From LTL to rLTL monitoring: improved monitorability through robust semantics

Runtime monitoring is commonly used to detect the violation of desired properties in safety critical cyber-physical systems by observing its executions. Bauer et al. introduced an influential framework for monitoring Linear Temporal Logic (LTL) properties based on a three-valued semantics for a finite execution: the formula is already satisfied by the given execution, it is already violated, or it is still undetermined, i.e., it can still be satisfied and violated by appropriate extensions of the given execution. However, a wide range of formulas are not monitorable under this approach, meaning that there are executions for which satisfaction and violation will always remain undetermined no matter how it is extended. In particular, Bauer et al. report that 44% of the formulas they consider in their experiments fall into this category. Recently, a robust semantics for LTL was introduced to capture different degrees by which a property can be violated. In this paper we introduce a robust semantics for finite strings and show its potential in monitoring: every formula considered by Bauer et al. is monitorable under our approach. Furthermore, we discuss which properties that come naturally in LTL monitoring—such as the realizability of all truth values—can be transferred to the robust setting. We show that LTL formulas with robust semantics can be monitored by deterministic automata, and provide tight bounds on the size of the constructed automaton. Lastly, we report on a prototype implementation and compare it to the LTL monitor of Bauer et al. on a sample of examples.

parallel to the system during deployment, evaluates it with respect to a fixed property. This is especially useful for systems that cannot be verified prior to deployment and, for this reason, can contain hidden bugs. While it is useful to catch and document these bugs during an execution of a system, we find that the current approach to runtime verification based on Linear Temporal Logic (LTL) [14] is not sufficiently informative, especially in what regards a system's robustness. Imagine that we are monitoring a property ϕ and that this property is violated during an execution. In addition to be alerted to the presence of a bug, there are several other questions we would like to have answered such as: although ϕ was falsified, was there a weaker version of ϕ that was still satisfied or did the system fail catastrophically? Similarly, if we consider a property of the form ϕ → ψ, where ϕ is an environment assumption and ψ is a system guarantee, and the environment violates ϕ slightly along an execution can we still guarantee that ψ is only slightly violated?
Answering these questions requires a logical formalism for specifying properties that provides meaning to terms such as weaker and slightly. Formalizing these notions within temporal logic, so as to be able to reason about the robustness of a system, was the main impetus behind the definition of robust Linear-time Temporal Logic (rLTL) [58]. While reasoning in LTL yields a binary result, rLTL adopts a five-valued semantics representing different shades of violation. Consider, for example, the specification a → b requiring that b is always satisfied provided a is always satisfied. In LTL, if the premise a is violated in a single position of the trace, then the specification is satisfied vacuously, eliminating all requirements on the system regarding b. In this case, rLTL detects a mild violation of the premise and thus allows for a mild violation of the conclusion.
While recent work covers the synthesis [58] and verification problem [5,6,58] for rLTL, the runtime verification problem is yet to be addressed, except for a preliminary version of the results in this paper presented in the 2020 International Conference on Hybrid Systems: Computation and Control [47]. Since runtime verification can only rely on finite traces by its nature, interesting theoretical questions open up for rLTL with finite semantics. On the practical side, the very same reasons that make runtime verification for LTL so useful also motivate the need for developing a finite semantics suitable for rLTL runtime verification. To this end, we tackle the problem of evaluating a property over infinite traces based on a finite prefix similarly to Bauer et al. [14]. If the available information is insufficient to declare a specification violated or satisfied, the monitor reports a ?. This concept is applied to each degree of violation of the rLTL semantics. Thus, the rLTL monitor's verdict consists of four three-valued bits, as the rLTL semantics is based on four two-valued bits. Each bit represents a degree of violation of the specification in increasing order of severity.
As an example, consider an autonomous drone that may or may not be in a stable state. 1 The specification requires that it remains stable throughout the entire mission. However, if the take-off is shaky due to bad weather, the drone is unstable for the first couple of minutes. An LTL monitor thus jumps to the conclusion that the specification is violated whereas an rLTL monitor only reports a partial violation. As soon as the drone stabilizes, the LTL monitor does not indicate any improvement while the rLTL monitor refines its verdict to also report a partial satisfaction.
Some interesting properties that come naturally with LTL monitoring cannot be seamlessly lifted to rLTL monitoring. While it is obvious that all three truth values for finite trace LTL, i.e. , satisfied, violated, and unknown, can be realized for some prefix and formula, the same does not hold for rLTL. Intuitively, the second and third bit of the rLTL monitor's four-bit output for the property a represent whether a eventually holds forever or whether it holds infinitely often, respectively. Based on a prefix, a monitor cannot distinguish between these two shades of violation, rendering some monitor outputs unrealizable. In addition to that, we investigate how the level of informedness of an LTL monitor relates to the one of an rLTL monitor. The first observation is that a verdict of an LTL monitor can be refined at most once, from an unknown to either true or false. With rLTL semantics, however, a monitor can refine its output for a given formula up to four times. Secondly, an LTL monitor can only deliver meaningful verdicts for monitorable [13] properties. Intuitively, a property is monitorable if every prefix can be extended by a finite continuation that gives a definite verdict. We adapt the definition to robust monitoring and show that neither does LTL monitorability imply rLTL monitorability, nor vice versa.
Notwithstanding the above, empirical data suggests that rLTL monitoring indeed provides more information than LTL monitoring: This paper presents an algorithm synthesizing monitors for rLTL specifications. An implementation thereof allows us to validate the approach by replicating the experiments of Bauer et al. [13]. As performance metric, we use LTL and rLTL monitorability. While 44% of the formulas considered by Bauer et al. [13] are not LTL-monitorable, we show all of them to be rLTL-monitorable. This indicates that rLTL monitoring is an improvement over LTL monitoring in terms of monitorability and complements the theoretical results with a practical validation.
This paper is an extended version of the work presented in the 2020 International Conference on Hybrid Systems: computation and control [47]. The main research contributions are a finite trace semantics for rLTL coupled with an investigation of its properties when compared to LTL, as well as an algorithm to synthesize monitors for rLTL specifications. Our construction is doubly-exponential in the size of the formula, showing that rLTL monitoring is no more costly than LTL monitoring. In addition to the original work [47], this article features (i) a more detailed discussion of the properties of our finite trace semantics for rLTL, (ii) a new running example detailing each step of the monitor construction, (iii) a new example illustrating the nesting of rLTL operators, (iv) refined complexity bounds on our monitor construction, and (v) all proofs omitted from the conference paper, which provide important additional insight into the problem of monitoring rLTL properties.

Related work
In runtime verification [22,35,42,49] the specification is often given in LTL [46]. While properties arguing about the past or current state of a system are always monitorable [34], LTL can also express assumptions on the future that cannot be validated using only a finite prefix of a word. Thus, adaptations of LTL have been proposed which include different notions of a next step on finite words [24,45], lifting LTL to a three-or four-valued domain [13,14], or applying predictive measures to rule out impossible extensions of words [60].
Non-binary monitoring has also been addressed by adding quantitative measures such as counting events [9,48]. Most notably, Bartocci et al. [10] evaluate the "likelihood" that a satisfying or violating continuation will occur. To this end, for a given prefix, they count how long a continuation needs to be such that the specification is satisfied/violated; these numbers are then compared against each other. The resulting verdict is quinary: satisfying/violating, presumably satisfying/violating, or inconclusive. This approach is similar in nature to our work as it assesses the degree of satisfaction or violation of a given prefix. However, the motivation and niche of both approaches differs: Bartocci et al.'s approach computesintuitively speaking-the amount of work that is required to satisfy or violate a specification, which allows for estimating the likelihood of satisfaction. Our approach, however, focuses on measuring the extent to which a specification was satisfied or violated.
Apart from that, monitoring tools collecting statistics [1,4,30] become increasingly popular: Snort [55] is a commercial tool for rule-based network monitoring and computing efficient statistics, Beep Beep 3 [33] is a tool based on a query language allowing for powerful aggregation functions and statistical measures. On the downside, these tools impose the overhead of running a heavy-weight application on the monitored system. In contrast, we generate monitor automata out of an rLTL formula. Such an automaton can easily and automatically be implemented on almost any system with statically determined memory requirements and negligible performance overhead. Similarly, the Copilot [52] framework based on synchronous languages [16,19] transforms a specification in a declarative data-flow language into a C implementation of a monitor with constant space and time requirements. Lola [2,19] allows for more involved computations, also incorporating parametrization [27] and real-time capabilities [28] while retaining constant space and time requirements.
Another approach is to enrich temporal logics with quantitative measures such as taking either the edit distance [37], counting the number of possible infinite models for LTL [31,59], incorporating aggregation expressions into metric first-order temporal logic [11], or using averaging temporal operators that quantify the degree of satisfaction of a signal for a specification by integrating the signal w.r.t. a constant reference signal [3].
Rather than enriching temporal logics with such strong quantitative measures, we consider a robust version of LTL: rLTL [5][6][7]58]. Robust semantics yields information about to which degree a trace violates a property. We adapt the semantics to work with finite traces by allowing for intermediate verdicts. Here, a certain degree of violation can be classified as "indefinite" and refined when more information becomes available to the monitor. Similarly, for Signal Temporal Logic [43,44], Fainekos et al. [25] introduced a notion of spacial robustness based on interpreting atomic propositions over the real numbers. The sign of the real number provides information about satisfaction/violation while its absolute value provides information about robustness, i.e., how much can this value be altered without changing satisfaction/violation. This approach is complementary to ours since the notion of robustness in rLTL is related to the temporal evolution of atomic propositions which are interpreted classically, i.e, over the Booleans. Donze et al. [21] introduced a notion of robustness closer to rLTL in the sense that it measures how long we need to wait for the truth value of a formula to change. For this, Cralley et al. [18] presented a convenient toolbox, achieving high efficiency through parallel evaluation. While the semantics of rLTL does not allow for quantifying the exact delay needed to change the truth value of a formula, it allows for distinguishing between the influence that different temporal evolutions, e.g., delays, persistence, and recurrence, have on the truth value of an LTL formula. Closer to rLTL is the work of Radionova et al. [54] (see also [57]) that established an unexpected connection between LTL and filtering through a quantitative semantics based on convolution with a kernel. By using different kernels, one can express weaker or stronger interpretations of the same formula. However, this requires the user to choose multiple kernels and to use multiple semantics to reason about how the degradation of assumptions leads to the degradation of guarantees. In contrast, no such choices are required in rLTL. Finally, it is worth mentioning that extensions similar to rLTL have been proposed for other temporal logics, such as prompt LTL and linear dynamic logic [50,51].
Another venue for robust monitoring is machine learning. Cheng [17] presents an algorithm for generating monitors evaluating the distance between the input of a neural net and its training data. While neural nets are prone to fragility, the monitor is provably robust in the sense that minor input deviations invariably lead to minor changes in the output. Similarly, Finkbeiner et al. [29] generate monitors for medical cyber-physical systems controlled by machine learned components. Due to the complexity of the underlying specification language, they opt for the simpler task of analyzing the robustness of the specification instead. If the specification is robust, then so will be the generated monitors.

Robust Linear Temporal Logic
Throughout this work, we assume basic familiarity with classical LTL and refer the reader to a textbook for more details on the logic (see, e.g. , [8]). Moreover, let us fix some finite set P of atomic propositions throughout the paper and define Σ = 2 P . We denote the set of finite and infinite words over Σ by Σ * and Σ ω , respectively. The empty word is denoted by ε and and denote the non-strict and the strict prefix relation, respectively. Moreover, we denote the set of Booleans by B = {0, 1}.
The logics LTL and rLTL share the same syntax save for a dot superimposed on temporal operators. More precisely, the syntax of rLTL is given by the grammar where p ranges over atomic propositions in P and the temporal operators , U , R , and correspond to "next", "until", "release", "eventually", and "always", respectively. 2 The size |ϕ| of a formula ϕ is the number of its distinct subformulas. Furthermore, we denote the set of all LTL and rLTL formulas over P by Φ LTL and Φ rLTL , respectively.
The development of rLTL was motivated by the observation that the difference between "minor" and "major" violations of a formula cannot be adequately described in a two-valued semantics. If an LTL formula ϕ, for example, demands that the property p holds at all positions of a word σ ∈ Σ ω , then σ violates ϕ even if p does not hold at only a single position, a very minor violation. The semantics of LTL, however, does not differentiate between the σ above and a σ in which the property p never holds, a major violation of the property ϕ.
In order to alleviate this shortcoming, Tabuada and Neider introduced Robust Linear-time Temporal Logic (rLTL) [58], whose semantics allows for distinguishing various "degrees" to which a word violates a formula. More precisely, the semantics of rLTL are defined over the set B 4 = {0000, 0001, 0011, 0111, 1111} of five truth values, each of which is a monotonically increasing sequence of four bits. We order the truth values in B 4 by 0000 < 0001 < 0011 < 0111 < 1111.
Intuitively, this order reflects increasingly desirable outcomes. If the specification is p, the least desirable outcome, represented by 0000, is that p never holds on the entire trace. A slightly more desirable outcome is that p at least holds sometime but not infinitely often, which results in the value 0001. An even more desirable outcome would be if p holds infinitely often, while also being violated infinitely often, represented by 0011. Climbing up the ladder of desirable outcomes, the next best one requires p to hold infinitely often while being violated only finitely often, represented by the value 0111. Lastly, the optimal outcome fully satisfies p, so p holds the entire time, represented by 1111. Thus, the first bit states whether p is satisfied, the second one stands for p, the third one for p, and the fourth one for p. If all of them are 0, ¬ p holds. The robust release is defined analogously.
The robust eventually-operator considers future positions in the trace and returns the truth value with the least degree of violation, which is a maximization with respect to the order defined above. This closely resembles the LTL definition. The robust until is defined analogously.
Based on this, the boolean conjunction and disjunction are defined as min and max, respectively, w.r.t. the order defined above, which generalizes the classical definition thereof. For the implication, consider a specification a → g, where a is an assumption on the environment and g is a system guarantee. If the truth value of g is greater or equal to the one of a, the implication is fully satisfied. Thus, the rLTL semantics takes the violation of the assumption into account and lowers the requirements on the guarantees. However, if the guarantee exhibits a greater violation than the assumptions, the truth value of the implication is the same as the one of the guarantee. Lastly, the intuition behind the negation is that every truth value that is not 1111 constitutes a violation of the specification. Thus, the negation thereof is a full satisfaction (1111). The negation of the truth value representing a perfect satisfaction (1111) is a full violation (0000).
For the sake of a simpler presentation, we denote the semantics of both LTL and rLTL not in terms of satisfaction relations but by means of valuation functions. For LTL, the valuation function V : Σ ω × Φ LTL → B assigns to each infinite word σ ∈ Σ ω and each LTL formula ϕ ∈ Φ LTL the value 1 if σ satisfies ϕ and the value 0 if σ does not satisfy ϕ, and is defined as usual (see, e.g., [8]). The semantics of rLTL, on the other hand, is more complex and formalized next by an valuation function V r : Σ ω × Φ rLTL → B 4 mapping an infinite word σ ∈ Σ ω and an rLTL formula ϕ to a truth value in B 4 . [3], [4], So as to not clutter this section too much, we refer the reader to the original work by Tabuada and Neider [58] for a thorough introduction and motivation to the preceding semantics. However, we here want to illustrate the definition above and briefly argue that it indeed captures the intuition described at the beginning of this section. To this end, we reconsider the formulas p, a → g, (q → p) in Examples 1, 2, and 3 respectively. Let us begin the example with the word σ 1 = {p} ω . It is not hard to verify that V r (σ 1 , p) [1] = 1 because p always holds in σ 1 , i.e., min n≥0 V r (σ [n, ∞), p) [1] = 1 for n ≥ 0. Using the same argument, we also have V r (σ 1 , Thus, V r (σ 1 , p) = 1111. As another example, consider the word σ 2 = ∅{p} ω . In this case, we have V r (σ 1 , p) [1] = 0 because V r (σ [0, ∞), p) [1] = 0 (p does not hold in the first symbol of σ 2 ). However, V r (σ 1 , p) [2] = 1 because p holds almost always, i.e., max m≥0 min n≥m V r (σ [n, ∞), p) [ p) = 0001, and V r (σ 5 , p) = 0000. In conclusion, this indeed illustrates that the semantics of the robust always is in accordance with the intuition provided at the beginning of this section.

Example 2
Let us now consider the more complex formula a → g, where we interpret a to be an assumption on the environment of a cyber-physical system and g one of its guarantees. Moreover, let σ be an infinite word over P = {a, g} such that V r (σ, a → g) = 1111. We now distinguish various cases.
First, let us assume that σ is such that V r (σ, a) = 1111, i.e., a always holds. By definition of the robust implication and since V r (σ, a → g) = 1111, this can only be the case if V r (σ, g) = 1111. Thus, the formula a → g ensures that if the environment assumption a always holds, so does the system guarantee g.
Next, assume that σ is such that V r (σ, a) = 0111, i.e., a does not always hold but almost always. By definition of the robust implication and since V r (σ, a → g) = 1111, this can only be the case if V r (σ, g) ≥ 0111. In this case, the formula a → g ensures that if the environment assumption a holds almost always, then the system guarantee g holds almost always or-even better-always.
It is not hard to verify that we obtain similar results for the cases V r (σ, a) ∈ {0011, 0001, 0000}. In other words, the semantics of rLTL ensures that the violation of the system guarantee g is always proportional to the violation of the environment assumption a (given that V r (σ, a → g) evaluates to 1111). Again, this illustrates that the semantics of the implication is in accordance with the intuition provided at the beginning of this section.
Example 3 As a last example, let us discuss the nesting of temporal operators. Consider the formula ϕ = (q → p) where we interpret q as a request and p as a response.
On the other hand, if q ∈ σ (n) and σ [n, ∞) does not contain a response then we have V r (σ [n, ∞), q → p) = 0000. From these observations, we can deduce V r (σ, ϕ) = 1111 if every request in σ is followed by a response, which is equivalent to the LTL formula ϕ 1 = (q → p) that expresses a request-response property. Further, we have V r (σ, ϕ) = 0111 if and only if σ violates ϕ 1 and if from some point onwards, every request in σ is followed by a response. This is equivalent to the LTL formula ¬ϕ 1 ∧ ϕ 2 with ϕ 2 = ( q) → ( p), which expresses strong fairness. Similarly, we have V r (σ, ϕ) = 0011 if and only if σ violates ϕ 2 and if for infinitely many positions, if there is a request in σ at that position, then it is followed by a response. This is equivalent to the LTL formula ¬ϕ 2 ∧ ϕ 3 with ϕ 3 = ( q) → ( p), which expresses weak fairness. Moreover, we have V r (σ, ϕ) = 0001 if and only if σ violates ϕ 3 and if there is some position such that if there is a request in σ at that position, then it is followed by a response. This is equivalent to the LTL formula ¬ϕ 3 ∧ ϕ 4 with ϕ 4 = ( q) → ( p), which expresses a very weak notion of fairness. Finally, we have V r (σ, ϕ) = 0000 if and only if σ violates ϕ 4 .
For i ∈ {1, 2, 3}, the LTL formula ϕ i implies ϕ i+1 . Thus, if a trace σ violates ϕ i+1 , it also violates ϕ i . This further illustrates the monotonicity of rLTL. This monotonicity also allows us to only require that ϕ i+1 violates ϕ i in the intuitive explanations above, instead of having to require violations of all ϕ i with i ≤ i.
It is important to note that rLTL is an extension of LTL. In fact, the LTL semantics can be recovered from the first bit of the rLTL semantics (after every implication ϕ → ψ has been replaced with ¬ϕ ∨ ψ). 3 3 It turns out that Tabuada and Neider's original proof [58, Proposition 5] has a minor mistake. Although the first bit of the rLTL semantics coincides with the original LTL semantics for all formulas that do not contain implications, the formula ¬a → a is an example witnessing this claim is no longer correct in the presence of implications, e.g., for {a}∅ ω . However, this issue can be fixed by replacing every implication ϕ → ψ with ¬ϕ ∨ ψ. This substitution results in an equivalent LTL formula for which the first bit of the rLTL semantics indeed coincides with the LTL semantics.

Lemma 1 ([58], Proposition 5) Let ϕ be an LTL formula without implications, and let ϕ be the corresponding rLTL formula (obtained by dotting all temporal operators). Then, we have
To reduce the number of cases we have to consider in our inductive proofs (for instance the one for Lemma 3), we note that the robust eventually and the robust always operator are syntactic sugar. Formally, we say that two rLTL formulas ϕ 1 , ϕ 2 are equivalent if V r (σ, ϕ 1 ) = V r (σ, ϕ 2 ) for every σ ∈ Σ ω . Now, let = p ∨ ¬p and ⊥ = p ∧ ¬p for some atomic proposition p. Then, the robust eventually and the robust always are, as usual, expressible in terms of the robust until and the robust release, respectively.

An alternative definition of robust semantics for LTL
Before we introduce rLTL monitoring, we need to introduce an alternative definition of the semantics of rLTL, which is more convenient to prove some of the results from Sect. 3. This alternative definition has been introduced in later works on rLTL [5,6]. Table 1. The rLTL semantics is then given as the valuation function V r : where for every σ ∈ Σ ω , every rLTL formula ϕ, and every , via the semantics of the LTL formulas ltl(i, ϕ)).
As a consequence of Lemma 1 (cf. [58], Proposition 5), we know that rLTL is at least as expressive as LTL. The latter definition of the semantics of rLTL shows that it is not more expressive than LTL, in the sense that for all rLTL formulas there exist LTL formulas giving the truth values of each of the four bits. However, it is more convenient to work with one formula of rLTL than to work with the four LTL formulas capturing it.
A useful feature of the alternative semantics is the following property: to determine the truth value of an rLTL formula ϕ on σ , it suffices to determine the truth values of the LTL formulas ltl(i, ϕ) on σ . For certain formulas, ltl(i, ϕ) is obtained from ϕ by a very simple rewriting, as shown below.

Remark 2
Let ϕ be an rLTL formula that has no always in the scope of a negation and only uses negation, conjunction, disjunction, next, eventually, and always. Then, -ltl(1, ϕ) is equivalent to the formula obtained from ϕ by replacing every by , every by , and every by , -ltl(2, ϕ) is equivalent to the formula obtained from ϕ by replacing every by , every by , and every by , -ltl(3, ϕ) is equivalent to the formula obtained from ϕ by replacing every by , every by , and every by , and -ltl(4, ϕ) is equivalent to the formula obtained from ϕ by replacing every by , every by , and every by .

Monitoring robust LTL
In their work on LTL monitoring, Bauer et al. [14] define the problem of runtime monitoring as "check[ing] LTL properties given finite prefixes of infinite [words]". More formally, given some prefix u ∈ Σ * and some LTL formula ϕ, it asks whether all, some, or no infinite extension uσ ∈ Σ ω of u by some σ ∈ Σ ω satisfies ϕ. To reflect these three possible results, the authors use the set B ? = {0, ?, 1} to define a three-valued logic that is syntactically identical to LTL, but equipped with a semantics in form of an evaluation function V m : Σ * × Φ LTL → B ? over finite prefixes. This semantics is defined such that V m (u, ϕ) is equal to 0 (is equal to 1) if no (if every) extension uσ of u satisfies ϕ. If neither is the case, i.e. , if there is an extension of u that satisfies ϕ and there is an extension of u that does not satisfy ϕ, then V m (u, ϕ) is equal to ?. We aim to extend the approach of Bauer et al. to rLTL, whose semantics is based on truth values from the set B 4 (containing the sequences of length four in 0 * 1 * ). As a motivating example, let us consider the formula ϕ = s for some atomic proposition s and study which situations can arise when monitoring this formula. Note that the truth value of ϕ can be obtained by concatenating the truth values of the LTL formulas ϕ 1 = s, ϕ 2 = s, ϕ 3 = s, and ϕ 4 = s. First, consider the empty prefix and its two extensions ∅ ω and {s} ω . We have V r (∅ ω , ϕ) = 0000 and V r ({s} ω , ϕ) = 1111. Thus, all four bits can both be equal to 0 and 1. This situation is captured by the sequence ???? which signifies that for every position i and every bit b ∈ B, there exists an extension of ε that has bit b in the i-th position of the truth value with respect to ϕ. Now, consider the prefix {s} for which we have V r ({s}σ, ϕ) [4] = 1 for every σ ∈ Σ ω as ϕ 4 = s is satisfied on each extension of {s} (s has already occurred). On the other hand, V r ({s}∅ ω , ϕ) = 0001 and V r ({s}{s} ω , ϕ) = 1111, i.e. , the first three bits can both be 0 and 1 by picking an appropriate extension. Hence, the situation is captured by the sequence ???1, signifying that the last bit is determined by the prefix, but the first three are not. Using dual arguments, the sequence 0??? is used for the prefix ∅, signifying that the first bit is determined by the prefix as every extension violates ϕ 1 = s. However, the last three bits are not yet determined by the prefix, hence the trailing ?'s.
In general, we use truth values of the form 0 * ? * 1 * , which follows from the fact that the truth values of rLTL are in 0 * 1 * . Hence, let B ? 4 denote the set of sequences of length four in 0 * ? * 1 * . Based on B ? 4 , we now formally define the rLTL monitoring semantics as a bitwise generalization of the LTL definition.
First, let us remark that our notion of rLTL monitoring indeed refines the notion of LTL monitoring, which follows immediately from Lemma 1.

Remark 3
Let ϕ be an LTL formula without implications, and let ϕ be the corresponding rLTL formula (obtained by dotting all temporal operators). Then, we have V m Using rLTL monitoring semantics, we are able to infer information about the infinite run of a system after having read only a finite prefix thereof. In fact, this robust semantics provides far more information about the degree of violation of the specification than classical LTL monitoring as each bit of the monitoring output represents a degree of violation of the specification: a ? turning into a 0 or 1 indicates a deterioration or improvement in the system's state, respectively. Consider, for instance, an autonomous drone with specification ϕ = s where s denotes a state of stable flight (recall the motivating example on Page 11). Initially, the monitor would output ???? due to a lack of information. If taking off under windy conditions, the state s is not reached initially, hence the monitor issues a warning by producing V m r (∅ n , ϕ) = 0??? for every n > 0. Thus, the safety condition is violated temporarily, but not irrecoverably. Hence, mitigation measures can be initiated. Upon success, the monitoring output turns into V m r (∅ n {s}, ϕ) = 0??1 for every n > 0, signaling that flight was stable for some time.
Hence, due to the monotonicity of the truth values from B 4 used to define After having shown that every possible output of V m r is in B ? 4 , the next obvious question is whether V m r is surjective, i.e. , whether every truth value β ∈ B ? 4 is realized by some prefix u ∈ Σ * and some rLTL formula ϕ in the sense that V m r (u, ϕ) = β. Recall the motivating example above: The formula s realizes at least the following four truth values: For most other truth values, it is straightforward to come up with rLTL formulas and prefixes that realize them. See Table 2 for an overview and recall Remark 2, which is applicable to all these formulas.
For others, such as 0011, it is much harder. Intuitively, to realize 0011, one needs to find an rLTL formula ϕ and a prefix u ∈ Σ * such that the formula obtained by replacing all in ϕ by is not satisfied by any extension of u, but the formula obtained by replacing all in ϕ by is satisfied by every extension of u. 4 Thus, intuitively, the prefix has to differentiate between a property holding almost always and holding infinitely often. It turns out that no such u and ϕ exist. A similar argument is true for 0001, leading to the following theorem.

Theorem 1 All truth values except for 0011 and 0001 are realizable.
The unrealizability results for the truth values 0011 and 0001 are based on the following technical lemma (the reader might want to skip the proof for now and consult it at a later time).
Proof The proofs of all three items proceed by induction over the construction of ϕ. The induction start and the induction steps for Boolean connectives can be abstracted into the following closure property, which follows easily from the original definition of V r in Sect. 2: Let T ⊆ B 4 contain 0000 and 1111. If V r (σ, ϕ 1 ) and V r (σ, ϕ 2 ) are in T , then so are V r (σ, p) for atomic propositions p, V r (σ, ¬ϕ 1 ), V r (σ, ϕ 1 ∧ ϕ 2 ), V r (σ, ϕ 1 ∨ ϕ 2 ), and V r (σ, ϕ 1 → ϕ 2 ).

Claim 1
The induction start and the induction step for the Boolean operators follow from the closure property, where we pick T to be the set of truth values from B 4 whose second and third bit coincide. Furthermore, due to Remark 1, we only have to consider the inductive steps for the next, until, and release operator. All three cases rely on the following simple fact: A suffix u∅ ω [n, ∞) for some n is again of the form u ∅ ω , i.e. , the induction hypothesis is applicable to suffixes. Also, if n ≥ |u|, then u∅ ω [n, ∞) = ∅ ω . In particular, u∅ ω has only finitely many distinct suffixes. So, first consider a formula of the form ϕ = ϕ 1 . Then, we have, for an arbitrary u ∈ Σ * , where the second equality is due to the induction hypothesis being applied to the suffix u∅ ω [1, ∞). Next, consider a formula of the form ϕ = ϕ 1 U ϕ 2 . Then, we have, for an arbitrary u ∈ Σ * , where the second equality follows from an application of the induction hypothesis to the suffixes u∅ ω [n, ∞) and u∅ ω [n , ∞). It remains to consider a formula of the form ϕ = ϕ 1 R ϕ 2 . Then, we have, for an arbitrary u ∈ Σ * , that V r (u∅ ω , ϕ) [2] is by definition equal to max m≥0 min n≥m max{V r (u∅ ω [n, ∞), ϕ 2 ) [2], max 0≤n <n The first equality follows from twice applying the induction hypothesis. For the second one, observe that is increasing in m. For the third one, note that for all n ≥ |u|, u∅ ω [n, ∞) = ∅ ω , which means that we have eliminated every occurrence of m and n. This explains the last equality. Similarly, V r (u∅ ω , ϕ) [3] is by definition equal to min m≥0 max n≥m max{V r (u∅ ω [n, ∞), ϕ 2 ) [3], max 0≤n <n where the equality again follows from all suffixes u∅ ω [n, ∞) with n ≥ |u| being equal to ∅ ω . Thus, we have derived the desired equality between V r (u∅ ω , ϕ) [2] and V r (u∅ ω , ϕ) [3]. Claim 2 The induction start and the induction steps for Boolean operators follow from the closure property, where we here pick T to be the set of truth values from B 4 whose third and fourth bit coincide. For u = u(0) · · · u(|u| − 1) and n < |u|, we define ρ(u, n) = u(n) · · · u(|u| − 1)u(0) · · · u(n − 1), i.e. , ρ(u, n) is obtained by "rotating" u n times. The induction steps for the temporal operators are based on the following simple fact: The suffix u ω [n, ∞) is equal to (ρ(u, n mod |u|)) ω , i.e. , the induction hypothesis is applicable to the suffixes. In particular, u ω has only finitely many distinct suffixes, which all appear infinitely often in a cyclic order. Now, the induction steps for the next and until operator are analogous to their counterparts in Item 1, as the only property we require there is that the induction hypothesis is applicable to suffixes. Hence, due to Remark 1, it only remains to consider the inductive step for the release operator.
So consider a formula of the form ϕ = ϕ 1 R ϕ 2 . Then, we have, for an arbitrary u ∈ Σ * , that V r (u ω , ϕ) [3] is by definition equal to where the first equality follows from twice applying the induction hypothesis and the second one is due to all suffixes u ω [n, ∞) being equal to ρ(u, n mod |u|) ω , and that there are only finitely many, which all appear infinitely often in a cyclic order among the (ρ(u, n)) ω for 0 ≤ n < |u|.
Similarly, V r (u ω , ϕ) [4] is by definition equal to where the equality again follows from all suffixes u ω [n, ∞) being equal to ρ(u, n mod |u|) ω , and that there are only finitely many, which appear in a cyclic order: In particular, after the first |u| suffixes, we have seen all of them. Thus, we have derived the desired equality between V r (u ω , ϕ) [3] and V r (u ω , ϕ) [4]. Claim 3 The induction start and the induction steps for Boolean operators are covered by the closure property, where we here pick T to be the set of truth values from B 4 whose first and second bit coincide. The cases of the next and until operator are again analogous to the first and second item. Hence, we only have to consider the inductive step for the always operator, as we here only consider formulas without release. So, consider a formula of the form ϕ = ϕ 1 . Here, we again rely on the fact that the suffix u ω [n, ∞) is equal to (ρ(u, n mod |u|)) ω . By definition, V r (u ω , ϕ) [1] is equal to ((ρ(u, n)) ω , ϕ 1 ) [2], where the first equality is due to the induction hypothesis and the second one due to the fact that u ω has only finitely many suffixes, which are all already realized by some u ω [n, ∞) for 0 ≤ n < |u|.
Similarly, V r (u ω , ϕ) [2] is by definition equal to = min 0≤n<|u| V r ((ρ(u, n)) ω , ϕ 1 ) [2], where the two equalities follow as before: the first by induction hypothesis and the second one by the fact that u ω has only finitely many suffixes, which all appear infinitely often in a cyclic order and which are all already realized by some u ω [n, ∞) for 0 ≤ n < |u|. Thus, we have derived the desired equality between V r (u ω , ϕ) [1] and V r (u ω , ϕ) [2]. Now, we are able to prove Theorem 1.

Proof
We begin by showing that 0011 and 0001 are not realizable. First, towards a contradiction, assume there is an rLTL formula ϕ and a prefix u such that V m r (u, ϕ) = 0011, i.e. , for every extension uσ , we have V r (uσ ) [2] = 0 and V r (uσ ) [3] = 1. However, by picking σ = ∅ ω we obtain the desired contradiction to Lemma 3.1.
The proof for 0001 is similar. Assume there is an rLTL formula ϕ and a prefix u such that V m r (u, ϕ) = 0001. Due to Lemma 4, we can assume that u is non-empty. Thus, we have V r (u ω , ϕ) = 0001 by definition of V m r , which contradicts Lemma 3.2. Finally, applying Lemma 3.3, one can show that no rLTL formula without the release operator realizes 0111. However, we show below that it is realizable by a formula with the release operator.
Next, we show that every other truth value β / ∈ {0011, 0001} is indeed realizable. The witnessing pairs of prefixes and formulas are presented in Table 2.
First, consider β = 0111 with prefix u = ∅{a} and formula ϕ = a R a. We have ltl(1, ϕ) = a R a and ltl(2, ϕ) = a ∨ a. Note that a R a is violated by uσ , for every σ ∈ Σ ω . Dually, a ∨ a is satisfied by uσ , for every σ ∈ Σ ω . Hence, for arbitrary σ ∈ Σ ω , we have V r (uσ, ϕ) [1] = 0 and V r (uσ, ϕ)[2] = 1. Hence, we have V r (uσ, ϕ) = 0111 for every σ , as this is the only truth value that matches this pattern. Hence, by definition, we obtain V m r (u, ϕ) = 0111. The verification for all other truth values is based on Remark 2, which is applicable to all formulas ϕ in the third column witnessing the realization of a truth value β = 0111. Now, for every such truth value β and corresponding pair (u, ϕ), one can easily verify the following: We leave the details of this slightly tedious, but trivial, verification to the reader.
As shown in Table 2, all of the realizable truth values except for 0111 are realized by formulas using only conjunction, disjunction, negation, eventually, and always. Further, 0111 can only be realized by a formula with the release operator while the truth values 0011 and 0001 are indeed not realizable at all.
Note that the two unrealizable truth values 0011 and 0001 both contain a 0 that is directly followed by a 1. The proof of unrealizability formalizes the intuition that such an "abrupt" transition from definitive violation of a property to definitive satisfaction of the property cannot be witnessed by any finite prefix. Finally, the only other truth value of this form, 0111, is only realizable by using a formula with the release operator. Going for every σ ∈ Σ ω . Now, as u is a prefix of u , we can decompose u into u = uv for some v ∈ Σ * and every extension u σ of u is the extension uvσ of u.

As this property holds for every i, we obtain V m r (u, ϕ) V m r (u , ϕ).
Let us discuss two properties of the semantics: impartiality and anticipation [20]. Impartiality states that a definitive verdict will never be revoked: If

Lemma 5 There is an rLTL formula ϕ and prefixes u
Proof Consider the sequence β 0 , . . . , β 4 with β j = 0 j ? 4− j and note that we have β j ≺ β j+1 for every j < 4. Furthermore, let u j = ∅ j for j ∈ {0, . . . , 4}. We construct a formula ϕ such that V m r (u j , ϕ) = β j for every j ∈ {0, . . . , 4}. To this end, let Later, we rely on the following fact about these formulas, which can easily be shown by applying Remark 2: we have V m r (u, ψ β j ) = β j for every prefix u. Further, for j ∈ {0, 1, 2, 3}, let ψ j be a formula that requires the proposition a to be violated at the first j −1 positions, but to hold at the j-th position (recall that we start counting at zero), i.e. , ψ j = ( 0≤ j < j j ¬a) ∧ j a. Here, we define the nesting of next operators as usual: 0 ξ = ξ and j+1 ξ = j ξ . By definition, we have V r (∅ j+1 σ, ψ j ) = 0000 for every σ ∈ Σ ω ( †).

Now, we define
and claim that it has the desired properties. To this end, we note that property ( †) implies V r (∅ 4 σ, ϕ) = 0000 for every σ ∈ Σ ω ( † †), as every disjunct of ϕ contains a conjunct of the form ψ j for some j ≤ 3. Also, let us mention that Remark 2 is applicable to ϕ.
After determining how many different truth values can be assumed by prefixes of a single infinite word, an obvious question is how many truth values can be realized by a fixed formula on different prefixes. It is not hard to combine the formulas in Table 2 to a formula that realizes all truth values not ruled out by Theorem 1. 5

Lemma 6
There is an rLTL formula ϕ such that for every β ∈ B ? 4 \{0011, 0001} there is a prefix u β with V m r (u β , ϕ) = β. Proof For every β ∈ B ? 4 \ {0011, 0001} let ϕ β be an rLTL formula and u β be a prefix, both over {a}, with V m r (u β , ϕ β ) = β. Such formulas and prefixes exist as shown in Table 2. Now, consider the formula a β ∧ ϕ β 5 Note that there are formulas in publicly available repositories that assume many truth values. One example is the formula which is taken from the LTLStore [38] and assumes ten different truth values. over the propositions {a} ∪ {a β | β ∈ B ? 4 \{0011, 0001}}. By construction, we have V m r (u β , ϕ) = β for every β, where i.e, we obtain u β from u β by adding the proposition a β to the first letter. Hence, ϕ has the desired properties.
Finally, let us consider the notion of monitorability [53], an important concept in the theory of runtime monitoring. As a motivation, consider the LTL formula ψ = s and an arbitrary prefix u ∈ Σ * . Then, the extension u{s} ω satisfies ψ while the extension u∅ ω does not satisfy ψ, i.e. , satisfaction of ψ is independent of any prefix u. Hence, we have V m (u, ψ) = ? for every prefix u, i.e. , monitoring the formula ψ does not generate any information.
In general, for a fixed LTL formula ϕ, a prefix u ∈ Σ * is called ugly if we have V m (uv, ϕ) = ? for every finite v ∈ Σ * , i.e. , every finite extension of u yields an indefinite verdict. 6 Now, ϕ is LTL-monitorable if there is no ugly prefix with respect to ϕ. A wide range of LTL formulas (e.g. , ψ = s as above) are unmonitorable in that sense. In particular, 44% of the LTL formulas considered in the experiments of Bauer et al. are not LTL-monitorable.
We next generalize the notion of monitorability to rLTL. In particular, we answer whether there are unmonitorable rLTL formulas. Then, in Sect. 5, we exhibit that all LTL formulas considered by Bauer et al.'s experimental evaluation, even the unmonitorable ones, are monitorable under rLTL semantics. To conclude the motivating example, note that the rLTL analogue s of the LTL formula ψ induces two truth values from B ? 4 indicating whether s has been true at least once (truth value ???1) or not (truth value ????). Even more so, every prefix inducing the truth value ???? can be extended to one inducing the truth value ???1.
As we have argued above, the formula s has no ugly prefix, i.e. , it is rLTLmonitorable. Thus, we have found an unmonitorable LTL formula whose rLTL analogue (the formula obtained by adding dots to all temporal operators) is monitorable. The converse statement is also true. There is a monitorable LTL formula whose rLTL analogue is unmonitorable. To this end, consider the LTL formula which is a tautology and therefore monitorable. On the other hand, we claim that ∅{s} is an ugly prefix for the rLTL analogue ϕ obtained by adding dots to the temporal operators. To this end note that we have both V r (∅{s}v∅ ω , ϕ) = 1111 and V r (∅{s}v{s} ω , ϕ) = 0000 for every v ∈ Σ * . Hence, V m r (∅{s}v, ϕ) = ???? for every such v, i.e. , ∅{s} is indeed ugly and ϕ therefore not rLTL-monitorable.
Thus, there are formulas that are unmonitorable under LTL semantics, but monitorable under rLTL semantics and there are formulas that are unmonitorable under rLTL semantics, but monitorable under LTL semantics. Using these formulas one can also construct a formula that is unmonitorable under both semantics.
To this end, fix LTL formulas ϕ and ϕ r over disjoint sets of propositions and a fresh proposition p not used in either formula such that ϕ has an ugly prefix u under LTL semantics, and ϕ r (with dotted operators) has an ugly prefix u r under rLTL semantics.
We can assume both prefixes to be non-empty, as ugliness is closed under finite extensions. ∧ ϕ r ). Then, the prefix obtained from u by adding the proposition p to the first letter is ugly for ϕ under LTL semantics and u r is ugly for ϕ (with dotted operators) under rLTL semantics.
As a final example, recall that we have shown that s is rLTL-monitorable and consider its negation ¬ s. It is not hard to see that V m r (u, ϕ) = ???? holds for every prefix u. Hence, ε is an ugly prefix for the formula, i.e. , we have found another unmonitorable rLTL formula. In particular, the example shows that, unlike for LTL, rLTL-monitorability is not preserved under negation.
After having studied properties of rLTL monitorability, we next show our main result: The robust monitoring semantics V m r can be implemented by finite-state machines.

Construction of rLTL monitors
An rLTL monitor is an implementation of the robust monitoring semantics V m r in form of a finite-state machine with output. More precisely, an rLTL monitor for an rLTL formula ϕ is a finite-state machine M ϕ that on reading an input u ∈ Σ * outputs V m r (u, ϕ). In this section, we show how to construct rLTL monitors and that this construction is asymptotically not more expensive than the construction of LTL monitors. Let us fix an rLTL formula ϕ for the remainder of this section.
Our rLTL monitor construction is inspired by Bauer et al. [14] and generates a sequence of finite-state machines (i.e. , Büchi automata over infinite words, (non)deterministic automata over finite words, and Moore machines). Underlying these machines are transition structures T = (Q, q I , Δ) consisting of a nonempty, finite set Q of states, an initial state q I ∈ Q, and a transition relation Δ ⊆ Q × Σ × Q. An (infinite) run of T on a word σ = a 0 a 1 a 2 · · · ∈ Σ ω is a sequence ρ = q 0 q 1 · · · of states such that q 0 = q I and (q j , a j , q j+1 ) ∈ Δ for j ∈ N. Finite runs on finite words are defined analogously. The transition structure T is deterministic if (a) (q, a, q ) ∈ Δ and (q, a, q ) ∈ Δ imply q = q and (b) for each q ∈ Q and a ∈ Σ there exists a (q, a, q ) ∈ Δ.
We then replace the transition relation Δ by a function δ : Q × Σ → Q. Finally, we define the size of a transition structure T as |T | = |Q| in order to measure its complexity.
Our construction then proceeds in three steps: 1. We bring ϕ into an operational form by constructing Büchi automata A ϕ β for each truth value β ∈ B 4 that can decide the valuation V r (σ, ϕ) of infinite words σ ∈ Σ ω . 2. Based on these Büchi automata, we then construct nondeterministic automata B ϕ β that can decide whether a finite word u ∈ Σ * can still be extended to an infinite word uσ ∈ Σ ω with V r (uσ, ϕ) = β. 3. We determinize the nondeterministic automata obtained in Step 2 and combine them into a single Moore machine that computes V m r (u, ϕ). Let us now describe each of these steps in detail.
Step 1 We first translate the rLTL formula ϕ into several Büchi automata using a construction by Tabuada and Neider [58], summarized in Theorem 2 below. A (nondeterministic) Büchi The Büchi automata A ϕ β for β ∈ B 4 serve as building blocks for the next steps. However, before we proceed, let us illustrate this step with an example.

Example 4 Let us consider the formula ϕ =
s, which already served as a running example in Sect. 3. Applying Theorem 2 results in the five nondeterministic Büchi automata A ϕ β , one for each β ∈ B 4 , shown in Fig. 1. We here use the standard way to represent finite-state machines graphically. States are drawn as circles and transitions are drawn as arrows. Moreover, the initial state has an incoming arrow, while accepting states are indicted by double circles. Finally, note that we use propositional formulas to symbolically define sets of transitions. For instance, a transition labeled with s in Fig. 1a represents all transitions labeled with a symbol from the set {A ⊆ P | s ∈ A} ⊆ Σ. In particular, true represents all symbols in Σ.
Step 2 For each Büchi automaton A ϕ β obtained in the previous step, we now construct a nondeterministic automaton B ϕ β over finite words. This automaton determines whether a finite word u ∈ Σ * can be continued to an infinite word uσ ∈ L(A ϕ β ) (i.e. , V r (uσ, ϕ) = β) and is used later to construct the rLTL monitor.
A nondeterministic finite automaton (NFA) is a four-tuple A = (Q, q I , Δ, F) that is syntactically identical to a Büchi automaton. The size of A is defined analogously to Büchi automata. In contrast to Büchi automata, however, NFAs only admit finite runs on finite words, i.e. , a run of A on u = a 0 · · · a n−1 ∈ Σ * is a sequence q 0 · · · q n such that q 0 = q I and (q j , a j , q j+1 ) ∈ Δ for every j < n. A run q 0 · · · q n is called accepting if q n ∈ F. Accepted words as well as the language of A are again defined analogously to the Büchi case. If (Q, q I , Δ) is deterministic, A is a deterministic finite automaton (DFA). It is well-known that for each NFA A one can construct a DFA A with L(A) = L(A ) and |A | ∈ O(2 |A| ).

Given the Büchi automaton
denotes the Büchi automaton A ϕ β but with initial state q instead of q I . Intuitively, the set F β contains all states q ∈ Q β from which there exists an accepting run in A ϕ β and, hence, indicates whether a finite word u ∈ Σ * reaching a state of F β can be extended to an infinite word uσ ∈ L(A ϕ β ). The set F β can be computed, for instance, using a nested depth-first search [56] for each state q ∈ Q β . Since each such search requires time quadratic in |A ϕ β |, the set F β can be computed in time O(|A ϕ β | 3 ). Using F β , we define the NFA B ϕ β = (Q β , q I ,β , Δ β , F β ). It shares the transition structure of A ϕ β and uses F β as the set of accepting states. Let us illustrate this construction using our running example.

Example 5 Given the NBAs
Step 1 of our construction, we now compute the corresponding NFAs B ϕ β , which are depicted in Fig. 2. Note that the transition structure has remained the same as compared to the preceding step (see Fig. 1). By contrast, the accepting states have changed according to the definition of F β , causing all states to be accepting. Note, however, that this does not mean that the resulting NFAs accept any finite word. For instance, the NFA B s 1111 in Fig. 2a is a counterexample to this claim.
The next lemma now states that B ). By definition of F β , this means that L(A ϕ β (q)) = ∅, say σ ∈ L(A ϕ β (q)). Since A ϕ β and B ϕ β share the same transition structures, the run of B ϕ β on u is also a run of A ϕ β on u, which both lead to state q. Therefore, uσ ∈ L(A ϕ β ). By Theorem 2, this is equivalent to V r (uσ, ϕ) = β. From right to left Let u ∈ Σ * and σ ∈ Σ ω such that V (uσ, ϕ) = β. By Theorem 2, we have uσ ∈ L(A ϕ β ). Consider an accepting run of A ϕ β on uσ , and let q be the state that A ϕ β reaches after reading the finite prefix u. Since uσ ∈ L(A ϕ β ), this means that σ ∈ L(A ϕ β (q)). Thus, q ∈ F β because L(A ϕ β (q)) = ∅. Moreover, since the run of A ϕ β on u is also a run of B ϕ β on u, the NFA B ϕ β can also reach state q after reading u. Therefore, u ∈ L(B ϕ β ) since q ∈ F β .
Before we continue to the last step in our construction, let us briefly comment on the complexity of computing the NFAs B Step 3 In the final step, we construct a Moore machine implementing an rLTL monitor for ϕ. Formally, a Moore machine is a five-tuple M = (Q, q I , δ, Γ , λ) consisting of a deterministic transition structure (Q, q I , δ), an output alphabet Γ , and an output function λ : Q → Γ . The size of M as well of runs of M are defined as for DFAs. In contrast to a DFA, however, a Moore machine M computes a function λ M : Σ * → Γ that is defined by λ M (u) = λ(q n ) where q n is the last state reached on the unique finite run q 0 · · · q n of M on its input u ∈ Σ * .
The first step in the construction of the Moore machine is to determinize the NFAs B ϕ β , obtaining equivalent DFAs C ϕ β = (Q β , q I ,β , δ β , F β ) of at most exponential size in |B ϕ β |. Subsequently, we combine these DFAs into a single Moore machine M ϕ implementing the desired rLTL monitor. Intuitively, this Moore machine is the product of the DFAs C ϕ β for each β ∈ B 4 and tracks the run of each individual DFA on the given input. Formally, M ϕ is defined as follows. Let us illustrate this last step of our construction by means of our running example.

Example 6
Given the NFAs B s β from Step 2 of our construction, we first apply a standard determinization step. This process results in equivalent DFAs C s β , which are shown in Fig. 3.
The final, minimized monitor M s , which results from the Cartesian product of all DFAs, is shown in Fig. 4. Note that this monitor has four different verdicts, shown as labels  Table 2 (on Page 13).
The main result of this paper now shows that the Moore machine M ϕ implements V m r , i.e. , we have λ M ϕ (u) = V m r (u, ϕ) for every prefix u.

Theorem 3 For every rLTL formula ϕ, one can construct an rLTL monitor of size 2 2 O(|ϕ|) .
Proof First observe that ξ indeed produces a valid value of B ? 4 (i.e. , a truth value of the form 0 * ? * 1 * ). This follows immediately from the definition of ξ and the fact that the truth values of rLTL are sequences in 0 * 1 * .
Next, we observe that M ϕ reaches state (q 1 , q 2 , q 3 , q 4 , q 5 ) after reading a word u ∈ Σ * if and only if for each β j ∈ B 4 the DFA C ϕ β j reaches state q j after reading u. A simple induction over the length of inputs fed to M ϕ proves this. Now, let us fix a word u ∈ Σ * and assume that (q 1 , q 2 , q 3 , q 4 , q 5 ) is the state reached by M ϕ after reading u. This means that each individual DFA C ϕ β j = (Q β j , q I ,β j , δ β j , F β j ) reaches state q j after reading u. Let now as in the definition of the output function λ of M ϕ . By applying Lemma 7, we then obtain To conclude the proof, it is left to show that ξ(B) = V m r (u, ϕ). We show this for each bit individually using a case distinction over the elements of B ? = {0, ?, 1}. So as to clutter this proof not too much, however, we only discuss the case of ? here, while noting that the remaining two cases can be proven analogously. Thus, let i ∈ {1, . . . , 4}. Then, Since λ (q 1 , q 2 , q 3 , q 4 , q 5 ) = ξ(B), the Moore machine M ϕ indeed outputs V m r (u, ϕ) for every word u ∈ Σ * . Moreover, M ϕ has 2 2 O(|ϕ|) states because the DFAs C ϕ β = (Q β , q I ,β , δ β , F β ) are of at most exponential size in |B ϕ β |, which in turn is at most exponential in |ϕ|. In total, this proves Theorem 3.
In a final post-processing step, we minimize M ϕ (e.g., using one of the standard algorithms for deterministic automata). As a result, we obtain the unique minimal monitor for the given rLTL formula.
It is left to determine the complexity of our rLTL monitor construction. Since each DFA  [14]. Moreover, this bound is tight since rLTL subsumes LTL (see Remark 3): Every monitor for an rLTL formula (without implications) can be turned into a monitor for the corresponding LTL formula by projecting every output to its first bit. Thus, the doubly-exponential bound, which is tight for LTL [14,40], is also tight for rLTL. Hence, robust runtime monitoring asymptotically incurs no extra cost compared to classical LTL runtime monitoring. However, it provides more useful information as we demonstrate next in our experimental evaluation.

Experimental evaluation
Besides incorporating a notion of robustness into classical LTL monitoring, our rLTL monitoring approach also promises to provide richer information than its LTL counterpart. In this section, we evaluate empirically whether this promise is actually fulfilled. More precisely, we answer the following two questions on a comprehensive suite of benchmarks: 1. How does rLTL monitoring compare to classical LTL monitoring in terms of monitorability? 2. For formulas that are both LTL-monitorable and rLTL-monitorable, how do both approaches compare in terms of the size of the resulting monitors and the time required to construct them?
To answer these research questions, we have implemented a prototype, which we named rLTL-mon. Our prototype is written in Java and builds on top of two libraries: Owl [39], a library for LTL and automata over infinite words, as well as AutomataLib (part of LearnLib [36]), a library for automata over finite words and Moore machines. For technical reasons (partly due to limitations of the Owl library and partly to simplify the implementation), rLTL-mon uses a monitor construction that is slightly different from the one described in Sect. 4: Instead of translating an rLTL formula into nondeterministic Büchi automata, rLTL-mon constructs deterministic parity automata. These parity automata are then directly converted into DFAs, thus skirting the need for a detour over NFAs and a subsequent determinization step. Note, however, that this alternative construction produces the same rLTL monitors than the one described in Sect. 4. Moreover, it has the same asymptotic complexity. The sources of our prototype are available online under the MIT license. 7

Benchmarks and experimental setup
The starting point of our evaluation was the original benchmark suite of Bauer et al. [14], which is based on a survey by Dwyer on frequently used software specification patterns [23]. This benchmark suite consists of 97 LTL formulas and covers a wide range of patterns, including safety, scoping, precedence, and response patterns. For our rLTL monitor construction, we interpreted each LTL formula in the benchmark suite as an rLTL formula (by treating every operator as a robust operator).
We compared rLTL-mon to Bauer et al.'s implementation of their LTL monitoring approach, which the authors named LTL 3 tools. This tool uses LTL2BA [32] to translate LTL formulas into Büchi automata and AT&T's fsmlib as a means to manipulate finite-state machines. Since LTL2BA's and Owl's input format for LTL formulas do not match exactly, we have translated all benchmarks into a suitable format using a python script.
We conducted all experiments on an Intel Core i5-6600 @ 3.3 GHz in a virtual machine with 4 GB of RAM running Ubuntu 18.04 LTS. As no monitor construction took longer than 600 s, we did not impose any time limit.

Results
Our evaluation shows that LTL 3 tools and rLTL-mon are both able to generate monitors for all 97 formulas in Bauer et al.'s benchmark suite. 8 Aggregated statistics of this evaluation are visualized in Fig. 5. 9 The histogram in Fig. 5a shows the aggregate number of LTL and rLTL monitors with respect to their number of states. As Bauer et al. already noted in their original work, the resulting LTL monitors are quite small (none had more than six states), which they attribute to Dwyer et al.'s specific selection of formulas [23]. A similar observation is also true for the rLTL monitors: None had more than eight states.
To determine which formulas are monitorable and which are not, we used a different, though equivalent definition, which is easy to check on the monitor itself: an LTL formula (rLTL formula) is monitorable if and only if the unique minimized LTL monitor (rLTL monitor) does not contain a sink-state with universal self-loop that outputs "?" (that outputs "????"). In other words, even if a finite word does not allow us to infer anything about the satisfaction of the LTL (rLTL) formula by infinite words extending it, it can always be 7 https://github.com/logic-and-learning/rltl-monitoring. 8 Note that the tools disagreed on one monitor where LTL 3 tools constructed a monitor with 1 state whereas rLTL-mon constructed an LTL monitor with 8 states. The respective formula was removed from the reported results. 9 Detailed results can be found in Tables 3 and 4 in the appendix.  [14] extended into another finite word that does. Bauer et al. report that 44.3% of the LTL monitors (43 out of 97) have this property (in fact, exactly the 43 LTL monitors with a single state), which means that 44.3% of all formulas in their benchmark suite are not LTL-monitorable. By contrast, all these formulas are rLTL-monitorable. Moreover, in 78.4% of the cases (76 out of 97), the rLTL monitor has more distinct outputs than the LTL monitor, indicating that the rLTL monitor provides more fine-grained information of the property being monitored; in the remaining 21.6%, both monitors have the same number of distinct outputs. These results answer our first research question strongly in favor of rLTL monitoring: rLTL monitoring did in fact provide more information than its classical LTL counterpart. In particular, only 55.7% of the benchmarks are LTL-monitorable, whereas 100% are rLTL-monitorable.
Let us now turn to our second research question and compare both monitoring approaches on the 54 formulas that are both LTL-monitorable and rLTL-monitorable. For these formulas, Fig. 5b further provides statistical analysis of the generated monitors in terms of their size (left diagram) as well as the time required to generate them (right diagram). Each box in the diagrams shows the lower and upper quartile (left and right border of the box, respectively), the median (line within the box), and minimum and maximum (left and right whisker, respectively).
Let us first consider the size of the monitors (left diagram of Fig. 5b). The majority of LTL monitors (52) has between two and four states, while the majority of rLTL monitors (45) has between two and five states. For 21 benchmarks, the LTL and rLTL monitors are of equal size, while the rLTL monitor is larger for the remaining 33 benchmarks. On average, rLTL monitors are about 1.5 times larger than the corresponding LTL monitors.
Let us now discuss the time taken to construct the monitors. As the diagram on the right-hand-side of Fig. 5b shows, LTL 3 tools was considerably faster than rLTL-mon on a majority of benchmarks (around 0.1 s and 2.6 s per benchmark, respectively). For all 54 benchmarks, the rLTL monitor construction took longer than the construction of the corresponding LTL monitor (although there are two non-LTL-monitorable formulas for which the construction of the rLTL monitor was faster). However, we attribute this large runtime gap partly to the overhead caused by repeatedly starting the Java virtual machine, which is not required in the case of LTL 3 tools. Note that this is not a concern in practice as a monitor is only constructed once before it is deployed.
Finally, our analysis answers our second question: rLTL monitors are only slightly larger than the corresponding LTL monitors and although they require considerably more time to construct, the overall construction time was negligible for almost all benchmarks.

Conclusion
We adapted the three-valued LTL monitoring semantics of Bauer et al. to rLTL, proved that the construction of monitors is asymptotically no more expensive than the one for LTL, and validated our approach on the benchmark of Bauer et al.: All formulas are rLTL-monitorable and the rLTL monitor is strictly more informative than its LTL counterpart for 77% of their formulas.
Recall Theorem 1, which states that the truth values 0011 and 0001 are not realizable. This points to a drawback regarding the two middle bits: When considering the formula a, the second bit represents a and the third bit a. A prefix cannot possibly provide enough information to distinguish these two formulas. On the other hand, the truth value ??11 is realizable, which shows that the middle bits can be relevant. In further work, we will investigate the role of the middle bits in rLTL monitoring.
Moreover, the informedness of a monitor can be increased further when attributing a special role to the last position(s) of a prefix. Even though a prefix of the form ∅ + {a} + does not fully satisfy a, neither does it fully violate it. If the system just now reached a state in which {a} always holds, an infinite continuation of the execution would satisfy the specification. So rather than reporting an undetermined result, the monitor could indicate that an infinite repetition of the last position of the prefix would satisfy the specification. Similarly, for a prefix {a} + ∅, the specification a is undetermined. While an infinite repetition of the last position ({a} + ∅ ω ) does not satisfy the specification, an infinite repetition of the last two positions ({a} + (∅{a}) ω ) would. We plan to investigate an extension of rLTL which takes this observation into account.
Bauer et al. [12] proposed an orthogonal approach with the logic RV-LTL. Here, the specification can contain the strong (weak) next-operator whose operand is consider violated (satisfied) at the last position of the trace. A formula that is undetermined under the strong semantics and satisfied (violated) under the weak semantics is considered potentially true (potentially false). Incorporating one of these approaches into rLTL monitoring could refine its output and thus increase its level of informedness.
Moreover, desired properties for cyber-physical systems often include real-time components such as "touch the ground at most 15 s after receiving a landing command". Monitors for logics taking real-time into account [15], such as STL [43,44], induce high computational overhead at runtime when compared to LTL and rLTL monitors. Thus, a real-time extension for rLTL retaining its low runtime cost would greatly increase its viability as specification language.
Acknowledgements The authors would like to thank Li Bingchen for discovering the formula mentioned in Data availability All data generated or analyzed during this study can be obtained through the repository at https://github.com/logic-and-learning/rltl-monitoring.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Experimental results
The following two tables provide detailed results of our experimental evaluation.