procedurethat evaluates the probability with which a networked sys-tem satisfies a SpaTeL formula. We also develop a synthesisprocedure that determines system parameters maximizingthe average degree of satisfaction, a continuous measure thatquantifies how strongly a system execution satisfies a givenformula. We demonstrate our algorithms on two systems:a biochemical reaction-di↵usion system and a demand-sidemanagement system for a smart neighborhood.

Categories and Subject DescriptorsD.2.1 [Software Engineering]: Requirements/Specifications;F.4.3 [Mathematical Logic and Formal Languages]:Formal Languages

General TermsAlgorithms, Theory

Permission to make digital or hard copies of all or part of this work for personal or

classroom use is granted without fee provided that copies are not made or distributed

for profit or commercial advantage and that copies bear this notice and the full cita-

tion on the first page. Copyrights for components of this work owned by others than

ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re-

publish, to post on servers or to redistribute to lists, requires prior specific permission

and/or a fee. Request permissions from permissions@acm.org.

HSCC’15, April 14–16, 2015, Seattle, WA, USA.

Copyright 2015 ACM 978-1-4503-3433-4/15/04 ...$15.00.

http://dx.doi.org/10.1145/2728606.2728633.

KeywordsSpatial Temporal Logic; Statistical Model Checking; Param-eter Synthesis; Networked Dynamical Systems

1. INTRODUCTIONA networked system can be roughly defined as a system

whose components are distributed across space and con-nected via a communication network. Examples includeelectrical power grids, teams of robots, gene networks, andgroups of animals. The complicated dynamics of individualsystem components, e.g. the stochastic power consumptiondemand of individual buildings in a neighborhood, and theinteractions between these components via the network, e.g.load balancing between neighborhoods, allow networked sys-tems to produce rich, complicated behaviors, e.g. fulfillingthe overall demand for power consumption while ensuringthat no load on the network is high enough to trip a blackout.Such dynamic patterns have been studied by diverse commu-nities including physics, biology and computer science [23,15]. However, these approaches have been domain-specificand thus how to formally characterize and use dynamic pat-terns is still an open question.

In this paper, we propose a novel logic called Spatial Tem-poral Logic (SpaTeL) to describe such high-level behaviors ofnetworked systems. Our formulation combines spatial logic,which can be used to describe properties of the system acrossspace such as “The power consumption in neighborhood Aand in the adjacent neighborhood B remains below 150 MWand the combined power consumption of the two neighbor-hoods does not exceed 200 MW”, with temporal logic, whichcan be used to describe properties of the system across time,such as “The power consumption never exceeds 150 MW forlonger than 20 minutes and always exceeds 20 MW for 24hours.” With SpaTeL, we can express how a system evolvesacross space and time with properties such as “The powerconsumption in A and B each never exceeds 150 MW forlonger than 20 minutes and the combined consumption isalways between 20 MW and 200MW for 24 hours”.

The spatial component of SpaTeL is based on Tree SpatialSuperposition Logic (TSSL), which was introduced in [2] forsupervised classification of patterns. TSSL is defined withrespect to the quad tree data structure that is widely used

189

HSCC'15, April 14-16, 2015, Seattle, Washington

in pattern recognition. Quad trees are constructed by recur-sively partitioning images into quadrants. TSSL is based onLinear Spatial-Superposition-Logic (LSSL), which was de-veloped in [16]. LSSL was successfully employed to spec-ify and to detect the onset of electrical spirals in networksof cardiac myocytes, and the authors devised a method forlearning an LSSL formula from examples of spatial patterns.TSSL was introduced in order to deal with the entire quadtree representation of the space instead of just a path. Anexample of a TSSL property is “The average intensity of theimage is less than 0.5 and the average intensity of the north-west quadrant is less than 0.25”. Given a quad tree and aTSSL formula, the quantitative semantics of TSSL can beused to describe how well the given tree satisfies the for-mula. If this value is high and positive, then the tree is avery good example of the pattern; if this value is negative,then the tree does not satisfy the pattern; and if the valueis close to 0 a small change to the tree could a↵ect whetheror not it satisfies the given pattern. The authors of [2] per-formed parameter synthesis for a reaction di↵usion networkby optimizing the quantitative semantics of the steady-statesystem behavior with respect to a given TSSL formula thatdescribed desirable system behavior.The temporal component of SpaTeL is based on Signal

Temporal Logic (STL), a predicate temporal logic definedwith respect to continuous-valued signals [21, 11]. STL for-mulae describe how inequalities defined over a signal evolveover time, e.g. “The squared distance from the origin (x2 +y

2) is greater than or equal to 2 within 5 s of system initial-ization.” Quantitative semantics can also be defined for anSTL formula that quantify how well a given signal satisfies agiven STL formula. STL has proven a useful tool for super-vised learning from continuous signals. Parametric signaltemporal logic (PSTL) is a version of STL in which physicalconstants and time bounds are replaced with free parame-ters, e.g. “(x2 + y

2) < ⇡ within ⌧ seconds.” In [17], thequantitative semantics of STL was used to find a parameter-ization of a given PSTL formula that described system out-put data. In [19] and [18], these methods were extended tosupervised and unsupervised learning applications, respec-tively. A similar supervised learning problem with respectto Metric Interval Temporal Logic (MITL) was solved in [4].In this paper, we combine TSSL and STL to form SpaTeL.

SpaTeL describes how a networked system (whose state canbe encapsulated by an image) evolves over time. We de-fine quantitative semantics for this logic that describes howwell a given execution of a system satisfies the given for-mula. We show how SpaTeL can be used in the analysisof networked systems via statistical model checking and inthe control of systems via parameter synthesis. Our pro-posed algorithms are evaluated in simulations of a networkedreaction-di↵usion system used to describe skin pigmentationin animals and a smart electrical power grid.

2. RELATED WORKSeveral logics have been proposed for specifying the be-

havior and the spatial structure of concurrent systems [9]and for reasoning about the topological [5] or directional [7]aspects of the interacting entities. In topological reason-ing [5], the spatial objects are sets of points and the relationbetween them is preserved under translation, scaling and ro-tation. In directional reasoning, the relation between objectsdepends on their relative position. These logics are usually

highly computationally complex [7] or even undecidable [22].Even though there has been a lot work done in spatial logicsand temporal logics with applications to several domains [8,13], spatiotemporal reasoning is scarcely explored. To thebest of our knowledge, the available results are mainly theo-retical [5, 6, 20] and lack real practical applications such asthose provided in this paper.

3. NETWORKED DYNAMICAL SYSTEMSAND QUAD TRANSITION SYSTEMS

In this section, we formalize the notion of a networked dy-namical system and describe the process of abstracting sucha system to a quad transition system (QTS) [2], the modelwith respect to which SpaTeL is defined. A networked sys-tem S can be modeled as a K ⇥K square grid of K2 sub-systems Si,j . We use x(t) 2 RK⇥K⇥N

+ to denote the state

of the system at time t, t = 0, . . . , T where xi,j(t) 2 RN+ de-

notes the state of sub-system Si,j . Each sub-system evolvesaccording to a (possibly non-deterministic) di↵erence rela-tion. Without loss of generality, we will assume that K isa power of two, i.e. K = 2k. A square sub-system of S isa collection of adjacent subsystems of S denoted Si1:i2,j1:j2

where 1 i1 i2 K, 1 j1 j2 K and j2�j1 = i2�i1is a power of 2. The state of Si1:i2,j1:j2 at time t is denotedas xi1:i2,j1:j2(t) = [xi,j(t)]i=i1,...,i2,j=j1,...,j2 .A quad tree is a representation of x(t) given as a quar-

ternary tree structure T (t) = (V (t), R(t)) where each ver-tex v 2 V (t) represents the state of a square sub-systemof S. The set V (t) is constructed by recursively partition-ing x(t) into quarters, e.g. if V (t) is initially v1 = x(t), thenv2 . . . v5, which represent four K/2⇥K/2 square subsystemsof S would be added to V . The recursive partitioning hap-pens k = log2(K) times. The relation R ⇢ V (t) ⇥ V (t) isdefined such that (v, v0) 2 R(t) , v

0 was constructed frompartitioning v.The concept of a Quad Transition System (QTS) was in-

troduced in [2] as a compact representation of quad-trees. Aquad transition system is a tuple QTS := (A, a0, ⌧,⌃, [.], L)where A is a set of states, a0 2 A is an initial state, ⌧ ✓ A⇥Ais a transition relation such that for every state a 2 A,1 |{a|(a, a0) 2 ⌧}| 4. ⌃ is a set of variables, and[.] : A ! (⌃ ! [0, b]) is a function that assigns to eachstate a 2 A and variable m 2 ⌃ a value [a](m) 2 [0, b], andL : ⌧ ! 2D where D = {NW,NE, SW,SE} is a labelingfunction for the relation ⌧ with the extra constraint thatonly one successor exists for every direction.From the state of the system S at time t, we can con-

struct the QTS Q(t) := (A(t), a0(t), ⌧(t),⌃, [.](t), L(t)) viathe algorithm given in [2]. In this paper, we suppress thedependence of the relation [.](t) on time. We note that incontrast to transition systems typically used in formal meth-ods applications, the QTS constructed via this algorithmrepresents the spatial relationships (patterns) of the systemat a particular time. A trace corresponding to a trajectoryx : {0, . . . , T}! RK⇥K⇥N

+ is a function Q : {0, . . . , T}! Qwhere Q is the space of quad transition systems. The set ofall traces that a networked system S can produce is calledthe language of S and is denoted as L(S). The technicaldetails of the QTS construction are omitted, but the rela-tionship of the constructed QTS to the original networkedsystem S is illustrated in the following example.

190

HSCC'15, April 14-16, 2015, Seattle, Washington

pattern at t pattern at t+1

(a)

NENW

SESW

NENW

SESW

(b)

NE, NW, SE, SW

NE, NW, SE, SW

NE, NW, SE, SW

NW, SE

NE, SW

NE, NW, SE, SW

NE, NW, SE, SW

NE, NW, SE, SW

NW, SE

NE, SW

Q(t) Q(t+1)

0a 0a

1a1a

2a 2a

3a 3a

(c)

Figure 1: (a) Flipping checkerboard pattern. (b) Aportion a the quad tree corresponding to the patternat time t. (c) The derived QTSs at time t (beforethe flip) and t+ 1 (after the flip).

Example 1. A 4 by 4 checkerboard can be characterizedby the QTSs shown in Figure 1 [2]. Each subsystem Si,j

is the (i, j)th cell of the checkerboard with state xi,j(t) =[Ki,j(t),Wi,j(t)] 2 {0, 1}2, where xi,j(t) = [1, 0] if the squareis black and xi,j(t) = [0, 1] if the square is white. Theset of variables is defined as ⌃ = {K,W} which representthe proportion of cells of a particular subsystem that areblack and white, respectively. The QTS is constructed fromthe quad tree by first aggregating all of the states on thebottom level of the tree with equivalent values xi,j(t) intoQTS states. The valuations of these states are defined as[[a](K), [a](W )] = xi,j(t). a2(t) and a3(t) correspond to theblack and white cells of the checkerboard, respectively. Eachof these states is assigned a self-transition. Next, the statesin the next highest level of the quad tree are aggregatedinto QTS states. States at this level of the tree with identi-cal children are aggregated into the same QTS state. a1(t)is the only QTS state constructed from this level becauseevery state has identical children. Transitions from a newQTS state to an existing QTS state are constructed if the ex-isting state represented a child of the new state in the quadtree. The transitions are annotated with the direction ofthe child’s corresponding cell, e.g. the transition from a1(t)

to a2(t) is annotated with the directions NW,SE. The val-ues of [a](C) for the new states a and variables C 2 ⌃ arecalculated according to

[a](C) =[aNW ](C) + [aNE ](C) + [aSE ](C) + [aSW ](C)

4

where ad, d 2 D is such that (a, ad) 2 ⌧ and d 2 L((a, ad)).This process continues until a state a0(t) that denotes theroot of the quad tree is constructed.

At some point t 2 {0, . . . , T}, the color of all of the cellsinverts. This flipped colors are represented by the QTSQ(t+1). Note that in this case, the states a0(t + 1), a1(t + 1)have the same values of K and W and the same transitionbetween them as a0(t), a1(t). This is because both x(t) andx(t + 1) have the property that the neighbors of any givencell Si,j are the opposite color from Si,j . However, the valuesof K and W associated with a2(t+ 1) and a3(t+ 1) are theopposite of a2(t) and a3(t), which demonstrates the colorinversion at time t.

Definition 1. (Labeled paths) Given a set B of labels rep-resenting the spatial directions, a labeled path (lpath) of aQTS is an infinite sequence ⇡

B = a0a1a2 . . . of states suchthat (ai, ai+1) 2 ⌧ and L(ai, ai+1) \ B 6= 0, 8i 2 N. Wedenote the set of all labeled paths starting in state a(t) asLPath

B(a(t)) and the i-th element of a path ⇡

B as ⇡

Bi .

For example, in Fig. 1(c), LPath

B(a0) = {a0a1a2a2 . . .} ifB = {NW,SE}.

4. SPATEL: SPATIAL TEMPORAL LOGICIn this section, we define the syntax and qualitative and

quantitative semantics of Spatial Temporal Logic (SpaTeL).

4.1 SyntaxSpaTeL has a nested syntax where inner spatial formulae

are modified by temporal and logical operators. Spatial for-mulae are assertions about the spatial properties (patterns)of a networked system at a particular time instance, i.e. aredefined with respect to a QTS at a single time instance.When the spatial formulae are modified by temporal andlogical operators, the resulting SpaTeL formula express be-haviors of sequences of patterns, i.e. are defined with respectto traces of a networked system.

Definition 2. (SpaTeL syntax) The syntax of a spatial for-mula is defined as

' ::= >|m ⇠ d|¬'|'1 ^ '2|9B � '|8B � '|9B'1Uk'2|8B'1Uk'2,

(1)

where ⇠2 {�,}, d 2 [0, b], b 2 R+, k 2 N>0, B ✓ D :={NW,NE, SE, SW} with B 6= ;, and m 2 ⌃ where ⌃ is asdefined for a QTS. Uk and� are read as “until” and “next”.The syntax of a SpaTeL formula is defined as

� ::= '|¬�|�1 ^ �2|�1UI�2, (2)

where I is a time interval such that I := [I1, I2), I1, I2 arenon-negative and finite, and ' is a spatial formula.

Other spatial and temporal operators can be derived fromthe until operator as follows:

9BFk' := 9B>Uk'

9BGk' := ¬8BFk¬'8BFk' := 8B>Uk'

8BGk' := ¬9BFk¬'

FI� := >UI�GI� := ¬FI¬�. (3)

191

HSCC'15, April 14-16, 2015, Seattle, Washington

At this point, it becomes clear that SpaTeL is an integrationof TSSL [2] and Signal Temporal Logic (STL) [21, 19]. Itsspatial formulae share the same syntax with TSSL, while thetemporal operators are defined similarly to their STL coun-terparts with predicates replaced by spatial formulae. Atfirst glance, it may seem that requiring a spatial formula tobe nested inside a temporal formula unnecessarily diminishesthe expressivity of the logic, i.e. eliminates the interactionbetween temporal and spatial aspects. However, as pointedout in [20], allowing spatial and temporal operators to benested arbitrarily can lead to undecidable cases. To furthercombat undecidability, we bounded time and space.

4.2 SemanticsWe define the qualitative semantics of SpaTeL as follows.

Definition 3. (Qualitative Semantics of SpaTeL) Let Q bea trace of a networked system. The qualitative semantics ofSpaTeL are defined recursively as 1

(Q, t) |= ¬�, (Q, t) 6|= �(Q, t) |= �1 ^ �2 , (Q, t) |= �1 ^ (Q, t) |= �2

(Q, t) |= �1U[I1,I2)�2 , 9t0 2 [t+ I1, t+ I2) : (Q, t

0) |= �2

^8t00 2 [t, t0), (Q, t

00) |= �1

(Q, t) |= ', (Q, a0, t) |= '

(Q, a, t) |= >(Q, a, t) |= m ⇠ d, [a(t)](m) ⇠ d

(Q, a, t) |= '1 ^ '2 , (Q, a, t) |= '1 ^ (Q, a, t) |= '2

(Q, a, t) |= ¬', (Q, a, t) 6|= '

(Q, a, t) |= 9B � ', 9a0(t) : ((a(t), a0(t)) 2 ⌧(t) ^L(t)(a(t), a0(t)) \B 6= ;),(Q, a

0, t) |= '

(Q, a, t) |= 8B � ', 8a0(t) : ((a(t), a0(t)) 2 ⌧(t) ^L(t)(a(t), a0(t)) \B 6= ;),(Q, a

0, t) |= '

(Q, a, t) |= 9B'1Uk'2 , 9⇡B 2 LPaths

B(a(t)) :9i 2 (0, k] : (Q,⇡

Bi , t) |= '2 ^

8j 2 [0, i), (Q,⇡j , t) |= '1

(Q, a, t) |= 8B'1Uk'2 , 8⇡B 2 LPaths

B(a(t)) :9i 2 (0, k] : (Q,⇡

Bi , t) |= '2 ^

8j 2 [0, i), (Q,⇡j , t) |= '1.

The traceQ satisfies � if (Q, 0) |= �. The qualitative seman-tics can be used to check whether a model satisfies or violatesa dynamic pattern expressed in SpaTeL. However, it doesnot provide any information about how strongly the prop-erty is satisfied or violated. Quantitative semantics wereproposed in [14] and [12] to provide a measure of satisfia-bility of a trace with respect to a STL formula. Similarly,[2] proposes a quantitative semantics that measures satisfi-ability of a pattern with respect to a TSSL formula. In thefollowing, we integrate these two sets of semantics.

Definition 4. (Quantitative Semantics of SpaTeL) The quan-titative valuation ⇢t of a SpaTeL spatial formula can be cal-culated according to the recursive quantitative semantics

⇢t(¬�, Q, t) = �⇢t(�, Q, t)⇢t(�1 ^ �2, Q, t) = min(⇢t(�1, Q, t), ⇢t(�2, Q, t))

⇢t(�1U[I1,I2)�2, Q, t) = supt02[t+I1,t+I2)(min(⇢t(�2, Q, t

0),inft002[t+I1,t0) ⇢t(�1, Q, t

00)))⇢t(', Q, t) = ⇢s(', a0(t))

1(Q, t) is used to define the semantics of trace Q at time t

(not to be confused with the value of Q at time t, Q(t)).Similarly, (Q, a, t) is used to define the semantics of trace Q

at time t and state a.

and

⇢s(>, a) = b

⇢s(m ⇠ d, a) = (⇠ is �)?([m](a)� d) : (d� [m](a))⇢s(¬', a) = �⇢s(', a)

⇢s('1 ^ '2, a) = min(⇢s('1, a), ⇢s('2, a))⇢s(9B � ', a) = 0.25max⇡B2LPathB(a) ⇢s(⇡

B1 )

⇢s(8B � ', a) = 0.25min⇡B2LPathB(a) ⇢s(⇡B1 )

⇢s(9B'1Uk'2) = sup⇡B2LPathB(a),i2(0,k](min(0.25⇢s('2,⇡

Bi ), infj2[0,i) 0.25

j⇢s('1,⇡

Bj )))

⇢s(8B'1Uk'2) = inf⇡B2LPathB(a),i2(0,k](min(0.25⇢s('2,⇡

Bi ), infj2[0,i) 0.25

j⇢s('1,⇡

Bj ))).

With a slight abuse of notation, the quantitative seman-tics of a formula � with respect to a trace Q is denoted⇢t(�, Q) = ⇢t(�, Q, 0).

Remark 1. We restrict the spatial configuration to QTSsconstructed from a system S modeled as a K ⇥ K grid.The syntax and semantics of SpaTeL can easily be modifiedto describe a networked system with a spatial configurationthat can be represented as a transition system constructedfrom a generic tree structure. Extension to systems withgeneral configurations will be studied in the future.

Remark 2. The absolute value of this quantitative valua-tion can be viewed as a measure of ”distance to satisfaction”.In other words, larger values correspond to traces that sat-isfy the formula better than traces with smaller quantitativevaluation. Therefore, traces with a larger quantitative valu-ation are expected to conform quite strongly to the spatialand temporal patterns described by the given formula. Forthis reason, we refer to the value of the quantitative seman-tics of a formula with respect to a trace as its degree ofsatisfaction.

Remark 3. Discounting reduces the e↵ect of deeper nodesin a quad tree, which correspond to more local portions ofthe network. This leads to a better description of globalpatterns.

We now show that given a trace Q and a SpaTeL formula� the sign of the quantitative evaluation ⇢t is consistentwith the violation or satisfaction of the formula. That is, if⇢t(�, Q, 0) is positive, then Q satisfies � and if it is negative,Q does not satisfy �.

Theorem 1 (Soundness). Let � be a SpaTeL formulaand Q be a trace of a networked system. Then, the followingproperties hold for the two semantics:

⇢t(�, Q, 0) > 0) Q |= �⇢t(�, Q, 0) < 0) Q 6|= �

(4)

Proof. (Sketch) Our previous results in [2] showed thatthe following properties hold for the spatial fragment of Spa-Tel:

⇢s(', a0) > 0) (Q, a, t) |= '

⇢s(', a0) < 0) (Q, a, t) 6|= '

(5)

SpaTeL is a special case of STL [11] where the predicatesdefined over signals are substituted with a TSSL spatial for-mula. The proof of soundness for STL can be then derivedby structural induction on the operational semantics follow-ing the ideas from [11].

192

HSCC'15, April 14-16, 2015, Seattle, Washington

Now, we define the QTS max distance, a measure of sim-ilarity of two given QTSs.

Definition 5. (QTS Max Distance) The max distance of

two QTSs Q

(1) = (A(1), a

(1)0 , ⌧

(1),⌃, [.](1), L(1)) and Q

(2) =

(A(2), a

(2)0 , ⌧

(2),⌃, [.](2), L(2)) is defined as:

d1(Q(1), Q

(2)) = n1(a(1)0 , a

(2)0 , 0)

where n1 : A⇥A⇥ N! [0, b] such that:

n1(a

(1), a

(2), k) =

8>>><

>>>:

14k

max

m2⌃|[a(1)

]

(1)(m) � [a

(2)]

(2)(m)|

if (a

(1), a

(1)) 2 ⌧

(1) ^ (a

(2), a

(2)) 2 ⌧

(2)

maxd2Dn1(a

(1)d , a

(2)d , k + 1) otherwise

We now introduce a second theorem, showing that givena property �, if two bounded traces of QTS are similarenough, i.e. their max distance is less than the robustnessvalue for the given formula, then if one trace satisfies theformula � implies that the other trace satisfies the sameformula.

Theorem 2 (Correctness). Given two traces Q

(1)(t)and Q

(2)(t) of bounded length T then:

(Q

(1), 0) |= �^ k D1 k1< ⇢t(�, Q

(1), 0) ) (Q

(2), 0) |= �

with D1 defined as:

D1 = [d1(Q

(1)(0), Q

(2)(0)), · · · , d1(Q

(1)(T � 1), Q

(2)(T � 1))]

Proof. (Sketch) The proof for the temporal fragment ofSpaTeL is analogous to the one for STL in [14]. We providehere a sketch for the proof for the nested spatial fragment:

(Q

(1), t) |= '^ d1(Q

(1)(t), Q

(2)(t)) < ⇢s(', a

(1)0 (t)) ) (Q

(2), t) |= '

We can distinguish the following cases:

case ' := >: in this case the theorem is true following thedefinition of the qualitative semantics.

case ' := m ⇠ d: This proof assumes ⇠:= “ � ”. A similarproof can be derived from ⇠:= “ ”. We have that:

d1(Q

(1)(t), Q

(2)(t)) < ⇢s(m � d,Q

(1)(t)) = [a

(1)0 (t)]

(1)(m) � d

Moreover, by the definition of d1 we have that:

|[a(1)0 (t)]

(1)(m) � [a

(2)0 (t)]

(2)(m)| d1(Q

(1)(t), Q

(2)(t))

[a

(1)0 (t)]

(1)(m) � |[a(2)

0 (t)]

(2)(m) � [a

(2)0 (t)]

(2)(m)| � d > 0

[a

(1)0 (t)]

(1)(m)�|[a(2)

0 (t)]

(2)(m)�[a

(2)0 (t)]

(2)(m)| [a

(2)0 (t)]

(2)(m)

From Theorem 1 we have that:

[a

(2)0 (t)]

(2)(m) � d > 0 ) ⇢t(m � d,Q

(2)(t)) > 0 ) (Q

(2), t) |= '

all other cases:

if (Q(1), t) |= ' then we have:

⇢s(', a

(1)0 (t)) =

8>>>><

>>>>:

(1):

14j

b: j 2 N

or (2):

14j

([a

(1)(t)]

(1)(m) � d) : j 2 N, a(1) 2 A

(1),m 2 ⌃

Situation (1) may occur when one of the subformulae of' is > and the proof is equivalent to the case of ' := >.Situation (2) can be proved in a similar way as the case' := m ⇠ d.

Example 1. cont’d.The original checkerboard pattern can be described by a

TSSL formula

8B⇤F1((8{SW,NE}� ((W � 1)) ^ (8{NW,SE}� (W 0)))

where B

⇤ = {SW,NE,NW,SE}. With SpaTeL, we canformulate the spatial-temporal pattern “All the tiles in thecheckerboard flip their colors simultaneously at some timet 2 (0, T ]” as

� := F(0,T ] ((8B⇤F1((8{SW,NE}� (W � 1))

^(8{NW,SE}� (W 0))))^G(0,1](8B⇤

F1((8{NW,SE}� (W � 1))^(8{SW,NE}� (W 0)))))).

(6)

5. VERIFICATION AND SYNTHESISIn this section we show that standard model checking and

parameter synthesis algorithms presented in [29] and [2] caneasily be applied to SpaTeL.

5.1 Statistical Model CheckingWe are interested in determining whether the traces pro-

duced by a networked system S satisfy a given SpaTeL for-mula �. In general, a networked system produces tracesnon-deterministically due to variations in initial conditions,system parameters, or un-modeled dynamics. Let the non-determinism of the system be described by a random vari-able U with range space RU such that a given realization u

generates a unique trace Qu and L(S) =S

u2RUQu. Enu-

merating each trace Qu and checking Qu |= � is infeasible,as this set is (possibly) countably infinite. A traditionalmodel checking algorithm [3], in which a formal proof ofwhether or not all traces produced by S satisfy � is gener-ated, is also likely infeasible to implement due to the poten-tial size and complexity of networked systems. Further, thequestion of whether or not all traces of S satisfy � may betoo narrow of an inquiry, as we may only be interested inhow frequently � is satisfied. Therefore, we propose to char-acterize the behavior of S by using the model to randomlygenerate a finite number of traces and solving the broader(and more feasible) statistical model checking problem.

Problem 1. A model of a networked dynamical system S

and a SpaTeL formula � are given. Let p = Pr[Q |= �],c 2 ( 12 , 1) be a confidence level, and � > 0 be a half-intervalsize. Find an interval (p0, p1) where 0 p0 < p1 1 andp1 � p0 = 2� such that Pr[p 2 (p0, p1)] � c.

Problem 1 asks for a confidence interval (p0, p1) becausethis interval can be calculated from a finite number of tracesof S while explicitly calculating p in general would requirean infinite number of traces.

Example 1. cont’d.Each of the tiles Si,j flips its color at a random time Ti,j

distributed non-uniformly over the range li,j , . . . , hi,j . LetU be the random matrix [Ti,j ]. We want to estimate (via aconfidence interval) the probability that all the tiles in thecheckerboard flip their color simultaneously at some time t,i.e. the probability of satisfying (6).

Our statistical model checking procedure is summarizedin Algorithm 1. Algorithm 1 uses Bayesian Interval Estima-tion, an algorithm presented in [29] to recursively construct

193

HSCC'15, April 14-16, 2015, Seattle, Washington

a confidence interval for the mean of a Bernoulli randomvariable. We define an i.i.d. sequence of Bernoulli randomvariables {�i}Ni=1 such that

�i = I(Qui |= �), (7)

where ui is a sample drawn from U and I is the indicatorfunction. The sample mean of the variables {�i}Ni=1 thusapproaches p as defined in Problem 1 as N ! 1. For afinite value of N , we can estimate an interval [p � �, p + �]such that

Pr[p 2 (p� �, p+ �)] � c, (8)

where � and c are as defined in Problem 1. This intervalis called the “100c percent Bayesian interval estimate of p”.The Bayesian interval estimation algorithm proceeds by col-lecting samples of �i and recursively applying Bayes’ rule

f(p|�i, . . . ,�n) =f(�1, . . . ,�n|p)g(p)R 1

0f(�1, . . . ,�n|v)g(v)dv

, (9)

where f and g are probability density functions (pdfs), untilthe estimated interval achieves the desired confidence levelc. Recursively applying Bayes’ rule requires us to have someprior pdf of p over the interval [0, 1] before collecting the firstsample �1. We use � priors as suggested in [29], where a �

random variable has a pdf

8p 2 [0, 1] g(p,↵,�) = 1B(↵,�)p

↵�1(1� p)��1

B(↵,�) =R 1

0t

↵�1(1� t)��1dt.

(10)

and a cumulative density function (cdf)

F↵,�(p) =

Z p

0

g(t,↵,�)dt. (11)

In the absence of a principled guess of the prior density of p,we make the assumption of uniform density, e.g. F↵,�(p) =p, by setting ↵ = � = 1. If we use the � prior, the posteriormean p can be calculated as

p =X + ↵

n+ ↵+ �

(12)

where X =Pn

i=1 �i. The posterior probability is:

Pr[p 2 (p0, p1)] = F(X+↵,n�X+�)(p1)� F(X+↵,n�X+�)(p0).(13)

5.2 Parameter SynthesisConsider the case in which in addition to stochastic pa-

rameters U , the traces of S are influenced by some de-sign parameters ⇧ 2 P. Let Qu,⇧ be the unique traceassociated with realization u and parameters ⇧ such thatL(S) = S

u2RU

S⇧2P Qu,⇧. We wish to find a parameteri-

zation ⇧⇤ such that the traces {Qu,⇧⇤}u2RU strongly satisfysome desirable property � on average. Formally, we have:

Problem 2. A model of a system S, a SpaTeL formula �,and ranges of system parameters P = P1 ⇥ . . .P|⇧|,Pi ⇢R, i = 1, . . . , |⇧| are given. Determine the parameterization⇧⇤ 2 P such that the average degree of satisfaction of theresulting traces with respect to � is maximized.

Example 1. cont’d.Assume that the maximum possible flipping time hi,j for

each subsystem Si,j is randomly selected according to an

Algorithm 1: Statistical Model Checking

Input: �, S, � 2 (0, 1/2), c 2 (1/2, 1), ↵,�Output: (p0, p1)

1 n 0 (number of traces drawn so far) ;2 X 0 (number of traces satisfying �) ;3 � 0 (coverage probability of the interval (p0, p1)) ;4 while � < c do5 Qu draw a sample trace of the system ;6 n n+ 1 ;7 if (Qu |= �) then8 X X + 1;9 end

10 p (X+↵)/(n+↵+�) (compute posterior mean) ;11 (p0, p1) (p� �, p+ �) (interval estimate) ;12 if p1 > 1 then13 (p0, p1) (1� 2�, 1)14 else15 if p0 < 0 then16 (p0, p1) (0, 2�)17 end18 end19 � Posterior probability of p 2 (p0, p1) computed

by (13)20 end

exponential distribution with rate ⇧. A parameter synthesisproblem is to determine the value of ⇧ such that on averageeach tile flips its color as close to simultaneously as possible.

The temporal version of problem 2 has been solved in [1,26].We study the spatio-temporal case in this paper. Prob-lem 2 can be formulated as an optimization problem:

⇧⇤ = argmax⇧2P

EU [⇢t(�, Qu,⇧)]. (14)

We do not evaluate the expectation directly but rather ap-proximate it by generating N traces {Qui,⇧}Ni=1 and cal-culating the sample mean of the degree of satisfaction. Inpractice, we have found that relatively small sample sizes Nsu�ced for parameter synthesis.In [2], the minimum value of the degree of satisfaction over

all possible executions was maximized. The authors arguethat if we make sure that the lowest possible quantitativevaluation (which corresponds to the worst execution of thesystem with respect to the given specification) is still posi-tive, then every possible execution will satisfy the specifica-tion. We have replaced the minimum degree of satisfactionwith the sample mean because we deal with stochastic sys-tems such that even for the optimal parameters, there maystill be some traces among the samples where the specifica-tion is not satisfied. Further, the sample mean is a betterindicator of the behavior of a typical execution of the systemthan the robustness of the “worst case” trace.The process of parameter synthesis using particle swarm

optimization is summarized in Algorithm 2. Many continu-ous optimization methods can be used to solve (14). In thispaper, we use particle swarm optimization (PSO) [24], arandomized search algorithm in which a collection of pointsin the search space are updated at each iteration to movecloser (on average) to a global optimal solution. The choiceof PSO was motivated by [2] where it was chosen due to itsinherent distributed nature and its ability to operate on ir-

194

HSCC'15, April 14-16, 2015, Seattle, Washington

regular search spaces. In particular, PSO does not require adi↵erentiable objective function. The PSO procedure beginsby randomly initializing a set of m particles with positionszi 2 P and velocities vi 2 V ✓ R

|⇧|. The position of a par-ticle represents a candidate solution to (14) and the velocityrepresents a search direction from the current solution. Afterthe particles are generated, m sets of N traces {Quj ,zi}Nj=1

are produced and used to evaluate (14) for each point repre-sented by the particles. The position of the ith particle thathas performed the best so far is stored in the variable z

besti

and the optimal value of zbesti is stored in the variable z

best.After all particles have been evaluated, their positions andvelocities are updated according to the relations

vi Wvi + ⌘(0, rp)(zbesti � zi) + ⌘(0, rg)(z

best � zi)

zi zi + vi.

(15)⌘(0, rj) represents a random number uniformly distributedover the interval [0, rj ]. The parameters W 2 R, rp, and rg

are specified by the user. The iterative process of updatingparticles and evaluating their performance proceeds until atermination criterion is met, e.g., zbest does not change afterk consecutive iterations.

Algorithm 2: Parameter Synthesis

Input: �, S, P, N , (W, rp, rg,m), kOutput: ⇧⇤

1 for 1 j m do2 zi initialize particle positions;3 vi initialize particle velocities4 end5 while ⇧⇤ has changed during the last k iterations do6 for 1 j N do7 Quj ,zi draw a sample trace of the system ;8 ⇢t(�, Quj ,zi) calculate quantitative valuation

of Quj ,zi with respect to � ;9 end

10 [zi, vi] update particles according to (15) ;

11 ⇧⇤ the best position so far (zbest)12 end

5.3 ComplexityThe time complexity of executing either Algorithm 1 or 2

is di�cult to compute explicitly. Each algorithm proceedsin an iterative fashion until a convergence criterion is met.Thus, the complexity depends on system-dependent conver-gence rates that can vary widely among application areas.Some insight into how di↵erent stopping criteria a↵ect con-vergence of particle swarm optimization for a given objectivefunction is given in [28]. Here, we establish the complexity ofcomputing the degree of satisfaction for an execution traceof a networked dynamical system where the size of the net-work is K⇥K and the traces have a length of T . This is thecore computational procedure that is executed during everyiteration of each algorithm. The temporal and spatial por-tions of SpaTeL are inspired by STL and TSSL, respectively.The worst-case complexity of computing the degree of satis-faction of an STL formula was established as O(T 2lt) in [12]where lt is the maximum number of nested temporal untiloperators in the formula. The quantitative semantics of Spa-

TeL is defined in such a way that the quantitative valuationfor spatial and temporal until operators are computed usingthe same expressions. Therefore, computing the spatial por-tion of the SpaTeL quantitative valuation for a given quadtree has a complexity of O(4ns

.n

2lss ) where ns = logK is the

depth of the tree and ls is the maximum number of nestedspatial until operators. Finally, constructing of a quad treefrom a K ⇥ K grid needs O(K2 logK) operations. Conse-quently, the total complexity is O(T 2lt

K

4(logK)2ls+1).

6. CASE STUDIESThe matlab package SPATEL, which includes our imple-

mentations of Algorithms 1 and Algorithms 2 and the sim-ulation software we used in our case studies, is available athttp://sites.bu.edu/hyness/software/.

6.1 Reaction-Diffusion System

LS

SS

t=0 t=5 t=10 t=20 t=30 t=40 t=50 t=60

Figure 2: Patterns generated by system (16) withR = [1,�12,�1, 16] and di↵erent di↵usion parametersDLS = [5.6, 24.5] and DSS = [1.4, 5.3]. The steady stateobservations produce large spots (LS) and smallspots (SS).

Inspired by [27], we consider a reaction-di↵usion systemthat describe the generation of skin pigments that producespots in animals. Following [2], we consider a 32⇥32 reaction-di↵usion system with two species. The concentrations of thespecies in Si,j evolve according to the ODE

dx

(1)i,j

dt

= D1(µ(1)i,j � x

(1)i,j ) +R1x

(1)i,j x

(2)i,j � x

(1)i,j +R2

dx

(2)i,j

dt

= D2(µ(2)i,j � x

(2)i,j ) +R3x

(1)i,j x

(2)i,j +R4

(16)

where x(1)i,j and x

(2)i,j represent the concentration of each species

at cell (i, j), µ(1)i,j and µ

(2)i,j are the inputs of the (i, j)th sys-

tem Si,j from neighboring systems,

µ

(n)i,j =

1|⌫i,j |

X

⌫2⌫i,j

x

(n)⌫ , (17)

⌫i,j is the set of indices of systems adjacent to Si,j , Di, i =1, 2 are di↵usion coe�cients, and Ri, i = 1, . . . , 4 are the pa-rameters that define the local dynamics for the two species.

Fig. 2 shows the observed concentrations of species 1 atdi↵erent time points for two di↵erent parameter choices.The more black cell (i, j) is, the larger the value of x

(1)i,j .

The two corresponding steady-state spatial patterns presentat time t = 60 are called large spots (LS) and small spots(SS), respectively. In [2], the RIPPER supervised learningalgorithm was used to learn the TSSL formulae 'LS and'SS from examples of large and small spot patterns thatwere labeled manually. These formulae are too long to bedisplayed here. SpaTeL, a richer logic, can not only char-acterize these spatial patterns but also capture how theydevelop over time. Consider the following formulae:

�1 : F[0,30)G[0,60)'SS (18)

195

HSCC'15, April 14-16, 2015, Seattle, Washington

(D1, D2) � c p n

(1.44,5.27)

0.05 0.95 0.95 156

0.05 0.99 0.95 538

0.01 0.95 0.95 3766

0.01 0.99 0.96 284

(5.6,24.5)

0.05 0.95 0.11 98

0.05 0.99 0.13 71

0.01 0.95 0.11 279

0.01 0.99 0.11 318

(0.2,20)

0.05 0.95 0.03 28

0.05 0.99 0.02 43

0.01 0.95 0.007 148

0.01 0.99 0.004 228

Table 1: Satisfaction probabilities for �1. Each it-eration took on average approximately 0.74 secondson a machine with a 2.40 GHz processor and 8 GBRAM.

�2 : F[0,30)G[0,60)'LS ^G[0,60)¬'SS . (19)

(a)

0 2 6 10 20 30 40 50 60−2

−1

0

1x 10−3

Time

Deg

ree

of

sati

sfact

ion

'LS

'SS

(b)

Figure 3: Time evolution of TSSL quantita-tive semantics for an execution of the reaction-di↵usion system with parameter D = [D1, D2] =[5.6, 24.5] where LS emerges in steady state and SSemerges in transient state. (a) Generated patterns(b)⇢s('LS , Q(t)) and ⇢s('SS , Q(t)) with t = 0, . . . , 60.

Formula �1 specifies that the SS pattern appears withinthe first 30 seconds and persists for 60 seconds after it emerges.Formula �2 is the conjunction of an expression which statesthat LS pattern emerges within the first 30 seconds andremains for the next 60 seconds and an expression whichspecifies that the SS pattern never occurs during the first60 seconds, i.e. the large spots pattern is established unam-biguously. The valuations of the quantitative semantics ofa system execution with respect to 'LS and 'SS are plot-ted over time in Fig. 3(b). The figure shows that althoughthis particular set of parameter lead to large spots patternin steady state, the small spots pattern occur transientlyduring the system evolution.We applied the statistical model checking procedure (Al-

gorithm 1) to estimate the probability that formula �1 holdsfor the Turing system. The results from using three di↵erentsets of di↵usion rates, two di↵erent confidence levels c, andtwo di↵erent half-interval sizes � are summarized in Table 1.The system with the first set of parameters (1.44, 5.27)

(selected by an expert) satisfies �1 with high probability.The other two parameterizations hold with very low proba-bility. We also see that as c increases and � decreases, the

N (D

⇤1 , D

⇤2 ) p

1 (2.65, 10.00) 0.74

10 (1.90, 7.03) 0.88

100 (1.45, 5.12) 0.96

Table 2: Synthesized di↵usion rates for the reaction-di↵usion system when the objective is satisfaction of�1 with � = 0.01 and c = 0.99.

number of traces, and consequently the computation time,required to find the desired interval increases significantly.Next, we applied the parameter synthesis procedure (Al-

gorithm 2) to find a pair of di↵usion coe�cients that max-imized the expected degree of satisfaction with respect to�1. We increased the number of traces at each iteration N

and observed that the results improve as N grows (i.e., thesynthesized parameter values correspond to higher probabil-ity of satisfaction). The results are illustrated in Table 2.Notice that computing the average quantitative valuationfor only ten executions at every step results in a satisfactionprobability as high as 88 %.

6.2 Smart Neighborhood Power Management

commercial zone

residential zone

residential zone

residential zone

EV charging station

EV charging station

EV charging station

Figure 4: Smart neighborhood example: Configura-tion of the neighborhood.

In this section, we apply our procedures to a simulationof a smart neighborhood electricity grid whose power con-sumption is controlled by demand-side management (DSM).Due to the growing share of fluctuating renewable sourcessuch as wind and solar in power generation, it becomes in-creasingly di�cult to maintain the balance between powerproduction and consumption by only managing power gen-eration. Recent advent of the smart grid, a more flexible andreliable grid, enables DSM systems to play a more active rolein mitigating the e↵ects of such intermittent resources [25].A DSM system controls power distribution in a network byvarying the prices that consumers pay per unit of consumedpower in response to consumer demand. Thus, when thedemand for electricity is high, only those members of themarket (network) that highly prioritize power consumptionat that time will consume electricity.

Consider a Smart Neighborhood Operator (SNO) thatmanages loads in commercial and residential buildings ina neighborhood as shown in Fig. 4. The neighborhood hascommercial buildings located at the northwestern quarterand residential buildings in the other quarters. There is anelectrical vehicle (EV) charging station at the southeasterncorner of each residential quarter.

196

HSCC'15, April 14-16, 2015, Seattle, Washington

(RPD, RPN ) � c p n

(3.0,5.0)

0.05 0.95 0.95 117

0.05 0.99 0.95 238

0.01 0.95 0.94 3207

0.01 0.99 0.94 3291

(3.3,4.7)

0.05 0.95 0.69 103

0.05 0.99 0.72 104

0.01 0.95 0.72 1201

0.01 0.99 0.72 1200

(4,4)

0.05 0.95 0.04 45

0.05 0.99 0.02 43

0.01 0.95 0.02 113

0.01 0.99 0.02 110

Table 3: Satisfaction probabilities for �3. The pricefor the commercial district is fixed at 19. Each iter-ation required on average 0.85 seconds.

Following [10], at time t, inside each building ni(t) appli-ances are consuming actively with a rate ri kW with sub-scripts c, r and e denoting commercial building, residentialbuilding and EV station, respectively. The arrival distribu-tion of appliances for building class i over the period [t, t+1]is Poisson distributed with a rate �i(Ui�pj(t))/Ui, where Ui

is the utility of an appliance of class i and pj(t) is the broad-cast price for neighborhood class j, j 2 {c, r} with residentialbuilding and EV station charged by the same price. Onceconnected, an appliance continues to consume for a periodof time ⌧i which is exponentially distributed with rate µi.The goal of the SNO is to set the broadcast prices pj suchthat the loads of di↵erent areas and the whole neighborhoodsatisfy certain specified load constraints.The statistical model checking procedure was used to en-

sure that the power system conformed to the specification“Always ensure that for each of the four ‘neighborhoods’, thepower consumption level m is below 300 and the power con-sumption is below 200 in each of the neighborhoods’ quad-rants at least once per hour. Ensure that after 6 hours, thepower consumption in all residential areas is above level 3.”This is written in SpaTeL as

�3 := G[0,18)F[0,1)(8(NW,NE,SW,SE)� (m 300^8(NW,NE,SW,SE)�m 200))^G[6,18)(8(NE,SE,SW )�8(NW,NE,SW )�m � 3).

Table 3 shows the probability of satisfaction for the abovespecification for di↵erent choices of daytime and nighttimeresidential power prices (RPD, RPN ). The parameters (3,5)lead to a network that rarely violates the given specification.Altering these prices by even a small amount will cause thespecification to be violated often.Now consider the case where we want to synthesize power

prices so that: the total power consumption of the commer-cial buildings is always less than 150; the power consump-tion is below 150 in each EV station and below 25 in each ofthe residential neighborhoods in the first 12 hours; after 12hours, the power consumption of each EV station is between30 and 200; after 15 hours, the power consumption in all res-idential areas is above 5. In SpaTeL, these requirements are

�4 := G[0,18)(8NW � (m 150)) ^G[0,12)(8(NE,SE,SW )�(8(NW,NE,SW )�m < 25) ^ (8SE �m 150))^

G[12,18)(8(NE,SE,SW )�8SE � (m 200 ^m � 30))^G[15,18)(8(NE,SE,SW )�8(NW,NE,SW )�m � 5).

The design parameters are daytime and nighttime pricesof the residential areas RPD, RPN and nighttime power price

N (RP

⇤D, RP

⇤N , CP

⇤N ) p

1 (4.69, 4.41, 19.70) 0.43

10 (4.42, 4.74, 19.70) 0.75

20 (4.40, 4.75, 19.70) 0.73

50 (4.15, 5.05, 19.70) 0.90

Table 4: Synthesized power prices for the smartneighborhood example with � = 0.01 and c = 0.99.

of commercial areas CPN . We fixed the daytime power priceof factories at 19. Algorithm 2 results in prices specified inTable 4. The demand coe�cients shift from daytime values�i,d to nighttime values �i,n. The values of the simulationparameters were (rc,�c,d,�c,n, Uc) = (20, 0.33, 0.33, 20),(rr,�r,d,�r,n, Ur) = (4, 0.28, 1.02, 6), and (re,�e,d,�e,n, Ue) =(9, 0.28, 1.02, 8). Fig. 5 illustrates a few traces that are ex-ecuted with the final synthesized prices. The vast majorityof the simulated traces satisfy the required specifications.

0 2 4 6 8 10 12 14 16 180

25

50

100

150

200

Time (hr)

Pow

er c

on

sum

pti

on

Commercial District

EV Station

Residential District

Figure 5: Traces generated the smart neighbor-hood model when (RPD, RPN ) = (4.15, 5.05) and(CPD, CPN ) = (19, 19.70).

7. CONCLUSIONThe advent of spatially distributed and networked cyber-

physical systems has increased the demand for novel e�cientspatio-temporal reasoning techniques. SpaTeL provides anintuitive formal framework to specify the emergent behaviorsto be detected or to be enforced. We have demonstrated thatSpaTeL can be used to specify, verify, and enforce desiredsystem behaviors. Future research includes using SpaTeL tolearn dynamic patterns directly from data and synthesizingcontrol policies to ensure a given dynamic pattern.

8. ACKNOWLEDGMENTThis work was partially supported by ONR under grant

ONR N00014-14-1-0554 and NSF under grant CBET-0939511.E.B. and R.G. acknowledge the support of the Austrian FFGproject HARMONIA (nr. 845631) and the Doctoral Pro-gram Logical Methods in Computer Science funded by theAustrian FWF. The authors would like to acknowledge EbruAydin Gol from Google Inc. for providing software and datafor the reaction-di↵usion system presented in [2] and BowenZhang and Michael Caramanis from Boston University fortheir helpful insight on the smart neighborhood model.

9. REFERENCES[1] H. Abbas, B. Hoxha, G. Fainekos, and K. Ueda.

Robustness-guided temporal logic testing and

197

HSCC'15, April 14-16, 2015, Seattle, Washington

verification for stochastic cyber-physical systems. InCyber Technology in Automation, Control, andIntelligent Systems (CYBER), 2014 IEEE 4th AnnualInternational Conference on, pages 1–6. IEEE, 2014.

[2] E. Aydin Gol, E. Bartocci, and C. Belta. A formalmethods approach to pattern synthesis in reactiondi↵usion system. In IEEE 53rd Annual Conference onDecision and Control, 2014.

[3] C. Baier, J.-P. Katoen, et al. Principles of modelchecking, volume 26202649. MIT press Cambridge,2008.

[4] E. Bartocci, L. Bortolussi, and G. Sanguinetti.Data-driven statistical learning of temporal logicproperties. In Formal Modeling and Analysis of TimedSystems, pages 23–37. Springer, 2014.

[5] B. Bennett, A. Cohn, F. Wolter, andM. Zakharyaschev. Multi-dimensional modal logic as aframework for spatiotemporal reasoning. AppliedIntelligence, 17(3):239–251, 2002.

[6] L. Bortolussi and L. Nenzi. Specifying and monitoringproperties of stochastic spatio-temporal systems insignal temporal logic.

[7] D. Bresolin, P. Sala, D. Della Monica, A. Montanari,and G. Sciavicco. A decidable spatial generalization ofmetric interval temporal logic. In Proc. of TIME 2010:the 17th International Symposium on TemporalRepresentation and Reasoning, pages 95–102. IEEE,Sept 2010.

[8] S. Bufo, E. Bartocci, G. Sanguinetti, M. Borelli,U. Lucangelo, and L. Bortolussi. Temporal logic basedmonitoring of assisted ventilation in intensive care. InProc. of ISoLA 2014: 6th International Symposium onLeveraging Applications of Formal Methods,Verification and Validation, Part II, volume 8803 ofLNCS, pages 391–403. Springer, 2014.

[9] L. Caires and L. Cardelli. A spatial logic forconcurrency (part ii). Theoretical Computer Science,322(3):517–565, 2004.

[10] M. C. Caramanis, I. C. Paschalidis, C. G. Cassandras,E. Bilgin, and E. Ntakou. Provision of regulationservice reserves by flexible distributed loads. In IEEE51st Annual Conference on Decision and Control,pages 3694–3700, 2012.

[11] A. Donze, T. Ferrere, and O. Maler. E�cient robustmonitoring for STL. In Computer Aided Verification -25th International Conference, CAV 2013, SaintPetersburg, Russia, July 13-19, 2013. Proceedings,volume 8044 of Lecture Notes in Computer Science,pages 264–279. Springer, 2013.

[12] A. Donze and O. Maler. Robust satisfaction oftemporal logic over real-valued signals. Springer, 2010.

[13] A. Donze, O. Maler, E. Bartocci, D. Nickovic,R. Grosu, and S. A. Smolka. On temporal logic andsignal processing. In Proc. of ATVA 2012: the 10thInternational Symposium on Automated Technologyfor Verification and Analysis, volume 7561 of LNCS,pages 92–106, 2012.

[14] G. E. Fainekos and G. J. Pappas. Robustness oftemporal logic specifications for continuous-timesignals. Theoretical Computer Science,410(42):4262–4291, 2009.

[15] J. P. Gollub and J. Langer. Pattern formation in

nonequilibrium physics. Reviews of Modern Physics,71(2):S396, 1999.

[16] R. Grosu, S. A. Smolka, F. Corradini, A. Wasilewska,E. Entcheva, and E. Bartocci. Learning and detectingemergent betavior in networks of cardiac myocytes.Communication of ACM, 52(3):97–105, 2009.

[17] X. Jin, A. Donze, J. Deshmukh, and S. Seshia. Miningrequirements from closed-loop control models. InHybrid Systems: Computation and Control (HSCC),2013.

[18] A. Jones, Z. Kong, and C. Belta. Anamoly detectionin cyber-physical systems: A formal methodsapproach. In the 53rd IEEE Conference on Decisionand Control, 2014.

[19] Z. Kong, A. Jones, A. Medina Ayala, E. Aydin Gol,and C. Belta. Temporal logic inference forclassification and prediction from data. In Proceedingsof the 17th international conference on Hybridsystems: computation and control, pages 273–282.ACM, 2014.

[20] R. Kontchakov, A. Kurucz, F. Wolter, andM. Zakharyaschev. Spatial logic + temporal logic = ?Handbook of Spatial Logics, pages 497–564, 2007.

[21] O. Maler and D. Nickovic. Monitoring temporalproperties of continuous signals. In FormalTechniques, Modelling and Analysis of Timed andFault-Tolerant Systems, pages 152–166. Springer, 2004.

[22] M. Marx and M. Reynolds. Undecidability of compasslogic. Journal of Logic and Computation,9(6):897–914, 1999.

[23] J. K. Parrish and L. Edelstein-Keshet. Complexity,pattern, and evolutionary trade-o↵s in animalaggregation. Science, 284(5411):99–101, 1999.

[24] R. Poli, J. Kennedy, and T. Blackwell. Particle swarmoptimization. Swarm intelligence, 1(1):33–57, 2007.

[25] F. Sa↵re and R. Gedge. Demand-side management forthe smart grid. In Network Operations andManagement Symposium Workshops (NOMS Wksps),2010 IEEE/IFIP, pages 300–303. IEEE, 2010.

[26] S. Sankaranarayanan and G. Fainekos. Falsification oftemporal properties of hybrid systems using thecross-entropy method. In Proceedings of the 15th ACMinternational conference on Hybrid Systems:Computation and Control, pages 125–134. ACM, 2012.

[27] A. M. Turing. The chemical basis of morphogenesis.Philosophical Transactions of the Royal Society ofLondon. Series B, Biological Sciences, 237(641):37–72,1952.

[28] K. Zielinski and R. Laur. Stopping criteria for aconstrained single-objective particle swarmoptimization algorithm. Informatica (Slovenia),31(1):51–59, 2007.

[29] P. Zuliani, A. Platzer, and E. M. Clarke. Bayesianstatistical model checking with application tosimulink/stateflow verification. In Proceedings of the13th ACM international conference on Hybrid systems:computation and control, pages 243–252. ACM, 2010.

198

HSCC'15, April 14-16, 2015, Seattle, Washington