
Safe-PCTL Specifications

Updated 27 November 2025
  • Safe-PCTL is a logic-based framework that formalizes probabilistic safety properties over Markovian models using finite-prefix closure.
  • It employs a distinct PCTL fragment with modalities like next, weak until, and bounded until to rigorously constrain ‘bad events’ with quantifiable probabilities.
  • The approach enables systematic decomposition of PCTL into safety and liveness components, facilitating efficient model checking and controller synthesis for safety-critical systems.

Safe-PCTL specifications formalize probabilistic safety properties over fully probabilistic and Markovian models, providing a logic-based framework to describe and analyze constraints such as “nothing bad happens” with high probability. The Safe-PCTL fragment of Probabilistic Computation Tree Logic (PCTL) admits a precise syntactic characterization, is sound and complete for safety properties in this setting, connects closely to concepts of safety and liveness via the structure of probabilistic trees, and admits systematic decomposition procedures. These specifications play a foundational role in probabilistic model checking, controller synthesis, and the verification of safety-critical systems.

1. Safety Properties in Probabilistic Systems

In the context of Markov chains and related probabilistic transition systems, executions are understood as infinite probabilistic trees (PTs): rooted trees whose nodes carry sets of atomic propositions and whose edges represent transitions labelled with probabilities. A safety property is one for which every counterexample arises after a finite execution prefix: the property holds on all executions that cannot be “ruled out” by a finite undesirable event. Formally, a set of PTs $\mathcal{P}$ is a safety property if it is topologically closed under finite-prefix extensions, i.e., for all total trees $T$, $T\in\mathcal{P}$ if and only if every finite prefix $t$ of $T$ can be extended to a total tree $T'\in\mathcal{P}$ with $t\preceq T'$.

This characterization has two important consequences:

  • Every safety violation can be witnessed by a finite counterexample (i.e., a finite-depth prefix not extensible to any $T'\in\mathcal{P}$).
  • Safety is dual to liveness, with the latter defined by the absence of any finite refuting prefix.

2. Safe-PCTL: Syntax, Semantics, and Fragment Definition

The syntax of PCTL includes:

  • State formulas: $a$ (atomic), $\neg a$, $\varphi\wedge\psi$, $\varphi\vee\psi$, and $[\mathcal{P}]_{\ge q}$ for a path formula $\mathcal{P}$;
  • Path formulas: $X\varphi$ (next), $\varphi\,U\,\psi$ (until), $\varphi\,W\,\psi$ (weak until).

The Safe-PCTL fragment, denoted $\mathit{PCTL}_{\mathrm{safe}}$, is inductively defined as follows:

  1. Atomic steps: $a$ and $\neg a$ are in $\mathit{PCTL}_{\mathrm{safe}}$.
  2. Boolean closure: if $\varphi,\psi\in\mathit{PCTL}_{\mathrm{safe}}$, then both $\varphi\wedge\psi$ and $\varphi\vee\psi$ are as well.
  3. Next and weak until: for any $\varphi\in\mathit{PCTL}_{\mathrm{safe}}$, $[X\varphi]_{\ge q}\in\mathit{PCTL}_{\mathrm{safe}}$; for any $\varphi,\psi\in\mathit{PCTL}_{\mathrm{safe}}$, $[\varphi\,W\,\psi]_{\ge q}\in\mathit{PCTL}_{\mathrm{safe}}$.
  4. Until with bounded probability: for any $\varphi,\psi\in\mathit{PCTL}_{\mathrm{safe}}$, $[\neg\varphi\,U\,\psi]_{\le q}\in\mathit{PCTL}_{\mathrm{safe}}$.

Semantically:

  • $[X\varphi]_{\ge q}$ asserts that, in one step, a “bad event” (violation of $\varphi$) occurs with probability at most $1-q$.
  • $[\varphi\,W\,\psi]_{\ge q}$ demands that, before reaching $\psi$, the process remains in $\varphi$ with total escape probability at most $1-q$.
  • $[\neg\varphi\,U\,\psi]_{\le q}$ upper-bounds the probability of violating $\varphi$ before reaching $\psi$.
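
The three modalities above, evaluated on a small discrete-time Markov chain. This is an added example, not code from the cited paper: the four-state chain, its labels and the probabilities are constructed for illustration, and the probabilities are computed by fixpoint iteration rather than by any particular model checker's algorithm.

```python
from fractions import Fraction as F

# Constructed four-state DTMC (illustration only, not from the paper):
#   s0 -7/8-> s1 -1-> s3   (s3 absorbing, labelled ok and done)
#   s0 -1/8-> s2           (s2 absorbing "crash" state, no labels)
CHAIN = {
    "s0": {"s1": F(7, 8), "s2": F(1, 8)},
    "s1": {"s3": F(1)},
    "s2": {"s2": F(1)},
    "s3": {"s3": F(1)},
}
LABELS = {"s0": {"ok"}, "s1": {"ok"}, "s2": set(), "s3": {"ok", "done"}}

def sat(atom):
    """State predicate for an atomic proposition."""
    return lambda s: atom in LABELS[s]

def prob_next(s, phi):
    """Pr_s(X phi): probability mass of the successors of s satisfying phi."""
    return sum(p for t, p in CHAIN[s].items() if phi(t))

def prob_until(phi, psi):
    """Pr_s(phi U psi) for every state, by monotone fixpoint iteration from
    below. Exact after |S| rounds when the states satisfying phi-and-not-psi
    contain no cycle (true for CHAIN); with such cycles the iteration only
    converges in the limit and must be run longer."""
    x = {s: F(1) if psi(s) else F(0) for s in CHAIN}
    for _ in range(len(CHAIN)):
        x = {s: x[s] if psi(s) or not phi(s)
             else sum(p * x[t] for t, p in CHAIN[s].items()) for s in CHAIN}
    return x

def escape_prob(phi, psi):
    """Probability of leaving phi before psi is reached, i.e.
    Pr_s((phi & ~psi) U (~phi & ~psi)); Pr_s(phi W psi) is 1 minus this."""
    return prob_until(lambda s: phi(s) and not psi(s),
                      lambda s: not phi(s) and not psi(s))

def check_next(s, phi, q):
    """[X phi]_{>=q}: the one-step bad event (not phi) has probability <= 1-q."""
    return 1 - prob_next(s, phi) <= 1 - q

def check_weak_until(s, phi, psi, q):
    """[phi W psi]_{>=q}: the total escape probability before psi is <= 1-q."""
    return escape_prob(phi, psi)[s] <= 1 - q

def check_bad_until(s, phi, psi, q):
    """[~phi U psi]_{<=q}: violating phi before reaching psi has probability <= q."""
    return prob_until(lambda t: not phi(t), psi)[s] <= q
```

From s0 the escape probability before done is 1/8, so $[\mathit{ok}\,W\,\mathit{done}]_{\ge 7/8}$ holds while $[\mathit{ok}\,W\,\mathit{done}]_{\ge 0.9}$ does not; the one-step prefix s0, s2 is the finite witness of the latter violation.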

3. Soundness and Completeness of the Safe-PCTL Fragment

Every formula expressible in $\mathit{PCTL}_{\mathrm{safe}}$ specifies a safety property over PTs. This is proved by induction on the formula structure, exploiting the preservation of finite-prefix closure by literals, boolean connectives, and the safe modal operators. Notably, $[\neg\varphi\,U\,\psi]_{\le q}$ is dual to $[(\varphi\vee\neg\psi)\,W\,\neg\psi]_{\ge 1-q}$, and this duality preserves safety semantics under finite prefixes.

Conversely, every PCTL formula specifying a safety property without strict probability bounds can be rewritten into $\mathit{PCTL}_{\mathrm{safe}}$ by syntactic manipulation: pushing negations to atoms, replacing strict inequalities by equivalent safe-style modal specifications, and expressing each “bad until” scenario as a weak-until formula in the closed fragment. This completeness result situates $\mathit{PCTL}_{\mathrm{safe}}$ as the exact logic for safety in probabilistic systems (Katoen et al., 2014).
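
The inductive definition of the fragment (rules 1 to 4 of Section 2) and the until/weak-until duality of Section 3, as a syntactic checker. This is an added example, not code from the paper; the tuple encoding of formulas is our own assumption, and the negation helper deliberately handles only literals and boolean connectives, since negating a probabilistic operator yields a strict bound that lies outside the fragment.

```python
# Formula encoding (our own assumption, not the paper's):
#   ("atom", "a")                        a
#   ("not", f)                           ¬f (inside the fragment only over an atom)
#   ("and", f, g) / ("or", f, g)         boolean connectives
#   ("P", op, q, path)                   [path]_{op q}, op in {">=", "<="}, q a number
#   ("X", f) / ("U", f, g) / ("W", f, g) path formulas

def is_safe(f):
    """Return True iff f is in PCTL_safe according to rules 1-4 of Section 2."""
    tag = f[0]
    if tag == "atom":
        return True                                      # rule 1: a
    if tag == "not":
        return f[1][0] == "atom"                         # rule 1: ¬a only
    if tag in ("and", "or"):
        return is_safe(f[1]) and is_safe(f[2])           # rule 2
    if tag == "P":
        _, op, _q, path = f
        if path[0] == "X" and op == ">=":                # rule 3: [X φ]_{≥q}
            return is_safe(path[1])
        if path[0] == "W" and op == ">=":                # rule 3: [φ W ψ]_{≥q}
            return is_safe(path[1]) and is_safe(path[2])
        if path[0] == "U" and op == "<=":                # rule 4: [¬φ U ψ]_{≤q}
            left, right = path[1], path[2]
            return left[0] == "not" and is_safe(left[1]) and is_safe(right)
    return False                     # e.g. [φ U ψ]_{≥q}, strict bounds, ¬(φ∧ψ)

def push_neg(f):
    """Negate a literal/boolean formula, pushing ¬ down to the atoms (De Morgan).
    Negating a probabilistic operator would flip its bound into a strict one,
    which is outside the fragment, so that case is rejected."""
    tag = f[0]
    if tag == "atom":
        return ("not", f)
    if tag == "not":
        return f[1]
    if tag == "and":
        return ("or", push_neg(f[1]), push_neg(f[2]))
    if tag == "or":
        return ("and", push_neg(f[1]), push_neg(f[2]))
    raise ValueError("negation of a probabilistic operator is not handled here")

def dualize(f):
    """Rewrite [¬φ U ψ]_{≤q} into its dual [(φ ∨ ¬ψ) W ¬ψ]_{≥1-q} (Section 3)."""
    _, op, q, path = f
    assert op == "<=" and path[0] == "U" and path[1][0] == "not"
    phi, psi = path[1][1], path[2]
    not_psi = push_neg(psi)
    return ("P", ">=", 1 - q, ("W", ("or", phi, not_psi), not_psi))
```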

4. Decomposition of Arbitrary PCTL into Safety and Liveness

Any flat (non-nested) PCTL formula can be algorithmically separated into a safety part and a liveness part. Given

$\Psi = P_1 \wedge P_2 \wedge \dots \wedge P_n$

each $P_i$ may be safe or not. The decomposition is:

  • The safety part: $\Phi_{\mathrm{safe}} = \mathrm{cls}(P_1) \wedge \dots \wedge \mathrm{cls}(P_n)$, where $\mathrm{cls}(\cdot)$ is the finite-prefix closure, resulting in a formula in $\mathit{PCTL}_{\mathrm{safe}}$.
  • The liveness part: $\Phi_{\mathrm{live}} = P_1 \vee \dots \vee P_n$, a liveness property (since its closure is the set of all PTs).

This decomposition is constructive and can be done in linear time relative to the size of the flat PCTL formula, aside from standard CNF expansion (Katoen et al., 2014).

5. Finite Counterexamples and the Structure of Violations

In Safe-PCTL, violations of a specification are always witnessed by finite prefixes: for any PT not in the set specified by a Safe-PCTL formula, there exists a finite-depth prefix all of whose extensions violate the property. Safety is thus characterized by the “finite witness” principle. On the other hand, liveness properties have no such finite counterexample, as their violations can only ever be observed over infinite trajectories.

This distinction underpins model checking strategies and practical verification, facilitating finite-state methods for searching for violations of Safe-PCTL properties (Katoen et al., 2014).

6. Relations to Qualitative Fragments and Absolute Properties

Qualitative PCTL (formulas using only the probability bounds $=1$ and $>0$) intersects with, but does not coincide with, the Safe-PCTL fragment: while $[a]_{=1}$ is a safety property, $[a]_{>0}$ is classified as liveness over PTs, due to the absence of finite-witness counterexamples. This classification aligns with the branching-time taxonomy of Manolios and Trefler for qualitative CTL.

Additionally, strong safety and absolute liveness, as per Sistla, have precise Safe-PCTL and liveness subfragments:

  • Strong safety is captured by allowing only stuttering- and shrinking-closed properties, with a subfragment using only literals, boolean connectives, and $[\varphi\,W\,\psi]_{\ge q}$ modalities (plus next operators over safe subformulas).
  • Absolute liveness is characterized by formulas whose satisfaction at any prefix implies satisfaction at all prior prefixes; it forms the smallest PCTL fragment admitting formulas of the form $[\Psi]_{>0}$, $[\Psi\,U\,\Theta]_{>0}$, etc., closed under positive boolean combinations.

7. Practical Implications and Summary

Safe-PCTL provides a complete syntactic calculus for expressing, decomposing, and verifying safety properties in probabilistic systems. Given its finite-prefix basis and decomposition procedure, any safety property can be isolated for verification, aiding both manual analysis and automated model checking. These properties are robust under relevant system refinements and are key both in the isolation of safety-critical requirements and in the reduction of general PCTL specifications to their safety-essential content. The same syntactic and semantic logic underlies state-of-the-art algorithms for safe controller synthesis, runtime monitoring, and formal analysis of probabilistic software and hardware systems (Katoen et al., 2014).
