Conference PaperPDF Available

Quantitative Regular Expressions for Arrhythmia Detection Algorithms

Conference Paper

Quantitative Regular Expressions for Arrhythmia Detection Algorithms

Abstract and Figures

Motivated by the problem of verifying the correctness of arrhythmia-detection algorithms, we present a formalization of these algorithms in the language of Quantitative Regular Expressions. QREs are a flexible formal language for specifying complex numerical queries over data streams, with provable runtime and memory consumption guarantees. The medical-device algorithms of interest include peak detection (where a peak in a cardiac signal indicates a heartbeat) and various discriminators, each of which uses a feature of the cardiac signal to distinguish fatal from non-fatal arrhythmias. Expressing these algorithms’ desired output in current temporal logics, and implementing them via monitor synthesis, is cumbersome, error-prone, computationally expensive, and sometimes infeasible.
Content may be subject to copyright.
Quantitative Regular Expressions for
Arrhythmia Detection Algorithms
Houssam Abbas1, Alena Rodionova2, Ezio Bartocci2,
Scott A. Smolka3, and Radu Grosu2
1Department of Electrical & Systems Engineering, University of Pennsylvania, USA
habbas@seas.upenn.edu,
2Cyber-Physical Systems Group, Technische Universit¨at Wien, Austria
{alena.rodionova,ezio.bartocci,radu.grosu}@tuwien.ac.at
3Department of Computer Science, Stony Brook University, USA
sas@cs.stonybrook.edu
Abstract. Motivated by the problem of verifying the correctness of
arrhythmia-detection algorithms, we present a formalization of these al-
gorithms in the language of Quantitative Regular Expressions. QREs are
a flexible formal language for specifying complex numerical queries over
data streams, with provable runtime and memory consumption guar-
antees. The medical-device algorithms of interest include peak detection
(where a peak in a cardiac signal indicates a heartbeat) and various
discriminators, each of which uses a feature of the cardiac signal to dis-
tinguish fatal from non-fatal arrhythmias. Expressing these algorithms’
desired output in current temporal logics, and implementing them via
monitor synthesis, is cumbersome, error-prone, computationally expen-
sive, and sometimes infeasible.
In contrast, we show that a range of peak detectors (in both the time
and wavelet domains) and various discriminators at the heart of today’s
arrhythmia-detection devices are easily expressible in QREs. The fact
that one formalism (QREs) is used to describe the desired end-to-end
operation of an arrhythmia detector opens the way to formal analysis
and rigorous testing of these detectors’ correctness and performance.
Such analysis could alleviate the regulatory burden on device developers
when modifying their algorithms. The performance of the peak-detection
QREs is demonstrated by running them on real patient data, on which
they yield results on par with those provided by a cardiologist.
Keywords: Peak Detection; Electrocardiograms; Arrythmia Discrimi-
nation; ICDs; Quantitative Regular Expressions
1 Introduction
Medical devices blend signal processing (SP) algorithms with decision algorithms
such that the performance and correctness of the latter critically depends on
that of the former. As such, analyzing a device’s decision making in isolation
of SP offers at best an incomplete picture of the device’s overall behavior. For
2
0 2000 4000 6000 8000 10000 12000
Time (ms)
0
50
100
150
200
250
300
Signal (V)
2000 4000 6000 8000 10000 12000
Time
50
100
150
200
250
300
350
400
450
500
Scale
100
200
300
400
500
600
700
Fig. 1: Rectified EGM during normal rhythm (left) and its CWT spectrogram (right)
example, an Implantable Cardioverter Defibrillator (ICD) will first perform Peak
Detection (PD) on its input voltage signal, also known as an electrogram (see
Fig. 1). The output of PD is a timed boolean signal where a 1 indicates a peak
(local extremum) produced by a heartbeat, which is used by the downstream
discrimination algorithms to differentiate between fatal and non-fatal rhythms.
Over-sensing (too many false peaks detected) and under-sensing (too many true
peaks missed) can be responsible for as much as 10% of an ICD’s erroneous
decisions [23], as they lead to inaccuracies in estimating the heart rate and in
calculating important timing relations between the beats of the heart’s chambers.
Motivated by the desire to verify ICD algorithms for cardiac arrhythmia dis-
crimination, we seek a unified formalism for expressing and analysing the PD and
discrimination tasks commonly found in ICD algorithms. A common approach
would be to view these tasks as one of checking that the cardiac signal satisfies
certain requirements, express these requirements in temporal logic, and obtain
the algorithms by monitor synthesis. For example, PD evaluates to 1 if the sig-
nal (in an observation window) contains a peak, while the V-Rate discriminator
evaluates to 1 if the average heart rate exceeds a certain threshold.
As discussed in Section 2, however, this approach quickly leads to a frac-
turing of the formalisms: PD algorithms and the various discriminators require
different logics, and some simply cannot be expressed succinctly (if at all) in
any logic available today. Thus, despite the increasingly sophisticated variety of
temporal logics that have appeared in the literature [11,6], they are inadequate
for expressing the operations of PD and discrimination succinctly. It should be
noted that PD is an extremely common signal-processing primitive used in many
domains, and forms of discrimination appear in several cardiac devices besides
ICDs, such as Implantable Loop Recorders and pacemakers. Thus the observed
limitations of temporal logics extend beyond just ICD algorithms.
PD and discrimination both require reasoning, and performing a wide range
of numerical operations, over data streams, where the data stream is the incom-
ing cardiac electrogram observed in real-time. For example, a commercial peak
detector (demonstrated in Section 6) defines a peak as a value that exceeds a
certain time-varying threshold, and the threshold is periodically re-initialized as
a percentage of the previous peak’s value. As another example, the Onset dis-
criminator compares the average heart rate in two successive windows of fixed
3
size. Thus, the desired formalism must enable value storage, time freezing, vari-
ous arithmetic operations, and nested computations, while remaining legible and
succinct, and enabling compilation into efficient implementations.
We therefore propose the use of Quantitative Regular Expressions (QREs) to
describe (three different) peak detectors and a common subset of discriminators.
QREs, described in Section 4, are a declarative formal language based on classical
regular expressions for specifying complex numerical queries on data streams [1].
QREs’ ability to interleave user-defined computation at any nesting level of the
underlying regular expression gives them significant expressiveness. (Formally,
QREs are equivalent to the streaming composition of regular functions [2]).
QREs can also be compiled into runtime- and memory-efficient implementations,
which is an important consideration for implanted medical devices.
To demonstrate the versatility and suitability of QREs for our task, we focus
on PD in the rest of the paper, since it is a more involved than any single dis-
criminator. Three different peak detectors are considered (Section 3): 1. detector
WPM, which operates in the wavelet domain,2. detector WPB, our own modifi-
cation of WPM that sacrifices accuracy for runtime, and 3. detector MDT, which
operates in the time domain, and is implemented in an ICD on the market today.
For all three, a QRE description is derived (Section 5). The detectors’ operations
is illustrated by running them on real patient electrograms (Section 6).
In summary, our contributions are:
We show that a common set of discriminators is easily encoded as QREs,
and compare the QREs to their encoding in various temporal logics.
We present two peak detectors based on a general wavelet-based characteri-
zation of peaks.
We show that the wavelet-based peak detectors, along with a commercial
time-domain peak detector found in current ICDs, are easily and clearly
expressible in QREs.
We implement the QREs for peak detection and demonstrate their capabil-
ities on real patient data.
2 Challenges in Formalizing ICD Discrimination and
Peak Detection
This section demonstrates the difficulties that arise when using temporal logic to
express the discrimination and peak-detection tasks common to all arrhythmia-
detection algorithms. Specifically: different discriminators require the use of dif-
ferent logics, whose expressive powers are not always comparable; the formulas
quickly become unwieldy and error-prone; and the complexity of the monitor-
synthesis algorithm, when it is available, rapidly increases due to nesting of freeze
quantification. On the other hand, it will be shown that QREs are well-suited
to these challenges: all tasks are expressible in the QRE formalism, the resulting
expressions are simple direct encodings of the tasks, and their monitors are ef-
ficient. The syntax and semantics of the logics will be introduced informally as
they are outside the scope of this paper.
4
An ICD discriminator takes in a finite discrete-timed signal w:{0, . . . , T } →
D. (Signal wwill also sometimes be treated as a finite string in Dwithout
causing confusion). The discriminator processes the signal win a sliding-window
fashion. When the window is centered at time instant t, the discriminator com-
putes some feature of the signal (e.g., the average heart rate) and uses this
feature to determine if the rhythm displays a potentially fatal arrhythmia in the
current window (at time t). The ICD’s overall Fatal vs Non-Fatal decision is
made by combining the decisions from all discriminators.
In what follows, several discriminators that are found in the devices of major
ICD manufacturers are described. Then for each discriminator, after discussing
the challenges that arise in specifying the discriminator in temporal logic, a
QRE is given that directly implements the discriminator. This will also serve
as a soft introduction to QRE syntax. Fix a data domain Dand a cost domain
C. For now, we simplify things by viewing a QRE fas a regular expression r
along with a way to assign costs to strings wD. If the string wmatches the
regular expression r, then the QRE maps it to f(w)C. If the string does not
match, it is mapped to the undefined value . The QRE’s computations can use
a fixed but arbitrary set of operations (e.g., addition, max, or insertion into a
set). Operations can be thought of as arbitrary pieces of code.
The first example of discriminator checks whether the number of heartbeats
in a one-minute time interval is between 120 and 150. This requires the use of
a counting modality like that used in CTMTL [16]. If pdenotes a heartbeat,
then the following CTMTL formula evaluates to true exactly when the number
of heartbeats lies in the desired range: C120
[0,59]pC150
[0,59]p.
This is equally easily expressed as a QRE: match 60 signal samples (at a 1Hz
sampling rate), and at every sample where pis true (this is a heartbeat), add 1
to the cost, otherwise add 0. Finally, check if the sum is in the range:
inrange(iter60 add(p?1 else 0))
The second discriminator determines whether the heart rate increases by at
least 20% when measured over consecutive and disjoint windows of 4 beats. In
logic, this requires explicit clocks, such as those used in Explicit Clock Temporal
Logic XCTL [14], since the beat-to-beat delay is variable. So let Tdenote the
time state (which keeps track of time) and let the xi’s be rigid clock variables
that store the times at which pbecomes true. The following XCTL formula
expresses the desired discriminator:
(p(x1=T)(p. . . (p(x9=T)[(x5x1)·0.8x9x5]) . . .))
Note the need to explicitly mark the 9 heartbeats and nest the setting of clock
variables 9-deep. This computation can be described in a QRE in a simpler, more
concise manner. Just like the usual regular expressions, simpler QREs can be
combined into more complex ones. We will now use the splitop combinator (see
Fig. 2): given the input string w=w1w2which is a concatenation of strings w1
and w2, and QREs f,g,splitop(f,g) maps wto the cost value op(f(w1),g(w2)),
where op is some operator (e.g., averaging). So let QRE fourBeats match four
5
consecutive beats in the boolean signal wand let it compute the average cycle
length of these 4 beats. Let inc(x, y) be an operation that returns True whenever
0.8xy. Then QRE suddenOnset does the job:
suddenOnset := splitinc(fourBeats,fourBeats)
fourBeats := iter4avg(intervalLength)
intervalLength := splitleft(countzeros,1) // lef t(a, b) returns a
The third discriminator takes in a three-vaued signal w:N→ {0, A, V }
where a 0 indicates no beat, an Aindicates an atrial beat, and a Vindicates
a ventricular beat. One simplified version of this discriminator detects whether
this pattern occurs in the current window: V0a:bA0c:dV0e:fA0g:hV. Here, aand
bare integers, and 0a:bindicates between aand brepetitions of 0. This can be
expressed in discrete-time Metric Temporal Logic [15]. E.g. the prefix V0a:bA
can be written as w=V=X((w= 0) U[a+1,b](w=A)). And so on. This
quickly becomes unwieldy as the pattern itself becomes lengthier and with more
restrictions on the timing of the repetitions. On the other hand, this is trivially
expressed as a (quantitative) regular expresssion.
Our final example comes from Peak Detection (PD), which takes in a real-
valued signal v:NR0. For one component of this PD, the objective is to
detect when v(t) exceeds a threshold value h > 0 which is reset as a function of
the previous peak value. Thus the logic must remember the value of that peak.
This necessitates freeze quantification of state variables, as used in Constraint
LTL with Freeze Quantification CLTL[10] (z=vmeans that we freeze the
variable zto the value of v):
(v > h =⇒ ↓BL=1 (ϕlocal-max =h= 0.8z2))
ϕlocal-max :=z1=vX(z2=vX(z2> z1z2> v))
The nesting of freeze quantifiers increases the chances of making errors when
writing the specification and decreases its legibility. More generally, monitoring
of nested freeze quantifiers complicates the monitors significantly and increases
their runtimes. E.g., in [6] the authors show that the monitoring algorithm for
STL with nested freeze quantifiers is exponential in the number of the nested
freeze operators in the formula. This becomes more significant when dealing
with the full PD, of which the above is one piece. On the other hand, we have
implemented an even more complex PD as a QRE (Section 5.1).
The reader will recognize that the operations performed in these tasks are
quite common, like averaging, variability, and state-dependent resetting of val-
ues, and can conceivably be used in numerous other applications.
This variety of logics required for these tasks, all of which are fundamental
building blocks of ICD operation, means that a temporal logic-based approach to
the problem is unlikely to yield a unifying view, whereas QREs clearly do. In the
rest of the paper, the focus is placed on peak detection, as it is more complicated
than discrimination, and offers a strong argument for the versatility and power
of QREs in medical-device algorithms.
6
3 Peaks in the Wavelet Domain
Rather than confine ourselves to one particular peak detector, we first describe a
general definition of peaks, following the classical work of Mallat and Huang [18].
Then two peak detectors based on this definition are presented. In Section 6, a
third, commercially available, peak detector is also implemented.
3.1 Wavelet Representations
This definition operates in the wavelet domain, so a brief overview of wavelets
is now provided. Readers familiar with wavelets may choose to skip this section.
Formally, let {Ψs}s>0be a family of functions, called wavelets, which are obtained
by scaling and dilating a so-called mother wavelet ψ(t): Ψs(t) = 1
sψt
s. The
wavelet transform Wxof signal x:R+Ris the two-parameter function:
Wx(s, t) =
+
Z
−∞
x(τ)Ψs(τt)(1)
An appropriate choice of ψfor peak detection is the nth derivative of a Gaussian,
that is: ψ(t) = dn
dtnGµ,σ(t). Eq. (1) is known as a Continuous Wavelet Transform
(CWT), and Wx(s, t) is known as the wavelet coefficient.
Parameter sin the wavelet ψsis known as the scale of the analysis. It can be
thought of as the analogue of frequency for Fourier analysis. A smaller value of
s(in particular s < 1) compresses the mother wavelet as can be seen from the
definition of Ψs, so that only values close to x(t) influence the value of Wx(s, t)
(see Eq. (1)). Thus, at smaller scales, the wavelet coefficient Wx(s, t) captures
local variations of xaround t, and these can be thought of as being the higher-
frequency variations, i.e., variations that occur over a small amount of time. At
larger scales (in particular s > 1), the mother wavelet is dilated, so that Wx(s, t)
is affected by values of xfar from tas well. Thus, at larger scales, the wavelet
coefficient captures variations of xover large periods of time.
Fig. 1 shows a Normal Sinus Rhythm EGM and its CWT |Wx(s, t)|. The
latter plot is known as a spectrogram. Time truns along the x-axis and scale s
runs along the y-axis. Brighter colors indicate larger values of coefficient magni-
tudes |Wx(s, t)|. It is possible to see that early in the signal, mid- to low-frequency
content is present (bright colors mid- to top of spectrogram), followed by higher-
frequency variation (brighter colors at smaller scales), and near the end of the
signal, two frequencies are present: mid-range frequencies (the bright colors near
the middle of the spectrogram), and very fast, low amplitude oscillations (the
light blue near the bottom-right of the spectrogram).
3.2 Wavelet Characterization of Peaks
Consider the signal and its CWT spectrogram |Wx(s, t)|shown in Fig. 1. The
coefficient magnitude |Wx(s, t)|is a measure of signal power at (s, t). At larger
7
scales, one obtains an analysis of the low-frequency variations of the signal,
which are unlikely to be peaks, as the latter are characterized by a rapid change
in signal value. At smaller scales, one obtains an analysis of high-frequency
components of the signal, which will include both peaks and noise. These remarks
can be put on solid mathematical footing [19, Ch. 6]. Therefore, for peak
detection one must start by querying CWT coefficients that occur at
an appropriately chosen scale ¯s.
Given the fixed scale ¯s, the resulting |Wxs, t)|is a function of time. The
next task is to find the local maxima of |Wx(¯s, t)|as tvaries. The times when
local maxima occur are precisely the times when the energy of scale-¯svaria-
tions is locally concentrated. Thus peak characterization further requires
querying the local maxima at ¯s.
Not all maxima are equally interesting; rather, only those with value above
a threshold, since these are indicative of signal variations with large energy
concentrated at ¯s.Therefore, the specification only considers those local
maxima with A value above a threshold ¯p.
Maxima in the wavelet spectrogram are not isolated: as shown in [19, Thm.
6.6], when the wavelet ψis the nth derivative of a Gaussian, the maxima belong
to connected curves s7→ γ(s) that are never interrupted as the scale decreases
to 0. These maxima lines can be clearly seen in Fig. 1 as being the vertical
lines of brighter color extending all the way to the bottom. Multiple maxima
lines may converge to the same point (0, tc) in the spectrogram as s0. A
celebrated result of Mallat and Hwang [18] shows that singularities in the signal
always occur at the convergence times tc. For our purposes, a singularity is a time
when the signal undergoes an abrupt change (specifically, the signal is poorly
approximated by an (n+ 1)th-degree polynomial at that change-point). These
convergence times are then the peak times that we seek.
Although theoretically, the maxima lines are connected, in practice, signal
discretization and numerical errors will cause some interruptions. Therefore,
rather than require that the maxima lines be connected, we only require them
to be (, δ)-connected. Given , δ > 0, an (, δ)-connected curve γ(s) is one such
that for any sin its domain, |ss0|<  =⇒ |γ(s)γ(s0)|< δ.
A succinct description of this Wavelet Peaks with Maxima (WPM) is then:
(Characterization WPM ) Given positive reals ¯s, ¯p, , δ > 0, a peak is said
to occur at time t0if there exists a (, δ)-connected curve s7→ γ(s) in the
(s, t)-plane such that γ(0) = t0,|Wx(s, γ(s))|is a local maximum along the
t-axis for every sin [0,¯s], and |Wx(¯s, γ(¯s))| ≥ ¯p.
The choice of values ¯s,,δand ¯pdepends on prior knowledge of the class of
signals we are interested in. Such choices are pervasive and unavoidable in signal
processing, as they reflect application domain knowledge. Such a specification
is difficult, if not impossible, to express in temporal and time-frequency logics.
In the next section we show how WPM can be formalized using Quantitative
Regular Expressions.
8
3.3 Blanking Characterization
For comparison, we modify WPM to obtain a peak characterization that is com-
putationally cheaper but suffers some imprecision in peak-detection times. We
call it Wavelet Peaks with Blanking (WPB). It says that one peak at the most
can occur in a time window of size BL samples.
(Characterization WPB) Given positive reals ¯s, ¯p > 0, a peak is said to occur
at time t0if |Wxs, t0)|is a local maximum along tand |Wxs, t0)|>¯p, and
there is no peak occurring anywhere in (t0, t0+BL].
Section 6 compares WPM and WPB on patient electrograms.
4 A QRE Primer
An examination of discrimination and PD (Sections 2 and 3) shows the need for
a language that: 1) Allows a rich set of numerical operations. 2) Allows matching
of complex patterns in the signal, to select scales and frequencies at which inter-
esting structures exist. 3) Supports the synthesis of time- and memory-efficient
implementations. This led to the consideration of Quantitative Regular Expres-
sions (QREs). A QRE is a symbolic regular expression over a data domain D,
augmented with data costs from some cost domain C. A QRE views the signal
as a stream wDthat comes in one data item at a time. As the Regular
Expression (RE) matches the input stream, the cost of the QRE is evaluated.
Formally, consider a set of types T={T1, T2, . . . , Tk}, a data domain D∈ T ,
a cost domain C∈ T , and a parameter set X= (x1, x2, . . ., xk), where each xiis
of type Ti. Then a QRE fis a function
JfK:D(T1×T2×. . . ×TkC)∪ {⊥}
where is the undefined value. Intuitively, if the input string wDdoes
not match the RE of f, then JfK(w) = . Else, JfK(w) is a function from
T1×T2×. . . ×Tkto C. When a parameter valuation ¯vT1×. . . ×Tkis given,
this then further evaluates to a cost value in C, namely JfK(w)(¯v). Fig. 2 provides
an overview of QREs and their combinators.
QREs can be compiled into efficient evaluators that process each data item
in time (or memory) polynomial in the size of the QRE and proportional to
the maximum time (or memory) needed to perform an operation on a set of cost
terms, such as addition, least-squares, etc. The operations are selected from a set
of operations defined by the user.It is important to be aware that the choice of
operations constitutes a trade-off between expressiveness (what can be computed)
and complexity (more complicated operations cost more). See [1] for restrictions
placed on the predicates and the symbolic regular expressions.
The declarative nature of QREs will be important when writing complex
algorithms, without having to explicitly maintain state and low-level data flows.
But as with any new language, QREs require some care in their usage. Space
limitations preclude us from giving the formal definition of QREs. Instead, we
9
Fig. 2: QREs and their combinators. a) Basic QRE ϕ?λmatches one data item dand
evaluates to λ(d) if ϕ(d) is True. b) QRE op(f1,...,fk) evaluates the kQREs f1,...,fk
on the same stream wand combines their outputs using operation op (e.g., addition).
fioutputs a value of type Ti. c) QRE f else g evaluates to fif fmatches the input
stream; else it evaluates to g. d) QRE splitop(f , g) splits its input stream in two
and evaluates fon the prefix and gon the suffix; the two results are then combined
using operation op. e) QRE iter[pi(f) iteratively applies fon substreams that match it,
analogously to the Kleene-operation for REs. Results are passed between iterations
using parameter p. f) QRE fgfeeds the output of QRE finto QRE gas fis being
computed.
will describe what each QRE does in the context of peak detection to give the
reader a good idea of their ease of use and capabilities. Fig. 2 illustrates how
QREs are defined and what they compute. Readers familiar with QREs will
notice that, when writing the QRE expressions, we occasionally sacrifice strict
syntactic correctness for the sake of presentation clarity.
5 QRE Implementation of Peak Detectors
We now describe the QREs that implement peak detectors WPM and WPB of
Section 3.2. It is emphasized that even complicated procedures such as these
two algorithms can be described in a declarative fashion using QREs, without
resorting to a programming language or explicitly storing state, etc.
10
( , , ( , ))
nn
s t Wx s t
22
( , , ( , ))
nn
s t Wx s t
1 2 1 2
...
( , , ( , ))
nn
s t Wx s t
33
( , , ( , ))
nn
s t Wx s t
1 3 1 3
...
( , , ( , ))s t Wx s t
1 3 1 3
( , , ( , ))
n k n k
s t Wx s t
( , , ( , ))
n k n k
s t Wx s t
11
...
( , , ( , ))
nn
s t Wx s t
11
...
( , , ( , ))
nn
s t Wx s t
1 1 1 1
( , , ( , ))s t Wx s t
1 1 1 1
( ( , ), ( , ) , ( ( , )), ... ( , ), ... )
i i i i i k
repeatSelectCoef Wx s t Wx s t Wx s t Wx s t
1 2 3
...
...., ( , , , , , , , ....)
i
oneMax 0 1 0 0 1 1 0
...
...
...., ({}, { }, { }, { }, { , }, { , , }, { , , , ...}, ....)
i
peakTimes 2 2 2 2 5 2 5 6 2 5 6
i
selectCoef
i
selectCoef
i
selectCoef
i
selectCoef
localMax
localMax
localMax
w
...
Fig. 3: QRE peakWPM
5.1 QRE for WPM
A numerical implementation of a CWT returns a discrete set of coefficients. Let
s1< s2< . . . < snbe the analysis scales and let t1, t2, . . . be the signal sampling
times. Recall that a QRE views its input as a stream of incoming data items. A
data item for WPM is d= (si, tj,|Wx(si, tj)|)D:= (R+)3. We use d.s to refer
to the first component of d, and d.|Wx(s, t)|to refers to its last component. The
input stream wDis defined by the values from the spectrogram organized
in a column-by-column fashion starting from the highest scale:
w= (sn, t1,|Wx(sn, t1)|),...,(s1, t1,|Wx(s1, t1)|)
| {z }
wt1
. . .
. . . (sn, tm,|Wx(sn, tm)|),...,(s1, tm,|Wx(s1, tm)|)
| {z }
wtm
Let sσ, 1 σn, the the scale that equals ¯s. Since the scales si> sσare not
relevant for peak detection (their frequency is too low), they should be discarded
from w. Now, for each scale si,iσ, we would like to find those local maxima
of |Wx(si,·)|that are larger than threshold pi4. We build the QRE peakWPM
bottom-up as follows. In what follows, i= 1, . . . , σ. See Fig. 3.
4pσ= ¯p,pi<σ = 0, since we threshold only the spectrogram values at scale ¯s. After
this initial thresholding, tracing of maxima lines returns the peaks.
11
QRE selectCoefiselects the wavelet coefficient magnitude at scale sifrom
the incoming spectrogram column wt. It must first wait for the entire colum
to arrive in a streaming fashion, so it matches ndata items (recall there are
nitems in a column – see Fig. 3) and returns as cost d.|Wx(si, t)|.
selectCoefi:= (dndn1. . . d1?di.|Wx(si, t)|).
QRE repeatSelectCoefiapplies selectCoefito the latest column wt. To do so,
it splits its input stream in two: it executes selectCoefion the last column,
and ignores all columns that preceded it using (dn). It returns the selected
coefficient |Wx(si, t)|from the last column.
repeatSelectCoefi:= splitright((dn),selectCoefi)
Combinator splitright returns the result of operating on the right-hand
side of the split, i.e. the suffix.
QRE localMaximatches a string of real numbers of length at least 3: r1...rk2rk1rk.
It returns the value of rk1if it is larger than rkand rk2, and is above some
pre-defined threshold pi; otherwise, it returns 0. This will be used to detect
local maxima in the spectrogram in a moving-window fashion. In detail:
localMaxi:= splitright(R?0,LM3) (2)
localMaxisplits the input string in two: the prefix is matched by Rand is
ignored. The suffix is matched by QRE LM3:LM3matches a length-three
string and simply returns 1 if the middle value is a local maximum that is
above pi, and returns zero, otherwise.
QRE oneMaxifeeds outputs of QRE repeatSelectCoefito the QRE localMaxi.
oneMaxi:= repeatSelectCoefilocalMaxi
Thus, oneMaxi“sees” a string of coefficient magnitudes |Wx(si, t1)|,|Wx(si, t2)|, . . .
generated by (streaming) repeatSelectCoefi, and produces a 1 at the times
of local maxima in this string.
QRE peakTimesicollects the times of local maxima at scale siinto one set.
peakTimesi:= oneMaxiunionTimes
It does so by passing the string of 1s and 0s produced by oneMaxito
unionTimes. The latter counts the number of 0s separating the 1s and puts
that in a set Mi. Therefore, after kcolumns wthave been seen, set Mi
contains all local maxima at scale siwhich are above piin those kcolumns.
QRE peakWPM is the final QRE. It combines results obtained from scales
sσdown to s1:
peakWPM := connδ(peakTimesσ, ..., peakTimes1)
Operator connδ5checks if the local maxima times for each scale (produced
by peakTimesi) are within a δof the maxima at the previous scale.
5Operator connδcan be defined recursively as follows: connδ(X, Y ) = {yY:x
X:|xy| ≤ δ}, connδ(Xk, .., X1) = connδ(connδ(Xk, .., X2), X1)
12
Wx(s,t
2)
Wx(s,t
1)
Wx(s,t
3)
Wx(s,t
k+1)
Wx(s,t
k)
Wx(s,t
2)
Wx(s,t
1)
Wx(s,t
3)
Wx(s,t
k)
Wx(s,t
k+1)
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
Wx(s,t
k+1)
Wx(s,t
k1)
1
0
oneMax
1
0
0
1
latestPeak
1
1
BLANKING PERIOD
0
BLANKING PERIOD
Fig. 4: QRE peakWPB
In summary, the complete QRE is given top-down by:
peakWPM := connδ(peakTimesσ, ..., peakTimes1)
peakTimesi:= oneMaxiunionTimes
oneMaxi:= repeatSelectCoefilocalMaxi
localMaxi:= splitright(R?0,LM3)
repeatSelectCoefi:= splitright((dn),selectCoefi)
selectCoefi:= (dn. . . d1?d.|Wx(si, t)|)
5.2 QRE Implementation of WPB
Peak characterization WPB of Section 3.2 is implemented as QRE peakWPB.
See Fig. 4. The input data stream is the same as before.
QRE oneMaxσ(defined as before) produces a string of 1s and 0s, with the
1s indicating local maxima at scale ¯s=sσ.
QRE oneBL matches one blanking duration, starting with the maximum that
initiates it. Namely, it matches a maximum (indicated by a 1), followed by a
blanking period of length BL samples, followed by any-length string without
maxima (indicated by 0): oneBL := (1 ·(0|1)BL ·0)
QRE latestPeak will return a 1 at the time of the latest peak in the input
signal: latestPeak =splitright(oneBL?0,1?1). It does so by matching all
the blanking periods up to this point using oneBLand ignoring them. It
then matches the maximum (indicated by 1) at the end of the signal.
QRE peakWPB feeds the string of 1s and 0s produced by oneMaxσto the
QRE latestPeak:peakWPB =oneMaxσlatestPeak
6 Experimental Results
We show the results of running peak detectors peakWPM and peakWPB on real
patient data, obtained from a dataset of intra-cardiac electrograms. We also
13
Time, ms
500 1000 1500 2000 2500 3000 3500 4000
Signal (V)
0
50
100
150
200
250
(a) ¯p= 400
Time, ms
500 1000 1500 2000 2500 3000 3500 4000
Signal (V)
0
50
100
150
200
250
(b) ¯p= 150
Fig. 5: peakWPM-detected peaks (red circles) and peakWPB-detected peaks (black
circles) on a VT rhythm.
specified a peak detector available in a commercial ICD [22] as QRE peakMDT,
and show the results for comparison purposes. The implmentation uses an early
version of the StreamQRE Java library [20]. Comparing the runtime and memory
consumption of different algorithms (including algorithms programmed in QRE)
in a consistent and reliable manner requires running a compiled version of the
program on a particular hardware platform. No such compiler is available at the
moment, so we don’t report such performance numbers.
The results in this section should not be interpreted as definitively establish-
ing the superiority of one peak detector over another, as this is not this paper’s
objective. Rather, the objective is to highlight the challenges involved in peak
detection for cardiac signals, an essential signal-processing task in many medical
devices. In particular, by highlighting how different detectors perform on differ-
ent signals, it establishes the need for a formal (and empirical) understanding of
their operation on classes of arrhythmias. This prompts the adoption of a formal
description of peak detectors for further joint analysis with discrimination.
Fig. 5 presents one rectified EGM signal of a Ventricular Tachycardia (VT)
recorded from a patient. Circles (indicating detected time of peak) show the
result of running peakWPM (red circles) and peakWPB (black circles). These
results were obtained for ¯s= 80, BL = 150, and different values of ¯p. The first
setting of ¯p(Fig. 5 (a)) for both QREs was chosen to yield the best performance.
This is akin to the way cardiologists set the parameters of commercial ICDs:
they observe the signal, then set the parameters. We refer to this as the nominal
setting. Ground-truth is obtained by having a cardiologist examine the signal
and annotate the true peaks.
We first observe that the peaks detected by peakWPM match the ground-
truth; i.e., the nominal performance of peakWPM yields perfect detection. This
is not the case with peakWPB. Next, one can notice that the time precision of
detected peaks with peakWPM is higher than with peakWPB due to maxima
lines tracing down to the zero scale. Note also that the results of peakWPM are
stable for various parameters settings. Improper thresholds ¯por scales ¯sdegrade
the results only slightly (compare locations of red circles on Fig. 5 (a) with Fig. 5
14
Time, ms
500 1000 1500 2000 2500 3000 3500 4000
Signal (V)
0
200
400
600
Time, ms
500 1000 1500 2000 2500 3000 3500 4000 4500
Signal (V)
0
100
200
300
400
Fig. 6: WPM and peakMDT running on a VF rhythm (left) and peakMDT running on
an NSR rhythm (right).
(b)). By contrast, peakWPB detects additional false peaks (compare black circles
in Figs. 5 (a) and (b)).
Fig. 6 (left) shows WPM (red circles) running on a Ventricular Fibrillation
(VF) rhythm, which is a potentially fatal disorganized rhythm. Again, we note
that WPM finds the peaks.
Detector MDT works almost perfectly with nominal parameters settings on
any Normal Sinus Rhythm (NSR) signal (see Fig. 6 right). NSR is the “normal”
heart rhythm. The detected peak times are slightly early because peakMDT
declares a peak when the signal exceeds a time-varying threshold, rather than
when it reaches its maximum. Using the same nominal parameters on more
disorganized EGM signals with higher variability in amplitude, such as VF,
does not produce proper results; see the black circles in Fig. 6 left.
7 Related Work
Signal Temporal Logic (STL) [17] was designed for the specification of tem-
poral, real-time properties over real-valued signals and has been used in many
applications including the differentiation of medical signals [7,4]. In [6], STL was
augmented with a signal value freeze operator that allows one to express oscilla-
tory patterns, but it is not possible to use it to discriminate oscillations within
a particular frequency range. The spectrogram of a signal can be represented
as a 2D map (from time and scale to amplitude) and one may think to employ
a spatial-temporal logic such as SpaTeL [13] or Signal Spatio-Temporal Logic
(SSTL) [21] on spectrograms. However, both of their underlying spatial mod-
els, graph structures for SSTL and quadtrees for SpaTeL, are not appropriate
for this purpose. Logics for describing frequency and temporal properties have
been proposed, including Time-Frequency Logic (TFL) in [11] and the approach
in [8]. TFL is not sufficiently expressive for peak detection because it lacks the
necessary mechanisms to quantify over variables or to freeze their values. Timed
regular expressions [3,24,25] extend regular expressions by clocks and are ex-
pressively equivalent to timed automata, but cannot express the computations
required for the tasks covered in this paper. Even the recent work proposed in [12]
on measuring signals with timed patterns is not of help in our application, since
15
it does not handle, neither in the specification nor in the measurement, the no-
tion of local minima/maxima that is necessary for peak detection. Furthermore,
the operator of measure is separated by the specification of the pattern to match.
SRV [9] is a stream runtime verification language that requires explicit en-
coding of relations between input and output streams, which is an awkward way
of encoding the complex tasks of this paper. Moreover, unlike Boolean SRVs [5],
QREs allow multiple unrestricted data types in intermediary computations and
a number of their questions are decidable for these arbitrary types.
8 Conclusions and Future Work
The tasks of discrimination and peak detection, fundamental to arrhythmia-
discrimination algorithms, are easily and succinctly expressible in QREs. One
obvious limitation of QREs is that they only allow regular matching, though
this is somewhat mitigated by the ability to chain QREs (though the streaming
combinator ) to achieve more complex tasks. One advantage of programming
in QREs is that it automatically provides us with a base implementation, whose
time and memory complexity is independent of the stream length.
As future work, it will be interesting to compile a QRE into C or assembly
code to measure and compare actual performance on a given hardware platform.
Also, just like an RE has an equivalent machine model (DFA), a QRE has an
equivalent machine model in terms of a deterministic finite-state transducer [1].
This points to an analysis of a QRE’s correctness and efficiency beyond testing.
Two lines of inquiry along these lines are promising in the context of medical
devices.
Probabilistic analysis. Assume a probabilistic model of the QRE’s input
strings. For medical devices, such a model might be learned from data. We may
then perform a statistical analysis of the output of the QRE under such an input
model. In particular, we may estimate how long it takes the ICD to detect a fatal
arrhythmia, or the probability of an incorrect detection by the ICD.
Energy calculations. We may compute the energy consumption of an algo-
rithm that is expressed as a QRE, by viewing consumption as another quantity
computed by the QRE. Alternatively, we may label the transitions of the un-
derlying DFA by “energy terms”, and levarage analysis techniques of weighted
automata to analyze the energy consumption. Energy considerations are crucial
to implanted medical devices that must rely on a battery, and which require
surgery to replace a depleted battery.
Acknowledgments
The authors would like to thank Konstantinos Mamouras for insightful discus-
sions about QREs and for providing the QRE Java library we used in this paper.
This work is supported in part by AFOSR Grant FA9550-14-1-0261 and NSF
Grants IIS-1447549, CNS-1446832, CNS-1445770, and CNS-1445770.
16
References
1. R. Alur, D. Fisman, and Raghothaman. Regular programming for quantitative
properties of data streams. In Proc. of ESOP 2016: the 25th European Symposium
on Programming Languages and Systems, volume 9632 of LNCS, pages 15–40.
Springer, 2016.
2. R. Alur, A. Freilich, and M. Raghothaman. Regular combinators for string trans-
formations. In Proceedings of the Joint Meeting of the Twenty-Third EACSL An-
nual Conference on Computer Science Logic (CSL) and the Twenty-Ninth Annual
ACM/IEEE Symposium on Logic in Computer Science (LICS), CSL-LICS ’14,
pages 9:1–9:10, New York, NY, USA, 2014. ACM.
3. E. Asarin, P. Caspi, and O. Maler. Timed regular expressions. J. ACM, 49(2):172–
206, Mar. 2002.
4. E. Bartocci, L. Bortolussi, and G. Sanguinetti. Data-driven statistical learning of
temporal logic properties. In Proc. of FORMATS 2014, volume 8711 of LNCS,
pages 23–37. Springer, 2014.
5. L. Bozzelli and C. S´anchez. Foundations of boolean stream runtime verification.
In Proc. of RV 2014: the 5th International Conference on Runtime Verification,
volume 8734 of LNCS, pages 64–79, 2014.
6. L. Brim, P. Dluhos, D. Safr´anek, and T. Vejpustek. STL-*: Extending signal
temporal logic with signal-value freezing operator. Inf. Comput., 236:52–67, 2014.
7. S. Bufo, E. Bartocci, G. Sanguinetti, M. Borelli, U. Lucangelo, and L. Bortolussi.
Temporal logic based monitoring of assisted ventilation in intensive care patients.
In Proc. of ISoLA, volume 8803 of Lecture Notes in Computer Science, pages 391–
403. Springer, 2014.
8. A. Chakarov, S. Sankaranarayanan, and G. Fainekos. Combining time and fre-
quency domain specifications for periodic signals. In Runtime Verification: Second
International Conference, San Francisco, CA, USA, pages 294–309, Berlin, Hei-
delberg, 2012. Springer Berlin Heidelberg.
9. B. D’Angelo, S. Sankaranarayanan, C. S´anchez, W. Robinson, B. Finkbeiner, H. B.
Sipma, S. Mehrotra, and Z. Manna. LOLA: Runtime monitoring of synchronous
systems. In Proceedings of the 12th International Symposium of Temporal Repre-
sentation and Reasoning (TIME 2005), pages 166–174. IEEE Computer Society
Press, 2005.
10. S. Demri, R. Lazic, and D. Nowak. On the freeze quantifier in constraint LTL:
Decidability and complexity. Information and Computation, 205(1):2 – 24, 2007.
11. A. Donz´e, O. Maler, E. Bartocci, D. Nickovic, R. Grosu, and S. A. Smolka. On
Temporal Logic and Signal Processing. In Proc. of ATVA 2012, Thiruvanantha-
puram, India, October 3-6, volume 7561 of LNCS, pages 92–106, 2012.
12. T. Ferr`ere, O. Maler, D. Nickovic, and D. Ulus. Measuring with timed patterns.
In Proc. of CAV 2015: the 27th International Conference on Computer Aided Ver-
ification, Part II, volume 9207 of LNCS, pages 322–337. Springer, 2015.
13. I. Haghighi, A. Jones, Z. Kong, E. Bartocci, R. Grosu, and C. Belta. Spatel: A
novel spatial-temporal logic and its applications to networked systems. In Proc.
of HSCC ’15: the 18th International Conference on Hybrid Systems: Computation
and Control, pages 189–198. ACM, 2015.
14. E. Harel, E. Lichtenstein, and A. Pnueli. Explicit clock temporal logic. IEEE, 1990.
15. R. Koymans. Specifying real-time properties with metric temporal logic. Real-Time
Systems, 2(4):255–299, 1990.
17
16. S. N. Krishna, K. Madnani, and P. K. Pandya. Metric Temporal Logic with Count-
ing, pages 335–352. Springer Berlin Heidelberg, Berlin, Heidelberg, 2016.
17. O. Maler and D. Nickovic. Monitoring temporal properties of continuous signals. In
Proc. of FORMATS/FTRTFT 2004, volume 3253 of LNCS, pages 152–166, 2004.
18. S. Mallat and W. L. Hwang. Singularity detection and processing with wavelets.
IEEE Transactions on Information Theory, 38(2):617–643, March 1992.
19. S. G. Mallat. A Wavelet Tour of Signal Processing, Third Edition: The Sparse
Way. Academic Press, 2008.
20. K. Mamouras, M. Raghothaman, R. Alur, Z. Ives, and S. Khanna. StreamQRE:
Modular specification and efficient evaluation of quantitative queries over stream-
ing data. In Proc. 38th ACM SIGPLAN Conf. on Programming Language Design
and Implementation, pages 693–708, 2017.
21. L. Nenzi, L. Bortolussi, V. Ciancia, M. Loreti, and M. Mieke. Qualitative and
quantitative monitoring of spatio-temporal properties. In Proc. of RV 2015: the
6th International Conference on Runtime Verification, volume 9333 of LNCS, pages
21–37. Springer, 2015.
22. R. X. Stroobandt, S. S. Barold, and A. F. Sinnaeve. Implantable Cardioverter -
Defibrillators Step by Step. Wiley, 2009.
23. C. D. Swerdlow, S. J. Asirvatham, K. A. Ellenbogen, and P. A. Friedman. Trou-
bleshooting implanted cardioverter defibrillator sensing problems I. Circulation:
Arrhythmia and Electrophysiology, 7(6):1237–1261, 2014.
24. D. Ulus. Montre: A tool for monitoring timed regular expressions. In Monitoring
and Testing of CPS 2017.
25. D. Ulus, T. Ferr`ere, E. Asarin, and O. Maler. Timed pattern matching. In Proc.
of FORMATS 2014: the 12th International Conference on Formal Modeling and
Analysis of Timed Systems, volume 8711 of Lecture Notes in Computer Science,
pages 222–236. Springer, 2014.
... Apart from that, monitoring tools collecting statistics [1,4,30] become increasingly popular: Snort [55] is a commercial tool for rule-based network monitoring and computing efficient statistics, Beep Beep 3 [33] is a tool based on a query language allowing for powerful aggregation functions and statistical measures. On the downside, these tools impose the overhead of running a heavy-weight application on the monitored system. ...
... Let us begin the example with the word σ 1 = {p} ω . It is not hard to verify that V r (σ 1 , p) [1] = 1 because p always holds in σ 1 , i.e., min n≥0 V r (σ[n, ∞), p)[1] = 1 for n ≥ 0. Using the same argument, we also have V r (σ 1 , p) [ ...
... As another example, consider the word σ 2 = ∅{p} ω . In this case, we have [1] = 0 (p does not hold in the first symbol of σ 2 ). However, V r (σ 1 , p) [2] = 1 because p holds almost always, i.e., max m≥0 min n≥m V r (σ[n, ∞), p) [ [4] = 1 and, therefore, V r (σ 2 , p) = 0111. ...
Article
Runtime monitoring is commonly used to detect the violation of desired properties in safety critical cyber-physical systems by observing its executions. Bauer et al. introduced an influential framework for monitoring Linear Temporal Logic (LTL) properties based on a three-valued semantics for a finite execution: the formula is already satisfied by the given execution, it is already violated, or it is still undetermined, i.e., it can still be satisfied and violated by appropriate extensions of the given execution. However, a wide range of formulas are not monitorable under this approach, meaning that there are executions for which satisfaction and violation will always remain undetermined no matter how it is extended. In particular, Bauer et al. report that 44% of the formulas they consider in their experiments fall into this category. Recently, a robust semantics for LTL was introduced to capture different degrees by which a property can be violated. In this paper we introduce a robust semantics for finite strings and show its potential in monitoring: every formula considered by Bauer et al. is monitorable under our approach. Furthermore, we discuss which properties that come naturally in LTL monitoring - such as the realizability of all truth values - can be transferred to the robust setting. We show that LTL formulas with robust semantics can be monitored by deterministic automata, and provide tight bounds on the size of the constructed automaton. Lastly, we report on a prototype implementation and compare it to the LTL monitor of Bauer et al. on a sample of examples.
... Processing these huge amounts of data efficiently to extract useful information is an extremely challenging task. It is often the case that only specific segments of the time B Dejan Ničković dejan.nickovic@ait.ac.at 1 AIT Austrian Institute of Technology, Vienna, Austria 2 University of Southern California, Los Angeles, US 3 Imagination Technologies, Dacorum, UK series contain interesting and relevant patterns. For instance, an electricity provider may be interested in observing spikes or oscillations in the voltage signals. ...
... Figure 2 shows a specification of an ideal pulse. We characterize a pulse as a sequence of 5 segments: (1) constant segment at some b; (2) linearly decreasing segment with slope a 2 < 0; (3) constant segment at some b 3 ; (4) linearly increasing segment with slope a 4 > 0; and (5) constant segment at b. We observe that the above specification uses parametric shapes, where the parameters are possibly constrained (e.g., a 2 < 0) or shared between shapes (e.g., b), and describes a perfect shape without accounting for noise. ...
... In the context of CPS, timed regular expressions (TRE) [6,7], quantitative regular expressions (QRE) [2][3][4]19], Signal Temporal Logic (STL) [18] and various stream languages [10,11,[15][16][17] have been used as popular formalisms for specifying properties of CPS behaviors. QREs are a powerful formalism that combines quantitative computations over data with regular expression-based matching. ...
Article
Full-text available
Modern cyber-physical systems (CPS) and the Internet of things (IoT) are data factories generating, measuring and recording huge amounts of time series. The useful information in time series is usually present in the form of sequential patterns. We propose shape expressions as a declarative language for specification and extraction of rich temporal patterns from possibly noisy data. Shape expressions are regular expressions with arbitrary (linear, exponential, sinusoidal, etc.) shapes with parameters as atomic predicates and additional constraints on these parameters. We associate with shape expressions novel noisy semantics that combines regular expression matching semantics with statistical regression. We study essential properties of the language and propose an efficient heuristic for approximate matching of shape expressions. We demonstrate the applicability of this technique on two case studies from the health and the avionics domains.
... Apart from that, monitoring tools collecting statistics [1,4,26] become increasingly popular: Snort [48] is a commercial tool for rule-based network monitoring and computing efficient statistics, Beep Beep 3 [29] is a tool based on a query language allowing for powerful aggregation functions and statistical measures. On the downside, it imposes the overhead of running a heavy-weight application on the monitored system. ...
... ("p holds always") σ 2 = ∅{p} ω ("p holds almost always") σ 3 = (∅{p}) ω ("p holds infinitely often") σ 4 = {p}∅ ω ("p holds finitely often") σ 5 = ∅ ω ("p holds never") Let us begin the example with the word σ 1 = {p} ω . It is not hard to verify that V r (σ 1 , p) [1] = 1 because p always holds in σ 1 , i.e., min n≥0 V r (σ[n, ∞), p) [1] = 1 for n ≥ 0. Using the same argument, we also have ...
... ("p holds always") σ 2 = ∅{p} ω ("p holds almost always") σ 3 = (∅{p}) ω ("p holds infinitely often") σ 4 = {p}∅ ω ("p holds finitely often") σ 5 = ∅ ω ("p holds never") Let us begin the example with the word σ 1 = {p} ω . It is not hard to verify that V r (σ 1 , p) [1] = 1 because p always holds in σ 1 , i.e., min n≥0 V r (σ[n, ∞), p) [1] = 1 for n ≥ 0. Using the same argument, we also have ...
Conference Paper
Full-text available
Runtime monitoring is commonly used to detect the violation of desired properties in safety critical cyber-physical systems by observing its executions. Bauer et al. introduced an influential framework for monitoring Linear Temporal Logic (LTL) properties based on a three-valued semantics: the formula is already satisfied by the given prefix, it is already violated, or it is still undetermined, i.e., it can still be satisfied and violated by appropriate extensions. However, a wide range of formulas are not monitorable under this approach, meaning that they have a prefix for which satisfaction and violation will always remain undetermined no matter how it is extended. In particular, Bauer et al. report that 44% of the formulas they consider in their experiments fall into this category. Recently, a robust semantics for LTL was introduced to capture different degrees by which a property can be violated. In this paper we introduce a robust semantics for finite strings and show its potential in monitoring: every formula considered by Bauer et al. is monitorable under our approach. Furthermore, we discuss which properties that come naturally in LTL monitoring - such as the realizability of all truth values - can be transferred to the robust setting. Lastly, we show that LTL formulas with robust semantics can be monitored by deterministic automata and report on a prototype implementation.
... Apart from that, monitoring tools collecting statistics [1,4,26] become increasingly popular: Snort [48] is a commercial tool for rule-based network monitoring and computing efficient statistics, Beep Beep 3 [29] is a tool based on a query language allowing for powerful aggregation functions and statistical measures. On the downside, it imposes the overhead of running a heavy-weight application on the monitored system. ...
... Here, we again rely on the fact that the suffix u ω [n, ∞) is equal to (ρ(u, n mod |u|)) ω . By definition, V r (u ω , ϕ) [1] is equal to ...
... where the two equalities follow as before: the first by induction hypothesis and the second one by the fact that u ω has only finitely many suffixes, which all appear infinitely often in a cyclic order and which are all already realized by some u ω [n, ∞) for 0 ≤ n < |u|. Thus, we have derived the desired equality between V r (u ω , ϕ) [1] and V r (u ω , ϕ) [2]. ⊓ ⊔ ...
Preprint
Full-text available
Runtime verification is commonly used to detect and, if possible, react to the violation of desired properties in safety critical systems. Also common is the use of temporal logics to specify the desired properties. However, if properties are expressed in two-valued logics, such as Linear-time Temporal Logic (LTL), monitoring them often yields insufficient results: when the property is satisfied, there is nothing we need to do; once it is violated, there may be nothing we can do. To overcome this problem, logics such as robust LTL (rLTL) allow for detecting the degree of a violation: in this way, violations may be mitigated. In this paper we solve the rLTL monitoring problem by constructing a deterministic monitoring automaton for each possible degree of violation of the specification. The automaton indicates whether: 1) the property is already satisfied with respect to that degree and thus needs no further attention, 2) is still undetermined, or 3) is already violated. Violation of a property by a small degree can then be used to trigger appropriate safety measures preventing the violation of the same property to a higher degree. As the size of the monitoring automata is doubly-exponential in the size of the rLTL formula, robustly monitoring systems comes without penalty in terms of space or time when compared to classical LTL monitoring.
... For example, let us consider the property pDA: "The signal value shall be less than 3 between 2 tu and 6 tu and between 10 tu and 15 tu", where "tu" is a generic time unit (which has to be set according to the application domain, e.g., seconds). This property is a time-constrained data assertion over the two intervals [2,6] and [10,15]; it can be expressed in SFO as: SFO pDA ∀t ∈ [2, 6] : s(t) < 3 ∧ ∀t ∈ [10,15] : s(t) < 3 Figure 2 shows two signals, s 1 plotted with a thick line ( ), and s 2 plotted with a thin line ( ); the threshold on the signal value specified by the property is represented with a dashed horizontal line. Property pDA does not hold for s 2 as its value is above the threshold of 3 in the intervals [2,6] and [10,15]; however, it holds for s 1 because its value is below the threshold in both intervals. ...
... This property is a time-constrained data assertion over the two intervals [2,6] and [10,15]; it can be expressed in SFO as: SFO pDA ∀t ∈ [2, 6] : s(t) < 3 ∧ ∀t ∈ [10,15] : s(t) < 3 Figure 2 shows two signals, s 1 plotted with a thick line ( ), and s 2 plotted with a thin line ( ); the threshold on the signal value specified by the property is represented with a dashed horizontal line. Property pDA does not hold for s 2 as its value is above the threshold of 3 in the intervals [2,6] and [10,15]; however, it holds for s 1 because its value is below the threshold in both intervals. ...
Preprint
Full-text available
The behavior of a cyber-physical system (CPS) is usually defined in terms of the input and output signals processed by sensors and actuators. Requirements specifications of CPSs are typically expressed using signal-based temporal properties. Expressing such requirements is challenging, because of (1) the many features that can be used to characterize a signal behavior; (2) the broad variation in expressiveness of the specification languages (i.e., temporal logics) used for defining signal-based temporal properties. Thus, system and software engineers need effective guidance on selecting appropriate signal behavior types and an adequate specification language, based on the type of requirements they have to define. In this paper, we present a taxonomy of the various types of signal-based properties and provide, for each type, a comprehensive and detailed description as well as a formalization in a temporal logic. Furthermore, we review the expressiveness of state-of-the-art signal-based temporal logics in terms of the property types identified in the taxonomy. Moreover, we report on the application of our taxonomy to classify the requirements specifications of an industrial case study in the aerospace domain, in order to assess the feasibility of using the property types included in our taxonomy and the completeness of the latter.
... Quantitative Regular Expressions (QREs) [13,16], is yet another modeling and programming abstraction for specifying complex numerical queries over data streams. These have been used for analyzing complex behaviors such as arrhythmia in cardiac signals [4]. Finally, differential dynamic logic [120] is a logic for specifying and verifying correctness of hybrid systems. ...
Chapter
Full-text available
Modern cyber-physical systems (CPS) are often developed in a model-based development (MBD) paradigm. The MBD paradigm involves the construction of different kinds of models: (1) a plant model that encapsulates the physical components of the system (e.g., mechanical, electrical, chemical components) using representations based on differential and algebraic equations, (2) a controller model that encapsulates the embedded software components of the system, and (3) an environment model that encapsulates physical assumptions on the external environment of the CPS application. In order to reason about the correctness of CPS applications, we typically pose the following question: For all possible environment scenarios, does the closed-loop system consisting of the plant and the controller exhibit the desired behavior? Typically, the desired behavior is expressed in terms of properties that specify unsafe behaviors of the closed-loop system. Often, such behaviors are expressed using variants of real-time temporal logics. In this chapter, we will examine formal methods based on bounded-time reachability analysis, simulation-guided reachability analysis, deductive techniques based on safety invariants, and formal, requirement-driven testing techniques. We will review key results in the literature, and discuss the scalability and applicability of such systems to various academic and industrial contexts. We conclude this chapter by discussing the challenge to formal verification and testing techniques posed by newer CPS applications that use AI-based software components.
Article
Context Head and neck cancers are diagnosed at an annual rate of 3% to 7% with respect to the total number of cancers, and 50% to 75% of such new tumours occur in the upper aerodigestive tract. Purpose In this paper we propose formal methods based approach aimed to identify the head and neck tumour treatment stage by means of model checking. We exploit a set of radiomic features to model medical imaging as a labelled transition system to verify treatment stage properties. Main findings We experiment the proposed method using a public dataset related to computed tomography images obtained in different treatment stages, reaching an accuracy ranging from 0.924 to 0.978 in treatment stage detection. Principal conclusions The study confirms the effectiveness of the adoption of formal methods in the head and neck carcinoma treatment stage detection to support radiologists and pathologists.
Article
The behavior of a cyber-physical system (CPS) is usually defined in terms of the input and output signals processed by sensors and actuators. Requirements specifications of CPSs are typically expressed using signal-based temporal properties. Expressing such requirements is challenging, because of (1) the many features that can be used to characterize a signal behavior; (2) the broad variation in expressiveness of the specification languages (i.e., temporal logics) used for defining signal-based temporal properties. Thus, system and software engineers need effective guidance on selecting appropriate signal behavior types and an adequate specification language, based on the type of requirements they have to define. In this paper, we present a taxonomy of the various types of signal-based properties and provide, for each type, a comprehensive and detailed description as well as a formalization in a temporal logic. Furthermore, we review the expressiveness of state-of-the-art signal-based temporal logics in terms of the property types identified in the taxonomy. Moreover, we report on the application of our taxonomy to classify the requirements specifications of an industrial case study in the aerospace domain, in order to assess the feasibility of using the property types included in our taxonomy and the completeness of the latter.
Chapter
For two families of time-series constraints with the aggregator and features and , we provide parameterised sharp lower and upper bounds on the sum of the time-series variables wrt these families of constraints. This is important in many applications, as this sum represents the cost, for example the energy used, or the manpower effort expended. We use these bounds not only to gain a priori knowledge of the overall cost of a problem, we can also use them on increasing prefixes and suffixes of the variables to avoid infeasible partial assignments under a given cost budget. Experiments show that the bounds drastically reduce the effort to find cost limited solutions.
Chapter
Cyber-physical systems (CPS) and the Internet-of-Things (IoT) result in a tremendous amount of generated, measured and recorded time-series data. Extracting temporal segments that encode patterns with useful information out of these huge amounts of data is an extremely difficult problem. We propose shape expressions as a declarative formalism for specifying, querying and extracting sophisticated temporal patterns from possibly noisy data. Shape expressions are regular expressions with arbitrary (linear, exponential, sinusoidal, etc.) shapes with parameters as atomic predicates and additional constraints on these parameters. We equip shape expressions with a novel noisy semantics that combines regular expression matching semantics with statistical regression. We characterize essential properties of the formalism and propose an efficient approximate shape expression matching procedure. We demonstrate the wide applicability of this technique on two case studies.
Article
Full-text available
We present Signal Spatio-Temporal Logic (SSTL), a modal logic that can be used to specify spatio-temporal properties in linear time and for a discrete space. The logic is equipped with a Boolean and a quantitative semantics, and with accompanying monitoring algorithms. As such, it is suitable for real-time verification of both white box and black box complex systems. It can also be integrated into stochastic model checking routines. The logic combines the until temporal modality with two spatial modality, one expressing that something is true somewhere nearby and the other capturing the notion of being surrounded by a region with a given property. The monitoring algorithms are implemented in an open source Java tool. In the paper we present the logic at work to analyse the formation of patterns in a Turing reaction-diffusion system.
Article
Full-text available
We present Montre, a monitoring tool to search patterns specified by timed regular expressions in symbolic behaviors of real-time systems. We use timed regular expressions as a compact, natural and highly-expressive specification language for monitoring applications involving timing constraints. Our tool essentially incorporates online and offline timed pattern matching algorithms so it is capable of finding all occurrences of a given pattern over both logged and streaming behaviors. Executed standalone Montre provides a user experience similar to command line utilities such as grep and friends. Besides it is designed to work nicely with other tools via standard interfaces to perform more complex and versatile verification and validation tasks. As the first of its kind, we think Montre will enable a new line of inquiries and techniques to analyze real-time behaviors.
Article
Real-time decision making in emerging IoT applications typically relies on computing quantitative summaries of large data streams in an efficient and incremental manner. To simplify the task of programming the desired logic, we propose StreamQRE, which provides natural and high-level constructs for processing streaming data. Our language has a novel integration of linguistic constructs from two distinct programming paradigms: streaming extensions of relational query languages and quantitative extensions of regular expressions. The former allows the programmer to employ relational constructs to partition the input data by keys and to integrate data streams from different sources, while the latter can be used to exploit the logical hierarchy in the input stream for modular specifications. We first present the core language with a small set of combinators, formal semantics, and a decidable type system. We then show how to express a number of common patterns with illustrative examples. Our compilation algorithm translates the high-level query into a streaming algorithm with precise complexity bounds on per-item processing time and total memory footprint. We also show how to integrate approximation algorithms into our framework. We report on an implementation in Java, and evaluate it with respect to existing high-performance engines for processing streaming data. Our experimental evaluation shows that (1) StreamQRE allows more natural and succinct specification of queries compared to existing frameworks, (2) the throughput of our implementation is higher than comparable systems (for example, two-to-four times greater than RxJava), and (3) the approximation algorithms supported by our implementation can lead to substantial memory savings.
Conference Paper
We present Montre, a monitoring tool to search patterns specified by timed regular expressions over real-time behaviors. We use timed regular expressions as a compact, natural, and highly-expressive pattern specification language for monitoring applications involving quantitative timing constraints. Our tool essentially incorporates online and offline timed pattern matching algorithms so it is capable of finding all occurrences of a given pattern over both logged and streaming behaviors. Furthermore, Montre is designed to work with other tools via standard interfaces to perform more complex and versatile tasks for analyzing and reasoning about cyber-physical systems. As the first of its kind, we believe Montre will enable a new line of inquiries and techniques in these fields.
Conference Paper
Real-time decision making in emerging IoT applications typically relies on computing quantitative summaries of large data streams in an efficient and incremental manner. To simplify the task of programming the desired logic, we propose StreamQRE, which provides natural and high-level constructs for processing streaming data. Our language has a novel integration of linguistic constructs from two distinct programming paradigms: streaming extensions of relational query languages and quantitative extensions of regular expressions. The former allows the programmer to employ relational constructs to partition the input data by keys and to integrate data streams from different sources, while the latter can be used to exploit the logical hierarchy in the input stream for modular specifications. We first present the core language with a small set of combinators, formal semantics, and a decidable type system. We then show how to express a number of common patterns with illustrative examples. Our compilation algorithm translates the high-level query into a streaming algorithm with precise complexity bounds on per-item processing time and total memory footprint. We also show how to integrate approximation algorithms into our framework. We report on an implementation in Java, and evaluate it with respect to existing high-performance engines for processing streaming data. Our experimental evaluation shows that (1) StreamQRE allows more natural and succinct specification of queries compared to existing frameworks, (2) the throughput of our implementation is higher than comparable systems (for example, two-to-four times greater than RxJava), and (3) the approximation algorithms supported by our implementation can lead to substantial memory savings.
Conference Paper
Ability to count number of occurrences of events within a specified time interval is very useful in specification of resource bounded real time computation.
Conference Paper
We propose quantitative regular expressions (QREs) as a high-level programming abstraction for specifying complex numerical queries over data streams in a modular way. Our language allows the arbitrary nesting of orthogonal sets of combinators: (a) generalized versions of choice, concatenation, and Kleene-iteration from regular expressions, (b) streaming (serial) composition, and (c) numerical operators such as min, max, sum, difference, and averaging. Instead of requiring the programmer to figure out the low-level details of what state needs to be maintained and how to update it while processing each data item, the regular constructs facilitate a global view of the entire data stream splitting it into different cases and multiple chunks. The key technical challenge in defining our language is the design of typing rules that can be enforced efficiently and which strike a balance between expressiveness and theoretical guarantees for well-typed programs. We describe how to compile each QRE into an efficient streaming algorithm. The time and space complexity is dependent on the complexity of the data structure for representing terms over the basic numerical operators. In particular, we show that when the set of numerical operations is sum, difference, minimum, maximum, and average, the compiled algorithm uses constant space and processes each symbol in the data stream in constant time outputting the cost of the stream processed so far. Finally, we prove that the expressiveness of QREs coincides with the streaming composition of regular functions, that is, MSO-definable string-to-term transformations, leading to a potentially robust foundation for understanding their expressiveness and the complexity of analysis problems.
Article
Stream runtime verification (SRV), pioneered by the tool LOLA, is a declarative formalism to specify synchronous monitors. In SRV, monitors are described by specifying dependencies between output streams of values and input streams of values. The declarative nature of SRV enables a separation between the evaluation algorithms, and the monitor storage and its individual updates. This separation allows SRV to be lifted from conventional failure monitors into richer domains to collect statistics of traces. Moreover, SRV allows to easily identify specifications that can be efficiently monitored online, and to generate efficient schedules for offline monitors. In spite of these attractive features, many important theoretical problems about SRV are still open. In this paper, we address complexity, expressiveness, succinctness, and closure issues for the subclass of Boolean SRV (BSRV) specifications. Additionally, we show that for this subclass, offline monitoring can be performed with only two passes (one forward and one backward) over the input trace in spite of the alternation of past and future references in the BSRV specification.
Chapter
We address the specification and verification of spatio-temporal behaviours of complex systems, extending Signal Spatio-Temporal Logic (SSTL) with a spatial operator capable of specifying topological properties in a discrete space. The latter is modelled as a weighted graph, and provided with a boolean and a quantitative semantics. Furthermore, we define efficient monitoring algorithms for both the boolean and the quantitative semantics. These are implemented in a Java tool available online. We illustrate the expressiveness of SSTL and the effectiveness of the monitoring procedures on the formation of patterns in a Turing reaction-diffusion system.