A spatio-temporal specification language and its completeness & decidability

In the past few years, significant progress has been made on spatio-temporal cyber-physical systems in achieving spatio-temporal properties on several long-standing tasks. With the broader specification of spatio-temporal properties in various applications, concerns over their spatio-temporal logics have been raised in public, especially after widely reported safety-critical systems involving self-driving cars, intelligent transportation systems and image processing. In this paper, we present a spatio-temporal specification language, STSL PC, by combining Signal Temporal Logic (STL) with a spatial logic S4 u, to characterize spatio-temporal dynamic behaviors of cyber-physical systems. This language is highly expressive: it allows the description of quantitative signals, by expressing spatio-temporal traces over real-valued signals in dense time, and Boolean signals, by constraining values of spatial objects across threshold predicates. STSL PC combines the power of temporal modalities and spatial operators, and enjoys important properties such as the finite model property. We provide a Hilbert-style axiomatization for the proposed STSL PC and prove its soundness and completeness by the spatio-temporal extension of maximal consistent sets and the canonical model. Further, we demonstrate the decidability of STSL PC and analyze its complexity. Besides, we generalize STSL to the evolution of spatial objects over time, called STSL OC, and provide the proof of its axiomatization system and decidability.


Introduction
Modeling cyber-physical systems is challenging, not only because cyber-physical systems integrate cyber systems, the physical environment and the interaction between them, but also because they combine temporal and spatial aspects, discrete and continuous behaviors, and nondeterministic models [1]. Describing spatio-temporal aspects is one of the important areas in cyber-physical systems. Many works have addressed concurrent [2], hybrid [3][4][5] and stochastic [6,7] behaviors of motion-based spatially distributed systems [8], but fewer researchers concentrate on spatio-temporal aspects. The major problem is multidimensional expressiveness and expensive verifiability for modeling and analysis of the spatio-temporal behaviors of cyber-physical systems. This work aims at building a spatio-temporal specification language by solving spatio-temporal constraints concerning dense time and real-valued variables, because an intelligent object in a physical environment undergoes changes in a specified space and in continuous time. More specifically, we confine ourselves to the combination of topometric space [9] and time constraints with a real-valued interval, which is a half-open and half-closed interval in a time flow of a strict partial ordering of time points. We adopt the modal spatial logic S4 u to express topometric constraints, as it is one of the most influential and most expressive forms for topometric relations. For signal temporal logic (STL) [10,11], there are two interpretations for signals, quantitative semantics and Boolean semantics. Quantitative semantics obtains real-valued signals from the satisfaction degree of a trace over a real-valued interval, while Boolean semantics evaluates Boolean signals from a trace which can be booleanized through a set of threshold predicates.
Because the changes of spatial entities and the flows of time are not independent, the combination between modal spatial and temporal logic is divided into two forms: STSL PC and STSL OC . STSL PC means the changes of spatial propositions over time, while STSL OC represents the changes or evolution of spatial objects over time. Each form is equipped with different expressiveness, so Boolean semantics and quantitative semantics for the two forms need to be provided respectively. Combining spatio-temporal constraints from temporal logic and modal spatial logic is a very important problem. Given a topometric temporal model M and an STSL PC formula ϕ, the satisfiability problem of the formula ϕ is to check whether ϕ is satisfiable against model M or not. We present the semantics for the proposed language according to the satisfaction relations.
Many works have been done on the axiomatization and completeness of combined logics. The completeness of normal modal logic is presented through maximal consistent sets and the canonical model [12]. J.M. Davoren [13] proposes topological semantics for intuitionistic tense logics and multi-modal logic and provides the Hilbert-style axiomatization and the completeness result. F.D. David [14] proves the absolute completeness of S4 u for its measure-theoretic semantics. Based on our previous work [15], in this paper, we present an axiomatization system for STSL PC and prove the soundness and completeness result of the axiomatization system based on maximal consistent sets and the canonical model. Further, the notion of the finite model property provides a basis for the decidability of logics. Filtration, which is similar to bisimulation quotients with respect to equivalences generated by sets of formulae [16], can serve as an approach to achieve the finite model property. By way of the finite frame property, decidability can be proved by applying subframe transformations and a variant of the filtration technique [17]. The decidability of STSL PC is proved according to the finite model property. For the decidable fragment, we present the complexity of the satisfiability problem and the decision procedure.
Compared with our work, another approach to reasoning about cyber-physical systems, DTL [18], defines the trace to unify discrete jumps and continuous evolution. Control operations in discrete jumps can control the continuous evolution along differential equations, which are interpreted in hybrid traces and verified through differential invariants. Our proposed STSL PC is interpreted on the sampling trace of state-based cyber-physical systems, where the formulas are verified through monitoring a partial trace, instead of classical model checking, which needs to cover all the behaviors of the systems. Further, a time scale is defined as an arbitrary nonempty closed subset of the real numbers [19]. Continuity is defined according to the density of the time scale. Differential equations employ the notions of differentiation and density of a time scale by the delta derivative of a function at time t, while STSL PC applies the time interval to express a duration. When STSL involves dense time, we can use the notion of "time scale", but we never mention the notion of "differentiation". This paper is an expanded version of the SEKE 2019 conference paper [15], and includes all the notions required for the construction for proving the decidability. We reorganize the work to make the idea clearer for readers. Also, we provide the incompleteness and undecidability result of STSL OC and prove the result.
In this work, there are three contributions:
1. We propose a spatio-temporal specification language STSL PC, based on STL and S4 u, to specify the changes in topometric space and dense time. We present STSL PC and provide its syntax, Boolean semantics and quantitative semantics.
2. We present an axiomatization system and prove the completeness and decidability for the proposed STSL PC.
3. We extend the expressiveness of STSL PC, called STSL OC, to the changes or evolution of spatial objects over time, and prove the incompleteness and undecidability.
The next section introduces temporal logic STL and modal spatial logic S4 u . "Spatio-temporal specification language" section presents the spatio-temporal specification language STSL PC , and completeness of axiomatization system and decidability of STSL PC is proved in "Completeness and decidability of STSL PC " section. In "STSL OC " section, we present STSL OC through extending the expressiveness of STSL PC , and the completeness and complexity are provided. "Case study" section presents a case study about train collision avoidance system. "Related work" section compares the related works. We conclude the work and talk about the future work in "Conclusion and future work" section.

Preliminary
The section provides the background to the proposed spatio-temporal logic, including signal temporal logic (STL) and spatial logic S4 u .

Spatial logic: S4 u
S4 [20] is a propositional modal logic and τ is a spatial term under the interpretation of topological space. In the absence of ambiguity, the term "spatial term" denotes a spatial object. According to the observation by [21], S4 is a logic of topological spaces, and the propositional variable is interpreted as an element of a subset of the topological space. From the perspective of the topometric space [9], propositional variables of S4 will be understood as spatial variables [22]. In this paper, we restrict the formulas of S4 to topometric space. The syntax of S4 can be defined on the topometric space as follows: where p is a spatial variable on topometric space and τ is the complementary of τ , τ 1 τ 2 the intersection operation of τ 1 and τ 2 . I is an interior operator under the topometric space interpretation. The union and closure operator can be defined by: C τ refers to the closure of a spatial object τ . The 1-dimensional interpretation is shown in Fig. 1.
is a metric space, where M is a nonempty set denoting the universe of the space, and d is the metric operator on the elements of M, i.e., a function d : M × M → R such that for any spatial objects x, y, z ∈ M, the equations fol- . is a metric model and I d is the interior operator induced by (M, d). Therefore, we get the valuation of other spatial formulas as follows: The interpretation of region-based spatial entities and the relations between them in 2-dimensional space can be seen in Fig. 1. In the figure, a spatial entity τ is presented and the spatial complementary, interior and closure operators are defined on τ , where the spatial term U means the universal set. Meanwhile, the spatial union and intersection on spatial terms τ 1 and τ 2 are presented.
A spatial logic is a formal language interpreted over a class of structures featuring geometrical entities and relations. Among the well-known spatial logics such as RCC-8 [23,24], BRCC-8 and S4 u , the most expressive spatial form is S4 u [25]. S4 u extends S4 with the universal and existential quantifiers ∀ , ♦ ∃ based on a spatial term τ . ♦ ∃ τ states that there is at least one element in space τ , and ∀ τ means that all elements in the space belong to τ . The formula ϕ is defined in the form of BNF: where ¬ϕ is the negation of ϕ and ϕ 1 ∧ϕ 2 the conjunction of ϕ 1 and ϕ 2 .
Correspondingly, the disjunction and existential operators and the spatial subset can be derived by: The axiomatization system for S4 u includes the classical propositional logic in topology L, the modal logic S4 and extended universal operator ∀ and inference rules.
and the inference rules The soundness and completeness of S4 u is given in [26]. It is worth noting that the current axiomatization is considerably different from the version in [26]. For one thing, the current logic S4 u can be used to interpret spatial logic, while Shehtman's work only employs it in modal logic. The interpretation in the spatial domain gives S4 u more meanings. For another, we want to use the soundness and completeness result of the axiomatization as a basis for considering the quantitative axioms and temporal axioms.

Signal temporal logic
LTL is proposed by Pnueli [27] to specify sequential and parallel programs. The logic is built on a finite set P of propositional letters. The Boolean connectives and temporal operators are defined based on the propositional letters. When the domain of time is extended from discrete time to dense time, the logic metric interval temporal logic (MITL) [28] emerges, while STL extends the signals of MITL [29] from Boolean values to real values. An STL signal [10,30] is defined on a dense-time domain T, which depends on the sampling times and frequency within an interval. A signal function ε : T → E associates a set of time domain with a set of signals. Signals with E = B = {0, 1} are called Boolean signals, while those with E = R + are called real-valued or quantitative signals. A Boolean signal, transformed from a real-valued one through a set of predicates, can be represented by MITL [31].
An execution trace w is a set of real-valued signals x w 1 , ..., x w k bound in some interval I of R + , which is called the time domain of w [11]. We constrain such an interval I ⊆ R + to be half-closed and half-open [ t 1 , t 2 ). The syntax of STL is given by where ap ∈ AP is an atomic predicate and AP a finite set of atomic predicates {x i c| ∈ {<, ≤, ≥, >}} whose truth value is determined by the sign of an evaluation based on the signal x i . Let y i = x i − c, an atomic predicate with the format x i ≥ c can be translated as y i ≥ 0. The Boolean operators ¬ and ∧ are negation and conjunction, respectively. The temporal bounded until operator U I is defined on the time interval I. The bounded temporal operators I and ♦ I , and binary disjunction ∨ can be derived as follows: Formula ♦ I ϕ indicates that ϕ is eventually satisfiable within the time interval I, while I ϕ denotes that ϕ is always satisfiable. The fundamental composition of the axiomatization system for LTL contains all the tautologies like atomic proposition, Boolean operators in first-order logic. Temporal expressiveness and inference rules are shown as follows: A0 All classical tautologies of first-order logic A1 and the inference rules: Gabbay et al. [32] present the completeness of the deductive systems of LTL. Also, Lichtenstein and Pnueli [33] prove the complete system of LTL from three parts: the general part, domain part and program part. The temporal operator next expresses dynamic behaviors in discrete time, so it is unsuitable for expressing dense time. So the axioms A2-A6 and the inference rule N will be ignored for the axiomatization of STL.

Spatio-temporal specification language
STL provides an approach that combines the truth value and quantitative value of general signals. But it is inadequate to represent the changes of a spatial entity and the binary relation between spatial entities and temporal aspects. We propose the spatio-temporal specification language that combines STL and S4 u to describe the evolution in spatial and temporal domain.

Spatio-temporal signals
A spatio-temporal signal is defined with continuous time and topometric space [29,34]. A real-valued interval [ 0, t) is defined in the dense time domain T, where t ∈ R ≥0 . Because the time domain inherits STL, it will keep consistency with the interval in STL. The signal function is extended to the spatio-temporal domain with ε : T × L → E, where L denotes the topometric space. Firstly, an elementary signal evaluates a spatial entity or the connections between spatial entities. That is, the elementary signal is quantitative signals Secondly, a Boolean signal can be transformed from a quantitative signal by the threshold predicate x i ≥ 0. The signals stem from topometric space, therefore, the Boolean and quantitative signals are extended from the domain of STL signals to topometric space. An atomic spatial entity enjoys two meanings: point-based interpretation, point set-based interpretation and region-based interpretation. The points interpret discrete location coordinates. It is consistent with your comment. But, the point set-based interpretation and region-based interpretation denote the discrete and continuous space respectively. When the changes of spatial entities are involved, we are talking about motion. The motion of spatial entities can be in discrete or dense time. We define a spatio-temporal trace w as the changes of spatial objects over time. Formally, a spatio-temporal trace assigns T × L to a multi-dimensional signal R n , where n refers to the number of variables.
A spatio-temporal trace provides a notation about execution sequence of temporal and spatial domain.
where B refers to the domain of Boolean signals and R ≥0 quantitative signals. For a spatio-temporal trace w, there are two different interpretations:
• A trace represents a sequence of spatial objects and time point and each point in the trace evaluates a pair of spatial objects and time.
• Another interpretation means that a spatio-temporal trace takes spatial objects as the basic entities and spatio-temporal primitive relations could be obtained by the changes of ontology of space over time.
In this work, we treat the spatio-temporal trace as the second interpretation. The changes of spatial objects are influenced by the flow of time.

The interpretation of the combined logic
It is essential that a combined spatio-temporal form should be provided with enough expressiveness to contain the three parameters [22]:
1. the expressiveness of the spatial component;
2. the expressiveness of the temporal component;
3. the interaction between the two components allowed in the combined logic.
Following the principle of PC [22], which states that the language should be able to express changes over time of the truth-values of purely spatial propositions, we interpret an STSL PC formula on the topometric temporal model, which is defined on a topometric space and a temporal interval structure in strict partial ordering with a set of sampling time points. The model can be treated as a set of sampled traces monitored from state-based cyber-physical systems, rather than differential equations [18]. Firstly, the scene snapshot of a system is abstracted to be a topometric model. As the system executes, the system is sampled as a sequence of traces at dense time. in which M is a nonempty set, the universe of the space, and I d is the interior operator on M induced by the metric space (M, d), which satisfies the standard Kuratowski axioms [35]: • V is a valuation on the time domain T and the spatial term set L, i.e., ∀τ ∈ L, and t ∈ T. Formally, V(τ , t) = {μ i | ∀i ∈ N, x i ≥ 0} means the space occupied by a spatial term τ at time point t. As for the spatial term τ , the valuation can be defined as: The ontology of space includes the static spatial entities and dynamic spatial entities. We describe the ontology of static spatial entities with S4 u atomic spatial terms and spatial operators like complementary, intersection and union, interior and closure. And the spatial until operator is employed to represent the dynamic spatial ontology. However, the changes of the ontology of space mean that the evolution of spatial entities can be changed by an external event or the arrival of a time slice. The changes of spatial terms in the topometric model over time are shown in Fig. 2. A topometric temporal model is an abstraction of a cyber-physical system, while a spatio-temporal trace is an execution of the topometric temporal model.
Generally, classical model checking provides an approach to verify whether a topometric temporal model, i.e., all the traces, satisfies spatio-temporal properties. However, state space explosion makes it difficult for model checking to verify the reliability and security of real cyber-physical systems. Monitoring verifies whether the spatio-temporal signals on one execution of the system satisfy the specified spatio-temporal properties. In particular, online monitoring can provide the verification results to help analyze the potential hazards, which can avoid unnecessary loss.
Example 3.1. One point represents a spatial entity and an edge between two points means the connection between spatial entities. The weight on the edge denotes the metric between spatial entities. At any time instant, the points, edges and weights on the edges constitute an undirected weighted graph, which denotes the topological metric model. As time goes, the topometric model leads to the topometric temporal model. In this figure, a spatial term τ is characterized as a 2-dimensional space and the spatial terms change over time in the model M. Firstly, a cyber-physical system involves discrete and continuous time. The cyber system describes the execution of an actual system, and the signal is sampled in discrete time. The physical system generally expresses the continuous changes of a spatial entity. A topometric temporal model is an abstraction of a cyber-physical system.

Fig. 3 The changes of region-based spatial terms over time in topometric model
A spatio-temporal trace is sampled from the topometric temporal model, and the trace is an execution of a cyber-physical system. Further, when the trace describes spatial relations among spatial entities and is sampled in dense time, it can be monitored by STSL formulas. Concurrency can be interpreted in the topometric model. Mainly, we interpret the region by borrowing the notion from Milner's Bigraph [36], which presents the agent and the communication between different agents. We treat a spatial entity as an agent. Meanwhile, we define the concurrency of the topometric model as the concurrency between spatial entities. We present the topometric model in region-based and point-based interpretation. So, we will illustrate the model from two perspectives.
Firstly, the point-based topometric model can consider a list of regions. For instance, S4 u terms can specify the property that the region made by spatial entities a 6 , a 7 and a 8 exists in the region occupied by the union of the spatial entities a 5 , a 6 , a 7 , a 8 and a 9 as: Another property can be that the spatial entity a 5 belongs to the intersection of the region that is made up of spatial entities a 1 , a 2 , a 3 , a 5 and a 6 , and the region that is made up of spatial entities a 5 , a 6 , a 7 , a 8 and a 9 . The property can be specified with S4 u as: From the perspective of agents, the spatial entities are hierarchical, which leads to a tree-like structure. The tree-like structure is a place graph in Bigraph. Here, we do not define the interfaces or names between spatial entities for communication. Instead, we define the metric between the spatial entities. If we ignore the interfaces or names, the graph in Fig. 4 can be treated as a link graph. The place graph and link graph from the topometric model compose the Bigraph. So, the topometric model is able to express concurrency.
Secondly, region-based topometric model is relatively concise with spatial complementary, intersection, union, interior, closure and until operators. So it is easier to be interpreted. Figure 5 shows the spatial relations between the spatial entities green, red and blue.
Based on the notation of Bigraph with sharing [37], the overlapping part between two spatial entities can be treated as the sharing part. The hierarchical relations between region-based topometric model are more clear. For instance, we can say that the spatial entity blue and
The spatio-temporal signals are divided into Boolean and quantitative signals. According to the category of spatio-temporal signals, we will present syntax and semantics for the proposed spatio-temporal specification language from two sides:
• The Boolean semantics returns true or false depending on whether the trace of topometric temporal model satisfies the properties or not.
• The quantitative semantics returns a real value in different time that can be interpreted as an evaluation of satisfaction.
The Boolean semantics of the spatio-temporal specification language interprets that an STSL PC formula over spatio-temporal traces returns true or false, so it is able to express purely spatial propositions' changes with the truth-values. Meanwhile, the U I and I operators of the quantitative semantics of STSL PC are able to express satisfaction degree of spatial entities over some fixed finite periods and the whole duration of time, respectively.

The syntax of STSL PC
As usual, we define the real-valued interval in the temporal domain. Formally, we confine the temporal interval I to be left-closed right-open [ t, t′ ), ∀t, t′ ∈ T and t < t′ . STSL PC fuses the temporal logic STL and the modal spatial logic S4 u so that the language can express the changes of purely spatial propositions over time. Specifically, the language is defined on spatial terms τ and the spatial operators complementary, intersection, union, interior and closure, atomic predicates, Boolean connectives and the temporal operators globally, finally and until over the temporal interval I. There are two kinds of atomic predicates: the binary subset operator of two spatial terms τ 1 τ 2 and the threshold predicates on a signal x i ≥ 0. The spatial subset relation describes the relations between region-based spatial entities. Specifically, the binary subset can be derived by the unary spatial operator universal with the form ∀ τ = τ , where denotes the spatial universal set. The quantitative signals evaluate the spatial entities. The Boolean signals can be obtained from the quantitative signals by the threshold predicates. The atomic predicate τ 1 τ 2 means that the elements in the spatial term τ 1 must belong to τ 2 . And x i ≥ 0 is a threshold predicate, which transforms general real-valued signals to Boolean values. The syntax of STSL PC is given by:
• I is the interior operator under the topometric space interpretation. Moreover, the dual operator of I is the closure operator C, which means possible or consistent,
• τ 1 τ 2 implies the spatial subset relations, which means that for all points p, p ∈ τ 1 implies p ∈ τ 2 ,
• x i ≥ 0 is an atomic predicate,
• ¬, ∨ and ∧ are the Boolean operators,
• U I is the until operator.
We can define equivalence of operators as syntactic abbreviations: Atomic predicates, Boolean operators, and the temporal bounded until operator U I are from STL.
The new spatial operators are the interior operator I and the closure operator C with reference to S4 u . The ♦ I and I operators are derived unary operators. I ϕ denotes that ϕ holds within the whole interval I, and ♦ I ϕ means that ϕ holds in at least one time point of the interval I.

Example 3.3.
In the mobile blocking mode, the protection point is located behind the forward train to protect the position uncertainty and the back boundary. The protection point is the zero speed limit point, which is a limit that is absolutely not allowed to be crossed by the signal system control. The core of the train's automatic protection is the safe braking model of the train. It describes how to calculate the emergency braking curve and the normal braking curve of the train in Fig. 6. The emergency braking curve considers the emergency braking deceleration of the train protection, the current protection point calculated by the trackside ATP, the most restrictive speed curve and the slope section of the line. The normal braking curve takes into account the ATP response delay time and the cutoff traction after emergency braking. The ATP on-board computer unit dynamically calculates and continuously monitors the normal braking curve. The safe braking model ensures that the train will not exceed the most restricted speed and the train will stop in front of the protection point. Formally, the location of the end of mobility authority is marked with EoA, and that of the end of protection is marked with EoP. The distance from the location of the following train to EoA is denoted by τ ma . The distance from the location of the beginning of the following train to EoP is denoted by τ p . Also, the braking distances in normal and emergent braking mode are represented as τ nb and τ eb . A spatio-temporal property can be expressed as follows. After receiving the signals, the train brakes in the normal braking mode and it keeps running in the region of τ ma , while the train keeps running without braking in emergent braking model within 10 seconds. After the train brakes in the emergent braking mode, there exists a moment at which the velocity of normal braking is larger than that of the emergent braking mode. And the train keeps running in the emergent braking mode in the region of τ p within 40 seconds.
The property can be specified with STSL PC formula as: where a nb and a eb denote the acceleration in normal and emergent braking mode, respectively. v nb and v eb represent the velocity in normal and emergent braking mode, respectively.
Example 3.4. In the example 3.1, we can employ an STSL PC formula to specify the properties that the region made by spatial entities a 6 , a 7 and a 8 exists in the region occupied by the union of the spatial entities a 5 , a 6 , a 7 , a 8 and a 9 , until the region made by spatial entities a 3 , a 6 and  ((a 6 a 7 a 8 ) (a 5 a 6 a 7 a 8 a 9 ))U [0,5) ∀ ((a 3 a 6 a 8 ) (a 3 a 5 a 6 a 7 a 8 )) Example 3.5. In Fig. 3 of example 3.2, we can specify the property that for any execution within 4 seconds, there is an inclusion between two spatial entities τ blue and τ grey , and it will follow an overlapping between them within 1.5 seconds. The property can be specified with STSL PC formula as The semantics of STSL PC The semantics of STSL PC is divided into Boolean semantics and quantitative semantics, which return the truth value of purely spatial propositions and real-valued spatial objects. We define μ i as a predicate because the spatial entities are a discrete set and each signal is evaluated by a threshold predicate μ i . The quantitative semantics can be transformed to Boolean semantics by a predicate μ i . The spatial element of the spatio-temporal specification language exists in spatial entity τ . The value of the spatial entity τ can be achieved by the definition V(τ , w, t). That is, we interpret a spatio-temporal formula in simulated trace rather than topometric temporal model. The satisfaction relation for an STSL PC formula ϕ over a topometric temporal model M is given by: A trace w satisfies an STSL PC formula ϕ at t, denoted by (w, t) |= ϕ. For the satisfaction relation, the "⇒" answers whether the implementation procedure of computation holds the specification relation. The "⇐" can be achieved from the definition of satisfaction relation of an STSL PC formula ϕ.
For a given formula ϕ and execution trace w, we define the satisfaction signal χ(ϕ, w, t) over a trace w(t, l): where and ⊥ respectively denote Boolean value true and false. Therefore, χ(τ 1 τ 2 , w, t) returns true if spatial subset relation τ 1 τ 2 holds over the model. For a general signal x i , χ(x i , w, t) returns true if x i ≥ 0 in the trace w(t). χ( I ϕ, w, t) means that for all t ∈ I, ϕ always returns trues in the interval I over the model. While χ(♦ I ϕ, w, t) denotes that there exists t ∈ I, ϕ returns trues in the interval I over the model.
In order to compute the satisfaction of a formula ϕ, we divide the formula ϕ into each subformula φ i until atomic formula so that formula ϕ can be computed through the subformula and atomic formulas instead of the entire sat- isfaction signal χ(ϕ, w, t). The procedure can be treated as a hierarchical structure from the full formula ϕ down to each atomic formula.
We define ρ to quantify the satisfaction degree of the property ϕ over the trace w(t), and it returns a real value ρ(ϕ, w, t). For an atomic spatial formula ∀ τ , the satisfaction degree can be evaluated as V (τ , w, t). And for a atomic predicate x i ≥ 0 can be evaluated as x w(t) i . The quantitative satisfaction relation for a formula ϕ over a spatio-temporal trace w at the time t by the notation of satisfaction degree is given by: The negation of a formula is evaluated as the negative of its satisfaction degree. The conjunction and disjunction of two formulas are evaluated as the minimum and maximum of the satisfaction degree of the two formulas. ρ( I ϕ, w, t) refers to that the infimum of ρ(ϕ, w, t ), ∀t ∈ t + I is always true in the interval I over the trace. Similar to ρ( I ϕ, w, t), ρ(♦ I ϕ, w, t) returns the truth value of the supremum of ρ(ϕ, w, t ), ∀t ∈ t+I. The satisfaction degree of until formula ϕ 1 U I ϕ 2 is evaluated complexly. Firstly, we achieve the satisfaction degree of the formula ϕ 2 in the time t , which belongs to the interval t + I. Secondly, the infimum of the formula ϕ 1 is evaluated in the interval of [ t, t ). Thirdly, the minimum of the result of first steps is achieved. At last, the satisfaction degree of until formula ϕ 1 U I ϕ 2 is evaluated as supremum of the minimum in the third step. It is worthy noting that the infimum of the satisfaction degree of a formula means that the minimum value of the signals within temporal interval I. Similarly, the supremum of the satisfaction degree of a formula denotes the maximum value of signals with a temporal interval I.
The connection between Boolean and quantitative signals is built by way of the predicate x i ≥ 0 to obtain the satisfaction signal χ(x i ≥ 0, w, t), which returns a real value of the quantitative signal x i representing the distance to satisfaction. Specifically, the satisfaction degree of a quantitative signal can be derived with Lemire's algorithm [38] through a MAX-MIN filter over a running sequence.
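The quantitative semantics and the MAX-MIN filter described in the two paragraphs above, as an added example that is not code from the paper. It assumes a uniformly sampled trace, intervals [a, b) given in sample offsets, and a spatial atom whose value V(τ, w, t) is supplied as a precomputed signed margin; all function names and the sample trace are constructed for illustration.

```python
import math
from collections import deque


def sliding_extreme(sig, a, b, use_max):
    """Lemire-style monotonic-deque MAX/MIN filter.

    out[k] is the max (or min) of sig[k+a : k+b], the samples in t + [a, b).
    Windows are cut at the end of the trace; an empty window yields -inf for
    a supremum and +inf for an infimum (a convention assumed here).
    """
    if not 0 <= a < b:
        raise ValueError("need 0 <= a < b")
    n = len(sig)
    if use_max:
        dominated, empty = (lambda old, new: old <= new), -math.inf
    else:
        dominated, empty = (lambda old, new: old >= new), math.inf
    candidates, out, nxt = deque(), [], a   # indices, best value at the front
    for k in range(n):
        while nxt < min(k + b, n):          # admit samples entering the window
            while candidates and dominated(sig[candidates[-1]], sig[nxt]):
                candidates.pop()
            candidates.append(nxt)
            nxt += 1
        while candidates and candidates[0] < k + a:   # expire old samples
            candidates.popleft()
        out.append(sig[candidates[0]] if candidates else empty)
    return out


def neg(s):                 # negation: negative of the satisfaction degree
    return [-v for v in s]


def conj(s1, s2):           # conjunction: pointwise minimum
    return [min(p, q) for p, q in zip(s1, s2)]


def disj(s1, s2):           # disjunction: pointwise maximum
    return [max(p, q) for p, q in zip(s1, s2)]


def globally(s, a, b):      # infimum over t + [a, b)
    return sliding_extreme(s, a, b, use_max=False)


def eventually(s, a, b):    # supremum over t + [a, b)
    return sliding_extreme(s, a, b, use_max=True)


def until(s1, s2, a, b):
    """sup over t' in t + [a, b) of min(rho2(t'), inf of rho1 over [t, t'))."""
    n, out = len(s1), []
    for k in range(n):
        best, prefix_min = -math.inf, math.inf   # inf over empty [t, t) is +inf
        for j in range(k, min(k + b, n)):
            if j >= k + a:
                best = max(best, min(s2[j], prefix_min))
            prefix_min = min(prefix_min, s1[j])  # now covers s1[k..j]
        out.append(best)
    return out


def boolean(s):
    """Boolean signal recovered through the threshold predicate x >= 0."""
    return [v >= 0 for v in s]


# Constructed sample trace, one sample per second (not data from the paper).
GAP = [30.0, 22.0, 15.0, 9.0, 4.0, 1.0, 1.0, 1.0]    # margin of "train and braking region do not overlap"
SPEED = [20.0, 16.0, 12.0, 8.0, 4.0, 0.0, 0.0, 0.0]
STOPPED = [0.5 - v for v in SPEED]                   # predicate 0.5 - v >= 0


def braking_robustness(deadline):
    """Satisfaction degree of (no overlap) U_[0, deadline) (stopped) per sample."""
    return until(GAP, STOPPED, 0, deadline)
```

On the constructed trace, a 6-sample deadline is met with margin 0.5 at time 0, while a 5-sample deadline is missed by 3.5, which is the distance of the speed signal from the stopping threshold at the last admissible sample.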
Example 3.6. In Fig. 3, we can specify the property that for any execution within 4 seconds, there is an inclusion between two spatial entities τ blue and τ grey , and it will follow an overlapping between them within 1.5 seconds. The property can be specified as

Completeness and decidability of STSL PC
The language STSL PC describes the spatial changes in dense time, which is used to monitor the execution of continuous systems at run time. So we ignore the temporal next operator that describes the next step of the discrete systems.

An axiomatization system of STSL PC
We present a Hilbert-style proof system for STSL PC according to the expressiveness of the proposed language. STSL PC combines temporal logic and spatial logic, so the proof system is introduced in a spatial part and a temporal part. Further, the temporal operators □ I , ♦ I and U I are defined over an interval I in dense time, so we add a quantitative part to the proof system.

Spatial part
The spatial part of the axiomatization presents the subset relation of spatial terms with the complement, intersection and union operators: And the inference rules:

Temporal part
The temporal part of STSL PC in real time with interval implies that the temporal next operator is forbidden.
T0 All classical tautologies of propositional logic
And the inference rules:
Axiom (T0) and Modus Ponens (MP) are from the Hilbert-style axiomatization of propositional logic. Axioms (T1-T4) are taken from Manna and Pnueli's temporal logic [39]. A complete proof system for the quantitative version is proposed in [40].

Quantitative part
The quantitative part of the spatio-temporal logic involves the execution of the system in dense time, so quantitative axioms need to be provided. We follow [41] in presenting the quantitative axioms for STSL PC . However, we forbid punctuality in intervals, as in the metric logic MITL, and ban the temporal next operator because of the continuous time. The quantitative axioms characterize the translation from the intersection and union of intervals into the conjunction and disjunction of temporal operators with intervals. Specifically, the finally operator bounded with the union of two intervals, of the form ♦ I∪J ϕ, implies the disjunction of the finally operators bounded with their respective intervals. Conversely, the disjunction of the finally operators bounded with their respective intervals implies the finally operator bounded with the union of the two intervals. However, the globally operator bounded with the intersection of the two intervals and the conjunction of the globally operators bounded with their respective intervals imply each other. For the until operator, the axiom generalizes φU I ϕ → ♦ I ϕ with the union of two intervals I ∪ J.

Soundness and completeness of the axiomatization system
Once an axiomatization system is presented, its soundness and completeness need to be proved, including the spatial, temporal and quantitative axioms. Soundness means that all the theorems of STSL PC are logically valid. Equivalently, a spatio-temporal logic is sound with respect to the topometric temporal model if for all the formulas φ, ST
Proof The soundness proof needs to guarantee that each axiom is sound and that the inference rules preserve soundness from sound hypotheses. This follows from the fact that all axioms are valid and all rules preserve validity. We provide the proof in Appendix A.
It is well known that weak completeness plus compactness implies strong completeness [42]. The lexicographic products of modal logic with linear temporal logic are sound and complete [43]. MTL, which is more expressive than MITL because of its punctuality operator, is complete in a two-sorted model [44]. But temporal logic over the flow of real time has only weak completeness [45]: it is finitely complete and expressively complete, but the compactness theorem fails. These conclusions contribute to the result of weak completeness.
Theorem 4.2. The system for STSL PC is weakly complete with respect to topometric temporal model, i.e., for every STSL PC formula, ST φ implies φ.
Before presenting the completeness proof of the axiomatization system of STSL PC , we introduce the notion of maximal consistent set [46].
The axiomatization system of STSL PC is a logical system. A proof in STSL PC is a finite sequence of formulas: A 0 , A 1 , ..., A n , where each A i is an axiom, or there exist j, k < i such that A i is the conclusion derived from A j and A k using the MP inference rule. The last term A n is a theorem of STSL PC , using the sign A n , where n is the length of the proof.
The concepts of deducibility and consistency from [12,47] are fundamental to deduce the logic system STSL PC . A formula A is deducible from a set of formulas  If is a maximal ST -consistent set of formulas then we say it is an ST -MCS. The (ii) condition refers to that any set of formulas properly containing is ST -inconsistent.
The canonical model is defined in [47] to establish the soundness and completeness of modal logics. We extend the notion of canonical model to spatio-temporal systems for the completeness of STSL PC .

Lemma 4.3 (Truth Lemma). Let ST -canonical model be a class of topometric temporal model. For all
Proof The proof is by induction on the structure of φ. Base case: Suppose φ is a spatial formula ∀ τ or an atomic predicate Inductive step: Suppose φ is an atomic predicate ¬φ, We show the proof of the case □ I φ, and leave the others to the reader. We have (ST , s) □ I φ ⇔ □ I φ ∈ s (assuming the inductive hypothesis).
We need to show that □ I φ ∈ s ⇔ ∀s′, sRs′ ⇒ φ ∈ s′. ⇒ follows immediately from Definition 4.2. As for ⇐: suppose □ I φ ∉ s. We need to show ∃s′, sRs′ and φ ∉ s′ ⇔ ∃s′, sRs′ and ¬φ ∈ s′ ⇔ ∃s′, {ϕ | □ I ϕ ∈ s} ⊆ s′ and ¬φ ∈ s′ it follows □ I φ ∈ s. This contradicts the hypothesis that
The proof of the weakly complete system of STSL PC is immediately the result of Lemma 4.3.

Decidability of STSL PC
We present the decidability of STSL PC based on the finite model property [12]. A decision procedure for the decidable fragment will be presented.
We denote the equivalence class of a state with respect to

l) p} for all proposition letters p in ϕ.
Then M f is a filtration of M through ϕ.
Proof That φ is satisfiable in the filtration is immediate from Theorem 4.4, and the bound on the size of the filtration is immediate from Proposition 4.1. It is well known in the standard case [12,16].
Satisfiability means that for every STSL PC formula φ there is a spatio-temporal trace in a topometric temporal model M such that (M, t, l) φ. Theorem 4.5 shows that the search is finite in the nodes of the topometric temporal model. So Theorem 4.6 follows.
Proof Recall that STSL PC refers to the changes over time of truth-values of purely spatial propositions. The interaction between the spatial and temporal components of STSL PC is restricted to the elementary unit: purely spatial propositions. The proof is carried out through a construction step, a reduction step and a decision procedure.
Construction step: For every STSL PC -formula ϕ, one can construct an STL-formula φ by replacing every occurrence of a spatial proposition τ 1 τ 2 and atomic predicate x i ≥ 0 in ϕ with a fresh propositional variable. Specifically, given an STL-model M = (T, V) and an STL-formula φ with a time point t in T, we construct the set of spatial formulas as a collection of STL proposition variables. If φ t is satisfiable for every t in T, then there is a topometric temporal model M satisfying ϕ and based on the flow T.
Reduction step: One can obtain the formulas □ I ϕ and ♦ I ϕ from ϕ 1 U I ϕ 2 , so checking whether an STL formula φ is satisfiable or not depends on the complexity of computing a formula with U I operators. In fact, the time domain of STL is bounded in the interval I, and an STL formula over Boolean signals returns true or false for a given STL model M. Bounded STL with only Boolean values has the same expressiveness as MITL [29]. It suffices to reduce the satisfiability problem of STL to the satisfiability problem for MITL [48] over infinite traces with intervals to check the satisfiability of φ t . Further, STL is interpreted over a temporal trace, while MITL is interpreted over timed automata, which capture all traces. The Boolean semantics of STL returns a Boolean value, as MITL does. However, STL can also be interpreted in quantitative semantics, which returns a real value. This makes STL more expressive. STL and MITL have the same expressiveness in temporal intervals because the intervals in both of them are in dense time.
Decision Procedure: We divide the procedure for deciding the satisfiability of STSL PC into two steps: the first is deciding the spatial formula φ t in PC, the second is dealing with STL. According to the observation in [29], an STL formula in Boolean semantics is as expressive as an MITL formula, so a Satisfiability Modulo Theories (SMT) [49]-based decision procedure for MITL is suitable to decide an STL formula in Boolean semantics. We present a decision procedure for satisfiability checking of MITL, which is similar to the approach in [50]. The difference is that we restrict our MITL formulas to exclude past tense and the counting modality. We propose the encoding of MITL to Constraint LTL over clock (CLTLoc) [51], which is an extension of Constraint LTL [52] with clocks. θ∈sub(φ) ck θ ∧ θ=F (a,b) (γ ) auxck θ and for all k ∈ N, θ ∈ sub(φ), we have (π, σ ), k |= m(θ). Conversely, if (π, σ ), 0 |= θ∈sub(φ) (ck θ ∧ G(m(θ))) ∧ θ=F (a,b) (γ ) auxck θ , then there is a signal M such that (π, σ ) ∈ r sub(φ) (M).
The proof can be found in [50]. Let θ be a subformula of the MITL formula φ; then θ has one of the forms ¬φ, φ ∧ ϕ, φU I ϕ, ♦ I φ. The function m(θ) is defined to describe the translation of a subformula θ of an MITL formula to a corresponding CLTLoc formula, which is of the form:
The transformation from MITL to CLTLoc is implemented by qtlsolver [53]. The decision procedure for the CLTLoc formula is described in [54], which relies on the Zot toolkit [53]. In [50], it is shown that the satisfiability of a CLTLoc formula is PSPACE in the size of the formula and in the binary encoding of the constants, and that the decision procedure induced by the encoding is in EXPSPACE.

STSL OC
The interaction between the spatial and temporal components should comply with the principle of PC and OC [22], which is used to evaluate the interaction:
• STSL PC : the language should be able to express changes over time of the truth-values of purely spatial propositions.
• STSL OC : the language should be able to express changes or evolution of spatial objects over time.
STSL PC expresses the change of truth-values of propositions, and it is the elementary requirement for a combined spatio-temporal logic. For STSL OC , spatio-temporal properties are specified about the changes of spatial objects over dense time with intervals by extending the temporal globally, eventually and until operators to the spatial terms of STSL PC . The spatio-temporal traces comply with finite variability. The traces are divided into intervals. The STSL OC formulas with these intervals are also verified at runtime.
The difference between STSL PC and STSL OC is that STSL PC involves the change of truth-values of propositions, while STSL OC describes the change of extensions of predicates. Specifically, STSL PC expresses static spatial terms in topometric space over dense time through the spatial complement, intersection and union operators. The dynamic evolution of STSL OC is achieved by admitting spatial until operators with interval [ l 1 , l 2 ) on spatial terms in the topometric temporal model.
The spatial until τ 1 U [l 1 ,l 2 ) τ 2 at spatial location l 1 consists of those points x of the topometric space for which there is l 2 > l 1 such that x belongs to τ 2 at moment l 2 and x is in τ 1 at all l whenever l 1 < l < l 2 . The difference between spatial until and temporal until is that spatial until is interpreted over a spatial interval [ l 1 , l 2 ), whereas temporal until is defined over a temporal interval [ t 1 , t 2 ). Further, spatial until operates on two spatial terms τ 1 and τ 2 , while temporal until operates on two formulas ϕ 1 and ϕ 2 . The syntax of STSL OC is given by: Similar to the atomic formulas, the unary operators □ I and ♦ of spatio-temporal terms can also be derived from the operator U I . The occupied spaces of the terms □ I τ and ♦ I τ at moment w are interpreted as the intersection and union of all spatial extensions of τ at moments v > w, respectively.

Example 5.1. In Example 3.3, what we can also guarantee is that after the train brakes in the emergent braking mode, there exists a moment at which the velocity of normal braking is larger than that of the emergent braking mode within 40 s. And the train keeps running in the normal braking mode in the region of τ nb until it runs in the region of τ eb within the spatial interval [ p nb , EoA). The specification can be expressed as
where v eb and v nb mean the velocity of the emergent and normal braking mode.
Example 5.2. The railway traffic with sensors, presented by Liu et al. [2], provides a good perspective to discuss the proposed spatio-temporal specification language. In their example, a train and a control zone can be treated as region-based spatial terms. Obviously, the spatial region of the control zone is bigger than the region of the train. Therefore, the spatial relation between the control zone and the train can be characterized by S4 u formulas or RCC-8 relations, i.e., disconnected (DC), externally connected (EC), partial overlap (PO), equal (EQ), tangential proper part (TPP) and tangential proper part inverse (TPPI), and nontangential proper part (NTPP) and nontangential proper part inverse (NTPPI). The changes of spatial relations over dense time can be specified by STSL PC . The specification that a train intersects with the control zone until the train leaves within 10 min can be expressed as where τ cz means the region of the control zone. The predicate PO(τ train , τ cz ) is equal to the STSL PC formula ♦ ∃ (Iτ train Iτ cz ∧¬ ∀ (τ train τ cz )∧¬ ∀ (τ cz τ train ), and the predicate DC(τ train , τ cz ) can be expressed by the STSL PC formula ¬♦ ∃ (τ train τ cz ). However, it is not enough to specify spatio-temporal properties with STSL OC because there is no evolution of spatial entities. Further, it cannot even be specified with the spatial relation between point-based spatial terms in topometric space.
Example 5.3. In Example 3.1, the spatio-temporal property that the spatial entity a 1 reaches a 9 within 20, until the distance from the spatial entity a 1 to a 9 is reduced 18 within 8 min can be specified with STSL OC as
The product of temporal logic and spatial logic expresses the spatial evolution in real time with spatial until. The axioms for STSL OC add the spatial until.
The added operator has no influence on STSL OC . So the STSL OC enjoys the same soundness as STSL PC .
Although the axioms T2 can be applied into temporal deduction, the formula □ I on the spatial terms returns the quantitative space.
A spatio-temporal trace w is a sequence over signals ε. The Boolean satisfaction relation and satisfaction degree for an STSL OC formula ϕ over a spatio-temporal trace w are similar to that of STSL PC formula.
The decidability of STSL OC will follow: Proof As we all know, Post's correspondence problem is undecidable [55]. Given a finite alphabet A = {a 1 , ..., a m } and a finite set P of pairs (v 1 , w 1 ), ..., (v k , w k ) of nonempty finite sequences (words) v i , w i over A, decide whether there exists an N ≥ 1 and a sequence i 1 , ..., i N of indices such that v i 1 , ..., v i N = w i 1 , ..., w i N .
An execution trace w is a set of STL signals x w 1 , ..., x w k defined over some interval D of R + [11]. Assume the real-valued signals have finite variability. The intervals [ t i , t i+1 ) i∈N and the threshold predicates divide the execution trace into piecewise Boolean signals. We encode the satisfiability problem of STSL OC formulas to Post's correspondence problem in the way of [22].
The decidability with a less expressive language was initially proved in [56]. We construct a formula ϕ A,P which is STSL OC -satisfiable iff for each 1 ≤ i ≤ k, let l i and r i be the length of words v i and w i , respectively, and let The formula ϕ A,P is constructed as: where left a and right a (a ∈ A), left, right and stripe are spatial variables, and for every pair (v i , w i )(1 ≤ i ≤ k), pair i are propositional variables. The variable range is required to 'relativise' the temporal operators □ I and ♦ I in order to ensure that we can construct a model based on a finite flow of time.
ψ left is a conjunction of (12)- (18), for all i in 1 ≤ i ≤ k, and for all j < l i ,  Because of the difference between spatio-temporal logics and the corresponding model from [57], we change the Aleksandrov tt-model M = ((N, <), G, V) with G = (V , R) to topometric temporal model M = (T, L, V) with L = (M, I d ).
Since stripe holds in M at 0, we have, for every y ∈ M, M, (0, y) |= stripe iff M, (j, y) |= stripe for all j, 1 ≤ j ≤ N. The transitive binary relation R s on V defined by taking xR s y will be modified to the distance relation d on the topometric space M defined by taking d(x, y). The condition will be changed to that if there is z ∈ M such that ∃ , d(x, z) < and d(z, y) < , and (M, (0, x)) |= stripe holds iff (M, (0, z)) |= stripe.
Theorem 5.2 is the immediate result of Lemma 5.3.

Case study
The example of the train collision avoidance system can be treated as a cyber-physical system. In the cyber system, the electrical signals are discrete, and the system clock ticks discretely. However, in the physical environment, the running of the train follows a kinetic equation, which changes continuously. The execution of the train collision avoidance system is characterized as a sequence of traces, which describes the evolution of a spatial region.
The region of movement authority is defined as a special rail section from the position that a train is authorized to enter to the end of movement authority (EoA), which is the position at which the train reaches the safety margin of the leading train. A train must send a movement authority request and receive a permission before the train can enter the next section. In case of emergency, the following train must brake without the permission. In Fig. 7, p ma_req and p brake refer to the position at which the following train sends a movement authority request and the braking position, respectively. The braking distance τ bd occupies the section from the braking position p brake to EoA. If the region of movement authority τ ma is treated as the universal set, we can describe the spatial relation as
τ bd τ ma (19)
And τ bd refers to the distance that the movement authority τ ma minus the braking distance τ bd , i.e., and V(τ bd ) denote the value of the corresponding spatial terms τ ma , τ bd and τ bd . Also, before the following train receives a movement authority, the position of the train is less than p brake , i.e., the spatial entities of the train τ train and the braking distance τ bd do not overlap. The spatial relation can be specified as There are two kinds of braking modes: service braking (SB) and emergency braking (EB). Service braking means that a train decelerates until it stops at EoA. Emergency braking means the maximal acceleration a max of a train to EoA if its velocity is greater than some critical value v c . In order to ensure collision avoidance, after receiving movement authority, the following train decelerates by a given velocity v until it stops within the time t. Its formalization in STL is straightforward by formula 21: where v, a and s are the velocity, acceleration and position of the following train.
Suppose the time from sending movement authority to stopping of the following train is t 0 , and the braking time of the following train is t 1 . In order to ensure collision avoidance, after sending movement authority at time 0, the train does not overlap with the braking distance until the train stops within t 0 . The specification is expressed as an STSL PC formula After sending the movement authority, the following train runs to the braking region. And after receiving movement authority, the train and the braking distance do not overlap until it stops from t 0 to t 1 . Its formalization as an STSL OC formula is straightforwardly the formula

Related work
In order to specify spatio-temporal properties of cyber-physical systems, spatio-temporal logics, which have discrete or dense time domains and Boolean or quantitative values, have attracted some researchers' attention, as listed in Table 1.
Generally, there are two kinds of logic-based approaches to specify spatio-temporal properties: the extension of temporal logic with spatial modalities and the combination of spatial logic and temporal logic. Some spatio-temporal logics are extensions of temporal logic with spatial modality. In [66], temporal modalities are extended with spatial directions to reason about reaction diffusion systems. SSTL [60] is presented to combine the temporal modality until with two spatial modalities, so that one can express that something is true somewhere nearby and being surrounded by a region that satisfies a given spatio-temporal property. STREL [61] extends SSTL with spatial reachability and escape operators to describe mobile and spatially distributed cyber-physical systems. Balbiani [67] explores the 2-dimensional space in multiagent systems by extending dynamic logic with formulas representing the agents' positions and programs moving from one position to another position. But these works are limited to the expressiveness of a discrete spatial representation, rather than more complex continuous space. Andreas [68] et al. present Shape Calculus, based on Duration Calculus extended with bounded polyhedra for the n-dimensional space, for the specification and verification of mobile real-time systems. Mardare [64] presents Dynamic Spatial Logic, L DS , as an extension of Hennessy-Milner logic with a parallel operator to distinguish processes. MLSL [63] is a two-dimensional extension of spatial interval temporal logic, where one dimension is characterized by a continuous space to describe the position in each lane and the other denotes a discrete space to count the number of the lane.
The combinations of temporal logic and spatial logic inherit the expressiveness of the two kinds of logics. LTL and CTL imply discrete time in the temporal part. Bennett et al. [65] construct a multi-dimensional modal logic named PSTL through the Cartesian product of the temporal logic PTL and the modal logic S4 u to specify discrete time and "general" topological space. Gabelaia et al. [22] present the principles for the requirements of a combined spatio-temporal form, apply those principles, and propose combined spatio-temporal logics between PTL and some fragments of the modal spatial logic S4 u . They prove that the complexity of the combination of PTL with S4 u is PSPACE-complete. Kremer and Mints [62] provide dynamic topological logic (DTL) as a combination of LTL and S4 u to describe the dynamic changes of spatial objects over time. Shao et al. [69] also consider the combination of the propositional temporal logic PTL and S4 u and apply it to several classical properties of train control systems. Ciancia et al. [58] present STLCS by enhancing SLCS with temporal operators that feature the CTL path quantifiers ∀ (for all paths) and ∃ (there exists a path). All these works try to answer how to specify spatio-temporal properties in discrete time, rather than dense time.
In order to express spatial changes in dense time, MTSL [31] is proposed to specify spatio-temporal properties of cyber-physical systems by integrating MTL with S4 u . They follow the traditional S4 u with truth values to specify spatial changes and extend the domain of time to real-valued intervals within bounded time under the principle of PC and OC.
The languages proposed above employ classical model checking to verify the system against the specified properties. The approach obtains a model of the system and checks whether the model satisfies the properties specified in the proposed language. However, we may need an approach that yields the satisfaction degree, rather than only satisfaction or violation.
STL expresses the changes of real-valued signals in dense time. The system can be verified at run time to monitor the satisfaction degree of the signals with respect to an STL formula [11]. But an STL formula is not enough to specify spatial properties. Haghighi et al. [59] present SpaTeL as a combination of signal temporal logic (STL) and tree spatial superposition logic (TSSL) in networked systems. However, TSSL is a discrete structure for describing static spatial relations. To specify spatial terms with changeable shape over dense time, we propose STSL PC by integrating STL with S4 u , to describe the spatio-temporal properties of cyber-physical systems with dense time and real-valued variables. STSL PC interprets the spatial subset relation and threshold predicates as atomic propositions, and returns a Boolean value for satisfaction or violation and the satisfaction degree of signals and spatial terms according to the Boolean and quantitative interpretations. We extend STSL PC to express spatial evolution over dense time by extending the interpretation of temporal globally, eventually and until bounded with intervals as spatial operators. We assume that the systems satisfy finite variability so that the STSL PC formulas are verified at run-time. The decidability and complexity of the two formalisms are analyzed, and the soundness and completeness of their axiomatization are proved.

Conclusion and future work
In this paper, we build STSL PC , a spatio-temporal specification language, by combining STL with the spatial logic S4 u , specifically containing dense time and topometric space. We provide the syntax and semantics of the proposed language, and guarantee the seamless integration of spatial logic with the temporal aspect from the perspective of the changes of purely spatial propositions in STSL PC and spatial objects in STSL OC over time. A Hilbert-style axiomatization system and the soundness and completeness results show the completeness of STSL PC and the incompleteness of STSL OC . The decidability results indicate that STSL OC is undecidable and STSL PC is decidable. Further, we show that the complexity of STSL PC is EXPSPACE-complete, and a decision procedure is presented for the decidable fragment. Currently, the proposed STSL has powerful expressiveness. However, a shortcoming of the paper is that there is no concrete monitoring technique, as other works [60,70] have provided. In order to verify a cyber-physical system, it is not always possible to obtain a complete model of the system. However, monitoring provides an approach to verify a trace of the system to guarantee the reliability of the current execution. We have already presented the feasibility of the proposed language in the semantics. One can implement the language and present a monitoring algorithm to verify the spatio-temporal specification language. The reason why we are trying to monitor an STSL formula lies in the interpretation of STSL over spatio-temporal traces. This makes traditional model checking insufficient to verify the spatio-temporal properties specified with STSL. The spatio-temporal traces for monitoring an STSL specification can come from automata, Petri nets [2], process algebra, neural networks, differential equations and so on. We are developing the monitoring tool.
Firstly, we are developing offline monitoring by sampling spatio-temporal traces of a simulated system against the spatio-temporal specification language. Secondly, runtime verification such as online monitoring will be interesting, to obtain spatio-temporal traces from executing systems and verify an STSL formula. Thirdly, more applications, like mobile systems [71] and cloud service-based systems, will be developed.

Appendix A: Proof of soundness of STSL PC
The proof of Theorem 4.1: S0 and S1 follow immediately from the definition.