Towards Partial Monitoring: It is Always too Soon to Give Up^††thanks: Cardoso’s work supported by Royal Academy of Engineering under the Chairs in Emerging Technologies scheme.

Runtime Verification (RV) is a well-known lightweight formal verification technique [6]. Similar to other existing formal verification techniques, such as Model Checking [10] and Theorem Proving [22], it aims to verify the system behaviour, usually referred to as the System Under Analysis (SUA). Such a system can be composed of both software and hardware components, and the formal verification technique of choice is used to verify that everything works as expected.

RV achieves the verification of the SUA through monitoring. Specifically, starting from a formal property expressed in some formalism of choice, one (or multiple) monitors are generated. A monitor is a device that, given a sequence of events (a trace) that are generated by the system execution, it verifies the conformance of such a trace with respect to the formal property. Since the trace can be generated at runtime, the monitor can inform the system’s users about unexpected behaviours; i.e., events which violate the formal specification.

Differently from other formal verification techniques, RV is performed on the execution of the system. The formal properties are verified on traces of events generated by actual system executions. This is an important difference with respect to more traditional formal verification techniques such as Model Checking, where the verification is performed statically over an abstracted model of the system. RV does not require any model, nor any other information apart from execution traces, which makes it well suited to be used in black-box scenarios where not much is known about the SUA, such as in autonomous systems. Moreover, from a computational perspective RV performs better than traditional verification techniques; since monitors only take as input what the SUA produces, without the need of going through a model. It has been shown that RV offers polynomial time behaviour with respect to the length of the analysed trace [21].

Providing certification for reliable autonomous systems is not an easy task [12]. Formal verification of monolithic systems is already hard; to apply such techniques in the context of autonomous, cyber-physical, or even robotic systems makes it even more complicated. This is mainly due to the fact that these systems are intrinsically unpredictable [23]; especially when Machine Learning techniques are involved, such as Neural Networks [16]. In these scenarios, RV may be of help, especially since it does not require a model of the system and it can be deployed at runtime while the system is still running. In this way, even though the system offers some unpredictable aspects, by adding monitors it is possible to improve the system reliability. In fact, since monitors can be deployed together with the system, the monitors will be there to detect and possibly react accordingly in case of unexpected behaviours (e.g., by triggering or implementing some mechanism to handle such failures).

Unfortunately, some formal properties cannot be monitored at runtime. A formal property is considered monitorable, when it is possible to synthesise a monitor which verifies it. In turn, a formal property is denoted as non-monitorable, when it is not possible to synthesise such a monitor. In literature, there exists different definitions on the requirements for a property to be considered monitorable [17]. Nonetheless, the most common requirement for a property to be monitorable is that it should always be possible to conclude the satisfaction or violation of the property. Which means that there should not exist traces of events which make the property never satisfied nor violated. The reason such kind of properties are usually avoided is that the resulting monitors might be useless, since they may never be able to conclude anything about the SUA. Because of this, RV approaches usually focus on monitorable fragments of the properties to analyse. However, as we will show in this paper, some of these non-monitorable properties may still be worth to be analysed at runtime, even though if only partially. Therefore, we pose the following research question:

Is it possible for monitors that are synthesised by non-monitorable properties to be used in practice?

We suggest that a viable answer to this question is using partial monitoring. Since a non-monitorable property does not give any assurance on satisfaction or violation, we need to synthesise monitors which are capable of giving up on the verification process when it is clear that it will never arrive at any conclusion. This is especially relevant in the context of autonomous systems, where the availability of computational power and memory might be limited (e.g., in embedded systems). In such context, the presence of a component (the monitor) that arrives at a certain state where it does not do anything useful anymore is not only pointless, but it is also a waste of resources which could be better allocated. Thus, it is important to have monitors capable of giving up on the verification of a property, in order to safely reclaim otherwise used resources. At the same time, by using partial monitors we can be less restrictive on the kind of formal properties we are allowed to use, since a non-monitorable property can still be partially monitored at runtime.

As a proof of concept, in this work we exemplify our approach in a robotic application where an autonomous rover is deployed into a nuclear facility to perform remote inspection. In this scenario, the dynamic environment makes it hard to formally verify properties using traditional formal methods such as model checking. Thus, we can use RV to formally verify at runtime how the rover behaves. Using this application, we show that non-monitorable formal properties have parts of it that can still be verified using a partial monitor, as long as the monitor is capable of detecting when to give up. For example, we can have partial monitors to detect that the rover does not stay in areas with high-level of radiation, but if it observes a bad event (e.g., an event that would cause the monitor to be stuck in inconclusive states), which would render the monitor useless, then it needs to give up.

In this paper, we briefly revise the notion of monitorability [17, 3, 6, 26], where we focus more on its engineering implications for what concerns the monitor synthesis. To do so, we present a straightforward extension of the standard monitor synthesis for temporal properties in Linear Temporal Logic (LTL), where we take into consideration that a monitor could fail to completely verify an LTL property. We show how we can achieve this reasoning at the monitor level, instead of the more standard way of doing this at the property specification level. Specifically, we reduce the problem of a monitor recognising when to give up to a reachability problem inside the monitor representation.

The remainder of this paper is structured as follows. Section 2 presents some background definitions and notation that are used in the paper. Section 3 revises the notion of monitorability and reports related works in literature. Section 4 proposes our contribution, where the notion of partial monitoring is introduced. Section 4.1 demonstrates the use of partial monitors in an autonomous rover performing remote inspection tasks. In Section 4.2, we give the details on how the approach described in this paper has been implemented. Section 5 discusses the approach and its engineering implications in the monitor synthesis. Finally, Section 6 concludes the paper with final remarks and future research directions.

A system $S$ has an alphabet $\Sigma$ containing all of its observable events. Given an alphabet $\Sigma$, a trace $\sigma=ev_{\_}0ev_{\_}1\ldots$, is a sequence of events in $\Sigma$. $\sigma(i)$ is the i-th element of $\sigma$ (i.e., $ev_{\_}i$), $\sigma^{i}$ is the suffix of $\sigma$ starting from $i$ (i.e., $ev_{\_}iev_{\_}{i+1}\ldots$), $\Sigma^{*}$ is the set of all possible finite traces over $\Sigma$, and $\Sigma^{\omega}$ is the set of all possible infinite traces over $\Sigma$.

The standard formalism to specify formal properties in RV is propositional Linear Temporal Logic (LTL [25]). The relevant parts of the syntax of LTL are as follows:

$$\varphi=true\;|\;false\;|\;ev\;|\;(\varphi\land\varphi^{\prime})\;|\;(\varphi\lor\varphi^{\prime})\;|\;\lnot\varphi\;|\;(\varphi\;\mathop{\mathrm{\mathbf{U}}}\;\varphi^{\prime})\;|\;\mathchoice{{\tf@size pt{}}}{{\tf@size pt{}}}{{\sf@size pt{}}}{{\ssf@size pt{}}}\varphi$$

where $ev\in\Sigma$ is an event (a proposition), $\varphi$ is a formula, $\mathop{\mathrm{\mathbf{U}}}$ stands for until, and $\mathchoice{{\tf@size pt{}}}{{\tf@size pt{}}}{{\sf@size pt{}}}{{\ssf@size pt{}}}$ stands for next-time. In the rest of the paper, we also use the standard derived operators, such as $(\varphi\rightarrow\varphi^{\prime})$ instead of $(\lnot\varphi\lor\varphi^{\prime})$, $\varphi\;R\;\varphi^{\prime}$ instead of $\lnot(\lnot\varphi\mathop{\mathrm{\mathbf{U}}}\lnot\varphi^{\prime})$, $\square\varphi$ (always $\varphi$) instead of ($false\;R\;\varphi$), and $\lozenge\varphi$ (eventually $\varphi$) instead of ($true\mathop{\mathrm{\mathbf{U}}}\varphi$).

Let $\sigma\in\Sigma^{\omega}$ be an infinite sequence of events over $\Sigma$, the semantics of LTL is as follows:

	$\displaystyle\sigma$	$\displaystyle\models$	$\displaystyle ev\textrm{ if }ev\in\sigma(0)$
	$\displaystyle\sigma$	$\displaystyle\models$	$\displaystyle\lnot\varphi\textrm{ if }\sigma\not\models\varphi$
	$\displaystyle\sigma$	$\displaystyle\models$	$\displaystyle\varphi\land\varphi^{\prime}\textrm{ if }\sigma\models\varphi\textrm{ and }\sigma\models\varphi^{\prime}$
	$\displaystyle\sigma$	$\displaystyle\models$	$\displaystyle\varphi\lor\varphi^{\prime}\textrm{ if }\sigma\models\varphi\textrm{ or }\sigma\models\varphi^{\prime}$
	$\displaystyle\sigma$	$\displaystyle\models$	$\displaystyle\mathchoice{{\tf@size pt{}}}{{\tf@size pt{}}}{{\sf@size pt{}}}{{\ssf@size pt{}}}\varphi\textrm{ if }\sigma^{1}\models\varphi$
	$\displaystyle\sigma$	$\displaystyle\models$	$\displaystyle\varphi\mathop{\mathrm{\mathbf{U}}}\varphi^{\prime}\textrm{ if }\exists_{\_}{i\geq 0}.\sigma^{i}\models\varphi^{\prime}\textrm{ and }\forall_{\_}{0\leq j<i}.\sigma^{j}\models\varphi$

A trace $\sigma$ satisfies an atomic proposition ($ev$), if the event $ev$ belongs to the head (first element) of $\sigma$; which means, $ev$ has been observed as initial event of the trace $\sigma$. A trace $\sigma$ satisfies the negation of the LTL property $\varphi$, if $\sigma$ does not satisfy $\varphi$. A trace $\sigma$ satisfies the conjunction of two LTL properties, if $\sigma$ satisfies both properties. A trace $\sigma$ satisfies the disjunction of two LTL properties, if $\sigma$ satisfies at least one of them. A trace $\sigma$ satisfies next-time $\varphi$, if the suffix of $\sigma$ starting in the next step ($\sigma^{1}$) satisfies $\varphi$. Finally, a trace $\sigma$ satisfies $\varphi\mathop{\mathrm{\mathbf{U}}}\varphi^{\prime}$, if there exists a suffix of $\sigma$ s.t. $\varphi^{\prime}$ is satisfied, and for all suffixes before it, $\varphi$ holds.

Thus, given an LTL property $\varphi$, we denote $\llbracket{\varphi}\rrbracket$ the language of the property, i.e., the set of traces which satisfy $\varphi$; namely $\llbracket{\varphi}\rrbracket=\{\sigma\;|\;\sigma\models\varphi\}$.

In Definition 1, we present a general and formalism-agnostic definition of a monitor. As mentioned before, a monitor is a function that, given a trace of events in input, returns a verdict which denotes the satisfaction (resp. violation) of a formal property over the trace.

Intuitively, a monitor returns $\top$ if all continuations ($u$) of $\sigma$ satisfy $\varphi$; $\bot$ if all possible continuations of $\sigma$ violate $\varphi$; $?$ otherwise. The first two outcomes are standard representations of satisfaction and violation, while the third is specific to RV. In more detail, it denotes when the monitor cannot conclude any verdict yet. This is closely related to the fact that RV is applied while the system is still running, and not all information about it are available. For instance, a property might be currently satisfied (resp. violated) by the system, but violated (resp. satisfied) in the (still unknown) future. The monitor can only safely conclude any of the two final verdicts ($\top$ or $\bot$) if it is sure such verdict will never change. The addition of the third outcome symbol $?$ helps the monitor to represent its position of uncertainty w.r.t. the current system execution.

A monitor function is usually implemented as a Finite State Machine (FSM), specifically a Moore machine (FSM where the output value of a state is only determined by the state) [7, 8]. A Moore machine can be defined as a tuple $\langle Q,q_{\_}0,\Sigma,O,\delta,\gamma\rangle$, where $Q$ is a finite set of states, $q_{\_}0$ is the initial state, $\Sigma$ is the input alphabet, $O$ is the output alphabet, $\delta:Q\times\Sigma\rightarrow Q$ is the transition function mapping a state and an event to the next state, and $\gamma:Q\rightarrow O$ is the function mapping a state to the output alphabet.

In [8], Bauer et al. present the sequence of steps required to generate from an LTL formula $\varphi$ the corresponding Moore machine instantiating the $Mon_{\_}{{\varphi}}$ function (as summarised in Figure 1).

Given an LTL property $\varphi$, a series of transformations is performed on $\varphi$, and its negation $\lnot\varphi$. Considering $\varphi$ in step (i), first, a corresponding Büchi Automaton $A^{\varphi}$ is generated in step (ii). This can be obtained using Gerth et al.’s algorithm  [14]. Such automaton recognises the set of infinite traces that satisfy $\varphi$ (according to LTL semantics). Then, each state of $A^{\varphi}$ is evaluated; the states that when selected as initial states in $A^{\varphi}$ do not generate the empty language are then added to the $F^{\varphi}$ set in step (iii). With such a set, a Non-deterministic Finite State Automaton $\hat{A}^{\varphi}$ is obtained from $A^{\varphi}$ by simply substituting the final states of $A^{\varphi}$ with $F^{\varphi}$ in step (iv). $\hat{A}^{\varphi}$ recognises the finite traces (prefixes) that has at least one infinite continuation satisfying $\varphi$ (since the prefix reaches a state in $F^{\varphi}$). After that, $\hat{A}^{\varphi}$ is transformed (Rabin–Scott powerset construction [27]) into its equivalent deterministic version $\tilde{A}^{\varphi}$ in step (v); this is possible since deterministic and non-deterministic automata have the same expressive power. The exact same steps are performed on $\lnot\varphi$, which bring to the generation of the $\tilde{A}^{\lnot\varphi}$ counterpart. The difference between $\tilde{A}^{\varphi}$ and $\tilde{A}^{\lnot\varphi}$ is that the former recognises finite traces which have continuations satisfying $\varphi$, while the latter recognises finite traces which have continuations violating $\varphi$. Finally, a Moore machine can be generated as a standard automata product between $\tilde{A}^{\varphi}$ and $\tilde{A}^{\lnot\varphi}$ in the final step (vi), where the states are denoted as tuples $(q,q^{\prime})$, with $q$ and $q^{\prime}$ belonging to $\tilde{A}^{\varphi}$ and $\tilde{A}^{\lnot\varphi}$, respectively. The outputs are then determined as: $\top$ if $q^{\prime}$ does not belong to the final states of $\tilde{A}^{\lnot\varphi}$, $\bot$ if $q$ does not belong to the final states of $\tilde{A}^{\varphi}$, and $?$ otherwise.

Monitorability [17] refers to the branch of RV focused on the delineation of which formal properties can be monitored. It is crucial to understand monitorability for performing efficient verification at runtime of formal properties. However, the level of detail such notion is defined in the literature may vary. It has a wide range of definitions, some are more restrictive, while others are more flexible. A thorough presentation of the existing variations of monitorability can be found in [3]; where the authors report a complete guide on monitorability and its uses.

In this paper, we consider the definitions of monitorability introduced by Pnueli and Zaks [26], where the concept of monitorability was generalised w.r.t. its first appearance [17]. We chose their view of monitoriability since it is one of the most commonly cited by the community and it is less restrictive on the set of non-monitorable properties than other definitions found in the literature.

Definition 2 states that a property $\varphi$ is considered monitorable with respect to a finite trace of events $\sigma$, if we can find at least one trace $u$, such that $\varphi$ is satisfied (i.e., $\sigma$ is a good prefix) or violated (i.e., $\sigma$ is a bad prefix) by the resulting concatenated trace $\sigma\bullet u$. Intuitively, if a property is ${\sigma}\textrm{-}monitorable$, we know that for at least one possible trace of events the monitor will be able to conclude the satisfaction or violation of $\varphi$.

Following this reasoning, we define four different notions of monitorable property. We start from less restrictive and move towards more restrictive notions. Definition 3 uses a more relaxed notion of monitorability, where a property $\varphi$ is considered existentially monitorable when for at least one trace of events $\sigma\in\Sigma^{*}$ it is possible to find a continuation for which $\varphi$ is either satisfied or violated. Intuitively, this means that some trace can bring the monitor to never conclude the satisfaction or violation of $\varphi$. In the literature, these properties are also known as weak monitorable [9].

Definition 4 introduces a more restrictive notion of monitorability, where a property $\varphi$ is considered universally monitorable when for all finite traces $\sigma\in\Sigma^{*}$, it is possible to find a continuation for which $\varphi$ is either satisfied or violated. This means that no trace can bring the monitor to never conclude the satisfaction or violation of $\varphi$.

Monitorable properties are defined according to Definition 4 in a variety of past research [8, 6, 21, 15, 17]. The reason for this is that any other notion of monitorability, such as the one proposed in Definition 3, does not give any guarantees on the monitor used to verify the property. Indeed, if we consider Definition 3, there is no guarantee that eventually the monitor will encounter a trace of events $\sigma$ for which no continuation determines $\varphi$ positively or negatively. If this happens, then the monitor will just become pointless, because it will remain in an inconclusive state forever (i.e., it will never conclude anything about $\varphi$). In such scenarios, we follow the notation used in [8] to refer to such a trace of events $\sigma$ as an ugly prefix, since it represents a case where nothing can (and nothing will) be concluded. In order to avoid these scenarios, more restrictive rules over monitorability are usually imposed; of which Definition 4 is a key example.

Next, we show that by restricting even more the notion of monitorability, we find Safety and Co-Safety properties [4]. Definition 5 denotes the properties of the kind “nothing bad will ever happen”.

These properties can only be violated at runtime, which means the resulting monitor can only report negative and inconclusive verdicts. This is due to the fact that safety properties are satisfied only by infinite traces of events, and at runtime we only have access to finite traces.

An example of a safety property can be found in the right branch of $\varphi$ in Example 3, i.e., $\square ev_{\_}4$. This is a safety property where the expected behaviour is to observe $ev_{\_}4$ indefinitely. Thus, any $\sigma\in\Sigma^{*}$ (the $\Sigma$ of Example 3) can be extended with a continuation $u\in\Sigma^{*}$ s.t. $\sigma\bullet u$ negatively determines $\varphi$. There is no continuation $u\in\Sigma^{*}$ s.t. $\sigma\bullet u$ positively determines $\varphi$, but this is not actually required for being monitorable.

On the same level of restrictiveness, we have Co-Safety properties. Definition 6 denotes the properties of the kind “something good will eventually happen”.

These properties can only be satisfied at runtime, which means the resulting monitor can only report positive and inconclusive verdicts. This is due to the fact that co-safety properties are violated only by infinite traces of events.

An example of a co-safety property can be found in the left branch of $\varphi$ in Example 3, i.e., $\lozenge ev_{\_}2$. This is a co-safety property where the expected behaviour is to observe eventually $ev_{\_}2$. Thus, any $\sigma\in\Sigma^{*}$ (the $\Sigma$ of Example 3) can be extended with a continuation $u\in\Sigma^{*}$ s.t. $\sigma\bullet u$ positively determines $\varphi$. There is no continuation $u\in\Sigma^{*}$ s.t. $\sigma\bullet u$ negatively determines $\varphi$, but once again this is not required for being monitorable.

Note that, to check if a property belongs to the Safe class it is a PSPACE problem, while to check if a property is in the CoSafe class it is an EXPSPACE problem [28].

Figure 5 represents the different monitorability classes as sets. On the left, the largest set corresponds to $\exists_{\_}{PZ}$, which only requires the properties to have at least one good prefix. Then, we have $\forall_{\_}{PZ}$, which requires the properties to have only good prefixes. After that, we find the Safe and CoSafe classes, which are included in $\forall_{\_}{PZ}$ by construction. Since for every safety (resp. co-safety) property and $\sigma\in\Sigma^{*}$, we may find $u\in\Sigma^{*}$ s.t. $\sigma\bullet u$ negatively (resp. positively) determines the property. On the right, we have the rest of the properties, which are considered non-monitorable. These are the properties for which there is no trace $\sigma\in\Sigma^{*}$ which determines the property neither positively nor negatively. Thus, properties for which all traces are ugly.

Note that the more restrictive the conditions for a property to be considered monitorable are, the less these properties will be used in practice for achieving RV. Thus, one has to find a good balance to be able to discard as few properties as possible, and at the same time to correctly handle the possible lack of guarantees on the resulting monitoring process. The presence of a monitor that can reach a state with nothing to report should be avoided, or at least detected and handled.

In [26], Pnueli and Zaks propose a way to decide, given a finite trace $\sigma$, if a property under consideration $\varphi$ is ${\sigma}\textrm{-}monitorable$. In this way, they can detect whether the current observed trace is ugly and inform the user. The main difference with our approach is at which level such check is performed. In their work this is performed on the property; while in our work we perform it directly on the monitor.

In [2, 13], the notion of monitorability is presented for linear and branching flavours of Hennessy-Milner Logic with recursion (recHML) [19]. Differently from us, they consider partial monitoring the monitors which derive from either safety or co-safety properties (not both). Instead, we consider the monitors which are not always capable of determining the property, either positively or negatively.

It is important to note that a property can start monitorable (resp. non-monitorable) and become non-monitorable (resp. monitorable) depending on the information known about the SUA. In fact, as pointed out in [15], the monitorability result w.r.t. a property may change under assumptions on the SUA. If we know how the system behaves (e.g., a model of the system exists), then we can rewrite the property accordingly and this can change the answer to the monitorability question.

To the best of our knowledge, our work is the first that tackles the practical implications of partial monitoring; where monitors are not assumed to be able to always conclude the satisfaction or violation of the formal property under analysis, and where it is not always simple to determine if a property is monitorable or not.

In this section, we introduce the notion of partial monitoring from a practical perspective. First, we formally define partial monitors and show an example of how it works based on a property from a previous example. Then, we discuss the application and benefits of partial monitoring to an example of an autonomous rover performing remote inspection tasks. Finally, we present the implementation details of our tool, which is capable of automatically synthesising partial monitors from existing monitors for non-monitorable properties, and discuss the engineering aspects of our approach.

In Definition 1, we had a standard three-valued monitor. Usually, a monitor is intended to be complete, in the sense that a verdict is always assumed to be returned. This happens due to the presence of the inconclusive verdict ($?$), which is returned until the satisfaction ($\top$) or violation ($\bot$) of the property can be concluded. Nonetheless, in the standard definition, the property is assumed to be $\forall_{\_}{PZ}\textrm{-}monitorable$. Moreover, most of the time these are safety properties, since RV is usually applied in scenarios where it is used to verify that “nothing bad will ever happen”.

Definition 7 presents the notion of a partial monitor, which differs from Definition 1 in the values returned as outcome of the verification. An additional output “give up” value is added, i.e., $\upchi$. With $\upchi$, the monitor can explicitly give up on the current execution and inform the user/system that there is no point in continuing to monitor this property. To make the addition of this new output possible, we updated the condition for returning $?$. The monitor now requires the existence of a future continuation of $\sigma$ which will make the monitor conclude with a final verdict ($\top$ or $\bot$). If that is the case, then the monitor can conclude (for the moment) an inconclusive verdict, and eventually, it might conclude a final verdict. Otherwise, the monitor is unfortunately in a situation where $\sigma$ denotes an ugly prefix, where no possible continuation will ever allow the monitor to conclude the satisfaction or violation of $\varphi$. When this happens the monitor returns $\upchi$, which symbolises that it has given up on the current analysis.

Given a standard monitor, to obtain a partial monitor we add an additional post-processing step after generating the Moore machine. From a Moore machine representing the instantiation of a monitor, we compute for each state labelled with $?$ the reachability of a state labelled with $\top$ or $\bot$. Reaching these states means that the monitor cannot get stuck in an inconclusive state indefinitely (i.e., it has no dead ends). This analysis can be achieved in polynomial time w.r.t. the number of states and edges of the Moore machine. Specifically, in the worst case scenario the time complexity is $O(N^{2}+NE)$, with $N$ the number of states, and $E$ the number of edges. But, to have a better understanding of the time complexity, it is important to note the relation between $N$ and $\varphi$. In fact, the standard LTL monitor synthesis procedure (Figure 1) generates a Moore machine with double exponential size w.r.t. the size of the LTL property $|\varphi|$. Thus, if we expand the time complexity w.r.t. to the property, we obtain that the approach has time complexity $O(2^{2^{|\varphi|+1}}+2^{2^{|\varphi|}}E)$. Nonetheless, properties are usually small in size, which makes the time complexity less limiting.

In this work, we presented an intuitive approach to make monitors capable of giving up when necessary. As mentioned in Section 3, this is not the first time the notion of monitorability has been studied. Nonetheless, w.r.t. related work, we tackle the monitorability problem on a more practical level. Indeed, there are plenty of works which study and explore the theoretical aspects of what makes a property monitorable; but, not much has been done to answer what we can do with monitorability in practice. For instance, when is it the right time to give up on a property? Or more generally, what can we do with a non-monitorable property? Naturally, there are scenarios where nothing can be done. These are the cases when a property simply cannot be verified at runtime, in any possible way (such as the property from Example 5). However, there are scenarios where something can be rightfully concluded, albeit partially. And these are the cases we aimed to exploit in this work. In general, properties are expected to be fully monitorable (i.e., $\forall_{\_}{PZ}\textrm{-}monitorable$), because when such constraint does not hold, we do not have guarantees whether the monitor will ever conclude anything useful. Nonetheless, if the monitor is capable of giving up by recognising and handling ugly prefixes, then non-monitorable properties can be monitored through the use of partial monitors.

Applying such analysis at the monitor level is very important, because this does not only allow us to give up on the monitor at runtime, but also to reuse our approach in various scenarios. Since the approach is based on the Moore machine denoting the monitor (and not the property), it is formalism-agnostic up to a certain level. Thus, we are not just limited to LTL for defining the properties that can be used. We can use another logic as long as a Moore machine can be synthesised. This would not require any modifications to our approach at the theoretical level, but it does require changes in the implementation. For example, either the logic can be converted into LTL if possible, or an automaton representing the monitor needs to be generated (if this automaton is a Moore machine we are done and ready to use our approach, otherwise we need to convert it).

From a research perspective, by directly applying our approach on a Moore machine, we also offer a much more reusable workflow. As long as a Moore machine is generated, more challenging aspects can be explored. For instance, Predictive Runtime Verification (PRV) [30, 20] can be deployed instead of standard RV. In fact, works on PRV of LTL properties exist; where a model of the system (a Büchi Automaton) is used to predict future events and to help the monitor to conclude its verdict in advance (before actually observing the events). In such works, the flow presented in Figure 1 is extended for considering the model of the system as well. The important aspect for us is that, even though the workflow is extended, the final result is still a Moore machine, with the additional power of anticipating the conclusive outcomes. Since our approach is directly applied on a Moore machine and not on the property itself, we can still obtain partial monitoring for PRV by analysing the resulting predictive Moore machine. This means we can apply our approach to more challenging scenarios in the future, without the need to change anything specific in the process.

To summarise, in this paper we introduced the notion of partial monitoring as a practical view on monitorability, but it is important to note that the theoretical aspects of partial monitorability are different and much harder to tackle. On one hand we have partial monitoring, where we look into the representation of an existing monitor and we identify if it has any states where it should give up; if this is the case and the monitor still has other valid states that are not give up, then we have a partial monitor. Partial monitorability on the other hand, would deal with identifying what can make a property partially monitorable; e.g., what is the relation of the chosen logic’s operators with monitorability (if any) and how chaining these operators together impacts monitorability, delineate the types of properties that are more amenable and advantageous for partial monitoring, and so on.

In this paper, we discussed the issue of handling monitors generated from non-monitorable properties and how such monitors can be extended to give up when no final verdict can be ever concluded. We described a practical technique to perform reachability analysis of LTL monitors obtained using standard synthesis approaches [8], and how the resulting partial monitors can avoid to get stuck in scenarios where no final verdict can be concluded, such as when trying to monitor non-monitorable properties. We have demonstrated the use of partial monitoring in an example from the robotics domain, where a rover performing the inspection of a nuclear facility can be partially verified at runtime using non-monitorable properties. We also described the implementation details and engineering aspects of a tool that we developed to automate the detection and synthesis of partial monitors.

This work has focused on the engineering and implications of monitorability for the synthesis of partial monitors. In future work, we plan to extend the approach to other formalisms, such as Metric Temporal Logic (MTL) [18], Signal Temporal Logic (STL) [24], Runtime Monitoring Language (RML) [5], and so on. We also want to integrate our approach with existing RV tools for autonomous systems such as ROSMonitoring [11], which is a RV framework for the popular middleware for robotic development Robot Operating System (ROS)³³3https://www.ros.org/. Adding support to other formalisms requires updates to the tool, since right now it can only take as input plain Moore machines. This is important since more complex scenarios may require more expressive formalisms than LTL, and the issue of having partial monitors (as well as monitorability) arises in other formalisms as well.