14  Time-Series Anomaly Methods

14.1 Learning Objectives

By the end of this chapter, you will be able to:

• Apply ARIMA Models: Use forecasting-based detection for temporal anomalies
• Implement Exponential Smoothing: Detect level shifts and trend changes efficiently
• Use STL Decomposition: Separate trend, seasonality, and residuals to isolate anomalies
• Select Appropriate Methods: Choose time-series techniques based on data patterns

In 60 Seconds

Time-series anomaly detection methods such as ARIMA, exponential smoothing, and STL decomposition detect contextual anomalies that are only unusual given their temporal context — a temperature of 30°C is normal in summer but anomalous in winter. The core technique is to forecast the expected value, then flag readings whose forecast error exceeds a learned threshold.

For Beginners: Time-Series Anomaly Detection

Time-series anomaly detection spots unusual patterns in data that changes over time. Think of monitoring a heartbeat – a steady rhythm is normal, but unexpected spikes or pauses are concerning. For IoT sensors, this means learning what normal daily and weekly patterns look like so the system can automatically detect when something goes wrong.

Minimum Viable Understanding: Time-Series Anomaly Detection

Core Concept: Time-series methods exploit temporal patterns - anomalies are points where actual values significantly differ from what the model predicted based on historical patterns.

Why It Matters: IoT data is inherently temporal. A temperature of 30°C might be normal at 2 PM but anomalous at 2 AM. Time-series methods capture these contextual patterns that simple statistical methods miss.

Key Takeaway: Use ARIMA when data has clear trends/seasonality, exponential smoothing for detecting level shifts, and STL decomposition when you need to separate seasonal patterns from anomalies.

14.2 Prerequisites

Before diving into this chapter, you should be familiar with:

• Statistical Methods: Z-score, IQR, and adaptive thresholds
• Anomaly Types: Understanding contextual anomalies that depend on temporal context

~15 min | Advanced | P10.C01.U03

Key Concepts

• ARIMA: AutoRegressive Integrated Moving Average — a forecasting model capturing autocorrelation (AR), removing non-stationarity via differencing (I), and smoothing noise (MA); residuals outside a threshold indicate anomalies.
• STL decomposition: Seasonal-Trend decomposition using Loess — separates a time series into trend, seasonal, and residual components; anomalies appear as spikes in the residual component.
• Exponential smoothing: A forecasting technique weighting recent observations more heavily; Holt-Winters triple exponential smoothing handles both trend and seasonal patterns.
• Stationarity: A property of a time series where mean and variance are constant over time; required by ARIMA, achieved via differencing to remove trends.
• Autocorrelation: The correlation of a time series with its own past values at different lags; high autocorrelation enables good forecasting.
• Concept drift: A shift in the statistical properties of the time series over time that degrades forecast accuracy; requires periodic model retraining or adaptive algorithms.
• Forecast error threshold: The maximum allowable deviation between a forecasted value and the observed value before a reading is classified as anomalous.

14.3 Introduction

IoT sensor data is inherently temporal – values are meaningful in sequence, not isolation. While statistical methods (Z-score, IQR) treat each reading independently, time-series methods leverage the sequential structure to detect anomalies that only become apparent in temporal context. This chapter covers three complementary approaches: ARIMA for forecast-based detection, exponential smoothing for level-shift detection, and STL decomposition for separating seasonal patterns from true anomalies.

How It Works

Each method takes a different approach to exploiting temporal patterns:

ARIMA Forecasting Mechanism:

1. Model learns patterns: ARIMA captures trends (gradual increase/decrease), seasonality (daily/weekly cycles), and autocorrelation (current value depends on past values)
2. Predict next value: Based on recent history, model forecasts what the next reading should be
3. Calculate forecast error: Residual = actual value - predicted value
4. Threshold on residuals: Large residuals indicate anomalies – values that deviate from expected temporal trajectory

Why this works: Normal sensor patterns have temporal structure. ARIMA learns time-dependent patterns and flags values that violate the expected trajectory – even if the absolute value appears “normal” in isolation.

STL Decomposition Mechanism:

1. Separate components: Split time series into three additive parts:
   • Trend: Long-term increase/decrease (e.g., sensor drift over months)
   • Seasonal: Regular repeating patterns (e.g., daily temperature cycle)
   • Residual: What remains after removing trend and seasonal (noise + anomalies)
2. Detect in residuals: Anomalies appear as spikes in the residual component
3. Context preservation: By isolating seasonal patterns, STL prevents flagging normal daily variations as anomalies

Why this works: IoT data has strong seasonal patterns (HVAC follows occupancy, solar panels follow sun). STL removes these known patterns, leaving only true deviations.

Exponential Smoothing (EWMA) Mechanism:

1. Weighted average: Recent values get higher weight, old values get lower weight (exponentially decaying)
2. Track baseline: EWMA represents current “expected” value based on recent trend
3. Detect level shifts: When actual value suddenly departs from EWMA baseline by >threshold, flag anomaly

Why this works: EWMA adapts quickly to gradual changes (avoiding false alarms from concept drift) while detecting sudden level shifts (actual anomalies). The smoothing parameter (α) controls responsiveness.

14.4 ARIMA (AutoRegressive Integrated Moving Average)

Core Concept: Model time series as a function of past values and past errors to forecast future values. Anomalies are points where actual value significantly differs from forecast.

When ARIMA Excels:

• Data has clear trends or seasonal patterns
• You need to forecast next value to compare against
• Anomalies are deviations from expected trajectory

ARIMA Components:

• AR (AutoRegressive): Value depends on previous values
• I (Integrated): Differencing to make series stationary
• MA (Moving Average): Value depends on previous errors

IoT Application Example:

from statsmodels.tsa.arima.model import ARIMA
import numpy as np

class ARIMADetector:
    def __init__(self, order=(1,1,1), threshold=3.0):
        """
        order: (p, d, q) for ARIMA model
        threshold: number of std deviations for anomaly
        """
        self.order = order
        self.threshold = threshold
        self.history = []
        self.model = None

    def train(self, historical_data):
        """Train ARIMA model on historical data"""
        self.history = list(historical_data)
        self.model = ARIMA(self.history, order=self.order)
        self.model_fit = self.model.fit()

    def predict_and_detect(self, new_value):
        """
        Predict next value and check if new_value is anomalous
        """
        if len(self.history) < 10:
            self.history.append(new_value)
            return False, None, None

        # Forecast next value
        forecast = self.model_fit.forecast(steps=1)[0]

        # Calculate residual error
        residuals = self.model_fit.resid
        std_error = np.std(residuals)

        # Check if new value is anomalous
        error = abs(new_value - forecast)
        is_anomaly = error > (self.threshold * std_error)

        # Update history and retrain (in practice, retrain periodically)
        self.history.append(new_value)

        return is_anomaly, forecast, error

# Example: Power consumption monitoring with daily patterns
# Historical data: 24 hours of power usage (kW)
historical_power = [
    12, 10, 9, 8, 8, 9, 15, 25, 30, 28, 26, 27,  # Day pattern
    28, 29, 27, 25, 30, 35, 28, 22, 18, 15, 13, 11  # Evening/night
]

detector = ARIMADetector(order=(2,1,2), threshold=2.5)
detector.train(historical_power)

# Next hour: should be ~12 kW, but reads 55 kW (anomaly)
anomaly, forecast, error = detector.predict_and_detect(55)
print(f"Expected: {forecast:.1f} kW")
print(f"Actual: 55.0 kW")
print(f"Error: {error:.1f} kW")
print(f"Anomaly: {anomaly}")
# Output: Expected: 12.3 kW, Actual: 55.0 kW, Error: 42.7 kW, Anomaly: True

Try It: ARIMA Forecast-Based Anomaly Detection

Adjust the ARIMA parameters and anomaly threshold to see how forecast-based detection works on power consumption data with a daily pattern. Inject an anomaly value and observe whether the detector flags it.

viewof arima_p = Inputs.range([0, 4], {value: 2, step: 1, label: "AR order (p)"})
viewof arima_d = Inputs.range([0, 2], {value: 1, step: 1, label: "Differencing (d)"})
viewof arima_q = Inputs.range([0, 4], {value: 2, step: 1, label: "MA order (q)"})
viewof arima_thresh = Inputs.range([1.0, 5.0], {value: 2.5, step: 0.1, label: "Threshold (std devs)"})
viewof arima_anomaly_val = Inputs.range([10, 80], {value: 55, step: 1, label: "Injected anomaly value (kW)"})
viewof arima_anomaly_hour = Inputs.range([0, 23], {value: 0, step: 1, label: "Anomaly injection hour"})

{
  // Power consumption pattern: 24 hours
  const arima_base = [12, 10, 9, 8, 8, 9, 15, 25, 30, 28, 26, 27,
                      28, 29, 27, 25, 30, 35, 28, 22, 18, 15, 13, 11];

  // Simple AR forecast: weighted sum of recent values
  const arima_weights_p = [];
  for (let i = 0; i < arima_p; i++) {
    arima_weights_p.push(1.0 / (i + 1));
  }
  const arima_wsum = arima_weights_p.reduce((a, b) => a + b, 0) || 1;

  // Build data with forecast
  const arima_data = [];
  const arima_residuals = [];

  for (let h = 0; h < 24; h++) {
    let forecast = arima_base[h];
    if (h >= arima_p && arima_p > 0) {
      let wf = 0;
      for (let j = 0; j < arima_p; j++) {
        wf += arima_weights_p[j] * arima_base[h - j - 1];
      }
      forecast = wf / arima_wsum;
      // Apply differencing correction
      if (arima_d >= 1 && h >= 1) {
        forecast += (arima_base[h - 1] - (h >= 2 ? arima_base[h - 2] : arima_base[h - 1])) * 0.5;
      }
    }
    const actual = (h === arima_anomaly_hour) ? arima_anomaly_val : arima_base[h];
    const residual = actual - forecast;
    arima_residuals.push(residual);
    arima_data.push({hour: h, actual, forecast, residual});
  }

  // Calculate std of residuals (excluding anomaly hour for baseline)
  const arima_clean_res = arima_residuals.filter((_, i) => i !== arima_anomaly_hour);
  const arima_mean_res = arima_clean_res.reduce((a, b) => a + b, 0) / arima_clean_res.length;
  const arima_std_res = Math.sqrt(arima_clean_res.reduce((a, r) => a + (r - arima_mean_res) ** 2, 0) / arima_clean_res.length) || 1;
  const arima_threshold_val = arima_thresh * arima_std_res;

  // Mark anomalies
  for (const d of arima_data) {
    d.is_anomaly = Math.abs(d.residual) > arima_threshold_val;
  }

  const anomaly_point = arima_data[arima_anomaly_hour];
  const detected = anomaly_point.is_anomaly;

  // SVG chart
  const w = 700, h = 320, pad = {top: 30, right: 30, bottom: 50, left: 60};
  const pw = w - pad.left - pad.right, ph = h - pad.top - pad.bottom;

  const allVals = arima_data.flatMap(d => [d.actual, d.forecast]);
  const yMin = Math.min(...allVals) - 5;
  const yMax = Math.max(...allVals) + 5;

  const xScale = (v) => pad.left + (v / 23) * pw;
  const yScale = (v) => pad.top + ph - ((v - yMin) / (yMax - yMin)) * ph;

  // Build forecast line path
  let forecastPath = "";
  for (let i = 0; i < arima_data.length; i++) {
    const x = xScale(arima_data[i].hour);
    const y = yScale(arima_data[i].forecast);
    forecastPath += (i === 0 ? "M" : "L") + `${x},${y}`;
  }

  // Build actual line path
  let actualPath = "";
  for (let i = 0; i < arima_data.length; i++) {
    const x = xScale(arima_data[i].hour);
    const y = yScale(arima_data[i].actual);
    actualPath += (i === 0 ? "M" : "L") + `${x},${y}`;
  }

  // Threshold band around forecast
  let bandUpper = "", bandLower = "";
  for (let i = 0; i < arima_data.length; i++) {
    const x = xScale(arima_data[i].hour);
    const yu = yScale(arima_data[i].forecast + arima_threshold_val);
    const yl = yScale(arima_data[i].forecast - arima_threshold_val);
    bandUpper += (i === 0 ? "M" : "L") + `${x},${yu}`;
    bandLower += (i === 0 ? "M" : "L") + `${x},${yl}`;
  }
  const bandPath = bandUpper + "L" + bandLower.split("L").reverse().join("L").replace("M", "") + "Z";

  // Y-axis ticks
  const yTicks = [];
  const yStep = Math.ceil((yMax - yMin) / 6);
  for (let v = Math.ceil(yMin); v <= yMax; v += yStep) {
    yTicks.push(v);
  }

  // X-axis ticks
  const xTicks = [0, 4, 8, 12, 16, 20, 23];

  // Anomaly markers
  const anomalyMarkers = arima_data.filter(d => d.is_anomaly).map(d =>
    `<circle cx="${xScale(d.hour)}" cy="${yScale(d.actual)}" r="7" fill="none" stroke="#E74C3C" stroke-width="2.5"/>
     <circle cx="${xScale(d.hour)}" cy="${yScale(d.actual)}" r="3" fill="#E74C3C"/>`
  ).join("");

  const svg = `<svg viewBox="0 0 ${w} ${h}" style="width:100%;max-width:${w}px;font-family:Arial,sans-serif;">
    <rect width="${w}" height="${h}" fill="#fafafa" rx="4"/>
    <!-- Threshold band -->
    <path d="${bandPath}" fill="#3498DB" opacity="0.12"/>
    <!-- Grid lines -->
    ${yTicks.map(v => `<line x1="${pad.left}" y1="${yScale(v)}" x2="${w - pad.right}" y2="${yScale(v)}" stroke="#ddd" stroke-width="0.5"/>`).join("")}
    <!-- Forecast line -->
    <path d="${forecastPath}" fill="none" stroke="#3498DB" stroke-width="2" stroke-dasharray="6,3"/>
    <!-- Actual line -->
    <path d="${actualPath}" fill="none" stroke="#2C3E50" stroke-width="2"/>
    <!-- Anomaly markers -->
    ${anomalyMarkers}
    <!-- Actual data points -->
    ${arima_data.map(d => `<circle cx="${xScale(d.hour)}" cy="${yScale(d.actual)}" r="3" fill="${d.is_anomaly ? '#E74C3C' : '#2C3E50'}"/>`).join("")}
    <!-- Y-axis -->
    <line x1="${pad.left}" y1="${pad.top}" x2="${pad.left}" y2="${pad.top + ph}" stroke="#7F8C8D"/>
    ${yTicks.map(v => `<text x="${pad.left - 8}" y="${yScale(v) + 4}" text-anchor="end" font-size="11" fill="#7F8C8D">${v}</text>`).join("")}
    <text x="${pad.left - 40}" y="${pad.top + ph / 2}" text-anchor="middle" font-size="12" fill="#2C3E50" transform="rotate(-90,${pad.left - 40},${pad.top + ph / 2})">Power (kW)</text>
    <!-- X-axis -->
    <line x1="${pad.left}" y1="${pad.top + ph}" x2="${w - pad.right}" y2="${pad.top + ph}" stroke="#7F8C8D"/>
    ${xTicks.map(v => `<text x="${xScale(v)}" y="${pad.top + ph + 18}" text-anchor="middle" font-size="11" fill="#7F8C8D">${v}:00</text>`).join("")}
    <text x="${pad.left + pw / 2}" y="${h - 5}" text-anchor="middle" font-size="12" fill="#2C3E50">Hour of Day</text>
    <!-- Legend -->
    <line x1="${pad.left + 10}" y1="${pad.top + 12}" x2="${pad.left + 30}" y2="${pad.top + 12}" stroke="#2C3E50" stroke-width="2"/>
    <text x="${pad.left + 34}" y="${pad.top + 16}" font-size="11" fill="#2C3E50">Actual</text>
    <line x1="${pad.left + 90}" y1="${pad.top + 12}" x2="${pad.left + 110}" y2="${pad.top + 12}" stroke="#3498DB" stroke-width="2" stroke-dasharray="6,3"/>
    <text x="${pad.left + 114}" y="${pad.top + 16}" font-size="11" fill="#3498DB">Forecast</text>
    <circle cx="${pad.left + 185}" cy="${pad.top + 12}" r="5" fill="none" stroke="#E74C3C" stroke-width="2"/>
    <text x="${pad.left + 194}" y="${pad.top + 16}" font-size="11" fill="#E74C3C">Anomaly</text>
    <rect x="${pad.left + 255}" y="${pad.top + 6}" width="16" height="12" fill="#3498DB" opacity="0.15" stroke="#3498DB" stroke-width="0.5"/>
    <text x="${pad.left + 275}" y="${pad.top + 16}" font-size="11" fill="#3498DB">Threshold band</text>
  </svg>`;

  const container = htl.html`<div>
    <div>${html`${svg}`}</div>
    <div style="display:grid;grid-template-columns:repeat(3,1fr);gap:1rem;margin-top:1rem;background:var(--bs-light,#f8f9fa);padding:1rem;border-radius:4px;border-left:4px solid #3498DB;">
      <div style="text-align:center;">
        <div style="font-size:1.4rem;font-weight:bold;color:#2C3E50;">ARIMA(${arima_p},${arima_d},${arima_q})</div>
        <div style="font-size:0.85rem;color:#7F8C8D;">Model order</div>
      </div>
      <div style="text-align:center;">
        <div style="font-size:1.4rem;font-weight:bold;color:#3498DB;">${arima_threshold_val.toFixed(1)} kW</div>
        <div style="font-size:0.85rem;color:#7F8C8D;">Threshold (${arima_thresh}x std)</div>
      </div>
      <div style="text-align:center;">
        <div style="font-size:1.4rem;font-weight:bold;color:${detected ? '#E74C3C' : '#16A085'};">${detected ? 'ANOMALY DETECTED' : 'No anomaly'}</div>
        <div style="font-size:0.85rem;color:#7F8C8D;">Injected ${arima_anomaly_val} kW at ${arima_anomaly_hour}:00 (forecast: ${anomaly_point.forecast.toFixed(1)} kW)</div>
      </div>
    </div>
    <div style="font-size:0.85rem;color:#7F8C8D;text-align:center;margin-top:0.5rem;">
      ${arima_p === 0 ? 'No AR component: forecast ignores past values entirely' :
        arima_p === 1 ? 'AR(1): forecast depends on 1 previous value - minimal temporal context' :
        arima_p <= 3 ? 'AR(' + arima_p + '): forecast considers ' + arima_p + ' past values - captures short-term patterns' :
        'AR(4): maximum lookback window - may overfit on short series'}
    </div>
  </div>`;
  return container;
}

14.5 Exponential Smoothing

Core Concept: Weighted average where recent observations have more influence than older ones. Excellent for detecting level shifts and trend changes.

EWMA (Exponentially Weighted Moving Average):

\[\text{EWMA}(t) = \alpha \cdot X(t) + (1 - \alpha) \cdot \text{EWMA}(t-1)\]

Where \(\alpha\) is the smoothing factor (\(0 < \alpha < 1\)):

• \(\alpha = 0.1\): Heavily smoothed, slow to react
• \(\alpha = 0.9\): Light smoothing, fast to react

Use Case: Detecting sudden jumps in vibration, temperature, or current draw.

Interactive: EWMA Alpha Explorer

Adjust the smoothing factor to see how EWMA responds to a step change from a baseline of 22°C to 30°C. Watch how different alpha values trade off detection speed against noise sensitivity.

viewof alpha_ewma = Inputs.range([0.01, 0.95], {value: 0.2, step: 0.01, label: "Smoothing factor (alpha)"})
viewof noise_level = Inputs.range([0.0, 2.0], {value: 0.3, step: 0.1, label: "Sensor noise (°C)"})

{
  const baseline = 22;
  const step_val = 30;
  const step_point = 30;
  const n = 60;

  // Generate data with step change
  const data = [];
  let ewma = baseline;
  let ewma_var = 0;
  const threshold_mult = 3.0;

  for (let i = 0; i < n; i++) {
    const actual = (i < step_point ? baseline : step_val) +
                   (Math.random() - 0.5) * 2 * noise_level;
    const error = actual - ewma;
    ewma = alpha_ewma * actual + (1 - alpha_ewma) * ewma;
    ewma_var = alpha_ewma * error * error + (1 - alpha_ewma) * ewma_var;
    const std = Math.sqrt(ewma_var > 0 ? ewma_var : 0.01);
    const is_anomaly = Math.abs(error) > threshold_mult * std && i > 5;
    data.push({sample: i, actual: actual, ewma: ewma, anomaly: is_anomaly});
  }

  // Calculate detection metrics
  const t63 = -1 / Math.log(1 - alpha_ewma);
  const t95 = 3 * t63;
  const first_detect = data.findIndex(d => d.sample >= step_point && d.anomaly);
  const detect_delay = first_detect >= 0 ? first_detect - step_point : -1;

  const container = htl.html`<div style="background: var(--bs-light, #f8f9fa); border-left: 4px solid #3498DB; padding: 1rem; border-radius: 4px; font-family: sans-serif;">
    <div style="display: grid; grid-template-columns: repeat(3, 1fr); gap: 1rem; margin-bottom: 1rem;">
      <div style="text-align: center;">
        <div style="font-size: 1.5rem; font-weight: bold; color: #2C3E50;">${t63.toFixed(1)}</div>
        <div style="font-size: 0.85rem; color: #7F8C8D;">t<sub>63%</sub> (samples)</div>
      </div>
      <div style="text-align: center;">
        <div style="font-size: 1.5rem; font-weight: bold; color: #E67E22;">${t95.toFixed(1)}</div>
        <div style="font-size: 0.85rem; color: #7F8C8D;">t<sub>95%</sub> (samples)</div>
      </div>
      <div style="text-align: center;">
        <div style="font-size: 1.5rem; font-weight: bold; color: ${detect_delay >= 0 ? '#16A085' : '#E74C3C'};">${detect_delay >= 0 ? detect_delay + ' samples' : 'Not detected'}</div>
        <div style="font-size: 0.85rem; color: #7F8C8D;">Detection delay</div>
      </div>
    </div>
    <div style="font-size: 0.85rem; color: #7F8C8D; text-align: center;">
      ${alpha_ewma < 0.15 ? 'Low alpha: slow response, fewer false alarms from noise' :
        alpha_ewma < 0.4 ? 'Moderate alpha: balanced detection speed and stability' :
        'High alpha: fast response, but sensitive to noise (more false alarms)'}
    </div>
  </div>`;
  return container;
}

Putting Numbers to It

The EWMA response time to a step change is controlled by \(\alpha\). For a sudden shift of magnitude \(\Delta\), the EWMA reaches 63% of the new value after:

\[t_{63\%} = -\frac{1}{\ln(1-\alpha)} \text{ samples}\]

And 95% after approximately \(3 \times t_{63\%}\) samples.

Example: Temperature sensor at 1 sample/minute experiences step from 22°C to 30°C (\(\Delta = 8\)°C, so 95% level = 29.6°C): - \(\alpha = 0.1\): Reaches 95% after \(3 \times 9.5 \approx 29\) minutes - \(\alpha = 0.3\): Reaches 95% after \(3 \times 2.8 \approx 8\) minutes - \(\alpha = 0.7\): Reaches 95% after \(3 \times 0.83 \approx 2.5\) minutes

Trade-off: Higher \(\alpha\) detects changes faster but also generates more false alarms from noise. For IoT with 1% sensor noise, \(\alpha = 0.2\) balances 14-minute detection with 2% false alarm rate.

14.6 Seasonal Decomposition (STL)

Core Concept: Separate time series into Trend, Seasonal, and Residual components (as described in the mechanism above). Anomalies appear as spikes in the residual – the signal that remains after removing all expected patterns.

Implementation:

from statsmodels.tsa.seasonal import seasonal_decompose
import pandas as pd
import numpy as np

# Temperature data with daily seasonality
timestamps = pd.date_range('2024-01-01', periods=168, freq='H')  # 1 week
temps = [20 + 5*np.sin(2*np.pi*i/24) + np.random.normal(0, 0.5)
         for i in range(168)]

# Inject anomaly at hour 100
temps[100] = 35  # Sudden spike

df = pd.DataFrame({'timestamp': timestamps, 'temperature': temps})
df.set_index('timestamp', inplace=True)

# Decompose into trend, seasonal, residual
decomposition = seasonal_decompose(df['temperature'], model='additive', period=24)

# Anomalies are large residuals
residuals = decomposition.resid
threshold = 3 * residuals.std()
anomalies = abs(residuals) > threshold

anomaly_indices = df.index[anomalies]
print(f"Anomalies detected at: {anomaly_indices.tolist()}")
# Output: Anomalies detected at: [Timestamp('2024-01-05 04:00:00')]
# (Hour 100 = day 5, 4:00 AM -- the injected spike)

Try It: STL Decomposition Explorer

Explore how STL (Seasonal-Trend-Loess) decomposition separates a temperature signal into trend, seasonal, and residual components. Adjust the seasonal amplitude, inject an anomaly spike, and see how the anomaly appears clearly in the residual – even when it is hidden in the raw signal.

viewof stl_season_amp = Inputs.range([1, 10], {value: 5, step: 0.5, label: "Seasonal amplitude (°C)"})
viewof stl_noise = Inputs.range([0.0, 2.0], {value: 0.5, step: 0.1, label: "Noise level (°C)"})
viewof stl_anomaly_hour = Inputs.range([0, 167], {value: 100, step: 1, label: "Anomaly injection hour"})
viewof stl_anomaly_mag = Inputs.range([0, 20], {value: 10, step: 0.5, label: "Anomaly magnitude (°C)"})
viewof stl_threshold_mult = Inputs.range([1.5, 5.0], {value: 3.0, step: 0.1, label: "Threshold multiplier (x std)"})

{
  const stl_n = 168; // 7 days x 24 hours
  const stl_period = 24;
  const stl_baseline = 20;

  // Seed-like reproducible random
  function stl_rand(seed) {
    let x = Math.sin(seed * 12.9898 + 78.233) * 43758.5453;
    return x - Math.floor(x);
  }

  // Generate raw signal
  const stl_raw = [];
  const stl_trend_vals = [];
  const stl_seasonal_vals = [];
  const stl_residual_vals = [];

  for (let i = 0; i < stl_n; i++) {
    // Trend: slight linear increase over the week
    const trend = stl_baseline + 0.02 * i;
    // Seasonal: sinusoidal daily pattern
    const seasonal = stl_season_amp * Math.sin(2 * Math.PI * (i % stl_period) / stl_period);
    // Noise
    const noise = (stl_rand(i + 1) - 0.5) * 2 * stl_noise;
    // Anomaly injection
    const anomaly = (i === stl_anomaly_hour) ? stl_anomaly_mag : 0;

    const raw = trend + seasonal + noise + anomaly;
    stl_raw.push(raw);
    stl_trend_vals.push(trend);
    stl_seasonal_vals.push(seasonal);
    stl_residual_vals.push(noise + anomaly);
  }

  // Residual statistics (excluding anomaly point)
  const stl_clean_residuals = stl_residual_vals.filter((_, i) => i !== stl_anomaly_hour);
  const stl_res_std = Math.sqrt(stl_clean_residuals.reduce((a, r) => a + r * r, 0) / stl_clean_residuals.length) || 0.1;
  const stl_threshold = stl_threshold_mult * stl_res_std;

  // Detect anomalies in residuals
  const stl_anomalies = stl_residual_vals.map((r, i) => ({
    hour: i,
    residual: r,
    is_anomaly: Math.abs(r) > stl_threshold
  }));
  const stl_detected_count = stl_anomalies.filter(a => a.is_anomaly).length;
  const stl_injected_detected = stl_anomalies[stl_anomaly_hour].is_anomaly;

  // Chart dimensions
  const sw = 700, sh = 520, sp = {top: 20, right: 20, bottom: 40, left: 55};
  const spw = sw - sp.left - sp.right;

  // Four stacked panels
  const panelH = 100;
  const panelGap = 15;
  const panels = [
    {label: "Raw Signal (°C)", data: stl_raw, color: "#2C3E50"},
    {label: "Trend", data: stl_trend_vals, color: "#16A085"},
    {label: "Seasonal", data: stl_seasonal_vals, color: "#E67E22"},
    {label: "Residual", data: stl_residual_vals, color: "#9B59B6"}
  ];

  let panelsSvg = "";
  for (let p = 0; p < panels.length; p++) {
    const py = sp.top + p * (panelH + panelGap);
    const vals = panels[p].data;
    const vMin = Math.min(...vals) - 1;
    const vMax = Math.max(...vals) + 1;

    const xS = (v) => sp.left + (v / (stl_n - 1)) * spw;
    const yS = (v) => py + panelH - ((v - vMin) / (vMax - vMin)) * panelH;

    // Panel background
    panelsSvg += `<rect x="${sp.left}" y="${py}" width="${spw}" height="${panelH}" fill="#fafafa" stroke="#eee" rx="2"/>`;

    // Label
    panelsSvg += `<text x="${sp.left - 8}" y="${py + 12}" text-anchor="end" font-size="10" fill="${panels[p].color}" font-weight="bold">${panels[p].label}</text>`;

    // Data line
    let path = "";
    for (let i = 0; i < stl_n; i++) {
      path += (i === 0 ? "M" : "L") + `${xS(i)},${yS(vals[i])}`;
    }
    panelsSvg += `<path d="${path}" fill="none" stroke="${panels[p].color}" stroke-width="1.5"/>`;

    // Threshold lines on residual panel
    if (p === 3) {
      panelsSvg += `<line x1="${sp.left}" y1="${yS(stl_threshold)}" x2="${sp.left + spw}" y2="${yS(stl_threshold)}" stroke="#E74C3C" stroke-width="1" stroke-dasharray="4,3"/>`;
      panelsSvg += `<line x1="${sp.left}" y1="${yS(-stl_threshold)}" x2="${sp.left + spw}" y2="${yS(-stl_threshold)}" stroke="#E74C3C" stroke-width="1" stroke-dasharray="4,3"/>`;
      panelsSvg += `<text x="${sp.left + spw + 2}" y="${yS(stl_threshold) + 4}" font-size="9" fill="#E74C3C">+${stl_threshold.toFixed(1)}</text>`;
      panelsSvg += `<text x="${sp.left + spw + 2}" y="${yS(-stl_threshold) + 4}" font-size="9" fill="#E74C3C">-${stl_threshold.toFixed(1)}</text>`;

      // Mark anomalies on residual
      for (const a of stl_anomalies.filter(d => d.is_anomaly)) {
        panelsSvg += `<circle cx="${xS(a.hour)}" cy="${yS(a.residual)}" r="4" fill="#E74C3C" opacity="0.8"/>`;
      }
    }

    // Mark anomaly injection point on raw signal
    if (p === 0 && stl_anomaly_mag > 0) {
      panelsSvg += `<circle cx="${xS(stl_anomaly_hour)}" cy="${yS(stl_raw[stl_anomaly_hour])}" r="5" fill="none" stroke="#E74C3C" stroke-width="2"/>`;
    }

    // Y-axis min/max labels
    panelsSvg += `<text x="${sp.left - 4}" y="${py + panelH}" text-anchor="end" font-size="9" fill="#7F8C8D">${vMin.toFixed(0)}</text>`;
    panelsSvg += `<text x="${sp.left - 4}" y="${py + 12}" text-anchor="end" font-size="9" fill="#7F8C8D">${vMax.toFixed(0)}</text>`;
  }

  // X-axis labels (days)
  let xLabels = "";
  for (let d = 0; d < 7; d++) {
    const x = sp.left + (d * 24 / (stl_n - 1)) * spw;
    xLabels += `<text x="${x}" y="${sp.top + 4 * (panelH + panelGap) + 15}" text-anchor="middle" font-size="10" fill="#7F8C8D">Day ${d + 1}</text>`;
  }

  const svgChart = `<svg viewBox="0 0 ${sw} ${sh}" style="width:100%;max-width:${sw}px;font-family:Arial,sans-serif;">
    ${panelsSvg}
    ${xLabels}
  </svg>`;

  const container = htl.html`<div>
    <div>${html`${svgChart}`}</div>
    <div style="display:grid;grid-template-columns:repeat(4,1fr);gap:0.75rem;margin-top:0.75rem;background:var(--bs-light,#f8f9fa);padding:1rem;border-radius:4px;border-left:4px solid #9B59B6;">
      <div style="text-align:center;">
        <div style="font-size:1.3rem;font-weight:bold;color:#9B59B6;">${stl_res_std.toFixed(2)} °C</div>
        <div style="font-size:0.8rem;color:#7F8C8D;">Residual std dev</div>
      </div>
      <div style="text-align:center;">
        <div style="font-size:1.3rem;font-weight:bold;color:#E74C3C;">${stl_threshold.toFixed(2)} °C</div>
        <div style="font-size:0.8rem;color:#7F8C8D;">Anomaly threshold</div>
      </div>
      <div style="text-align:center;">
        <div style="font-size:1.3rem;font-weight:bold;color:${stl_injected_detected ? '#16A085' : '#E74C3C'};">${stl_injected_detected ? 'Detected' : 'Missed'}</div>
        <div style="font-size:0.8rem;color:#7F8C8D;">Injected anomaly (${stl_anomaly_mag}°C at hr ${stl_anomaly_hour})</div>
      </div>
      <div style="text-align:center;">
        <div style="font-size:1.3rem;font-weight:bold;color:#2C3E50;">${stl_detected_count}</div>
        <div style="font-size:0.8rem;color:#7F8C8D;">Total anomalies flagged</div>
      </div>
    </div>
    <div style="font-size:0.85rem;color:#7F8C8D;text-align:center;margin-top:0.5rem;">
      ${stl_anomaly_mag < stl_threshold ? 'Anomaly magnitude (' + stl_anomaly_mag.toFixed(1) + '°C) is below the threshold (' + stl_threshold.toFixed(1) + '°C) -- increase magnitude or lower the multiplier to detect it' :
        stl_detected_count > 3 ? 'Many detections -- consider raising the threshold multiplier to reduce noise-driven false alarms' :
        'STL successfully isolates the anomaly in the residual component, separating it from trend and seasonal patterns'}
    </div>
  </div>`;
  return container;
}

14.7 Worked Example: HVAC Energy Anomaly Detection with STL

Worked Example: Detecting HVAC Faults via Power Consumption Anomalies

Scenario: Siemens Building Technologies monitors HVAC systems across a 15-story office building in Frankfurt, Germany. Each floor has 4 air handling units (AHUs), totaling 60 AHUs. The facility manager wants automatic detection of AHU faults before they cause comfort complaints or energy waste.

Given:

• 60 AHUs, each with a power meter sampling every 5 minutes (288 readings/day)
• Normal AHU power: 2.5-8.0 kW depending on time of day and season
• Daily pattern: Low overnight (2.5 kW, midnight-5am), ramp-up (5am-8am), peak (8.0 kW, 10am-3pm), ramp-down (3pm-7pm)
• Weekly pattern: ~30% lower on weekends
• Historical data: 6 months (26 weeks), confirmed faults logged by maintenance team
• Known fault types: stuck damper (sustained high power), refrigerant leak (gradual efficiency loss), fan belt slip (erratic power spikes)

Step 1 – Apply STL decomposition to separate normal patterns:

For a single AHU (Floor 7, Unit B), decompose 6 months of data:

Component	What It Captures	Typical Range
Trend	Gradual seasonal shift (summer = higher baseline)	3.5 kW (winter) to 5.2 kW (summer)
Daily seasonality	Business-hours cycle	+/-2.5 kW swing
Weekly seasonality	Weekend reduction	-1.5 kW on Sat/Sun
Residual	Unexplained variation – anomalies live here	+/-0.3 kW normally

Step 2 – Establish residual thresholds from clean history:

From the first 4 months (no known faults): - Residual mean: 0.0 kW (by construction) - Residual standard deviation: 0.28 kW - Anomaly threshold: |residual| > 3 x 0.28 = 0.84 kW

Step 3 – Detect three real fault types:

Fault	Floor/Unit	Residual Pattern	Detection Time	Without STL
Stuck damper	7B	Sustained +1.2 kW for 48 hours	2 hours after onset	14 hours (masked by daily cycle)
Refrigerant leak	3A	Gradual increase: +0.1 kW/week for 6 weeks	Week 3 (residual trend)	Week 8 (not caught until comfort complaint)
Fan belt slip	12D	Erratic spikes of +2.0 to +3.5 kW every 15-30 min	15 minutes after first spike	15 minutes (obvious spike)

Step 4 – Calculate value of early detection:

Fault Type	Without Detection	With STL Detection	Savings per Incident
Stuck damper	14h wasted energy at 1.2 kW = 16.8 kWh (EUR 5)	2h = 2.4 kWh (EUR 0.70)	EUR 4.30
Refrigerant leak	5 weeks excess: 840 kWh (EUR 252) + EUR 1,200 compressor damage	3 weeks: 504 kWh (EUR 151)	EUR 1,301
Fan belt failure	Emergency call-out: EUR 800	Scheduled repair: EUR 200	EUR 600

Over 60 AHUs with an average of 8 faults/year: estimated annual savings of EUR 15,000-25,000 in energy and maintenance costs.

Result: STL decomposition detects stuck dampers 7x faster than fixed thresholds and catches refrigerant leaks 5 weeks earlier than complaint-driven maintenance. The residual-based approach works because it isolates faults from the expected daily/weekly/seasonal patterns that would otherwise mask gradual degradation.

Key Insight: For HVAC anomaly detection, the biggest win is not catching sudden failures (those are obvious) but detecting gradual efficiency losses that waste energy silently. A 10% refrigerant leak increases energy consumption by 20% but the absolute power change is small enough to hide within normal daily variation. STL decomposition separates the signal from the noise.

14.8 Method Comparison

Comparison of Time-Series Methods:

Method	Strength	Limitation	Best IoT Use Case
ARIMA	Captures complex temporal patterns	Requires stationarity, computationally expensive	Predictable systems (HVAC, production lines)
Exponential Smoothing	Fast, simple, adapts to level changes	Misses complex patterns	Real-time edge detection (motor current)
STL Decomposition	Handles seasonality explicitly	Needs full cycles of data (>=2 seasons)	Environmental monitoring (temp, humidity)

Pitfall: Using Static Thresholds for Dynamic Systems

The Mistake: Setting fixed anomaly detection thresholds (e.g., “alert if temperature > 80°C”) based on initial observations, then leaving them unchanged as the system operates over months or years.

Why It Happens: Static thresholds are simple to implement and understand. Initial calibration produces reasonable results, creating false confidence. Gradual changes in “normal” baseline go unnoticed, and recalibration requires effort that gets deprioritized.

The Fix: Implement adaptive thresholds that evolve with system behavior:

1. Rolling baseline: Calculate thresholds based on recent history (e.g., last 7 days) rather than historical constants. Use exponentially weighted moving averages (EWMA) with decay factor 0.94-0.99 depending on expected change rate.

2. Contextual thresholds: Maintain separate thresholds for different operating modes - a motor at full load has different “normal” vibration than at idle. Use clustering to automatically discover operating modes from historical data.

3. Scheduled recalibration: For slow-drifting systems, automatically recalibrate monthly using unsupervised methods (rebuild IQR bounds, recompute seasonal decomposition).

4. Anomaly rate monitoring: If your system suddenly detects 10x more anomalies than baseline, investigate whether something changed in the environment OR if your thresholds have drifted out of calibration.

A factory motor that operated at 75°C for 2 years may run at 82°C after maintenance - that’s not an anomaly, it’s a new normal.

For Kids: Meet the Sensor Squad!

Sammy the Sensor had a mystery to solve. He was watching the temperature in a smart greenhouse, and something strange was happening.

“Max!” Sammy called. “The temperature is 28 degrees. Is that normal?”

Max the Microcontroller checked the clock. “It is 2 PM on a sunny day. 28 degrees is perfectly normal for this time!”

Later that night, Sammy reported 28 degrees again. Max jumped up. “Wait – it is 2 AM now! 28 degrees in the middle of the night? That is NOT normal! Something is wrong!”

Lila the LED was confused. “But the number is the same! How can 28 degrees be normal at one time and weird at another?”

“That is what makes time-series detection so cool,” Max explained. “It is not just about the NUMBER – it is about WHEN the number happens. I keep a mental calendar of what temperatures should look like at each hour. During the day, it is warm. At night, it should cool down. When it does not follow the pattern, I know something is off.”

They investigated and found that a heating vent was stuck open! Without time-series awareness, they would have missed it entirely because 28 degrees looked perfectly fine on its own.

Bella the Battery added: “It is like if you saw someone wearing a winter coat. Normal in January, weird in July – same coat, different context!”

Key lesson: Time-series methods detect anomalies based on WHEN something happens, not just what the value is. A normal value at the wrong time can be just as important as an obviously strange reading!

Try It: Exponential Smoothing Anomaly Detector

Build an EWMA-based anomaly detector in pure Python (no external libraries). This demonstrates how exponential smoothing catches level shifts and spikes in IoT sensor data.

import math
import random

class EWMADetector:
    """Exponentially Weighted Moving Average anomaly detector."""

    def __init__(self, alpha=0.1, threshold_std=3.0):
        self.alpha = alpha
        self.threshold_std = threshold_std
        self.ewma = None
        self.ewma_var = None  # Track variance for adaptive threshold
        self.count = 0

    def update(self, value):
        """Process new value, return (is_anomaly, ewma, threshold)."""
        if self.ewma is None:
            self.ewma = value
            self.ewma_var = 0.0
            self.count = 1
            return False, value, 0.0

        self.count += 1

        # Predict: current EWMA is our forecast
        forecast = self.ewma
        error = value - forecast

        # Update EWMA
        self.ewma = self.alpha * value + (1 - self.alpha) * self.ewma

        # Update variance estimate (EWMA of squared errors)
        self.ewma_var = (self.alpha * error**2 +
                         (1 - self.alpha) * self.ewma_var)
        std = math.sqrt(self.ewma_var) if self.ewma_var > 0 else 1.0

        # Anomaly if error exceeds threshold
        threshold = self.threshold_std * std
        is_anomaly = abs(error) > threshold and self.count > 10

        return is_anomaly, forecast, threshold

# === Simulate IoT temperature sensor with anomalies ===
random.seed(42)

# Normal: ~22C with small noise, daily cycle
readings = []
for hour in range(72):  # 3 days, hourly
    daily_cycle = 3 * math.sin(2 * math.pi * (hour % 24) / 24)
    noise = random.gauss(0, 0.3)
    temp = 22 + daily_cycle + noise
    readings.append(("normal", temp))

# Inject anomalies
anomaly_hours = {
    24: ("spike", 35.0),       # Heater malfunction at hour 24
    48: ("drop", 8.0),         # Window left open at hour 48
    60: ("gradual", None),     # Gradual drift starts at hour 60
}

for i, (label, temp) in enumerate(readings):
    if i in anomaly_hours:
        atype, aval = anomaly_hours[i]
        if atype == "spike":
            readings[i] = ("SPIKE", aval)
        elif atype == "drop":
            readings[i] = ("DROP", aval)
    if i >= 60:  # Gradual drift
        drift = 0.5 * (i - 60)
        old_label, old_temp = readings[i]
        if old_label == "normal":
            readings[i] = ("drift" if drift > 2 else "normal",
                           old_temp + drift)

# Run detector with two different alpha values
print("=== EWMA Anomaly Detection: Alpha Comparison ===\n")

for alpha in [0.1, 0.3]:
    detector = EWMADetector(alpha=alpha, threshold_std=3.0)
    detected = []

    print(f"Alpha = {alpha} ({'slow response' if alpha < 0.2 else 'fast response'})")
    print(f"{'Hour':>4} {'Label':>7} {'Value':>7} {'EWMA':>7} "
          f"{'Thresh':>7} {'Alert':>6}")
    print("-" * 46)

    for hour, (label, value) in enumerate(readings):
        is_anomaly, ewma, threshold = detector.update(value)
        if is_anomaly:
            detected.append((hour, label, value))

        # Print key moments
        if is_anomaly or hour % 12 == 0 or label != "normal":
            alert = "***" if is_anomaly else ""
            print(f"{hour:4d} {label:>7} {value:7.1f} {ewma:7.1f} "
                  f"{threshold:7.1f} {alert:>6}")

    print(f"  Total anomalies detected: {len(detected)}")
    true_pos = sum(1 for _, l, _ in detected if l != "normal")
    false_pos = sum(1 for _, l, _ in detected if l == "normal")
    print(f"  True positives:  {true_pos}")
    print(f"  False positives: {false_pos}\n")

print("Key insight: Lower alpha (0.1) has smoother baseline but "
      "slower response to real changes.\n"
      "Higher alpha (0.3) catches anomalies faster but may "
      "generate more false positives.\n"
      "Choose alpha based on how quickly 'normal' changes in your system.")

What to Observe:

• The spike at hour 24 (35C vs ~22C baseline) is caught immediately by both alpha values
• The drop at hour 48 (8C) is also detected clearly – any sudden deviation triggers the detector
• The gradual drift starting at hour 60 is harder to catch: alpha=0.1 detects it later because EWMA adapts slowly
• Alpha=0.3 catches drift sooner but may have more false positives from the daily temperature cycle
• The trade-off between sensitivity and specificity is controlled by alpha and threshold_std

Try It: EWMA Alpha Comparison Dashboard

Compare two EWMA detectors side by side with different alpha values. Inject a spike, a drop, and a gradual drift into a simulated temperature signal and see how detection speed and false alarm rates differ. This directly illustrates the sensitivity-specificity trade-off.

viewof ewma_alpha_a = Inputs.range([0.01, 0.5], {value: 0.1, step: 0.01, label: "Alpha A (slow)"})
viewof ewma_alpha_b = Inputs.range([0.01, 0.5], {value: 0.3, step: 0.01, label: "Alpha B (fast)"})
viewof ewma_spike_mag = Inputs.range([0, 20], {value: 13, step: 0.5, label: "Spike magnitude (°C above baseline)"})
viewof ewma_drop_mag = Inputs.range([0, 20], {value: 14, step: 0.5, label: "Drop magnitude (°C below baseline)"})
viewof ewma_drift_rate = Inputs.range([0.0, 1.0], {value: 0.5, step: 0.05, label: "Drift rate (°C/hour from hour 60)"})
viewof ewma_cmp_thresh = Inputs.range([1.5, 5.0], {value: 3.0, step: 0.1, label: "Threshold (x std)"})

{
  const n_cmp = 72; // 3 days hourly
  const cmp_baseline = 22;
  const spike_hour = 24;
  const drop_hour = 48;
  const drift_start = 60;

  // Reproducible pseudo-random
  function cmp_rng(s) {
    let x = Math.sin(s * 9.8765 + 43.21) * 43758.5453;
    return (x - Math.floor(x)) - 0.5;
  }

  // Generate signal
  const cmp_signal = [];
  for (let i = 0; i < n_cmp; i++) {
    const daily = 3 * Math.sin(2 * Math.PI * (i % 24) / 24);
    const noise = cmp_rng(i + 7) * 0.6;
    let val = cmp_baseline + daily + noise;
    if (i === spike_hour) val = cmp_baseline + ewma_spike_mag;
    if (i === drop_hour) val = cmp_baseline - ewma_drop_mag;
    if (i >= drift_start) val += ewma_drift_rate * (i - drift_start);
    cmp_signal.push(val);
  }

  // Run EWMA detector
  function runEwma(alpha) {
    let ewma = cmp_signal[0];
    let ewma_var = 0;
    const results = [];
    for (let i = 0; i < n_cmp; i++) {
      const error = cmp_signal[i] - ewma;
      ewma = alpha * cmp_signal[i] + (1 - alpha) * ewma;
      ewma_var = alpha * error * error + (1 - alpha) * ewma_var;
      const std = Math.sqrt(ewma_var > 0 ? ewma_var : 0.01);
      const thresh = ewma_cmp_thresh * std;
      const is_anom = Math.abs(error) > thresh && i > 5;
      results.push({hour: i, val: cmp_signal[i], ewma, error, thresh, is_anom});
    }
    return results;
  }

  const resA = runEwma(ewma_alpha_a);
  const resB = runEwma(ewma_alpha_b);

  // Stats
  function calcStats(res, label) {
    const anomalies = res.filter(r => r.is_anom);
    const trueAnomalyHours = new Set([spike_hour, drop_hour]);
    // Also count drift hours as true anomalies
    for (let i = drift_start; i < n_cmp; i++) {
      if (ewma_drift_rate * (i - drift_start) > 2) trueAnomalyHours.add(i);
    }
    const tp = anomalies.filter(a => trueAnomalyHours.has(a.hour)).length;
    const fp = anomalies.filter(a => !trueAnomalyHours.has(a.hour)).length;
    // Detection delay for spike
    const spikeDetect = res.findIndex(r => r.hour >= spike_hour && r.is_anom);
    const spikeDelay = spikeDetect >= 0 ? res[spikeDetect].hour - spike_hour : -1;
    return {total: anomalies.length, tp, fp, spikeDelay};
  }

  const statsA = calcStats(resA, "A");
  const statsB = calcStats(resB, "B");

  // Draw two-panel SVG
  const cw = 700, ch = 360, cp = {top: 25, right: 20, bottom: 40, left: 55};
  const cpw = cw - cp.left - cp.right;
  const panelH_cmp = 140;
  const panelGap_cmp = 30;

  const allVals_cmp = cmp_signal.concat(resA.map(r => r.ewma), resB.map(r => r.ewma));
  const yMin_cmp = Math.min(...allVals_cmp) - 2;
  const yMax_cmp = Math.max(...allVals_cmp) + 2;

  function drawPanel(res, alpha, panelY, label, color) {
    const xS = (v) => cp.left + (v / (n_cmp - 1)) * cpw;
    const yS = (v) => panelY + panelH_cmp - ((v - yMin_cmp) / (yMax_cmp - yMin_cmp)) * panelH_cmp;

    let svg = `<rect x="${cp.left}" y="${panelY}" width="${cpw}" height="${panelH_cmp}" fill="#fafafa" stroke="#eee" rx="2"/>`;

    // Title
    svg += `<text x="${cp.left + 5}" y="${panelY - 5}" font-size="11" fill="${color}" font-weight="bold">${label} (alpha=${alpha})</text>`;

    // Signal line
    let sigPath = "";
    for (let i = 0; i < n_cmp; i++) {
      sigPath += (i === 0 ? "M" : "L") + `${xS(i)},${yS(cmp_signal[i])}`;
    }
    svg += `<path d="${sigPath}" fill="none" stroke="#7F8C8D" stroke-width="1" opacity="0.5"/>`;

    // EWMA line
    let ewmaPath = "";
    for (let i = 0; i < n_cmp; i++) {
      ewmaPath += (i === 0 ? "M" : "L") + `${xS(i)},${yS(res[i].ewma)}`;
    }
    svg += `<path d="${ewmaPath}" fill="none" stroke="${color}" stroke-width="2"/>`;

    // Anomaly markers
    for (const r of res.filter(r => r.is_anom)) {
      svg += `<circle cx="${xS(r.hour)}" cy="${yS(r.val)}" r="5" fill="#E74C3C" opacity="0.7"/>`;
    }

    // Event markers
    svg += `<line x1="${xS(spike_hour)}" y1="${panelY}" x2="${xS(spike_hour)}" y2="${panelY + panelH_cmp}" stroke="#E74C3C" stroke-width="0.5" stroke-dasharray="3,2"/>`;
    svg += `<line x1="${xS(drop_hour)}" y1="${panelY}" x2="${xS(drop_hour)}" y2="${panelY + panelH_cmp}" stroke="#3498DB" stroke-width="0.5" stroke-dasharray="3,2"/>`;
    svg += `<line x1="${xS(drift_start)}" y1="${panelY}" x2="${xS(drift_start)}" y2="${panelY + panelH_cmp}" stroke="#E67E22" stroke-width="0.5" stroke-dasharray="3,2"/>`;

    // Y-axis ticks
    const yStep_cmp = Math.ceil((yMax_cmp - yMin_cmp) / 4);
    for (let v = Math.ceil(yMin_cmp); v <= yMax_cmp; v += yStep_cmp) {
      svg += `<text x="${cp.left - 4}" y="${yS(v) + 3}" text-anchor="end" font-size="9" fill="#7F8C8D">${v.toFixed(0)}</text>`;
      svg += `<line x1="${cp.left}" y1="${yS(v)}" x2="${cp.left + cpw}" y2="${yS(v)}" stroke="#eee" stroke-width="0.5"/>`;
    }

    return svg;
  }

  const panelA_svg = drawPanel(resA, ewma_alpha_a, cp.top, "Detector A", "#16A085");
  const panelB_svg = drawPanel(resB, ewma_alpha_b, cp.top + panelH_cmp + panelGap_cmp, "Detector B", "#E67E22");

  // X-axis
  let xAxis = "";
  for (let h = 0; h < n_cmp; h += 12) {
    const x = cp.left + (h / (n_cmp - 1)) * cpw;
    xAxis += `<text x="${x}" y="${cp.top + 2 * (panelH_cmp + panelGap_cmp) + 5}" text-anchor="middle" font-size="10" fill="#7F8C8D">${h}h</text>`;
  }

  // Legend
  const legY = cp.top + 2 * (panelH_cmp + panelGap_cmp) + 18;
  const legend = `
    <line x1="${cp.left}" y1="${legY}" x2="${cp.left + 15}" y2="${legY}" stroke="#7F8C8D" stroke-width="1" opacity="0.5"/>
    <text x="${cp.left + 18}" y="${legY + 3}" font-size="9" fill="#7F8C8D">Signal</text>
    <line x1="${cp.left + 60}" y1="${legY}" x2="${cp.left + 75}" y2="${legY}" stroke="#16A085" stroke-width="2"/>
    <text x="${cp.left + 78}" y="${legY + 3}" font-size="9" fill="#16A085">EWMA A</text>
    <line x1="${cp.left + 125}" y1="${legY}" x2="${cp.left + 140}" y2="${legY}" stroke="#E67E22" stroke-width="2"/>
    <text x="${cp.left + 143}" y="${legY + 3}" font-size="9" fill="#E67E22">EWMA B</text>
    <circle cx="${cp.left + 190}" cy="${legY}" r="4" fill="#E74C3C" opacity="0.7"/>
    <text x="${cp.left + 197}" y="${legY + 3}" font-size="9" fill="#E74C3C">Anomaly</text>
    <line x1="${cp.left + 250}" y1="${legY - 5}" x2="${cp.left + 250}" y2="${legY + 5}" stroke="#E74C3C" stroke-width="0.5" stroke-dasharray="3,2"/>
    <text x="${cp.left + 253}" y="${legY + 3}" font-size="9" fill="#E74C3C">Spike</text>
    <line x1="${cp.left + 290}" y1="${legY - 5}" x2="${cp.left + 290}" y2="${legY + 5}" stroke="#3498DB" stroke-width="0.5" stroke-dasharray="3,2"/>
    <text x="${cp.left + 293}" y="${legY + 3}" font-size="9" fill="#3498DB">Drop</text>
    <line x1="${cp.left + 325}" y1="${legY - 5}" x2="${cp.left + 325}" y2="${legY + 5}" stroke="#E67E22" stroke-width="0.5" stroke-dasharray="3,2"/>
    <text x="${cp.left + 328}" y="${legY + 3}" font-size="9" fill="#E67E22">Drift start</text>
  `;

  const svgFull = `<svg viewBox="0 0 ${cw} ${ch}" style="width:100%;max-width:${cw}px;font-family:Arial,sans-serif;">
    ${panelA_svg}
    ${panelB_svg}
    ${xAxis}
    ${legend}
  </svg>`;

  const container = htl.html`<div>
    <div>${html`${svgFull}`}</div>
    <div style="display:grid;grid-template-columns:1fr 1fr;gap:1rem;margin-top:0.75rem;">
      <div style="background:var(--bs-light,#f8f9fa);padding:0.75rem;border-radius:4px;border-left:4px solid #16A085;">
        <div style="font-weight:bold;color:#16A085;margin-bottom:0.4rem;">Detector A (alpha=${ewma_alpha_a})</div>
        <div style="font-size:0.85rem;color:#2C3E50;">
          Anomalies flagged: <strong>${statsA.total}</strong><br/>
          True positives: <strong style="color:#16A085;">${statsA.tp}</strong> | False positives: <strong style="color:#E74C3C;">${statsA.fp}</strong><br/>
          Spike detection delay: <strong>${statsA.spikeDelay >= 0 ? statsA.spikeDelay + ' hour(s)' : 'Not detected'}</strong>
        </div>
      </div>
      <div style="background:var(--bs-light,#f8f9fa);padding:0.75rem;border-radius:4px;border-left:4px solid #E67E22;">
        <div style="font-weight:bold;color:#E67E22;margin-bottom:0.4rem;">Detector B (alpha=${ewma_alpha_b})</div>
        <div style="font-size:0.85rem;color:#2C3E50;">
          Anomalies flagged: <strong>${statsB.total}</strong><br/>
          True positives: <strong style="color:#16A085;">${statsB.tp}</strong> | False positives: <strong style="color:#E74C3C;">${statsB.fp}</strong><br/>
          Spike detection delay: <strong>${statsB.spikeDelay >= 0 ? statsB.spikeDelay + ' hour(s)' : 'Not detected'}</strong>
        </div>
      </div>
    </div>
    <div style="font-size:0.85rem;color:#7F8C8D;text-align:center;margin-top:0.5rem;">
      ${ewma_alpha_a < ewma_alpha_b ?
        (statsA.fp > statsB.fp ? 'Surprisingly, the slower detector (A) has more false positives -- try adjusting the threshold' :
         statsB.fp > statsA.fp ? 'Higher alpha (B) reacts faster but generates more false positives -- the classic speed vs accuracy trade-off' :
         'Both detectors have similar false positive rates at this threshold level') :
        'Alpha A is higher than Alpha B -- swap them to see the expected fast-vs-slow comparison'}
    </div>
  </div>`;
  return container;
}

Concept Relationships

How These Concepts Connect:

• Contextual vs point anomalies: Time-series methods distinguish “wrong value” from “wrong value at wrong time” – statistical methods cannot
• Forecast-based vs decomposition-based: ARIMA predicts next value (forecast error = anomaly), STL removes patterns first (residual spikes = anomalies)
• Seasonality removal prevents false alarms: Without STL, daily temperature swings would trigger alerts; STL isolates deviations from expected cycles
• Method selection by pattern complexity: EWMA for simple baselines, ARIMA for autocorrelation, STL for strong seasonal patterns

See Also

Foundation Concepts:

• Anomaly Types - Time-series methods target contextual anomalies (context = time)
• Statistical Methods - When point-in-time analysis is sufficient vs needing temporal context

When Time-Series Methods Shine:

• HVAC Energy Anomalies - Strong daily/weekly patterns requiring STL decomposition
• Seasonal Patterns - Detecting and handling periodic variations

Advanced Temporal Techniques:

• Machine Learning Methods - LSTM autoencoders for complex temporal sequences
• Fourier Analysis - Detecting periodic anomalies in frequency space

Deployment and Operations:

• Real-Time Pipelines - Where time-series detection fits (usually fog layer, not edge)
• Performance Metrics - Evaluating time-series detector accuracy

Domain Applications:

• Predictive Maintenance - Vibration pattern changes over time
• Smart Grid - Power consumption patterns with diurnal cycles

Interactive Quiz: Match Concepts

Interactive Quiz: Sequence the Steps

Common Pitfalls

1. Applying ARIMA to non-stationary data without differencing

ARIMA requires a constant mean. A gradually rising temperature baseline will cause ARIMA to systematically underestimate future values, generating endless false positives. Always apply the Augmented Dickey-Fuller test first.

2. Using a fixed forecast-error threshold across seasons

A threshold calibrated on summer data will trigger false alarms in winter when natural variance is higher. Fit separate thresholds per season or use adaptive percentile-based bounds.

3. Ignoring computational cost of ARIMA on embedded devices

ARIMA fitting is expensive and requires matrix operations unsuitable for microcontrollers. Use exponential smoothing (O(1) memory) at the edge; reserve ARIMA for gateway or cloud tiers.

4. Not accounting for missing data in time-series models

Sensor dropouts break the equal-time-step assumption of ARIMA. Impute missing values before fitting any time-series model to avoid corrupted parameter estimates.

Label the Diagram

14.9 Summary

Time-series methods excel at detecting contextual anomalies where temporal patterns matter:

• ARIMA: Forecast-based detection for complex temporal patterns
• Exponential Smoothing: Fast level-shift detection at the edge
• STL Decomposition: Separates seasonality to isolate true anomalies

Key Takeaway: Use time-series methods when “normal” depends on when the reading occurred. Statistical methods miss these contextual patterns.

14.10 What’s Next

If you want to…	Read this
Apply statistical methods for non-seasonal anomalies	Statistical Methods
Use ML for multivariate and collective anomalies	Machine Learning Approaches
Build an end-to-end detection pipeline	Detection Pipelines
Evaluate with appropriate imbalanced-data metrics	Performance Metrics
Return to the module overview	Anomaly Detection Overview