A first-order logic characterization of safety and co-safety languages

Linear Temporal Logic (LTL) is one of the most popular temporal logics, and it comes into play in a variety of branches of computer science. Among the various reasons for its widespread use are its strong foundational properties: LTL is equivalent to counter-free omega-automata, to star-free omega-regular expressions, and (by Kamp's theorem) to the First-Order Theory of Linear Orders (FO-TLO). Safety and co-safety languages, where a finite prefix suffices to establish whether a word does not belong or belongs to the language, respectively, play a crucial role in lowering the complexity of problems like model checking and reactive synthesis for LTL. SafetyLTL (resp., coSafetyLTL) is the fragment of LTL where only universal (resp., existential) temporal modalities are allowed; it recognises safety (resp., co-safety) languages only. The main contribution of this paper is the introduction of a fragment of FO-TLO, called SafetyFO, and of its dual coSafetyFO, which are expressively complete with respect to the LTL-definable safety and co-safety languages. We prove that they exactly characterize SafetyLTL and coSafetyLTL, respectively, a result that complements Kamp's theorem and provides a clearer view of the characterization of (fragments of) LTL in terms of first-order languages. In addition, it gives a direct, compact, and self-contained proof that any safety language definable in LTL is definable in SafetyLTL as well. As a by-product, we obtain some interesting results on the expressive power of the weak tomorrow operator of SafetyLTL, interpreted over finite and infinite words. Moreover, we prove that, when interpreted over finite words, SafetyLTL (resp., coSafetyLTL) devoid of the tomorrow (resp., weak tomorrow) operator captures the safety (resp., co-safety) fragment of LTL over finite words.


Introduction
Linear Temporal Logic (LTL) is the de-facto standard logic for system specifications [Pnu77]. It is a modal logic that is usually interpreted over infinite state sequences, but the finite-words semantics has recently gained attention as well [DV13,DV15]. The widespread use of LTL is due to its simple syntax and semantics, and to its strong foundational properties. Among them, we would like to mention the seminal work by Kamp [Kam68] and Gabbay et al. [GPSS80] on its expressive completeness, that is, LTL-definable languages are exactly those definable in the first-order fragment of the monadic second-order theory of linear orders [Büc90] (FO-TLO for short).
In formal verification, an important class of specifications is that of safety languages. They are languages of infinite words where a finite prefix suffices to establish whether a word does not belong to the language. As an example, the set of all and only those infinite sequences where some particular bad event never happens can be regarded as a safety language. In the dual co-safety languages (sometimes called guarantee languages), a finite prefix is sufficient to tell whether a word belongs to the language, e.g., when some desired event is mandated to eventually happen. Safety and co-safety languages are important for verification, model-checking, monitoring, and automated synthesis, because they capture a variety of real-world requirements while being much simpler to deal with algorithmically [KV01,BAS02,ZTL + 17].
Safety-LTL is the fragment of LTL where only the tomorrow, the weak tomorrow, and the release temporal modalities are allowed. Similarly, its dual coSafety-LTL is obtained by only allowing the tomorrow, the weak tomorrow, and the until modalities. It has been proved by Chang et al. [CMP92] that Safety-LTL and coSafety-LTL define exactly the safety and co-safety languages that are definable in LTL, respectively.
The paper consists of four parts.
In the first part, we provide a novel characterization of LTL-definable safety languages, and of their duals, in terms of a fragment of FO-TLO, called Safety-FO, and of its dual coSafety-FO. We argue that they have a very natural syntax, and we prove that they are expressively complete with respect to LTL-definable safety and co-safety languages. We first prove the correspondence between coSafety-FO and coSafety-LTL, which extends naturally to their duals and can be viewed as a version of Kamp's theorem [Kam68] specialized for safety and co-safety properties. Such a result provides a clearer picture of the correspondence between (fragments of) temporal and first-order logics. Then, we exploit it to prove the correspondence between co-safety languages definable in LTL and coSafety-FO, thus establishing also the equivalence between the former and coSafety-LTL. This gives a new proof of the fact that Safety-LTL captures exactly the set of LTL-definable safety languages [CMP92], which can be viewed as another contribution of the paper.
The interest of the latter proof is twofold: on the one hand, the original proof by Chang et al. [CMP92] is only sketched and relies on two non-trivial translations scattered across different sources [Zuc86,SPH84]; on the other hand, the equivalence result seems not to be widely known, as some authors presented the problem as open as late as 2021 [ZTL + 17, DGDST + 21]. Thus, a compact and self-contained proof of the result seems to be a useful contribution for the community. It is worth noting that both proofs build on the fact that safety/co-safety languages can be captured by formulas of the form Gα/Fα with α pure-past, but, after that, the two proofs significantly diverge. At the end of this part, as a by-product, we give some results that assess the expressive power of the weak tomorrow operator of Safety-LTL when interpreted over finite vs. infinite words.
Vol. 19:3 A FO LOGIC CHAR. OF SAFETY AND CO-SAFETY LANGUAGES 13:3
The second part is devoted to the safety and co-safety fragments of LTL interpreted over finite words. We show that the logic obtained from Safety-LTL (resp., coSafety-LTL) by forbidding the tomorrow (resp., weak tomorrow) operator captures the set of safety (resp., co-safety) properties of LTL over finite words. This provides a clearer view of which fragments of LTL over finite words characterize the safety and co-safety fragments.
In the third part, we study some formal properties of coSafety-FO and Safety-FO. We begin by studying the succinctness of coSafety-FO with respect to coSafety-LTL. We first show that there is a linear-size equivalence-preserving translation from coSafety-LTL to coSafety-FO. Then, we show that the translation in the other direction, from coSafety-FO to coSafety-LTL, that we exploit to prove the expressive equivalence between the two formalisms is nonelementary. Next, we illustrate an interesting practical application of coSafety-FO to reactive synthesis from temporal specifications. Finally, we compare coSafety-FO with another fragment of FO-TLO that has been proved to be expressively equivalent to the co-safety fragment of LTL [Tho88]. Naturally, all the above results can be dualized to the case of Safety-FO.
In the fourth and last part, we summarize the other characterizations of the (co)safety fragment of LTL that have been proposed in the literature so far, that is, those in terms of (i) temporal logics, (ii) automata, and (iii) regular expressions.
The paper is organized as follows. Section 2 provides some background knowledge. Section 3 introduces Safety-FO and coSafety-FO and proves their correspondence with Safety-LTL and coSafety-LTL, respectively. Then, Section 4 proves their correspondence with the sets of safety and co-safety languages definable in LTL, thus providing a compact and self-contained proof of the equivalence between Safety-LTL and LTL-definable safety languages. Some properties of the weak tomorrow operator are outlined as well. Section 5 proves that the fragment of LTL over finite words devoid of the tomorrow (resp., weak tomorrow) operator is expressively complete for the safety (resp., co-safety) fragment of LTL over finite words. Section 6 compares coSafety-FO with related fragments and describes a practical application of coSafety-FO to reactive synthesis. Section 7 summarizes the state of the art about different characterizations of the (co)safety fragment of LTL. Finally, Section 8 provides an assessment of the work done and discusses future work.
The paper is a revised and largely extended version of [CGG + 22]. In particular, the whole second, third, and fourth parts of the paper were not present in [CGG + 22].

Preliminaries
Let A be a finite alphabet. We denote by A* and A^ω the sets of all finite and infinite words over A, respectively. Moreover, we let A+ = A* \ {ε}, where ε is the empty word. Given a word σ ∈ A*, we denote by |σ| the length of σ. For an infinite word σ ∈ A^ω, |σ| = ω. Given a (finite or infinite) word σ, we denote by σ_i ∈ A, for 0 ≤ i < |σ|, the letter at the i-th position of the word. For 0 ≤ i ≤ j < |σ|, we denote by σ[i,j] the subword that starts at the i-th position (letter) of the word and ends at the j-th one, endpoints included. By σ[i,∞] we denote the suffix of σ starting at the i-th position. Given words σ ∈ A* and σ′ ∈ A* ∪ A^ω, we denote the concatenation of the two words by σ · σ′, or simply σσ′. A language L, with L ⊆ A* or L ⊆ A^ω, is a set of words. Given two languages L and L′ with L ⊆ A* and either L′ ⊆ A* or L′ ⊆ A^ω, we define L · L′ as the set {σ · σ′ | σ ∈ L and σ′ ∈ L′}. Given a finite word σ = σ_0 . . . σ_k, let σ^r = σ_k . . . σ_0 be the reverse of σ, and, given a language of finite words L, let L^r = {σ^r | σ ∈ L}. We are now ready to define safety and co-safety languages.
Definition 2.1 (Safety language [KV01,Tho88]). Let L ⊆ A^ω. We say that L is a safety language if and only if, for all σ ∈ A^ω, if σ ∉ L then there exists i ∈ N such that, for all σ′ ∈ A^ω, σ[0,i] · σ′ ∉ L. The class of safety languages is denoted by SAFETY.
Definition 2.2 (Co-safety language [KV01,Tho88]). Let L ⊆ A^ω. We say that L is a co-safety language if and only if, for all σ ∈ A^ω, if σ ∈ L then there exists i ∈ N such that, for all σ′ ∈ A^ω, σ[0,i] · σ′ ∈ L. The class of co-safety languages is denoted by coSAFETY.
Notice that, when interpreted over an infinite word, the semantics of the tomorrow and weak tomorrow operators coincide. The language of ϕ, denoted by L(ϕ), is the set of words σ ∈ (2^Σ)^ω such that σ |= ϕ. The language of finite words of ϕ, denoted by L<ω(ϕ), is the set of finite words σ ∈ (2^Σ)+ such that σ |= ϕ. Given a logic L, we overload the notation and denote by L also the set of languages L(ϕ) for ϕ ∈ L, and by L<ω the set of languages of finite words L<ω(ϕ) for ϕ ∈ L (LTL<ω is usually referred to as LTLf in the literature [DV13]). It is known that LTLf and pure past LTL (LTL_P) have the same expressive power [LPZ85,Tho88].
We now define the two fragments of LTL that are the subject of this paper.
Definition 2.4 (Safety-LTL and coSafety-LTL [Sis94]). The logic Safety-LTL (resp., the logic coSafety-LTL) is the fragment of LTL where, for formulas in negated normal form, only the tomorrow, weak tomorrow, and release (resp., until ) temporal modalities are allowed.
Note that both Safety-LTL and coSafety-LTL contain only future temporal operators. We also define the logic coSafety-LTL(−X̃) as coSafety-LTL devoid of the weak tomorrow (X̃) operator (this logic will play a central role in our proofs). Similarly, we define Safety-LTL(−X) as Safety-LTL devoid of the tomorrow (X) operator.
In the next section, we introduce two fragments of the First-Order Theory of Linear Orders [Buc63,Büc90], FO-TLO (or simply FO) for short. Given an alphabet Σ, FO is a first-order language with equality over the signature ⟨<, {P_p}_{p∈Σ}⟩, interpreted over structures M = ⟨D_M, <_M, {P_p^M}_{p∈Σ}⟩, where D_M is either the set N of natural numbers or a prefix {0, . . . , n} thereof, and <_M is the usual ordering relation over natural numbers. A sentence of FO is a formula of FO with no free variables. Given an FO formula ϕ(x_0, . . . , x_m) with m + 1 free variables, the satisfaction of ϕ by a first-order structure M when x_0 = n_0, . . . , x_m = n_m, denoted by M, n_0, . . . , n_m |= ϕ(x_0, . . . , x_m), is defined according to the standard first-order semantics. State sequences over Σ map naturally into such structures: given a word σ ∈ (2^Σ)* or σ ∈ (2^Σ)^ω, we denote by (σ)^s the corresponding first-order structure. Given a formula ϕ(x) with exactly one free variable x, the language of ϕ, denoted by L(ϕ), is the set of words σ ∈ (2^Σ)^ω such that (σ)^s, 0 |= ϕ. Similarly, the language of finite words of ϕ, denoted by L<ω(ϕ), is the set of finite words σ ∈ (2^Σ)+ such that (σ)^s, 0 |= ϕ. We denote by FO and FO<ω the sets of languages of infinite and finite words, respectively, definable by an FO formula.
We conclude the section by recalling some fundamental known results.
Finally, we state a normal form for LTL-definable safety/co-safety languages.
Proposition 2.6 (Chang et al. [CMP92], Thomas [Tho88]). A language L ∈ LTL is safety (resp., co-safety) if and only if it is the language of a formula of the form Gα (resp., Fα), where α ∈ LTL_P.

Safety-FO and coSafety-FO
In this section, we state and prove the main results of the paper: we define two simple fragments of FO and we show that they precisely capture Safety-LTL and coSafety-LTL, respectively. A summary of the achieved results is given in Fig. 1.
Definition 3.1 (Safety-FO). The logic Safety-FO is generated by the following grammar: where x, y, and z are first-order variables, P is a unary predicate, and ϕ 1 and ϕ 2 are Safety-FO formulas.
Definition 3.2 (coSafety-FO). The logic coSafety-FO is generated by the following grammar: where x, y, and z are first-order variables, P is a unary predicate, and ϕ_1 and ϕ_2 are coSafety-FO formulas.
A few observations on the syntax of the two fragments are in order. First of all, note that any formula of Safety-FO is the negation of a formula of coSafety-FO, and vice versa, and that any formula in these fragments has at least one free variable. Then, note that the two fragments are defined in negated normal form, i.e., negation only appears on atomic formulas. The particular kinds of existential and universal quantification allowed are the crux of these fragments. In particular, Safety-FO restricts any existentially quantified variable to be bounded between two free variables. The same applies to universal quantification in coSafety-FO. Moreover, Safety-FO and coSafety-FO formulas are future formulas, i.e., quantifiers can only range over values greater than some free variable. These two features are essential to precisely capture Safety-LTL and coSafety-LTL. Finally, note that the comparisons in the guards of the quantifiers are strict, but non-strict comparisons can be expressed as well. In particular, ∃y(x ≤ y ∧ ϕ) can be rewritten as ϕ[y/x] ∨ ∃y(x < y ∧ ϕ), where ϕ[y/x] is the formula obtained by replacing all free occurrences of y in ϕ with x.
To prove the relationship between Safety-LTL, coSafety-LTL, and these fragments, we focus on coSafety-FO; by duality, all the results transfer to Safety-FO. We focus on coSafety-FO because its unbounded quantification is existential, and it is easier to reason about the existence of a prefix than about all prefixes at once. We start by observing that, since over infinite words the weak tomorrow operator coincides with the tomorrow operator, the following holds.

Observation 3.3. coSafety-LTL = coSafety-LTL(−X̃)
When reasoning over finite words, the weak tomorrow operator plays a crucial role, since it can be used to recognize the last position of a word: for any σ ∈ (2^Σ)+, σ, i |= X̃⊥ if and only if i = |σ| − 1. Now, thanks to the absence of the weak tomorrow operator, coSafety-LTL(−X̃) is such that concatenating any (finite or infinite) suffix to a finite model of a coSafety-LTL(−X̃) formula yields again a model of the formula. Lemmas 3.4 and 3.5 prove this for finite and infinite suffixes, respectively.
We have to prove that, for each formula ϕ ∈ coSafety-LTL(−X̃), it holds that: We proceed by induction on the structure of ϕ. For the base case, consider ϕ = p ∈ Σ.
In [GMM14], De Giacomo et al. define the notion of insensitivity to infiniteness as a way to compare the finite- and the infinite-word semantics of fragments of LTL. They define a formula ϕ (over an alphabet Σ) to be insensitive to infiniteness if, and only if, for any finite word σ ∈ Σ+, it holds that σ |= ϕ iff σ · {e}^ω |= ϕ, where e is a fresh proposition letter (e ∉ Σ). By Lemma 3.5, it follows that every formula of coSafety-LTL(−X̃) is insensitive to infiniteness.
We can thus focus on coSafety-LTL(−X̃) and coSafety-FO over finite words. If we can prove that coSafety-LTL(−X̃)<ω = coSafety-FO<ω, we are done. First, we show how to encode coSafety-LTL(−X̃) formulas into coSafety-FO formulas with exactly one free variable.
Lemma 3.6. coSafety-LTL(−X̃)<ω ⊆ coSafety-FO<ω
Proof. Let L ∈ coSafety-LTL(−X̃)<ω, and let ϕ ∈ coSafety-LTL(−X̃) be such that L = L<ω(ϕ). By following the semantics of the operators in ϕ, we can obtain an equivalent coSafety-FO formula ϕ_FO. We inductively define the formula FO(ϕ, x), where x is a variable, as follows:
It is now time to show the opposite direction, i.e., that any coSafety-FO formula can be translated into a coSafety-LTL(−X̃) formula that is equivalent over finite words. To prove this fact, we adapt a proof of Kamp's theorem by Rabinovich [Rab14]. Kamp's theorem is one of the fundamental results about temporal logics: it states that LTL and FO have the same expressive power. Here, we prove a similar result in the context of co-safety languages. The proof goes by introducing a normal form for FO formulas and showing that (i) any coSafety-FO formula can be translated into such normal form and (ii) any formula in normal form can be straightforwardly translated into a coSafety-LTL(−X̃) formula. We start by introducing the normal form.
Some explanations are due. Each ∃∀-formula states a number of requirements on its free variables and on its quantified variables. Through the binding constraints, the free variables are identified with a subset of the quantified variables, so that the punctual and interval constraints, and the ordering constraints which sort all the variables in a total order, can be stated uniformly. Note that there is no relationship between n and m: there might be more quantified variables than free variables, or fewer. Note as well that the binding constraint z_0 = x_0 is always present, i.e., at least one free variable has to be the minimal element of the ordering. This ensures that ∃∀-formulas constrain only positions of the word that are greater than the value of x_0. We say that a formula of coSafety-FO is in normal form if and only if it is a disjunction of ∃∀-formulas. To see why formulas in normal form make sense, let us immediately show how to translate them into coSafety-LTL(−X̃) formulas.

Proof.
We show that any ∃∀-formula is equivalent, over finite words, to a coSafety-LTL(−X̃) formula. Since each formula in normal form is a disjunction of ∃∀-formulas, and since coSafety-LTL(−X̃) is closed under disjunction, this implies the proposition. Let ϕ(z) be an ∃∀-formula with a single free variable. Having only one free variable, ϕ(z) is of the form: Now, let A_i be the temporal formulas corresponding to α_i and B_i the ones corresponding to β_i. Recall that α_i and β_i are quantifier-free with only one free variable, hence this correspondence is trivial. Since z is the first time point of the ordering mandated by the formula, we only need future temporal operators to encode ϕ into the coSafety-LTL(−X̃) formula ψ defined as follows: It can be seen that σ, k |= ψ if and only if (σ)^s, k |= ϕ(z), for each σ ∈ (2^Σ)+ and each 0 ≤ k < |σ|. Thus, L<ω(ϕ(z)) = L<ω(ψ).
Two differences between our ∃∀-formulas and those used by Rabinovich [Rab14] are crucial: first, we do not have unbounded universal requirements, but all interval constraints use bounded quantifications, hence we do not need the always operator to encode them; second, our ∃∀-formulas are future formulas, hence we only need future operators to encode them.
We now show that any coSafety-FO formula can be translated into normal form, that is, into a disjunction of ∃∀-formulas.
Lemma 3.9. Any coSafety-FO formula is equivalent to a disjunction of ∃∀-formulas.
Proof. Let ϕ be a coSafety-FO formula. We proceed by structural induction on ϕ. For the base case, for each atomic formula ϕ(z_0, z_1) we provide an equivalent ∃∀-formula ψ(z_0, z_1):
(3) if ϕ = (z_0 ≠ z_1), we note that ϕ ≡ z_0 < z_1 ∨ z_1 < z_0 and then apply Item 1;
(4) if ϕ = P(z_0), then we define ψ := ∃x_0 (z_0 = x_0 ∧ P(x_0)). Similarly if ϕ = ¬P(z_0).
For the inductive step:
(1) The case of a disjunction is trivial.
(2) If ϕ(z_0, . . . , z_k) is a conjunction, by the inductive hypothesis each conjunct is equivalent to a disjunction of ∃∀-formulas. By distributing the conjunction over the disjunction, we can reduce to the case of a conjunction ψ_1(z_0, . . . , z_k) ∧ ψ_2(z_0, . . . , z_k) of two ∃∀-formulas (see Footnote 1). In this case we have that: Since the set of quantified variables in ψ_1 is disjoint from the set of quantified variables in ψ_2, we can distribute the existential quantifiers over the conjunction ψ_1 ∧ ψ_2, obtaining: Note that we can identify x_0 and x_{n+1}, obtaining: where j_i ∈ {0, . . . , k}, for each 0 ≤ i ≤ k. Now, to turn this formula into a disjunction of ∃∀-formulas, we consider all the possible interleavings of the variables that respect the two imposed orderings and expand the formula into a disjunction with one disjunct per interleaving. Let X = {x_0, . . . , x_n, x_{n+2}, . . . , x_m} and let Π be the set of all permutations of X compatible with the orderings x_0 < · · · < x_n and x_0 < x_{n+2} < · · · < x_m. For any π ∈ Π, π(0) = x_0.
Now, ψ_1 ∧ ψ_2 becomes the disjunction of a set of ∃∀-formulas ψ_π, one for each π ∈ Π, defined as: where β*_i suitably combines the formulas β according to the interleaving of the orderings of the original variables, and is defined by cases:
– if both π(i), π(i − 1) ≤ n or both π(i), π(i − 1) > n;
– β_{π(i)} ∧ β_{π(i−1)} if π(i) ≤ n and π(i − 1) > n, or vice versa.
Footnote 1. Note that, without loss of generality, we can assume that ψ_1 and ψ_2 have the same free variables z_1, . . . , z_k. In case one of the two does not use a variable (say z_i), then its binding constraint will not bind any variable to z_i.
By the inductive hypothesis, this is equivalent to the formula ∃z_{m+1} (z_i < z_{m+1} ∧ ⋁_{k=0}^{j} ψ_k(z_0, . . . , z_m, z_{m+1})), where ψ_k(z_0, . . . , z_m, z_{m+1}) is an ∃∀-formula, for each 0 ≤ k ≤ j, that is: By distributing the conjunction over the disjunction, we obtain: and by distributing the existential quantifier over the disjunction, we have: Since the subformula z_i < z_{m+1} does not contain the variables x_0, . . . , x_n, we can push it inside the existential quantification, obtaining: We now distinguish three cases.
(a) Suppose that ψ′_k(z_0, . . . , z_{m+1}, x_0, . . . , x_{n_k}) contains the conjuncts z_i = x_{l_i} and z_{m+1} = x_{l_{m+1}}, with l_i = l_{m+1}. These conjuncts contradict the formula z_i < z_{m+1}, that is: Hence ψ′_k(z_0, . . . , z_{m+1}, x_0, . . . , x_{n_k}) is equivalent to ⊥, and thus can be safely removed from the disjunction.
(b) Suppose that ψ′_k(z_0, . . . , z_{m+1}, x_0, . . . , x_{n_k}) contains the conjuncts z_i = x_{l_i}, z_{m+1} = x_{l_{m+1}}, and x_{l_{m+1}} < · · · < x_{l_i}. As in the previous case, it holds that: Thus, also in this case, the disjunct can be safely removed from the disjunction.
(c) Otherwise, ψ′_k(z_0, . . . , z_{m+1}, x_0, . . . , x_{n_k}) contains the conjuncts z_i = x_{l_i}, z_{m+1} = x_{l_{m+1}} (with l_i ≠ l_{m+1}), and x_{l_i} < · · · < x_{l_{m+1}}. Therefore, the subformula z_i < z_{m+1} is redundant, and can be safely removed from ψ′_k(z_0, . . . , z_{m+1}, x_0, . . . , x_{n_k}). The resulting formula is an ∃∀-formula.
After the previous transformation, we obtain: Finally, since each formula ψ″_k(z_0, . . . , z_{m+1}, x_0, . . . , x_{n_k}) contains the conjunct z_{m+1} = x_{l_{m+1}}, we can safely remove the quantifier ∃z_{m+1}. We obtain the formula: which is a disjunction of ∃∀-formulas.
(4) Let ϕ(z_0, . . . , z_m) = ∀z_{m+1} (z_i < z_{m+1} < z_j → ϕ_1(z_0, . . . , z_m, z_{m+1})), for some 0 ≤ i, j ≤ m.
By the induction hypothesis, we know that ϕ_1 is equivalent to a disjunction ⋁_k ψ_k where each ψ_k is an ∃∀-formula, i.e., each ψ_k is of the form: Without loss of generality, we can suppose that z_i, z_{m+1} and z_j are bound to variables x_{u_i}, x_{u_{m+1}} and x_{u_j} that are ordered consecutively, i.e., x_{u_i} < x_{u_{m+1}} < x_{u_j} with no other variable in between. Otherwise, the ordering constraints and the binding constraints would be in conflict with the guard z_i < z_{m+1} < z_j of the universal quantification, and the disjunct ψ_k could be removed from the disjunction. As a matter of fact, take for example a disjunct of ⋁_k ψ_k with ordering constraints inducing the order z_i < z_h < z_{m+1}, for some h. The existence of such a z_h is not guaranteed for each value of z_{m+1} between z_i and z_j, because when z_{m+1} = z_i + 1 there is no value between z_i and z_i + 1 (we are on discrete time models), and thus such a disjunct can be safely removed from ⋁_k ψ_k. That said, we can now isolate all the parts of ψ_k that mention z_{m+1}, bringing them out of the existential quantification and obtaining ψ_k ≡ θ_k ∧ η_k, where: Now, we have ϕ ≡ ∀z_{m+1} (z_i < z_{m+1} < z_j → ⋁_k (θ_k ∧ η_k)). We can distribute the antecedent of the implication over the disjunction: and then over the conjunction, obtaining:

In order to simplify the exposition, we now show how to proceed in the case of two disjuncts, which is easily generalizable. So suppose we have: We can a) distribute the disjunction over the conjunction (i.e., convert to conjunctive normal form in the case of multiple disjuncts): b) factor out the antecedent of the implications: and c) distribute the universal quantification over the conjunction, obtaining: Now, note that η_1 and η_2 do not contain z_{m+1} as a free variable, because we factored out all the parts mentioning z_{m+1} into θ_1 and θ_2 before. Therefore we can push them out of the universal quantifications, obtaining: Now, note that ¬∃z_{m+1} (z_i < z_{m+1} < z_j) is equivalent to z_i = z_j ∨ z_j = z_i + 1, which is the disjunction of two formulas that can be turned into ∃∀-formulas. Since both η_1 and η_2 are already ∃∀-formulas and since we already know how to deal with conjunctions and disjunctions of ∃∀-formulas, it remains to show that the universal quantifications in the formula above can be turned into ∃∀-formulas. Take ∀z_{m+1} (z_i < z_{m+1} < z_j → θ_1), i.e.:
∧ ∀y (z_i < y < z_{m+1} → β(y)) ∧ ∀y (z_{m+1} < y < z_j → β′(y))
Note that the first conjunct of the consequent can be removed, since it is redundant. Now, this formula requests β(y) for all y between z_i and z_{m+1}, with z_{m+1} ranging between z_i and z_j − 1, hence it effectively requests β(y) to hold for all y between z_i and z_j. Similarly for β′(y), which has to hold for all y between z_i + 1 and z_j. Hence, it is equivalent to: which is a disjunction of an ∃∀-formula and others that can be turned into disjunctions of ∃∀-formulas. The reasoning is entirely similar for ∀z_{m+1} (z_i < z_{m+1} < z_j → θ_1 ∨ θ_2).

Safety-FO captures LTL-definable safety languages
In this section, we prove that coSafety-FO captures LTL-definable co-safety languages. By duality, we have that Safety-FO captures LTL-definable safety languages, and by the equivalence shown in the previous section, this provides a novel proof of the fact that Safety-LTL captures LTL-definable safety languages. We start by characterizing co-safety languages in terms of LTL over finite words.
(⊇) Given L ∈ LTL<ω · (2^Σ)^ω, we know that L = L<ω(β) · (2^Σ)^ω for some LTL formula β. Hence, for each σ ∈ L there is an n such that σ[0,n], 0 |= β. Since LTL captures exactly the star-free languages and star-free languages are closed under reversal, there is an LTL formula α^r such that (σ[0,n])^r, 0 |= α^r. Now, by replacing all the until/tomorrow/weak tomorrow operators in α^r with since/yesterday/weak yesterday operators, we obtain an LTL_P formula α such that σ[0,n], n |= α. Hence, there is an n such that σ, n |= α, i.e., σ |= Fα. Therefore, by Proposition 2.6, L ∈ LTL ∩ coSAFETY, and this in turn implies that LTL<ω · (2^Σ)^ω ⊆ LTL ∩ coSAFETY.
Now, we show that, over finite words, the release and the globally modalities can be defined in terms of the weak tomorrow, the until, and the eventually modalities only. Similarly, we also show that, over finite words, the until and the eventually modalities can be defined in terms of the tomorrow, the release, and the globally modalities only.

Lemma 4.2. LTL <ω = Safety-LTL <ω = coSafety-LTL <ω
Proof. Since Safety-LTL and coSafety-LTL are fragments of LTL, we only need to show the inclusions LTL<ω ⊆ Safety-LTL<ω and LTL<ω ⊆ coSafety-LTL<ω. We first consider coSafety-LTL. For each LTL formula ϕ, we can build a coSafety-LTL formula whose language over finite words is exactly L<ω(ϕ). The globally operator can be replaced by an until operator whose existential part always refers to the last position of the word; that position is identified by the formula X̃⊥, which is true only at the final position: Similarly, the release operator can be expressed by means of a globally operator in disjunction with an until operator: Hence, LTL<ω = coSafety-LTL<ω. Now, if we exploit the duality between the eventually/until and the globally/release operators, we obtain: Hence, since any eventually operator and any until operator can be defined in terms of the tomorrow, the globally, and the release operators only, we have that LTL<ω = Safety-LTL<ω.
We are ready now to state the main result.
This result together with Theorem 3.12 allow us to conclude the following.

Theorem 4.5. Safety-LTL = LTL ∩ SAFETY
Note that, by Observation 3.3 and Lemma 3.5 on the one hand, and by Lemmas 4.1 and 4.2 on the other, the question of whether Safety-LTL = LTL ∩ SAFETY can be reduced to whether coSafety-LTL<ω · (2^Σ)^ω = coSafety-LTL(−X̃)<ω · (2^Σ)^ω. If coSafety-LTL and coSafety-LTL(−X̃) were equivalent over finite words, this would already prove Theorem 4.5. However, the next theorem shows that this is not the case.
Theorem 4.6. coSafety-LTL<ω ≠ coSafety-LTL(−X̃)<ω
Proof. In coSafety-LTL(−X̃) there is no way to pin down the final position of the word, since the weak tomorrow operator is not available. For this reason, given a coSafety-LTL(−X̃) formula ϕ, a simple structural induction shows that, for each σ ∈ (2^Σ)+ with σ |= ϕ, it holds that σσ′ |= ϕ for any σ′ ∈ (2^Σ)+, i.e., all the extensions of σ satisfy ϕ as well. This implies that L<ω(ϕ) is either empty (if ϕ is unsatisfiable) or infinite. By contrast, using the weak tomorrow operator to pin down the last position of the word, we can describe a finite non-empty language, as in the formula ϕ = a ∧ X(a ∧ X̃⊥). Its language over finite words is L<ω(ϕ) = {aa}, which consists of exactly one word, hence it cannot be described without the weak tomorrow operator.

The (co)safety fragment of LTL over finite words
So far, we have focused primarily on safety and co-safety languages of infinite words. Naturally, safety and co-safety languages of finite words deserve attention as well. In this section, we define the notion of (co-)safety languages of finite words and we prove that coSafety-LTL(−X̃) (resp., Safety-LTL(−X)), i.e., the logic obtained from coSafety-LTL (resp., Safety-LTL) by forbidding the X̃ (resp., the X) operator, captures the set of co-safety (resp., safety) languages of LTL interpreted over finite words.
We start with the definitions of safety and co-safety languages of finite words, which (unsurprisingly) are the natural restriction of Definitions 2.1 and 2.2 to finite words.
Definition 5.1. Let L ⊆ A* be a language of finite words. We say that L is a safety language if and only if for all the words σ ∈ A* it holds that, if σ ∉ L, then there exists an i < |σ| such that, for all σ′ ∈ A*, σ[0,i] · σ′ ∉ L. The class of safety languages of finite words is denoted as SAFETY <ω .
Definition 5.2. Let L ⊆ A* be a language of finite words. We say that L is a co-safety language if and only if for all the words σ ∈ A* it holds that, if σ ∈ L, then there exists an i < |σ| such that, for all σ′ ∈ A*, σ[0,i] · σ′ ∈ L. The class of co-safety languages of finite words is denoted as coSAFETY <ω .
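The rewritings used in the proof of LTL <ω = coSafety-LTL <ω above (globally as an until that hooks the last position with X̃⊥, release as globally-or-until, and their duals), the finite language {aa} of Theorem 4.6, and the co-safety condition of Definition 5.2, all checked by exhaustive enumeration over short words, as an added Python example that is not part of the paper; the tuple encoding of formulas, the bounded enumeration, and the names `holds`, `words`, `equivalent` and `is_cosafety_finite` are assumptions of this example.

```python
from itertools import combinations, product
# Formulas as nested tuples: ('ap', p), ('not', f), ('and', f, g), ('or', f, g), ('X', f) [tomorrow],
# ('wX', f) [weak tomorrow], ('U', f, g), ('R', f, g), ('G', f), ('F', f), ('true',), ('false',).
TRUE, FALSE = ('true',), ('false',)

def holds(f, w, i=0):
    """Finite-word semantics: w, i |= f, where w is a tuple of letters (frozensets of propositions)."""
    op, n = f[0], len(w)
    if op in ('true', 'false'):
        return op == 'true'
    if op == 'ap':
        return f[1] in w[i]
    if op == 'not':
        return not holds(f[1], w, i)
    if op == 'and':
        return holds(f[1], w, i) and holds(f[2], w, i)
    if op == 'or':
        return holds(f[1], w, i) or holds(f[2], w, i)
    if op == 'X':   # tomorrow: false at the last position
        return i + 1 < n and holds(f[1], w, i + 1)
    if op == 'wX':  # weak tomorrow: true at the last position, so wX false "hooks" that position
        return i + 1 >= n or holds(f[1], w, i + 1)
    if op == 'G':
        return all(holds(f[1], w, j) for j in range(i, n))
    if op == 'F':
        return any(holds(f[1], w, j) for j in range(i, n))
    if op == 'U':
        return any(holds(f[2], w, j) and all(holds(f[1], w, k) for k in range(i, j))
                   for j in range(i, n))
    if op == 'R':   # f R g is the dual of until: not(not f U not g)
        return all(holds(f[2], w, j) or any(holds(f[1], w, k) for k in range(i, j))
                   for j in range(i, n))
    raise ValueError(op)

def words(props, max_len):
    """All non-empty words of length <= max_len over the alphabet 2^props (constructed input)."""
    letters = [frozenset(s) for r in range(len(props) + 1) for s in combinations(props, r)]
    return [w for n in range(1, max_len + 1) for w in product(letters, repeat=n)]

def equivalent(f, g, props=('a', 'b'), max_len=4):
    """f and g agree on every short word: evidence for the rewriting, not a proof."""
    return all(holds(f, w) == holds(g, w) for w in words(props, max_len))

def is_cosafety_finite(f, props, max_len, ext_len=2):
    """Definition 5.2, bounded: every short word of L(f) has a prefix all of whose extensions
    by at most ext_len letters stay in L(f). Only a negative answer is conclusive."""
    exts = [()] + words(props, ext_len)
    return all(any(all(holds(f, w[:i + 1] + e) for e in exts) for i in range(len(w)))
               for w in words(props, max_len) if holds(f, w))

A, B, LAST = ('ap', 'a'), ('ap', 'b'), ('wX', FALSE)        # LAST holds only at the final position
G_AS_U = equivalent(('G', A), ('U', A, ('and', A, LAST)))                          # G a == a U (a & LAST)
R_AS_G_OR_U = equivalent(('R', A, B), ('or', ('G', B), ('U', B, ('and', B, A))))  # a R b == G b | b U (b & a)
F_AS_R = equivalent(('F', A), ('R', A, ('or', A, ('X', TRUE))))                    # dual: F a == a R (a | X true)
PHI = ('and', A, ('X', ('and', A, LAST)))   # Theorem 4.6: L(PHI) = {aa}, finite and non-empty
PSI = ('and', A, ('X', A))                  # weak-tomorrow free: extension-closed, hence co-safety
```

Running `is_cosafety_finite` on PHI and PSI over the alphabet 2^{a} shows that the weak-tomorrow formula of Theorem 4.6 defines a language that is not co-safety in the sense of Definition 5.2, whereas the X̃-free formula PSI does.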
The remaining part of the section is devoted to the proof of the following theorem, which gives two characterizations of the safety and co-safety fragments of LTL over finite words, one in terms of temporal logics and one in terms of first-order logics.
We can now prove that coSafety-FO and coSafety-LTL(−X̃) capture the co-safety fragment of LTL interpreted over finite words, i.e., LTL <ω ∩ coSAFETY <ω . By dualization, it also holds that Safety-FO and Safety-LTL(−X) characterize the safety fragment of LTL over finite words in terms of first-order logics and temporal logics, respectively.
Theorem 5.3. It holds that:
Proof. We first prove the case for the co-safety fragment. The following equivalences hold: by Propositions 2.3, 2.5 and 2.6 = coSafety-FO <ω by Lemma 5.5 = coSafety-LTL(−X̃) <ω by Corollary 3.10. Exploiting the duality between the safety and co-safety fragments, one directly obtains the proof for the safety case.

Comparison with related fragments
In this section, we compare coSafety-FO with two related fragments, namely coSafety-LTL and EB-FO, the latter being another first-order logic characterization of LTL-definable co-safety properties.
We also point out a practical application of the translation of coSafety-LTL formulas into coSafety-FO. As before, all the results can be dualized to the safety case.
6.1. Succinctness of coSafety-FO with respect to coSafety-LTL. We show that there exists an equivalence-preserving translation from coSafety-LTL into coSafety-FO that involves only a linear blowup.
The other direction of Proposition 6.1 is less obvious. The translation of any coSafety-FO formula into an equivalent one in coSafety-LTL described in this paper (Section 3) follows two main steps: (i) the transformation of coSafety-FO into normal form (Lemma 3.9); (ii) the transformation of the normal form into coSafety-LTL (Lemma 3.8). While the second step requires only a linear size increase, the first step, in the general case, can produce a formula of nonelementary size with respect to the size of the initial formula. This is mainly due to how the case of conjunctions is handled in the proof of Lemma 3.9: the resulting formula contains a subformula for each interleaving π in the set Π of all possible interleavings; since this set is exponentially larger than the starting formula, the case of conjunctions causes an exponential blow-up in the worst case, and nested conjunctions compound it. As a consequence, the equivalence-preserving translation from coSafety-FO to coSafety-LTL shown in this paper is nonelementary in the size of the final formula. Of course, this only gives an upper bound on the succinctness of coSafety-FO with respect to coSafety-LTL: the lower bound is still an open question, in particular whether every coSafety-FO formula admits an equivalent coSafety-LTL formula of polynomial size.

6.2. A practical feedback of coSafety-FO. Interestingly, the succinctness of coSafety-FO with respect to coSafety-LTL described in Section 6.1 has a practical consequence in the context of realizability and reactive synthesis.
Given a formula in LTL over a set of controllable and uncontrollable variables, realizability is the problem of establishing whether, for any sequence Unc of values of the uncontrollable variables, there exists a strategy s choosing the values of the controllable variables in such a way that any sequence generated by s responding to Unc is a model of the initial formula. Reactive synthesis is the problem of computing such a strategy (if any). In [ZTL+17], Zhu et al. consider realizability from Safety-LTL specifications. The first steps of their algorithm consist of negating the starting formula (thus obtaining a formula in coSafety-LTL, after the transformation into negation normal form) and then translating the result into FO. This last step is used in order to exploit the tool MONA [HJJ+95], an efficient tool for the construction and manipulation of automata. Interestingly, the formula resulting from this step is a formula of coSafety-FO of linear size with respect to the starting one, although Zhu et al. never explicitly identified it as such.
6.3. An alternative first-order logic characterization of (co)safety LTL properties. We start by giving a brief account of a different first-order logic characterization of safety and co-safety LTL properties, proposed by Thomas in [Tho88].
Given a formula ϕ(x) in the language of FO with one free variable (recall Section 2), we say that ϕ(x) is bounded if and only if all quantifiers in ϕ(x) are either of the form ∃y(y ≤ x ∧ . . . ) or ∀y(y ≤ x → . . . ). The two fragments of FO proposed by Thomas [Tho88] for capturing the safety and co-safety fragment of LTL are defined as follows.²
Definition 6.2. The Existential Bounded fragment of FO (EB-FO, for short) is the set of FO sentences of type ∃x . ϕ(x), such that ϕ(x) is a bounded formula. The Universal Bounded fragment of FO (UB-FO, for short) is the set of FO sentences of type ∀x . ϕ(x), such that ϕ(x) is a bounded formula.
Note that, unlike coSafety-FO and Safety-FO, formulas of EB-FO and UB-FO do not contain any free variable. For this reason, the definition of the language of an EB-FO or UB-FO formula differs from the one for coSafety-FO and Safety-FO. We define the language of a formula ϕ in EB-FO or UB-FO, denoted as L(ϕ), as the set of words σ ∈ (2^Σ)^ω such that (σ) s |= ϕ.
The EB-FO and UB-FO fragments are heavily based on FO and on the Fα and Gα normal forms (Proposition 2.6); in particular, we recall that:
• the set of LTL-definable co-safety (resp. safety) properties is captured by the set of formulas of type Fα (resp. Gα), where α ∈ LTL+P;
• by Propositions 2.3 and 2.5, we have that LTL+P = FO.
Take for example the EB-FO fragment. The structure of its formulas naturally resembles the Fα normal form: the power of FO is used for representing all and only the formulas α in LTL+P, while the initial existential quantifier ∃x . (. . .) together with the bound . . . ≤ x on all the other quantifiers is used for modeling the eventually (F) operator. A similar rationale holds for UB-FO. It follows that the EB-FO (resp. UB-FO) fragment is expressively complete with respect to the co-safety (resp. safety) fragment of LTL, that is [Tho88, Proposition 2.1]:
• EB-FO = LTL ∩ coSAFETY
• UB-FO = LTL ∩ SAFETY
² Thomas did not give a name to these fragments. We chose to call them the Existential and the Universal Bounded fragment of FO.

13:22 A. Cimatti, L. Geatti, N. Gigante, A. Montanari, and S. Tonetta Vol. 19:3
6.4. Comparison between coSafety-FO and EB-FO. Since both coSafety-FO and EB-FO capture the co-safety fragment of LTL, it follows that EB-FO and the fragment of coSafety-FO with exactly one free variable have the same expressive power. Clearly, the same holds for the safety fragment: UB-FO and the fragment of Safety-FO with exactly one free variable are expressively equivalent. We now show that, in addition to being expressively equivalent, there is a linear-size translation from the fragment of coSafety-FO with only one free variable to EB-FO, and vice versa.
Proposition 6.3. For any formula ϕ(x) ∈ coSafety-FO, there exists a formula ϕ′ ∈ EB-FO such that: (i) L(ϕ(x)) = L(ϕ′); and (ii) |ϕ′| ∈ O(|ϕ(x)|).
The converse direction holds as well.
The expressive equivalence between the fragment of coSafety-FO with only one free variable, EB-FO and the co-safety fragment of LTL, together with the linear-size transformation of coSafety-FO into EB-FO (Proposition 6.3), allows for the following consideration: in order to capture the whole co-safety fragment of LTL, it is not necessary to have the full power of FO, on which, as noted above, EB-FO is strongly based; on the contrary, it suffices to use the syntax of coSafety-FO, i.e., existential quantifiers of type ∃y(x < y ∧ . . . ) and universal quantifiers of type ∀y(x < y < z → . . . ).

[Figure panel (a): The co-safety fragment of LTL on infinite words semantics.]
Other Characterizations of the (co-)safety fragment of LTL
In this section, we give an overview of the other characterizations that are present in the literature of the safety and co-safety fragments of LTL, both on infinite and finite words.
We start by recalling that there are four main characterizations of the set of LTL-definable ω-languages:
• in terms of temporal modal logics, LTL is of course definable by LTL and LTL+P [Pnu77];
• in terms of first-order logics, LTL is captured by FO-TLO [Kam68];
• in terms of regular expressions, LTL is characterized by star-free ω-regular expressions [Tho79];
Over finite words, the characterizations of LTL are the same, except that instead of star-free ω-regular expressions and counter-free Büchi automata, we consider star-free regular expressions and counter-free nondeterministic finite automata.
In Figures 2 and 3, we summarize the characterizations of the co-safety and safety fragments of LTL, both over infinite and finite words, in terms of: (i) temporal logics; (ii) first-order logics; (iii) regular expressions; (iv) automata.
7.1. Temporal and first-order logics. We first recall the characterizations in terms of temporal and first-order logics. In terms of temporal logics, the co-safety fragment of LTL is captured:
• over infinite words, by Fα, coSafety-LTL, and coSafety-LTL(−X̃) <ω · (2^Σ)^ω (i.e., the finite-words interpretation of coSafety-LTL(−X̃) concatenated with any possible infinite word);
• over finite words, by Fα, coSafety-LTL(−X̃) and coSafety-LTL(−X̃) <ω · (2^Σ)* (i.e., the finite-words interpretation of coSafety-LTL(−X̃) concatenated with any possible finite word).
Dually, the safety fragment of LTL is captured by Gα and Safety-LTL in the case of the infinite-words interpretation, and by Gα and Safety-LTL(−X) in the case of the finite-words interpretation.
It holds that counter-free safety Streett automata capture LTL ∩ SAFETY.
In [CP03], Cerná and Pelánek prove that deterministic Occurrence Büchi automata are equivalent to guarantee Streett automata, thus proving also that the former characterize the co-safety fragment of regular languages. The intuition behind this characterization is simple. A run π of a deterministic Occurrence Büchi automaton is accepting if and only if it reaches a final state (say at position i). Now, by definition of Occurrence Büchi automaton, every run that agrees with π from 0 to i and then goes on arbitrarily is accepting as well. It is not difficult to see that, in order to capture LTL ∩ coSAFETY, it suffices to add the counter-free condition to deterministic Occurrence Büchi automata. By dualization, Cerná and Pelánek [CP03] obtain that counter-free deterministic Occurrence co-Büchi automata capture LTL ∩ SAFETY. It is simple to see that this characterization of both the co-safety and the safety fragment of LTL in terms of counter-free deterministic Occurrence Büchi and co-Büchi automata holds for finite words as well.
Last but not least, the co-safety fragment of LTL can be captured by counter-free terminal automata [BRS99,CP03]. Terminal automata are nondeterministic automata such that each final state q ∈ α satisfies δ(q, σ) ⊆ α (for any σ ∈ Σ), i.e., once a run has reached a final state, it cannot reach a state which is not final. It holds that [CP03]: (i) LTL ∩ coSAFETY is captured by counter-free terminal Büchi automata; (ii) LTL <ω ∩ coSAFETY <ω is captured by counter-free terminal NFAs.

Conclusions
In this paper, we gave a first-order characterization of safety and co-safety languages, by means of two fragments of first-order logic, Safety-FO and coSafety-FO. These fragments of FO-TLO provide a very natural syntax and are expressively complete with regards to LTL-definable safety and co-safety languages.
The core theorem establishes a correspondence between Safety-FO (resp., coSafety-FO) and Safety-LTL (resp., coSafety-LTL), and thus it can be viewed as a special version of Kamp's theorem for safety (resp., co-safety) properties. Thanks to these new fragments, we were able to provide a novel, compact, and self-contained proof of the fact that Safety-LTL captures LTL-definable safety languages. This result was previously proved by Chang et al. [CMP92], but in terms of the properties of a non-trivial transformation from star-free languages to LTL by Zuck [Zuc86]. As a by-product, we provided a number of results that relate the considered languages when interpreted over finite and infinite words. In particular, we highlighted the expressive power of the weak tomorrow temporal modality, showing it to be essential in coSafety-LTL over finite words. Last but not least, we showed that coSafety-LTL(−X̃) and Safety-LTL(−X) capture the set of co-safety and safety languages of finite words definable in LTL, respectively.
The equivalence-preserving translation from coSafety-FO to coSafety-LTL shown in this paper can, in the worst case, produce formulas of nonelementary size. An interesting future direction is to investigate whether more efficient (even polynomial) translations are possible.
As we have seen, different fragments of LTL can capture the (co-)safety fragment. It is interesting to study the succinctness of these fragments, in particular of coSafety-LTL and Fα, and to ask whether one can be exponentially more succinct than the other, or whether they are incomparable with respect to succinctness. Last but not least, a natural