An Operational Guide to Monitorability

Monitorability delineates what properties can be verified at runtime. Although many monitorability definitions exist, few are defined explicitly in terms of the guarantees provided by monitors, i.e., the computational entities carrying out the verification. We view monitorability as a spectrum: the fewer monitor guarantees that are required, the more properties become monitorable. We present a monitorability hierarchy and provide operational and syntactic characterisations for its levels. Existing monitorability definitions are mapped into our hierarchy, providing a unified framework that makes the operational assumptions and guarantees of each definition explicit. This provides a rigorous foundation that can inform design choices and correctness claims for runtime verification tools.


Introduction
Runtime Verification (RV) [15] is a lightweight verification technique that checks for a specification by analysing the current execution exhibited by the system under scrutiny. Despite its merits, the technique is limited in certain respects: any sufficiently expressive specification language contains properties that cannot be monitored at runtime [2,5,22,29,35,45,47]. For instance, the satisfaction of a safety property ("bad things never happen") cannot, in general, be determined by observing the (finite) behaviour of a program up to the current execution point; its violation, however, can. Monitorability [15,47] concerns itself with the delineation between properties that are monitorable and those that are not.
Besides its importance from a foundational perspective, monitorability is paramount for a slew of RV tools, such as those described in [12,20,27,46,48], that synthesise monitors from specifications expressed in a variety of logics. These monitors are executed with the system under scrutiny to produce verdicts concerning the satisfaction or violation of the specifications from which they were synthesised. Monitorability is crucial for a principled approach to the construction of RV tools: It defines, either explicitly or implicitly, a notion of monitor correctness [32,33,36,44], which then guides the automated synthesis of monitors from specifications. It also delimits the monitorable fragment of the specification logic on which the synthesis is defined; monitors need not be synthesised for non-monitorable specifications. In some settings, a syntactic characterisation of monitorable properties can be identified [1,5,35], and used as a core calculus for studying optimisations of the synthesis algorithm. More broadly, monitorability boundaries may assist in the design of the monitoring set-up, and guide the design of hybrid verification strategies, which combine RV with other verification techniques (see the work in [2] for an example of this approach). We therefore emphasize the separation of concerns between the specification of a correctness property on the one hand, and the method(s) used to verify it on the other [35].
In spite of its importance, there is no generally accepted notion of monitorability to date. The literature contains a number of definitions, such as the ones proposed in [5,17,30,35,37,47]. These differ in aspects such as the adopted specification formalism, e.g., LTL, Streett automata, recHML etc., the operational model, e.g., testers, automata, process calculi etc., and the semantic domain, e.g., infinite traces, finite and infinite (finfinite) traces or labelled transition systems. Even after these differences are normalised, many of these definitions are not in agreement: there are properties that are monitorable according to some definitions but not monitorable according to others. More alarmingly, as we will show, frequently cited definitions of monitorability by Falcone et al. [30] contain serious errors.
Example 1.1 Consider the runtime verification of a system exhibiting (only) three events over finfinite traces: failure (f), success (s) and recovery (r). One property we may require is that "failure never occurs and eventually success is reached", otherwise expressed in LTL fashion as (G ¬f) ∧ (F s). According to the definition of monitorability attributed to Pnueli and Zaks [47] (discussed in Sec. 7), this property is monitorable. However, it is not monitorable according to others, including Schneider [50], Viswanathan and Kim [53], and Aceto et al. [5], whose definition of monitorability coincides with some subset of safety properties.
This discrepancy between definitions raises the question of which one to adopt when designing and implementing an RV tool, and what effect this choice has on the behaviour of the resulting tool. A difficulty in informing this choice is that few definitions make explicit the relationship between the operational model, i.e., the behaviour of a monitor, and the monitored properties. In other words, it is not clear what the guarantees provided by the various monitors mentioned in the literature are, and how they differ from each other. Yet, this is key in designing a monitoring set-up. For example, if a monitor is used to check that the input of a critical component, produced by an untrusted third-party component, satisfies some boundary conditions, then it is important that all violations are identified. On the other hand, if runtime monitoring is used as a best-effort attempt to catch bugs without model checking, then weaker guarantees can suffice.
Contributions. To our mind, this state of the art is unsatisfactory for tool construction. More concretely, an RV tool broadly relies on the following ingredients: 1. the input of the tool in terms of the formalism used to describe the specification properties; 2. the executable description of monitors that are the tool's output and 3. the mapping between the inputs and outputs, i.e., the synthesis function of monitors from specifications.
Any account of monitorability should, in our view, shed light on those three aspects, particularly on what it means for the synthesis function and the monitors it produces to be correct. This involves establishing the relationship between the truth value of a specification, given by a two-valued semantics, and what the runtime analysis tells us about it, given by the operational behaviour exhibited by the monitor; ideally, the specification and operational descriptions should also be described independently of one another, in order to ensure the aforementioned separation of concerns. In addition, any account of monitorability should also be flexible enough to incorporate a variety of relationships between specification properties and the expected behaviour of monitors. This is essential for it to be of use to tool implementors, acting as a principled foundation to guide their design decisions.
For these reasons, we take the view that monitorability comes on a spectrum. There is a trade-off between the guarantees provided by monitors and the properties that can be monitored with those guarantees. We argue that considering different requirements gives rise to a hierarchy of monitorability, depicted in Fig. 1.1 (middle), which classifies properties according to what types of guarantees RV can give for them. At one extreme, anything can be monitored if the only requirement is for monitors to be sound, that is, their verdicts should not contradict the monitored specification. However, monitors that are just sound give no guarantees of ever giving a verdict. More usefully, informatively monitorable properties enjoy monitors that reach a verdict for some finite execution; arguably, this is the minimum requirement for making monitoring potentially worthwhile. Informatively monitorable properties can be further categorised into those informatively monitorable for violations and those informatively monitorable for satisfaction. More stringent requirements can demand this capability to be invariant over monitor executions, i.e., a monitor never reaches a state where it cannot provide a verdict; then we speak of persistently informative monitors. Requiring a specific verdict to always be reachable further refines this class into persistently rejecting and persistently accepting monitors. Adding completeness requirements of different strengths, such as the requirement that a monitor should be able to identify all failures and/or satisfactions, yields stronger definitions of monitorability: partial, satisfaction or violation complete, and complete. Our first contribution is to define this hierarchy of monitorability, depicted in Fig. 1.1 (middle). In order not to favour a specific operational model, the hierarchy is cast in terms of abstract behavioural requirements for monitors, and is not restricted to regular properties.
We then provide an instantiation that concretises those requirements into an operational hierarchy, establishing operational counterparts for each type of monitorability over regular properties. To this end, we use the operational framework developed in [5], that uses finite-state monitors and in which partial and complete monitorability were already defined. We show this framework to be, in a suitable technical sense, maximally general (Thm. 4.4) for regular properties. This shows that our work is equally applicable to other operational models for monitoring regular properties.
In order for a tool to synthesise monitors from specifications, it is useful to have syntactic characterisations of the properties that are monitorable with the required guarantees: synthesis can then directly operate on the syntactic fragment. Our second contribution is to provide monitorability characterisations as fragments of recHML [8,43] (a variant of the modal µ-calculus [40]) interpreted over finfinite traces (see Fig. 1.1 (right)). This logic is expressive enough to capture all regular properties, the focus of nearly all existing definitions of monitorability, and subsumes more user-friendly but less expressive specification logics such as LTL. Partial and complete monitorability already enjoy monitor synthesis functions and neat syntactic characterisations in recHML [5]; related synthesis functions based on syntactic characterisations for a branching-time setting [34,35] have already been implemented in a tool [11,12]. Here, we provide the missing syntactic characterisations for informative and persistently informative monitorability as well as their violation and satisfaction refinements. Note that we work in the finfinite domain, where executions can be finite or infinite, like Falcone et al. did in [30]. This setting is a natural one when it comes to monitoring, as it does not make the potentially unrealistic assumption that executions never stall, deadlock, or otherwise remain silent with respect to the events that are monitored. This gives our result more generality than restricting ourselves to the infinite domain.
Finally, we show that the proposed hierarchy accounts for existing notions of monitorability. See Fig. 1.1 (left). Safety, co-safety and their union correspond to partial monitorability and its two components, satisfaction- and violation-monitorability; Pnueli and Zaks's definition of monitorability can be interpreted in two ways, of which one (∃pz) maps to informative monitorability, and the other (∀pz) to persistently informative monitorability. We also show that the definitions of monitorability proposed by Falcone et al. [30], contrary to their claim, do not coincide with safety and co-safety properties. To summarise, our principal contributions are: 1. A unified operational perspective on existing notions of monitorability, clarifying what operational guarantees each provides, see Thms. 3.1, 6.1 and 7.1; 2. An extension of the syntactic characterisations of monitorable classes from [5], mapping all of these classes to fragments in recHML, which can be viewed as a target byte-code for higher-level logics, see Thms. 5.2 and 5.3.
This article extends the conference version [6]. The main technical novelty here is the logical characterisation of persistently informative monitorability. Furthermore, we refine the monitorability hierarchy by treating informative monitorability and persistently informative monitorability for satisfaction and violation as monitorability classes in their own right (with corresponding logical characterisations). Furthermore, we have added detailed proofs, extended examples and improved explanations.
Roadmap. We start by defining notation for traces and properties in the finfinite domain in Sec. 2. We then define the monitorability hierarchy for properties over finfinite traces in Sec. 3, and instantiate it with concrete operational semantics in Sec. 4 for regular properties. In Sec. 5 we give syntactic characterisations of each level of our hierarchy. In Secs. 6 and 7 we show how existing notions of monitorability embed into our hierarchy and discuss a serious error in Falcone et al.'s notion of monitorability. Finally, before concluding, in Sec. 8 we discuss other notions of monitorability and how changing various aspects of the framework, such as the trace domain or the definition of monitors, affects the resulting monitorability hierarchy.

Preliminaries
Traces. We assume a finite set of actions, a, b, ... ∈ Act. The metavariables t, u ∈ Act^ω range over infinite sequences of actions. Finite traces, denoted as s, r ∈ Act^*, represent finite prefixes of system runs. We also find it useful to denote sets of finite traces, S ⊆ Act^*. Collectively, finite and infinite traces in the set Act^∞ = Act^ω ∪ Act^* are called finfinite traces. We use f, g ∈ Act^∞ to range over finfinite traces and F ⊆ Act^∞ to range over sets of finfinite traces. A (finfinite) trace with action a at its head is denoted as af. Similarly, a (finfinite) trace with a prefix s and continuation f is denoted as sf. We write s f to denote that the finite trace s is a prefix of f, i.e., there is a g such that f = sg. We use the notation f[k] to denote the action at position k in f: for f = ag, f[0] = a, and for k ≥ 0,
Properties. A property over finfinite (resp., infinite) traces, denoted by the variable P, is a subset of Act^∞ (resp., of Act^ω). In general, a property refers to a finfinite property, unless stated otherwise. A finite trace s positively determines a property P ⊆ Act^∞ when sf ∈ P for every continuation f ∈ Act^∞; analogously, s negatively determines P when sf ∉ P for every f ∈ Act^∞. The same terms apply similarly when P ⊆ Act^ω. We say that P is suffix-closed when for all s, r ∈ Act^*, s ∈ P implies sr ∈ P (notice that we only quantify over finite traces). For a given P ⊆ Act^∞ we identify the following two sets of finite traces: We say that a finfinite property is regular if it is the union of a regular property P_fin ⊆ Act^* and an ω-regular property P_inf ⊆ Act^ω [52].
Example 2.1 Recall the system discussed in Example 1.1 with actions failure (f), success (s) and recovery (r). A trace that contains at least two occurrences of r positively determines the property described by the LTL syntax F r ∧ X(F r). A finite trace that contains the action s negatively determines the property G(f ∨ r) ∧ F r. Note, however, that not all violating traces have a prefix that contains the action s. Indeed, the infinite trace f^ω does not satisfy this property, but none of its prefixes contain s.

A Monitor-Oriented Hierarchy
From a tool-construction perspective, it is important to give concrete, implementable definitions of monitors; we do so in Sec. 4. To understand the guarantees that these monitors will provide, we first discuss the general notion of monitor and monitoring system. We then identify, already in this abstract setting, the various requirements that give rise to the hierarchy of monitorability, depicted in the middle part of Fig. 1.1. Sec. 4 will then provide operational semantics to this hierarchy, in the setting of regular properties.

Monitoring Systems
It is important to agree up-front on what properties are common to any reasonable monitoring framework. We consider a monitor to be an entity that analyses finite traces and (at the very least) identifies a set of finfinite traces that it accepts and a set of finfinite traces that it rejects. We consider two postulates. Firstly, an acceptance or rejection verdict has to be based on a finite prefix of a trace, Def. 3.1.1: verdicts are thus given for incomplete traces. Secondly, verdicts must be irrevocable, Def. 3.1.2. These postulates make explicit two features shared by most monitorability definitions in the literature.
- acc(m, f) implies ∃s ∈ Act^* · s f and acc(m, s) and
- rej(m, f) implies ∃s ∈ Act^* · s f and rej(m, s);
2. For every finite trace s ∈ Act^*:
- acc(m, s) implies ∀f ∈ Act^∞ · acc(m, sf) and
- rej(m, s) implies ∀f ∈ Act^∞ · rej(m, sf).
We define a notion of maximal monitoring system for a collection of properties; for each property P in that set, such a system must contain a monitor that reaches a verdict for all traces that have some prefix that determines P.
Definition 3.2 A monitoring system (M, acc, rej) is maximal for a collection of properties C ⊆ 2^(Act^∞) if for every P ∈ C there is a monitor m_P ∈ M such that (i) acc(m_P, f) iff trace f ∈ Act^∞ has a prefix that positively determines P; (ii) rej(m_P, f) iff trace f ∈ Act^∞ has a prefix that negatively determines P.
In Sec. 4, we present an instance of such a maximal monitoring system for regular properties. This shows that, for regular properties at least, the maximality of a monitoring system is a reasonable requirement. Unless otherwise stated, we assume a fixed maximal monitoring system (M, acc, rej) throughout the rest of the paper. For a monitor m ∈ M to monitor for a property P , it needs to satisfy some requirements. The most important such requirement is soundness.
Remark 3.2 The definition of a monitoring system, Def. 3.1, does not preclude inconsistent monitors, i.e., there could be an m ∈ M and an f ∈ Act^∞ such that acc(m, f) and rej(m, f). Soundness for a property P does however prohibit inconsistencies; in the instance above, it would imply both f ∈ P and f ∉ P, which is not possible.
Proof Fix an s ∈ Act^* where acc(m, s) and pick some f ∈ Act^∞. By Def. 3.1.2 and acc(m, s) we know that acc(m, sf) and by soundness we obtain sf ∈ P.
Lemma 3.2 For every property P ⊆ Act^∞ and monitor m_P in a maximal monitoring system (M, acc, rej): 1. m_P is sound for P; and 2. if m is a sound monitor for P then

Shades of completeness
We are now ready to define monitorability in terms of the guarantees that the monitors are expected to give. Soundness is not negotiable. The dual requirement to soundness, i.e., completeness, entails that the monitor detects all violating and satisfying traces.

Definition 3.4 (Completeness)
Monitor m is satisfaction-complete for P if f ∈ P implies acc(m, f) and violation-complete for P if f ∉ P implies rej(m, f). It is complete for P if it is both satisfaction- and violation-complete for P and partially-complete if it is either satisfaction- or violation-complete.
However, as shown now in Prop. 3.1, completeness is only possible for trivial properties in the finfinite domain; in the infinite domain more properties are completely monitorable (see Sec. 8).
Proposition 3.1 If m is sound and complete for P then P = Act^∞ or P = ∅.
Given the consequences of requiring completeness, as evidenced by Prop. 3.1, we also consider weaker forms of completeness. The weaker the completeness guarantee, the more properties can be monitored.
Definition 3.5 (Complete Monitorability) Property P is completely monitorable when there exists a monitor that is sound and complete for P. It is monitorable for satisfactions (resp., violations) when there exists a monitor m that is sound and satisfaction- (resp., violation-) complete for P. It is partially monitorable when it is monitorable for satisfactions or violations.
A class of properties C ⊆ 2^(Act^∞) is satisfaction, violation, partially, or completely monitorable, when every property P ∈ C is, respectively, satisfaction, violation, partially or completely monitorable. We denote the class of all satisfaction, violation, partially, and completely monitorable properties by maximal monitoring systems as SCmp, VCmp, PCmp, and Cmp, respectively.
The following lemma makes explicit the relation between the monitorability classes of Def. 3.5 and finite prefixes that determine a property, which are also called good and bad prefixes [41].
Lemma 3.3 If P ⊆ Act^∞ is monitorable for satisfaction (resp., for violation) by any monitoring system, then every f ∈ P (resp., f ∈ Act^∞ \ P) has a finite prefix that positively (resp., negatively) determines P.
Proof We treat the case for satisfaction, as the case for violation is dual. Let f ∈ P and m be a monitor that is sound and satisfaction-complete for P. Then, due to satisfaction-completeness, acc(m, f), and by the requirements of Def. 3.1, there is a finite prefix s of f, such that acc(m, s). Therefore, by the same requirements, for every g ∈ Act^∞, acc(m, sg). As we know that m is sound for P, this yields that s positively determines P.
Since even partial monitorability, the weakest form in Def. 3.5, renders a substantial number of properties unmonitorable [5], one may consider even weaker forms of completeness that only flag a subset of satisfying (or violating) traces. Sound denotes monitorability without completeness requirements. Arguably, however, the weakest guarantee for a sound monitor of a property P to be of use is the one that pledges to flag at least one trace. One may then further strengthen this requirement and demand that this guarantee is invariant throughout the analysis of a monitor: for every observed prefix the monitor is still able to reach a verdict (possibly after observing more actions).
- informatively accepting if there is a trace that m accepts: ∃f ∈ Act^∞ · acc(m, f);
- informatively rejecting if there is a trace that m rejects: ∃f ∈ Act^∞ · rej(m, f);
- informative when it either accepts or rejects a trace: ∃f ∈ Act^∞ · rej(m, f) or acc(m, f);
- persistently accepting if it remains informatively accepting for all finite traces: ∀s ∈ Act^* · ∃f · acc(m, sf);
- persistently rejecting if it remains informatively rejecting for all finite traces: ∀s ∈ Act^* · ∃f · rej(m, sf);
- persistently informative when it remains informative for all finite traces: ∀s ∈ Act^* · ∃f · rej(m, sf) or acc(m, sf).

Definition 3.7 (Informative Monitorability) We say that:
- A property P is informatively monitorable for satisfaction (resp., for violation) if there is an informatively accepting (resp., informatively rejecting) monitor that is sound for P.
- A property P is informatively monitorable if there is an informative monitor that is sound for P.
- A property P is persistently informatively monitorable for satisfaction (resp., for violation) if there is a persistently accepting (resp., persistently rejecting) monitor that is sound for P.
- A property P is persistently informatively monitorable if there is a persistently informative monitor that is sound for P.
- A class of properties C ⊆ 2^(Act^∞) is informatively (resp., persistently informatively) monitorable, when all its properties are informatively (resp., persistently informatively) monitorable; the class of all informatively (resp., persistently informatively) monitorable properties by maximal monitoring systems is denoted as ICmp (resp., PICmp).
Example 3.1 Recall the property "f never occurs and eventually s is reached" from Example 1.1 (expressible in LTL as (G ¬f) ∧ (F s)). Given any maximal monitoring system, this property is not partially monitorable: a monitor cannot accept the satisfying infinite trace s(r)^ω by just observing a finite prefix, nor can it reject the violating trace r^ω by observing one of its finite prefixes. It is, however, persistently informatively monitorable for violation: every finite prefix that is not yet violating can be extended to produce the action f which would be enough evidence for a monitor to reject the trace.
Example 3.2 The property requiring that "r only appears a finite number of times" is not informatively monitorable. If it were, the respective sound informative monitor m in the maximal system should at least accept or reject one trace. If it accepts a trace f, by Def. 3.1, it must accept some prefix s f. Again, by Def. 3.1, all continuations, including sr^ω, must be accepted by m. This makes it unsound, which is a contradiction. A dual argument can also be made for rejections. If m rejects some f, it must reject some finite s f that necessarily contains a finite number of r actions, making it unsound.
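The guarantees of Def. 3.6 can be checked mechanically on a finite-state monitor. The following Python code is an added illustration, not part of the original paper or of the framework in [5]: the Monitor class, the three sample monitors and the bounded soundness check are constructions made here, over the actions of Example 1.1 and the property (G ¬f) ∧ (F s) of Example 3.1. The soundness check only covers finite traces up to a bound, so it can refute soundness but not prove it.

```python
from itertools import product

ACT = ("f", "s", "r")              # failure, success, recovery (Example 1.1)
YES, NO, END = "yes", "no", "end"  # verdict states named in Sec. 4
VERDICTS = {YES, NO, END}


class Monitor:
    """Deterministic finite-state monitor (constructed model, not the paper's syntax)."""

    def __init__(self, start, delta):
        self.start = start
        self.delta = delta  # {(state, action): next_state}

    def step(self, state, action):
        # Def. 3.1.2: verdicts are irrevocable, so verdict states absorb every action.
        return state if state in VERDICTS else self.delta[(state, action)]

    def run(self, trace):
        """State reached after analysing a finite trace."""
        state = self.start
        for action in trace:
            state = self.step(state, action)
        return state

    def reachable(self, src):
        """All states reachable from src, including src itself."""
        seen, todo = {src}, [src]
        while todo:
            q = todo.pop()
            for a in ACT:
                nxt = self.step(q, a)
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen


def classify(m):
    """Evaluate the six guarantees of Def. 3.6 by reachability analysis."""
    states = m.reachable(m.start)  # states the monitor can be in after some prefix s
    can_acc = {q for q in states if YES in m.reachable(q)}
    can_rej = {q for q in states if NO in m.reachable(q)}
    return {
        "informatively accepting": m.start in can_acc,
        "informatively rejecting": m.start in can_rej,
        "informative": m.start in (can_acc | can_rej),
        "persistently accepting": states <= can_acc,
        "persistently rejecting": states <= can_rej,
        "persistently informative": states <= (can_acc | can_rej),
    }


def bounded_soundness_violations(m, holds, depth):
    """Finite traces of length <= depth whose verdict contradicts the property."""
    bad = []
    for n in range(depth + 1):
        for trace in product(ACT, repeat=n):
            verdict = m.run(trace)
            if (verdict == YES and not holds(trace)) or (verdict == NO and holds(trace)):
                bad.append("".join(trace))
    return bad


def safe_and_live(trace):
    """(G ¬f) ∧ (F s) on a finite trace: no failure, and success occurs."""
    return "f" not in trace and "s" in trace


# Rejects as soon as f is seen; never accepts (constructed).
M_VIOLATION = Monitor("q0", {("q0", "f"): NO, ("q0", "s"): "q0", ("q0", "r"): "q0"})
# Also accepts as soon as s is seen: unsound, since a later f violates the property.
M_UNSOUND = Monitor("q0", {("q0", "f"): NO, ("q0", "s"): YES, ("q0", "r"): "q0"})
# Sound, but gives up (end) after s: informative without being persistently so.
M_STALLS = Monitor("q0", {("q0", "f"): NO, ("q0", "s"): END, ("q0", "r"): "q0"})

if __name__ == "__main__":
    for name, mon in [("violation", M_VIOLATION), ("unsound", M_UNSOUND), ("stalls", M_STALLS)]:
        held = [k for k, v in classify(mon).items() if v]
        print(name, held, bounded_soundness_violations(mon, safe_and_live, 3))
```

M_VIOLATION is persistently rejecting, matching Example 3.1, while M_STALLS shows that a sound monitor for the same property may offer only the weaker informative guarantee.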

1(middle) is
Pick a property P ∈ VCmp. Pick also a finite trace s ∈ Act^*. If sf ∉ P for some f, then by Def. 3.4 we have rej(m_P, sf). Otherwise, sf ∈ P for each f, meaning that s positively determines P, and by Def. 3.2 we have acc(m_P, sf). By Def. 3.6, we deduce that m_P is persistently informative since ∀s ∃f · acc(m_P, sf) or rej(m_P, sf). Thus, by Def. 3.7, it follows that P ∈ PICmp. The case for P ∈ SCmp is dual.
Remark 3.3 We note that a property being partially monitorable does not imply that it is also persistently informatively monitorable for satisfaction or for violation. Furthermore, not all persistently informatively monitorable properties are also informatively monitorable for satisfaction, and they are not all informatively monitorable for violation. To see why this is the case, simply observe that tt is not informatively monitorable for violation.

An Instantiation for Regular Properties
We now provide a concrete maximal monitoring system for regular properties. This monitoring system gives an operational interpretation to the levels of the monitorability hierarchy, and enables us to find syntactic characterisations for them in the next section. We use the logic recHML to represent regular properties. This is a reformulation of the modal µ-calculus [40], and embeds other specification formalisms such as LTL, (ω-)regular expressions, Büchi automata, and Streett automata, used in the state of the art on monitorability.
We begin by recalling the syntax and semantics of recHML and the monitoring system for regular properties from [5]. We then argue that this monitoring system is maximal for regular properties, in the sense of Def. 3.2, and show that this means that it subsumes all other monitoring systems for regular properties. This both demonstrates that the framework proposed in Sec. 3 is realistic and allows us to work with a fixed monitoring system in the sequel without loss of generality.

The Logic.
The syntax of recHML is defined by the grammar in Fig. 4.1, which assumes a countable set of logical variables X, Y ∈ LVar. Apart from the standard constructs for truth, falsehood, conjunction and disjunction, the logic is equipped with existential ( a ϕ) and universal ([a]ϕ) modal operators, and two recursion operators expressing least and greatest fixpoints (resp., min X.ϕ and max X.ϕ). The semantics is given by the function − defined in Fig. 4.1. It maps a (possibly open) formula to a set of (finfinite) traces [5] by induction on the formula structure, using valuations that map logical variables to sets of traces, σ : LVar → P(Act ∞ ), where σ(X) is the set of traces assumed to satisfy X. An existential modality a ϕ denotes all traces with a prefix action a and a continuation that satisfies ϕ, whereas a universal modality [a]ϕ denotes all traces that are either not prefixed by a or are of the form ag for some g that satisfies ϕ. The sets of traces satisfying least and greatest fixpoint formulae, say min X.ϕ and max X.ϕ, are the least and the greatest fixpoints, respectively, of the function induced by the formula ϕ. For closed formulae, we use ϕ in lieu of ϕ, σ (for some σ). Formulae are generally assumed to be closed and guarded [42]. In the discussions we occasionally treat formulae, ϕ, as the properties they denote, ϕ .
LTL [23] is the specification logic of choice for many RV approaches. As a consequence, it is also the logic used by a number of studies on monitorability (e.g., see [16,17,37]). Our choice of logic, recHML, is not limiting in this regard because it is well known [40,54] that LTL can be translated into recHML.
Example 4.1 The characteristic LTL operators can be encoded in recHML as: In the following examples, atomic propositions a and ¬a denote a tt and [a]ff, respectively.
The use of recHML allows us to consider monitorable properties that may be missed by previous approaches. For instance, it is well known that logics such as the modal µ-calculus (and variants such as recHML) can describe properties that are not expressible in popular specification languages like LTL [54]. Consider the property requiring that "success (s) occurs on every even position". Although this is not expressible in LTL [54], it can be expressed in recHML as: Note that LTL properties such as ¬s ∧ G(s ⇔ ¬s) do not express the aforementioned property; the LTL property given is in fact too strict (it describes "s at even positions only") and rules out traces of the form f^ω which clearly satisfy the property ϕ_even. The weaker property "success (s) occurs on every even position until the execution ends" still cannot be expressed in LTL, but can be expressed in recHML: More broadly, recHML captures all (ω-)regular properties, while LTL can only express properties recognised by counter-free Büchi automata [28]. Our logic of choice has several other advantages over LTL:
- recHML semantics adapt easily to the finite, infinite and finfinite domains. LTL semantics are only standard on infinite traces; there is no canonical finite or finfinite semantics. (See, however, [26] for a finite-trace semantics for LTL and Linear Dynamic Logic.) In particular, to specify whether a property holds or not on a finite trace, we would need to add to the syntax of LTL modalities corresponding to the box and diamond of recHML that indicate whether a continuation is allowed or required, thus moving away from standard LTL.
- recHML is closer to the underlying automata models, and to the process algebras describing our monitors. For instance, given a monitor, it is straightforward to deduce the recHML formula for which it is sound and complete; however, it is nontrivial to even decide whether such an LTL formula exists.
Therefore, to study monitorability, we prefer to use recHML, as it can express all regular properties, allowing for clearer distinctions between monitorability classes. Furthermore, when synthesizing a monitor, one can use a specification in LTL, embed it into recHML in a straightforward manner, and then use a monitor synthesis that relies on recHML, thus gaining all advantages these logics offer. For the sake of better readability, and in the light of its familiarity to the RV community, we use LTL for the examples that can be encoded in that logic. Note that, since we operate in the finfinite domain, X should be read as a strong next operator, in line with Example 4.1.
In the sequel, we use the following classical result for recHML B -like specification logics (see [10] for more on the µ-calculus and recHML):
Proof We know that ϕ ∩ Act^* is regular (Lem. 4.1) and ϕ ∩ Act^ω, the infinite-trace interpretation of ϕ, is ω-regular. Therefore, there are a DFA D_F that recognizes ϕ ∩ Act^* and a deterministic ω-automaton D_I that recognizes ϕ ∩ Act^ω. Let A_F = {s ∈ Act^* | ∀r ∈ Act^* . sr ∈ ϕ} and A_I = {s ∈ Act^* | ∀t ∈ Act^ω . st ∈ ϕ}. Let Q_F (resp., Q_I) be the set of states in D_F (resp., in D_I) that can be reached reading some trace s ∈ A_F (resp., A_I). By construction, for each s ∈ Act^*, we have that s ∈ A_F (resp., s ∈ A_I) if and only if s does not end in Q_F (resp., Q_I). Therefore, there are DFAs D_F and D_I for A_F and A_I, respectively, and thus

The Monitors.
We consider the operational monitoring system of [5,35], summarised in Fig. 4.2 (symmetric rules for binary operators are omitted). Monitors are states of a transition system where m + n denotes an (external) choice and m n denotes a composite monitor where ∈ {⊕, ⊗}. There are three distinct verdict states, yes, no, and end, although only the first two are relevant to monitorability. The syntax in Fig. 4.2 assumes a countably infinite set of variables x, y, . . . ∈ Vars; see [5] for a comprehensive discussion.
The monitoring system (Mon, acc, rej) is given by a labelled transition system (LTS) based on Act, which is comprised of the monitor states, or monitors, and a transition relation. The set of monitor states, Mon, and the monitor transition relation, −→⊆ (Mon × (Act ∪ {τ }) × Mon), are defined in Fig. 4 . We employ the usual notation for weak transitions and write m =⇒ n in lieu of m( A monitor that does not use any parallel operator is called a regular monitor. The full monitoring system and regular monitors were defined and used in [1,4,5,32,33,35]. We refer the interested reader to these studies for explanations and motivations. This semantics gives an operational account of how a monitor in state m incrementally analyses a sequence of actions s = a 1 . . . a k to reach a new monitor state n; the monitor m accepts (resp., rejects) a trace f , written acc(m, f ) (resp., rej(m, f )), when it can transition to the verdict state yes (resp., no) while analysing a prefix s f . Definition 4.1 (Acceptance and Rejection) For a monitor m ∈ Mon, we define rej(m, s) (resp., acc(m, s)) and say that m rejects (resp., accepts) when m s = ⇒ no (resp., m s = ⇒ yes). Similarly, for t ∈ Act ω , we write rej(m, t) (resp., acc(m, t)) if there exist s ∈ Act * and u ∈ Act ω such that t = su and m rejects (resp., accepts) s.
For a finite nonempty set of indices I, we use i∈I m i to denote any combination of the monitors in {m i | i ∈ I} using the operator +. For each j ∈ I, i∈I m i is called a sum of m j , and m j is called a summand of i∈I m i . The following Lem. 4.3 assures us that regular monitors satisfy the conditions to be a monitoring system, given in Def. 3.1. We will use the following definitions and results in our proofs. We define determinism for regular monitors.   Due to Thm. 4.1, we can assume that every monitor in Mon is a regular, or deterministic regular monitor. We often do so in the following proofs. We use the formula synthesis function from regular monitors to formulae defined in [5,35] (we assume a bijection between logical and monitor variables that we leave implicit):  Proof By Lem. 4.2, D + ϕ and D − ϕ , the sets of finite traces that (respectively) positively or negatively determine ϕ are regular. It is also not hard to see that they are suffix-closed. Therefore the theorem follows from Thm. 4.2.
As a corollary of Thm. 4.4, from Lem. 3.1 we deduce that for any arbitrary monitoring system (M, acc, rej), if m ∈ M is sound for some ϕ ∈ recHML, then there is a monitor n ∈ Mon from Fig. 4.2 that accepts (resp., rejects) all traces f that m accepts (resp., rejects). Corollary 4.1 If m is a sound monitor for ϕ ∈ recHML, then there is a regular monitor n that is sound for ϕ, and such that for every s ∈ Act * , acc(m, s) implies acc(n, s), and rej(m, s) implies rej(n, s).
Proof By Thm. 4.4, there is a regular monitor n that is sound for ϕ, and accepts all finite traces that positively determine ϕ, and rejects all the finite traces that negatively determine ϕ. If acc(m, s) (resp., rej(m, s)) for some finite trace s, then, due to the soundness of m, s ∈ ϕ (resp., s / ∈ ϕ ), and therefore, from Lem. 3.1, s positively (resp., negatively) determines ϕ. By the properties of n, we have that acc(n, s) (resp., rej(n, s)).
In the sequel, we thus assume (Mon, acc, rej) from Fig. 4.2 as our fixed monitoring system, as it subsumes all others.

A Syntactic Characterisation of Monitorability
We present syntactic characterisations for the various monitorability classes as fragments of recHML. We begin by recalling the syntactic characterisation of partial monitorability by Aceto et al. from [5], and then proceed to provide the corresponding syntactic characterisations for informative and persistently informative monitorability. The fragments we provide are maximal in the sense that they not only guarantee that any property expressible within the fragment is monitorable with the corresponding guarantees, but also conversely, every property that is monitorable with respect to the corresponding notion of monitorability is expressible in the fragment.

Partial Monitorability, syntactically.
Observe that for every regular monitor m, f(m) ∈ sHML. As a corollary of Thm. 5.1 we obtain maximality: any ϕ ∈ recHML that is monitorable for satisfaction (resp., for violation) can also be expressed as some ψ ∈ cHML (resp., ψ ∈ sHML) where ϕ = ψ . For this fragment, the following automated synthesis function, which is readily implementable, is given in [5].

We proceed to identify syntactic fragments of recHML that correspond to informative monitorability. Intuitively, a sHML formula is informatively monitorable for violation if ff appears in it: there is a trace that falsifies the formula. Furthermore, the conjunction of any such formula with an arbitrary formula is still falsified by the same trace. Dually, cHML formulas in which tt occurs are informatively monitorable for satisfaction, and so are their disjunctions with arbitrary formulas. We now formalise this intuition.

Definition 5.1 The informative fragment is iHML = siHML ∪ ciHML where
siHML = {ϕ 1 ∧ ϕ 2 ∈ recHML | ϕ 1 ∈ sHML and ff appears in ϕ 1 },
ciHML = {ϕ 1 ∨ ϕ 2 ∈ recHML | ϕ 1 ∈ cHML and tt appears in ϕ 1 }.
We define the depth of ff in an sHML formula in a recursive way: Proof Straightforward induction on ϕ.
Lemma 5.2 If ϕ ∈ siHML (resp., ciHML), then there is a regular monitor that is sound and informatively rejecting (resp., informatively accepting) for ϕ. If ϕ ∈ iHML, then there is a regular monitor that is sound and informative for ϕ.
As ff appears in ϕ 1 , d ff (ϕ) < ∞, so there is a finite trace that negatively determines ϕ 1 , and therefore also ϕ. The lemma follows from Thm. 4.4.
Proof If m is sound and informatively accepting for ϕ, then by Lem. 3.1, there is a finite trace s that positively determines ϕ. We can then easily construct a formula ψ 1 (s) that is satisfied exactly by s and all its extensions, recursively on s: let ψ 1 (ε) = tt, and let ψ 1 (αs) = α ψ 1 (s). Then, let ψ = ψ 1 (s) ∨ ϕ. Thus, ψ ∈ ciHML and ψ = ϕ . The case for informatively rejecting monitors is similar.
The maximality results of Thms. 5.1 and 5.2 permit tool constructions to concentrate on the syntactic fragments identified when synthesizing monitors. To achieve the corresponding monitorability guarantees, one would have to first work on the given formula and find an appropriate equivalent form in the right fragment. Thms. 5.1 and 5.2 also serve as a syntactic check to determine when a property is monitorable (according to the monitorability classes in Fig. 1.1). We note that these syntactic characterisations may not always yield monitors that detect as many satisfactions or violations as they could. However, Thm. 4.4 assures us that for each recHML formula ϕ, there is a monitor m that detects all traces that positively or negatively determine ϕ, and therefore that monitor will satisfy all guarantees that are possible when monitoring ϕ, and therefore the knowledge that ϕ is in a certain fragment informs us of a certain good behaviour of m.
Example 5.1 The property ϕ evenW from Example 4.2 is monitorable for violation; this can be easily determined since it is expressible in sHML. By contrast, ϕeven from Example 4.2 cannot be expressed in either sHML or cHML. In fact, it is not partially-complete monitorable: it cannot be monitored completely for satisfaction because the trace (rs) ω ∈ ϕeven but none of its prefixes can be accepted by a sound monitor since they all violate the property; it cannot be monitored completely for violation either, since the trace ∈ ϕeven but it can be extended by (rs) ω which makes (persistent) rejection verdicts unsound. The property (G ¬f) ∧ F s from Example 3.1 (expressed here in LTL) is a siHML property, as G¬f can be written in sHML as max X.[f]ff∧[s]X∧[r]X. In contrast, FG¬r cannot be written in iHML since it is not informatively monitorable.

Remark 5.1 In siHML and ciHML, ϕ 1 describes an informative part of the formula, that is, a formula with at least one path to tt (or ff), which indicates that the corresponding finite trace determines the property. Monitor synthesis from these fragments can use this part of the formula to synthesize a monitor that detects the finite traces that satisfy (violate) ϕ 1 . The value of the synthesised monitor then depends on ϕ 1 . It is therefore important to have techniques to extract some ϕ 1 that will retain as much monitoring information as possible. One obvious choice is a formula describing D + , the set of finite traces that positively determines a property, and dually the formula describing Act ∞ \ D − , the set of traces that do not negatively determine the property. See Kupferman and Vardi's construction in [41] for how to construct these formulae; this method has to be adapted a little in the finfinite domain, but this is outside the scope of the present work.

Persistently informative monitorability for satisfaction and violation, syntactically.
As the requirements for persistently informative monitors are subtler than for informative monitors, the fragments we present are more involved than those for informative monitorability.
We begin by characterising persistently informative monitorability for satisfaction and for violation separately. The following definition of explicit formulae forces modal subformulae to explicitly list every action. Observe that a disjunction of existential modalities requires there to be a successor while the conjunction of universal modalities holds if there is no successor.

Definition 5.2 We define eHML, the explicit fragment of recHML:

Roughly, the following definition captures whether tt and ff are reachable from subformulae (where the binding of a variable is reachable from the variable).

Definition 5.3 Let ϕ be a closed recHML formula and let ψ be a subformula of ϕ. We say that: ψ can refute (resp., verify) in ϕ in 0 unfoldings, when ff (resp., tt) appears in ψ, and that ψ can refute (resp., verify) in ϕ in k + 1 unfoldings, when it can refute (resp., verify) in k unfoldings, or X appears in ψ and ψ is in the scope of a subformula max X.ψ or min X.ψ that can refute (resp., verify) in k unfoldings.
We simply say that ψ can refute (resp., verify) in ϕ when it can refute (resp., verify) in ϕ in k unfoldings, for some k ≥ 0. We may also simply say that ψ can refute (resp., verify) when ϕ is evident or not relevant. We can define a similar notion for monitors. Definition 5.4 Let m be a closed monitor and let n be a submonitor of m. We say that: n can reject (resp., accept) in m in 0 unfoldings, when no (resp., yes) appears in n, and that n can reject (resp., accept) in m in k + 1 unfoldings, when it can reject (resp., accept) in k unfoldings, or x appears in n and n is in the scope of a submonitor rec X.n that can reject (resp., accept) in k unfoldings.
We simply say that n can reject (resp., accept) in m when it can reject (resp., accept) in m in k unfoldings, for some k ≥ 0. We may also simply say that n can reject (resp., accept) when m is evident or not relevant.
We now define the fragments of recHML corresponding to recHML properties that are persistently informatively monitorable for satisfaction or violation. The intuition is similar to the one underlying the definition of the informative fragment, except here the reachability condition is quantified universally over subformulae, and we need the informative part of the formula to be explicit.

Definition 5.5 We define the fragments spHML and cpHML as:
spHML = {ϕ 1 ∧ ϕ 2 ∈ recHML | ϕ 1 ∈ sHML ∩ eHML and every subformula of ϕ 1 can refute},
cpHML = {ϕ 1 ∨ ϕ 2 ∈ recHML | ϕ 1 ∈ cHML ∩ eHML and every subformula of ϕ 1 can verify}.

We now make explicit two (obvious) lemmas used in the sequel. Lemma 5.4 Let ϕ = max X.ψ or ϕ = min X.ψ. If ϕ can refute (resp., verify) in ϕ, then it is also the case that ψ[ϕ/X] can refute (resp., verify) in ψ[ϕ/X].
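The syntactic conditions of Def. 5.1 and Def. 5.3, as an added Python example (not code from the paper or from any tool it cites): it checks membership in siHML and whether every subformula of the informative conjunct can refute, the reachability condition used in Def. 5.5. The tuple encoding, the function names, the sHML grammar (tt, ff, X, ∧, [a], max, as in [5]) and the encoding of F s are assumptions of this example; membership in eHML is not checked because its grammar is not reproduced in this section.

```python
# Tuple encoding of recHML formulae (an assumption of this example):
# ("tt",) ("ff",) ("var", X) ("and", p, q) ("or", p, q)
# ("box", a, p) ("dia", a, p) ("max", X, p) ("min", X, p)
FF, TT = ("ff",), ("tt",)
SHML_TAGS = {"tt", "ff", "var", "and", "box", "max"}  # sHML grammar, assumed from [5]


def var(x): return ("var", x)
def box(a, phi): return ("box", a, phi)
def dia(a, phi): return ("dia", a, phi)


def conj(first, *rest):
    """Left-nested conjunction of one or more formulae."""
    for phi in rest:
        first = ("and", first, phi)
    return first


def children(phi):
    if phi[0] in ("and", "or"):
        return [phi[1], phi[2]]
    if phi[0] in ("box", "dia", "max", "min"):
        return [phi[2]]
    return []  # tt, ff, var


def subformulae(phi):
    yield phi
    for child in children(phi):
        yield from subformulae(child)


def appears(tag, phi):
    return any(sub[0] == tag for sub in subformulae(phi))


def variables(phi):
    return {sub[1] for sub in subformulae(phi) if sub[0] == "var"}


def in_shml(phi):
    return all(sub[0] in SHML_TAGS for sub in subformulae(phi))


def in_sihml(phi):
    """Def. 5.1: phi = phi1 AND phi2 with phi1 in sHML and ff appearing in phi1."""
    return phi[0] == "and" and in_shml(phi[1]) and appears("ff", phi[1])


def can_refute_in(phi):
    """Return the predicate 'psi can refute in phi' of Def. 5.3.

    phi must be closed and bind each variable once. The set `good` holds the
    variables whose binder can refute; round k of the loop corresponds to
    k unfoldings, so the loop computes the least fixpoint of the definition.
    """
    binders = [sub for sub in subformulae(phi) if sub[0] in ("max", "min")]
    by_name = {b[1]: b for b in binders}
    if len(by_name) != len(binders):
        raise ValueError("bound variables must be pairwise distinct")
    if not variables(phi) <= set(by_name):
        raise ValueError("formula is not closed")
    good, changed = set(), True
    while changed:
        changed = False
        for name, binder in by_name.items():
            if name not in good and (appears("ff", binder) or variables(binder) & good):
                good.add(name)
                changed = True
    return lambda psi: appears("ff", psi) or bool(variables(psi) & good)


def every_subformula_can_refute(phi1):
    can_refute = can_refute_in(phi1)
    return all(can_refute(psi) for psi in subformulae(phi1))


# G not-f as written in Example 5.1: max X.[f]ff AND [s]X AND [r]X
G_NOT_F = ("max", "X", conj(box("f", FF), box("s", var("X")), box("r", var("X"))))
# Assumed encoding of F s; Def. 5.1 puts no constraint on the second conjunct.
F_S = ("min", "Y", ("or", ("or", dia("s", TT), dia("f", var("Y"))), dia("r", var("Y"))))
PHI = ("and", G_NOT_F, F_S)
# Constructed formula: ff appears, but the max Y subformula has no route to ff.
WEAK = conj(box("f", FF),
            ("max", "Y", conj(box("s", var("Y")), box("r", var("Y")), box("f", var("Y")))))
# Constructed formula: the inner binder reaches ff only through the outer variable X.
NESTED = ("max", "X", conj(box("s", ("max", "Y", conj(box("r", var("Y")), box("s", var("X"))))),
                           box("f", FF)))
```

`WEAK` passes the existential test of Def. 5.1 but fails the universal one, which is the difference between the informative and the persistently informative fragments at the level of syntax.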
We define the box-depth of a formula from eHML ∩ sHML recursively: The box-depth of a formula measures how deep in the syntactic tree of the formula one can find a box or ff. Proof Straightforward induction on ϕ.
Proof We assume that ϕ ∈ eHML ∩ sHML, as the case for ϕ ∈ eHML ∩ cHML is similar. Since ϕ is a closed formula and can refute, ff appears in ϕ, and therefore d B (ϕ) < ∞. We proceed to prove the lemma by strong numerical induction on d B (ϕ), similarly to the proof of Lem. 5.2.
Lemma 5.8 If ϕ ∈ spHML or ϕ ∈ cpHML, then there is a regular monitor that is sound for ϕ and persistently rejecting, or, respectively, persistently accepting.
Proof We assume that ϕ ∈ spHML, as the case for ϕ ∈ cpHML is similar. Let ϕ = ψ ∧ ψ * , where ψ ∈ eHML ∩ sHML and all of its subformulae can refute, and ψ * ∈ recHML. By Thm. 4.4, it suffices to prove that for every s ∈ Act * , there is some r ∈ Act * , such that sr negatively determines ϕ. We prove this by structural induction on s. If s = ε, then as in the proof of Lem. 5.2, we can show that there is a finite trace that negatively determines ψ. If s = as , then by Lem. 5.7, there is some ψ ∈ eHML ∩ sHML, such that all subformulae of ψ can refute, and for every f ∈ Act ∞ , af ∈ ψ implies that f ∈ ψ . By the inductive hypothesis, there is some r, such that s r negatively determines ψ , and therefore, sr negatively determines ψ.
We define the depth of a variable x in a regular monitor m recursively: We proceed to prove this claim by induction on dx(n), and the case for n = x is immediate. If n = n 1 + n 2 , then, as n is deterministic, n = b.n 1 + c.n 2 , where b = c, and we are done by the inductive hypothesis on either n 1 or n 2 , and n . If n = b.n 1 , then if the inductive hypothesis on n 1 and n gives trace r, then we can set s = br. If n = rec y.n 1 , then we are done by the inductive hypothesis on n 1 [n/y] (notice that dx(n 1 [n/y] < dx(m)) and n [n/y].
Here we call a regular monitor explicit when it is generated by the grammar:  Lemma 5.11 If ϕ ∈ recHML and there is a monitor that is sound for ϕ and persistently rejecting or persistently accepting, then there is some ψ ∈ spHML, or, respectively, ψ ∈ cpHML, such that ψ = ϕ .
Proof We treat the case where the monitor is persistently rejecting, as the case for a persistently accepting monitor is similar. From Cor. 4.1, there is a regular monitor, m, that is sound for ϕ and persistently rejecting. By Thm. 4.1, we can assume that m is deterministic (Def. 4.2). From Cor. 5.1, m is explicit. If there is a submonitor of m that cannot reject, then we can prove by induction on m that there is a finite trace s, for which there is no finite trace r, such that m sr = = ⇒ no, which is a contradiction. Observe that f(m) ∈ sHML. Then, from Lem. 5.10, the sHML formula f(m) is in eHML, and all of its subformulae can refute. Since m is sound for ϕ and sound and violation complete for f(m), it is the case that Act ∞ \ f(m) ⊆ Act ∞ \ ϕ , and therefore f(m) ∧ ϕ ∈ spHML and f(m) ∧ ϕ = ϕ . Theorem 5.3 For ϕ ∈ recHML, ϕ is persistently informatively monitorable for violation (resp., for satisfaction) if and only if there is some ψ ∈ spHML (resp., ψ ∈ cpHML), such that ψ = ϕ .
Proof A consequence of Lems. 5.8 and 5.11.

Persistently informative monitorability, syntactically
We now give a syntactic characterisation of persistently informative monitorability. The reasoning is rather different from the one we employed for the previous fragments of recHML, and relies on a deterministic form for recHML.
We first introduce the deterministic fragment of recHML and argue that all recHML formulas can be determinised. This is a simple consequence of the expressive completeness of deterministic finite automata and deterministic parity automata in the domains of regular and ω-regular languages, respectively [39,52].
We start by defining the deterministic fragment of recHML (Def. 5.6). We continue by giving background on deterministic automata over finite, infinite, and finfinite traces (Def. 5.7). We show that every recHML formula is equivalent to a deterministic automaton over finfinite traces (Lem. 5.12), and then we use this result to prove that every recHML formula is equivalent to a deterministic one over finfinite traces (Lem. 5.13). This allows us to identify the persistently informatively monitorable formulas as certain deterministic formulas with special characteristics (Thm. 5.4).
Definition 5.6 The deterministic fragment dHML of recHML is given by:

In order to motivate the definition of this fragment, consider a formula ϕ ∈ dHML and let ψ be one of its subformulae. Let s be the finite trace consisting of the modalities leading to an occurrence of ψ in ϕ. Then a finfinite trace sf satisfies ϕ if, and only if, f satisfies ψ. In contrast, for subformulae of a sHML formula, sf can only be made to violate the formula by a suffix f that falsifies the subformula; the dual statement holds true for cHML. Since persistently informative monitorability depends on both violations and satisfactions, we turn to the deterministic fragment in Def. 5.6.
While the determinisation of both finite automata and ω-automata are standard, automata over the finfinite domain are not well-established. We define these automata and show that using determinisation procedures from the finite and the infinite domain, we can obtain, for any recHML formula ϕ, a deterministic automaton over finfinite words that recognises the traces satisfying ϕ. We then translate such automata into dHML.
The following definition recalls the definitions of deterministic automata over finite and infinite traces (words) and defines deterministic automata over finfinite traces.
Definition 5.7 A deterministic automaton is given by D = (Q, Σ, q 0 , δ, Ω) where Q is a set of states, Σ is an alphabet, q 0 ∈ Q is an initial state, δ : Q × Σ → Q is a transition function and Ω is an acceptance condition, which depends on the type of the automaton. For deterministic automata over finite traces (DFA), Ω is a subset F ⊆ Q; for deterministic automata over infinite traces (DPA), Ω is a priority assignment ρ : Q → I where I is a finite set of integer priorities; for deterministic automata over finfinite traces (DPFA), Ω is a pair of the form (F, ρ).
A run of an automaton D over a finite trace s ∈ Σ * is a sequence of states π = π 0 π 1 · · · π |s|+1 of length |s|+1 such that π 0 = q and π i+1 = δ(π i , s[i]). Similarly, a run of an automaton D over an infinite trace t ∈ Σ ω is an infinite sequence of states π = π 0 π 1 ..., such that π 0 = q and π i+1 = δ(π i , t[i]). A run of a DFA over a finite word is accepting if the final state of the run is in F ; a run of a DPA over an infinite word is accepting if the highest priority assigned by ρ to a state occurring infinitely often on the run is even; a run of a DPFA over a finfinite word is accepting if it is either finite and its final state is in F or it is infinite and the highest priority assigned by ρ to a state occurring infinitely often is even. A deterministic automaton D accepts a word t if the (unique) run over t is accepting. The language recognised by the automaton, L(D), is the set of traces that D accepts.
DFA are known to recognise all regular properties over finite traces while DPA recognise all ω-regular properties over infinite traces. We now argue that it follows that any recHML property ϕ is recognised by a DPFA. Lemma 5.12 For each recHML formula ϕ there is a DPFA that recognises the language of finfinite traces that satisfy ϕ.
Proof The set of finite traces S * that satisfy ϕ is a regular property of finite words, and therefore there is a DFA D * = (Q, Act, q 0 , δ, F ) that recognises S * . Similarly, the set Sω of infinite traces that satisfy ϕ is ω-regular, so there is a DPA Dω = (Q , Act, q 0 , δ , ρ) that recognises Sω.
Let D = (Q × Q , Act, (q 0 , q 0 ), ∆, (F , ρ )) where ∆((q, q ), a) = (δ(q, a), δ(q , a)) and F = F × Q and ρ (q, q ) = ρ(q ). D recognises ϕ . Indeed, D accepts a finite trace s if and only if the first component of its run is an accepting run over s in D * , and an infinite trace t if and only if the second component of its run is an accepting run over t in Dω.
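The construction in the proof of Lem. 5.12, as an added Python example that is not code from the paper: a DPFA (Def. 5.7) built as the product of a DFA and a DPA, with acceptance checked on finite traces and on ultimately periodic infinite traces u v^ω. The two component automata (finite traces without f; infinite traces with infinitely many s), the class and function names, and the restriction to lasso-shaped infinite traces are assumptions of this example.

```python
from itertools import product


class DPFA:
    """Deterministic automaton over finfinite traces, Omega = (F, rho) (Def. 5.7)."""

    def __init__(self, states, alphabet, q0, delta, final, rho):
        self.states, self.alphabet, self.q0 = set(states), set(alphabet), q0
        self.delta, self.final, self.rho = dict(delta), set(final), dict(rho)
        missing = [(q, a) for q in self.states for a in self.alphabet
                   if (q, a) not in self.delta]
        if missing:  # delta : Q x Sigma -> Q must be total for runs to exist
            raise ValueError(f"transition function is not total: {missing}")

    def run(self, word, start=None):
        """States visited while reading a finite word, starting state included."""
        q = self.q0 if start is None else start
        visited = [q]
        for a in word:
            q = self.delta[(q, a)]
            visited.append(q)
        return visited

    def accepts_finite(self, s):
        """Finite run: accepting iff its last state is in F."""
        return self.run(s)[-1] in self.final

    def accepts_lasso(self, u, v):
        """Infinite trace u v^omega: accepting iff the highest priority seen
        infinitely often is even."""
        if not v:
            raise ValueError("the loop v must be non-empty")
        q = self.run(u)[-1]
        first_seen, loops = {}, []
        # Read v repeatedly until the state at the start of an iteration repeats.
        while q not in first_seen:
            first_seen[q] = len(loops)
            visited = self.run(v, start=q)
            loops.append(visited[1:])
            q = visited[-1]
        # Exactly the states in the iterations from the repeat point onwards recur.
        recurring = [p for loop in loops[first_seen[q]:] for p in loop]
        return max(self.rho[p] for p in recurring) % 2 == 0


def product_dpfa(dfa, dpa):
    """Lem. 5.12: from D* = (Q, Act, q0, delta, F) and D_omega = (Q', Act, q0',
    delta', rho) build D over Q x Q' with F' = F x Q' and rho'(q, q') = rho(q')."""
    Q, act, q0, delta, F = dfa
    Qp, act_p, q0p, delta_p, rho = dpa
    if set(act) != set(act_p):
        raise ValueError("both automata must share the alphabet Act")
    states = set(product(Q, Qp))
    Delta = {((q, qp), a): (delta[(q, a)], delta_p[(qp, a)])
             for (q, qp) in states for a in act}
    final = {(q, qp) for (q, qp) in states if q in F}
    rho_prime = {(q, qp): rho[qp] for (q, qp) in states}
    return DPFA(states, act, (q0, q0p), Delta, final, rho_prime)


def sample_dpfa():
    """Product of two constructed automata over Act = {s, f, r}."""
    act = {"s", "f", "r"}
    # Constructed DFA: accepts the finite traces that contain no f.
    dfa_delta = {(q, a): ("bad" if q == "bad" or a == "f" else "ok")
                 for q in ("ok", "bad") for a in act}
    dfa = ({"ok", "bad"}, act, "ok", dfa_delta, {"ok"})
    # Constructed DPA: accepts the infinite traces with infinitely many s;
    # state 'hit' (priority 2) is entered on s, 'wait' (priority 1) otherwise.
    dpa_delta = {(q, a): ("hit" if a == "s" else "wait")
                 for q in ("hit", "wait") for a in act}
    dpa = ({"hit", "wait"}, act, "wait", dpa_delta, {"hit": 2, "wait": 1})
    return product_dpfa(dfa, dpa)
```

On the trace f s^ω the first component is stuck in its rejecting sink, yet the product accepts, because only the second component decides infinite runs.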

Lemma 5.13
For every recHML formula ϕ, there is an equivalent dHML formula ψ.
Proof From Lem. 5.12, there is a DPFA D = (Q, Act, q 0 , δ, (F, ρ)) that accepts exactly the traces that satisfy ϕ. We now show how to translate D into a dHML formula that is equivalent to ϕ.
We now consider all (finite) paths in D that start from q 0 . For k ≥ 0, states q 1 , q 2 , . . . , q k ∈ Q, and actions a 1 , a 2 , . . . , a k ∈ Act, = q 0 a 1 q 1 a 2 q 2 · · · a k q k is a path (for our purposes) of length k in D, if for all states q i , q j , where j > i, if q i = q j , then there is some i < l < j, such that ρ(q l ) > ρ(q i ); and for all i < k, q i+1 = δ(q i , a i+1 ).
It is not hard to see, with a combinatorial argument, that k ≤ 2 |Q| (the highest priority can only occur once, the second highest twice, and the i th -highest 2 i−1 times). We use the notations q = q k and |q = q 0 a 1 q 1 a 2 q 2 · · · a i q i , where q i = q is the last position where q appears in the path.
We then define a formula for each path = q 0 a 1 q 1 a 2 q 2 · · · a k q k : g( , a), if q k / ∈ F and ρ(q k ) is even; min X . a∈Act a g( , a), if q k / ∈ F and ρ(q k ) is odd; where g( , a) = ϕ aδ(q,a) if aδ(q, a) is a path, and X | δ(q,a) otherwise. Furthermore, we define ψ to be such that ϕ = max X .ψ , or ϕ = min X .ψ . Observe that the definition above is recursive, with maximal paths as base cases, and therefore for all , ϕ is well defined. Furthermore, according to the above definition, a fixpoint variable appears only if it is marked by a subscript of a prefix of the corresponding path, and therefore it appears only in the scope of a (unique) formula that binds it.
We proceed to prove that ϕq 0 is exactly the language of D, i.e., we show that for every finfinite trace f , D accepts f if and only if f ∈ ϕq 0 . We distinguish two cases.
Case 1: f is a finite trace. For this case, we consider an environment σ, such that for every path , σ(X ) = ϕ , σ , and we use induction on f to prove that for every path = q 0 a 1 q 1 · · · a k q k , f ∈ ϕ , σ if and only if the run of D from q on f is an accepting run, and this suffices, because ϕq 0 is a closed formula. Case 2: f is an infinite trace. In this case, let π = π 0 π 1 · · · be the (infinite) run of D on f , where q 0 = π 0 . Let f = a 1 a 2 · · · , and for each i ≥ 0, let f i = a i a i+1 · · · . We can define the path-run π = π 0 π 1 · · · , where each π i is a path in D, such that π 0 = q 0 , and for all i > 0, if π i−1 δ(q π i−1 , a i ) is a path, then π i = π i−1 δ(q π i−1 , a i ), and otherwise π i = π i−1 | δ(q π i−1 ,ai) . Let q be such that ρ(q) is the highest priority that appears infinitely often in the run. We first assume that D accepts f (and therefore ρ(q) is even), and we prove that f ∈ ϕq 0 . Let I 0 ≥ 0 be such that π I0 = q, and every priority that does not appear infinitely often in the path-run, only appears before position I 0 .
We proceed to prove the following claims: Claim 1: f I0 ∈ ϕ π I 0 , σ . Since ρ(q π I 0 ) is even, ϕ π I 0 is a greatest fixpoint formula, and therefore, from its semantics, it suffices to find a set of traces S, such that S ⊆ ψ π I 0 , σ[X π I 0 → S] . Let S = {f i | i ≥ I 0 and π i = π I0 }. Let I > I ≥ I 0 be such that π I = π I = π I0 . To prove the claim, it suffices to prove that f I ∈ ϕ π I , σ[X π I 0 → S] . Note that ρ(π I ) is the greatest priority that appears from position I onward, and therefore all paths that appear in the path-run after position I are extensions of π I . Therefore, all ϕ π i , where i ≥ I are subformulas of ϕ π I . We show that for every I ≤ i < I , f i ∈ ϕ π i , σ[X π I 0 → S] and we use induction on The base case is i + 1 = I , and therefore g( , a i ) = X π I 0 , so The inductive step is straightforward, after observing that ϕ π i is equivalent to ψ π i [ϕ π i /X π i ], which, under σ[X π I 0 → S] is equivalent to ψ π i (we have established that X π I 0 = X π i ). Claim 2: for all i ≤ I 0 , f i ∈ ϕ π i , σ . We can prove this by induction on I 0 − i.
The base case is Claim 1 and the inductive steps are straightforward and similar to the above. We now assume that D does not accept f (and therefore ρ(q) is odd), and we prove that f / ∈ ϕq 0 . This case is similar to the above.
We are ready to define the persistently informative fragment of recHML.
Definition 5.8 The persistently informatively monitorable fragment of recHML is pHML, which consists of all the formulas in dHML all of whose subformulas can refute or verify.

Theorem 5.4 For ϕ ∈ recHML, ϕ is persistently informatively monitorable if and only if there is some ψ ∈ pHML such that ϕ = ψ .
Proof Assume that ϕ ∈ recHML is persistently informatively monitorable. By Lem. 5.13, we can assume, without loss of generality, that ϕ ∈ dHML. Furthermore, assume that unsatisfiable subformulas are replaced by ff and valid subformulas are replaced by tt. Towards a contradiction, assume that a subformula ψ of ϕ can neither refute nor verify. Consider a sequence of modalities under the scope of which ψ is located and let s be the finite trace read off these modalities. Since ϕ is persistently informatively monitorable, it has a sound persistently informative monitor, and therefore, from Lem. 3.1, there is some r such that sr determines ϕ. Since ψ can neither refute nor verify, ψ is neither ff nor tt; since it is neither valid nor unsatisfiable, there are traces srt ∈ ϕ and srt ∉ ψ , contradicting that sr determines ϕ.
For the other direction, consider ϕ ∈ dHML all of whose subformulas can refute or verify. Then, for every trace s, we can find some r such that sr determines ϕ; indeed r is the trace labelling the sequence of modalities leading to tt or ff. Hence ϕ is persistently monitorable, and we are done.
This concludes our quest for syntactic characterisations of regular properties monitorable according to the different levels of our monitorability hierarchy. We now turn our attention to how existing notions of monitorability from the literature embed into this hierarchy, starting with (co-)safety properties.

Safety and Co-safety
The classic (and perhaps the most intuitive) definition of monitorability consists of (some variation of) safety properties [5,9,30,37,50,53]. There are, however, subtleties associated with how exactly safety properties are defined, particularly over the finfinite domain, and how decidable they need to be to qualify as truly monitorable. For example, Kim and Viswanathan [53] argued that only recursively enumerable safety properties are monitorable (they restrict themselves to infinite, rather than finfinite traces). By and large, however, most works on monitorability restrict themselves to regular properties, as we do in Sec. 4.
We adopt the definition of safety that is intuitive for the context of RV: a property can be considered monitorable if its failures can be identified by a finite prefix. This is equivalent to Falcone et al.'s definition of safety properties [30,Def. 4] and, when restricted to infinite traces, to other work such as [9,19,37]. Definition 6.1 (Safety) A property P ⊆ Act ∞ is a safety property if every f / ∈ P has a prefix that determines P negatively. The class of safety properties is denoted as Safe in Fig. 1.1.
Pnueli and Zaks, and Falcone et al. (among others) argue that it makes sense to monitor both for violation and satisfaction. Hence, if safety is monitorable for violations, then the dual class, co-safety (a.k.a. guarantee [30], reachability [18]), is monitorable for satisfaction. That is, every trace that satisfies a co-safety property can be positively determined by a finite prefix.

Definition 6.2 (Co-safety) A property P ⊆ Act ∞ is a co-safety property if every f ∈ P has a prefix that determines P positively. The class of co-safety properties is denoted as CoSafe, also represented in Fig. 1.1.

Example 6.1 "Eventually s is reached", i.e., F s, is a co-safety property whereas "f never occurs", i.e., G ¬f, is a safety property. The property "s occurs infinitely often", i.e., G F s, is neither safety nor co-safety. The property only holds over infinite traces so it cannot be positively determined by a finite trace. Dually, there is no finite trace that determines that there cannot be an infinite number of s occurrences in a continuation of the trace. Similarly, ϕeven from Example 4.2 is neither a safety nor a co-safety property, but ϕ evenW is a safety property.
Safety and Co-safety, operationally. It should come as no surprise that safety and co-safety coincide with an equally natural operational definition. Here, we establish the correspondence with the denotational definition of safety (co-safety), completing three correspondences amongst the monitorability classes of Fig. 1.1.

Proof We treat the case for safety, as the case for co-safety is similar. If P is a safety property, then for every f ∈ Act ∞ \ P , there is some finite prefix s of f that negatively determines P . Therefore, m P is sound (Lem. 3.2) and violation-complete (Def. 3.2) for P . The other direction follows from the fact that whenever P ⊆ Act ∞ is monitorable for violation, every f ∈ Act ∞ \ P has a finite prefix that negatively determines it.
Aceto et al. [5] already show the correspondence between violation (dually, satisfaction) monitorability over finfinite traces and properties expressible in sHML (dually, cHML). As a corollary of Thm. 6.1, we obtain a syntactic characterisation for the Safe and CoSafe monitorability classes; see

Falcone et al. [30] propose three definitions of monitorability (Definitions 16 and 17 in [30]) which they claim to coincide with safety, co-safety, and the union of safety and co-safety properties (Theorem 3 in [30]). We discuss this claim in more detail here, and argue that it does not hold. In brief, their definition deems all properties that are uniform over finite traces, such as "success infinitely often", or "the trace is finite" to be monitorable, not just safety and co-safety properties. In this appendix we recall Falcone et al.'s definitions and show that their definitions of monitorability include more than just safety and co-safety properties. The definition of monitorability proposed by Falcone et al. in [30] is parameterised by a truth domain, and a mapping of formulas into this domain. They then give a uniform condition that defines monitorability with respect to any truth-domain and its associated mapping. Here we focus on their monitorability with respect to the truth-domains {tt, ?}, {ff, ?} and {tt, ff, ?}, which they claim correspond to co-safety, safety and their union, respectively.

Definition 6.3 (Property evaluation with respect to a truth-domain [30]) For each of three different verdict-domains and finfinite properties P ("r-properties" in their terminology), Falcone, Fernandez and Mounier define the following evaluation functions:
For B = {ff, ?} and s ∈ Act * : P B (s) = ff if ∀f ∈ Act ∞ . sf ∉ P ; P B (s) = ? otherwise.
For B = {tt, ?} and s ∈ Act * : P B (s) = tt if ∀f ∈ Act ∞ . sf ∈ P ; P B (s) = ? otherwise.
For B = {tt, ff, ?} and s ∈ Act * : P B (s) = tt if s ∈ P and ∀f ∈ Act ∞ . sf ∈ P ; P B (s) = ff if s ∉ P and ∀f ∈ Act ∞ . sf ∉ P ; P B (s) = ? otherwise.
Definition 6.4 (FFM-monitorability Definition 17, [30]) A property P is B-monitorable over a truth domain B if for all s, r ∈ Act * , if s ∈ P and r ∉ P , then P B (s) = P B (r).
From this definition, it easily follows that any property P for which P ∩Act * = ∅ or Act * ⊆ P is vacuously monitorable for any truth-domain, and evaluation function. However, not all such properties are safety or co-safety properties: "always eventually success" for instance is neither a safety nor a co-safety property.
We believe the critical points are Lemma 3 and Theorem 3 in [30], which do not hold. The proof of Lemma 3 in particular (Appendix 2.3) falsely claims that P ∩ Act * = ∅ or Act * ⊆ P implies that P is a safety or co-safety property.

Pnueli and Zaks
The work on monitorability due to Pnueli and Zaks [47] is often cited by the RV community [15]. The often overlooked particularity of their definitions is that they only define monitorability of a property with respect to a (finite) sequence.

Definition 7.1 ([47])
Property P is s-monitorable, where $s \in \mathrm{Act}^*$, if there is some $r \in \mathrm{Act}^*$ such that P is positively or negatively determined by sr.
Example 7.1 The property f ∧ F r ∨ F G s is s-monitorable for any finite trace that begins with f, i.e., fs, since it is determined by the extension fsr. It is not s-monitorable for finite traces that begin with an action other than f.
Monitorability over properties, rather than over property-sequence pairs, can then be defined by either quantifying universally or existentially over finite traces: a property is monitorable either if it is s-monitorable for all s, or for some s. We address both definitions, which we call ∀pz- and ∃pz-monitorability respectively. ∀pz-monitorability is the more standard interpretation: it appears for example in [16,30] where it is attributed to Pnueli and Zaks. However, the original intent seems to align more with ∃pz-monitorability: in [47], Pnueli and Zaks refer to a property as non-monitorable if it is not monitorable for any sequence. This interpretation coincides with weak monitorability used in [21].

Definition 7.2 (∀pz-monitorability) A property P is (universally Pnueli-Zaks) ∀pz-monitorable if it is s-monitorable for all finite traces s. The class of all ∀pz-monitorable properties is denoted ∀PZ.

Definition 7.3 (∃pz-monitorability) A property is (existentially Pnueli-Zaks) ∃pz-monitorable if it is s-monitorable for some finite trace s, i.e., if it is ε-monitorable. The class of ∃pz-monitorable properties is written ∃PZ.
The apparently innocuous choice between existential and universal quantification leads to different monitorability classes ∀PZ and ∃PZ.
Example 7.2 Consider the property "Either s occurs before f, or r happens infinitely often", expressed in LTL fashion as (¬f) U s ∨ G F r. This property is ∃pz-monitorable because the trace s positively determines the property. However, it is not ∀pz-monitorable because no extension of the trace f positively or negatively determines that property. Indeed, all extensions of f violate the first disjunct and, as we argued in Example 6.1, there is no finite trace that determines the second disjunct positively or negatively. Property $\varphi_{even}$ from Example 4.2 is ∀pz-monitorable: any prefix of the form $a_0 s \ldots a_n s$ or $a_0 s \ldots a_n$ (including ε), where $n \geq 0$ and every $a_i \in \{s, f, r\}$, can be extended to a prefix that negatively determines it (e.g., by extending it with ff).
Proof Let P ∈ Safe and pick a finite trace s. If there is an f such that sf ∉ P then, by Def. 6.1, there exists r sf that negatively determines P, meaning that s has an extension that negatively determines P. Alternatively, if there is no f such that sf ∉ P, s itself positively determines P. Hence P is s-monitorable, for every s, according to Def. 7.1. The case for P ∈ CoSafe is dual.
Pnueli and Zaks, operationally. ∃pz-monitorability coincides with informative monitorability: ∃pz-monitorable properties are those for which some monitor can reach a verdict on some finite trace. For similar reasons, ∀pz-monitorability coincides with persistently informative monitorability. See Fig. 1.1.

Proof Since the proofs of the two claims are analogous, we simply outline the one for ∀PZ = PICmp. Let P ∈ ∀PZ and pick a finite trace $s \in \mathrm{Act}^*$. By Lem. 3.2, $m_P$ is sound for P. By Def. 3.6 we need to show that there exists an f such that $\mathrm{acc}(m_P, sf)$ or $\mathrm{rej}(m_P, sf)$. From Defs. 7.1 and 7.2 we know that there is a finite r such that sr positively or negatively determines P. By Def. 3.2 we know that $\mathrm{acc}(m_P, sr)$ or $\mathrm{rej}(m_P, sr)$. Thus P ∈ PICmp, which is the required result.
Conversely, assume P ∈ PICmp, and pick some $s \in \mathrm{Act}^*$. By Defs. 7.1 and 7.2, we need to show that there is an extension of s that positively or negatively determines P. From Defs. 3.6 and 3.7, there exists some f such that $\mathrm{acc}(m_P, sf)$ or $\mathrm{rej}(m_P, sf)$. By Def. 3.1, there is a finite extension of s, say sr, that is a prefix of sf such that $\mathrm{acc}(m_P, sr)$ or $\mathrm{rej}(m_P, sr)$. By Def. 3.2, we know that sr either positively or negatively determines P. Thus P ∈ ∀PZ.

Monitorability in other settings
We have shown how classical definitions of monitorability fit into our hierarchy and provided the corresponding operational interpretations and syntactic characterisations, focussing on regular finfinite properties over a finite alphabet and monitors with irrevocable verdicts. Here we discuss how different parameters, both within our setting and beyond, affect what is monitorable.
Monitorability with respect to the alphabet. The monitorability of a property can depend on Act. For instance, if Act has at least two elements {a, b, …}, property $\{a^\omega\}$, which can be represented as max X. a X, is s-monitorable for every sequence s, as s can be extended to sb, which negatively determines the property.
On the other hand, assume that Act = {a}. In this case, $\{a^\omega\}$ is neither ∃pz- nor ∀pz-monitorable. Indeed, no string $s = a^k$, $k \geq 0$, determines $\{a^\omega\}$ positively or negatively as s does not satisfy p but its extension $a^\omega$ does. On the other hand, when restricted to infinite traces, p is again ∃pz-monitorable.
So far, we only considered finite alphabets; how an infinite alphabet, which may encode integer data for example, affects monitorability is left as future work.
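The quantifier choice of Defs. 7.2 and 7.3 and the alphabet dependence discussed above can be checked mechanically for regular properties. The following Python code is an added example, not part of the paper: it assumes the property is given as a total deterministic automaton in which `fin` marks the states whose finite traces belong to P and `inf` is a Büchi set for infinite traces; the automata, state names and the `finfinite` flag are constructed for illustration.

```python
def reach(delta, q):
    """States reachable from q in zero or more steps."""
    seen, todo = {q}, [q]
    while todo:
        for nxt in delta[todo.pop()].values():
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def on_cycle(delta, q):
    """True if q can return to itself in one or more steps."""
    return any(q in reach(delta, nxt) for nxt in delta[q].values())

def verdict(delta, fin, inf, q, finfinite=True):
    """'tt'/'ff' if traces reaching q determine the property, else '?'."""
    r = reach(delta, q)
    # Reachable states outside inf: a cycle here is a rejected infinite run.
    sub = {p: {a: t for a, t in delta[p].items() if t not in inf}
           for p in r - inf}
    if (r <= fin or not finfinite) and not any(on_cycle(sub, p) for p in sub):
        return "tt"   # no extension, finite or infinite, leaves P
    if (not (r & fin) or not finfinite) and \
            not any(on_cycle(delta, p) for p in r & inf):
        return "ff"   # no extension, finite or infinite, enters P
    return "?"

def pz(delta, q0, fin, inf, finfinite=True):
    """Return (exists-pz, forall-pz) monitorability, per Defs. 7.3 and 7.2."""
    states = reach(delta, q0)
    det = {q for q in states if verdict(delta, fin, inf, q, finfinite) != "?"}
    s_mon = {q: bool(reach(delta, q) & det) for q in states}
    return s_mon[q0], all(s_mon.values())

# Constructed automata: (delta, initial state, fin, inf).
EX_7_2 = ({"A": {"s": "T", "f": "B", "r": "A"},      # (not f) U s  or  G F r
           "T": {"s": "T", "f": "T", "r": "T"},
           "B": {"s": "B", "f": "B", "r": "Br"},
           "Br": {"s": "B", "f": "B", "r": "Br"}}, "A", {"T"}, {"A", "T", "Br"})
A_OMEGA_AB = ({"q": {"a": "q", "b": "d"}, "d": {"a": "d", "b": "d"}},
              "q", set(), {"q"})                      # {a^w} over Act = {a, b}
A_OMEGA_A = ({"q": {"a": "q"}}, "q", set(), {"q"})    # {a^w} over Act = {a}

if __name__ == "__main__":
    for name, aut in [("Ex. 7.2", EX_7_2), ("Act={a,b}", A_OMEGA_AB),
                      ("Act={a}", A_OMEGA_A)]:
        print(name, pz(*aut))
    print("Act={a}, infinite traces only", pz(*A_OMEGA_A, finfinite=False))
```

Setting `finfinite=False` drops the conditions on finite traces, which reproduces the observation that the same property becomes monitorable once executions cannot end.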
Monitoring with revocable verdicts. Early on, we postulated that verdicts are irrevocable. Although this is a typical (implicit) assumption in most work on monitorability, some authors have considered monitors that give revocable judgements when an irrevocable one is not appropriate. This approach is taken by Bauer et al. when they define a finite-trace semantics for LTL, called RV-LTL [16]. Falcone et al. [30] also have a definition of monitorability based on this idea (in addition to those discussed in Sec. 6.1). It uses the four-valued domain $\{yes, no, yes_c, no_c\}$ (c for currently). Finite traces that do not determine a property yield a (revocable) verdict $yes_c$ or $no_c$ that indicates whether the trace observed so far satisfies the property; yes and no are still irrevocable. This definition allows all finfinite properties to be monitored since it does not require verdicts to be irrevocable.
This type of monitoring does not give any guarantees beyond soundness: there are properties that are monitorable according to this definition for which no sound monitor ever reaches an irrevocable verdict: F G s for the system from Example 1.1 has no sound informative monitor, yet can be monitored according to Falcone et al.'s four-valued monitoring. This type of monitorability is complete, in the sense of providing at least a revocable verdict for all traces.
Monitorability in the infinite and finite. Bauer et al. use ∀pz-monitorability in their study of runtime verification for LTL [17] and attribute it to Pnueli and Zaks. However, unlike Falcone et al., Pnueli and Zaks [47] and ourselves, they focus on properties over infinite traces. There are some striking differences that arise if there is no risk of an execution ending. Aceto et al. show that, unlike in the finfinite domain, a set of non-trivial properties becomes completely monitorable: HML [38] (a.k.a. modal logic) is monitorable for both satisfaction and violation over infinite traces [5]. Furthermore, some properties, like $\{a^\omega\}$ over Act = {a}, that were not ∃pz- or ∀pz-monitorable on the finfinite domain, are ∃pz- or even ∀pz-monitorable on the infinite domain. The full analysis of how the hierarchy in Fig. 1.1 changes for the infinite domain is left for future work.
Havelund and Peled recently presented a related classification of infinitary properties [37]. Their classification consists of safety and co-safety properties (there called AFS and AFR), properties that are not positively or not negatively determined by any sequence (NFS and NFR), and properties where some, but not all, prefixes have an extension that determines the property positively, and their negations (SFS and SFR). They show that several of their classes contain both ∀pz-monitorable and non-∀pz-monitorable properties. In contrast, in our classification, ∀pz-monitorability is not orthogonal to other types of monitorability; rather, it is part of a spectrum that reflects the trade-offs between the strengths of the guarantees a monitor can provide and the specifications that can be monitored with these guarantees.
Barringer et al. [14] consider monitoring of properties over finite traces. In this domain, all properties are monitorable if, as is the case in [14], the end of a trace is observable; in this setting the question of monitorability is less relevant.
Monitorability parameterised by the domain. Instead of considering finite, infinite or finfinite traces, we could equally consider monitorability with respect to any set of traces S. This could, for example, reflect some prior knowledge we have about the system. Then, the level of S-monitorability of a property will correspond to the guarantees that monitors can provide assuming the execution is from S. This approach is also called grey-box monitoring, as it no longer treats the system as a black box, and has been considered in [51] for hyperproperties.
Monitoring non-regular properties. Although we have focussed on the monitorability of regular properties, the monitorability hierarchy of Sec. 3 is not restricted to this setting. Indeed, although non-regular properties require richer monitors, for example monitors with a stack or registers, the same concerns of soundness and degrees of completeness remain relevant. Barringer et al. consider a specification logic that allows for context-free properties [14]; in [31], Ferrier et al. consider monitors with registers (i.e., infinite state monitors) to verify safety properties that are not regular. Characterising (e.g., syntactically) the different classes of monitorability for non-regular properties is left as future work.
Beyond Monitorability. Stream-based monitoring systems such as [24,25] are more concerned with producing (revocable) aggregate outputs and transforming traces to satisfy properties, employing more powerful monitors than the ones considered here (e.g., transducers). Instead of monitorability, enforceability [7,30] is a criterion that is better suited for these settings.

Conclusion
We have proposed a unified, operational view on monitorability. This allows us to clearly state the implicit operational guarantees of existing definitions of monitorability. For instance, recall Example 1.1 from the introduction: since (G ¬f) ∧ (F s) is ∃pz- and ∀pz-monitorable but it is neither a safety nor a co-safety property, we know there is a monitor which can recognise some violations and satisfactions of this property, but there is no monitor that can recognise all satisfactions or all violations. Although we focussed on regular, finfinite properties, the definitions of monitorability in Sec. 3, and, more fundamentally, the methodology that systematically puts the relationship between monitor behaviour and specification centre stage, are equally applicable to other settings.
The emphasis our approach places on the explicit guarantees provided by the different types of monitorability should clarify the role of monitorability in the design of RV tools which, depending on the setting, may have different requirements. Indeed, a monitor that checks that the output of a module does not violate the preconditions of the next module had better be violation-complete; on the other hand, it is probably sufficient that a monitor be informative when it is used as a light-weight, best-effort part of a hybrid verification strategy.