An Axiomatic Approach to Existence and Liveness for Differential Equations
Yong Kiam Tan and André Platzer*

Abstract
This article presents an axiomatic approach for deductive verification of existence and liveness for ordinary differential equations (ODEs) with differential dynamic logic (dL). The approach yields proofs that the solution of a given ODE exists long enough to reach a given target region without leaving a given evolution domain. Numerous subtleties complicate the generalization of discrete liveness verification techniques, such as loop variants, to the continuous setting. For example, ODE solutions may blow up in finite time or their progress towards the goal may converge to zero. These subtleties are handled in dL by successively refining ODE liveness properties using ODE invariance properties, which have a well-understood deductive proof theory. This approach is widely applicable: several liveness arguments from the literature are surveyed and derived as special instances of axiomatic refinement in dL. These derivations also identify and correct several soundness errors in the surveyed literature, which further highlights the subtlety of ODE liveness reasoning and the utility of an axiomatic deductive approach. An important special case of the approach yields formal deduction of (global) existence properties of ODEs, which are a fundamental part of every ODE liveness argument. Thus, all generalizations of existence properties and their proofs immediately lead to corresponding generalizations of ODE liveness arguments. Overall, the resulting library of common refinement steps enables both the sound development and justification of new ODE existence and liveness proof rules from dL axioms. These insights also enable and inform an implementation of those proof rules in the KeYmaera X theorem prover for hybrid systems.

Keywords: differential equations, liveness, global existence, differential dynamic logic
* Computer Science Department, Carnegie Mellon University, Pittsburgh, USA. {yongkiat | aplatzer}@cs.cmu.edu
Preprint: arXiv [cs.LO], Apr.

Hybrid systems are mathematical models describing discrete and continuous dynamics, and interactions thereof. This flexibility makes them natural models of cyber-physical systems (CPSs), which feature interactions between discrete computational control and continuous real world physics [2, 30]. Formal verification of hybrid systems is of significant practical interest because the CPSs they model frequently operate in safety-critical settings. Verifying properties of the differential equations describing the continuous dynamics present in hybrid system models is a key aspect of any such endeavor.

This article focuses on deductive verification of liveness properties for ordinary differential equations (ODEs), i.e., the question whether an ODE solution exists for long enough to reach a given region without leaving its domain of evolution. Such questions can be phrased naturally in differential dynamic logic (dL) [27, 28, 30], a logic for deductive verification of hybrid systems whose relatively complete axiomatization [26, 28] lifts ODE verification results to hybrid systems, and whose theorem prover KeYmaera X [11] enables an implementation.

For discrete systems, methods for proving liveness are well-known: loop variants show that discrete loops eventually reach a desired goal [17], while temporal logic is used to specify and study liveness properties in concurrent and infinitary settings [22, 23]. Deduction of (continuous) ODE liveness properties, however, is hampered by several difficulties: i) solutions of ODEs may converge towards a goal without ever reaching it, ii) solutions of nonlinear ODEs may blow up in finite time, leaving insufficient time for the desired goal to be reached, and iii) the goal may be reachable but only by (illegally) leaving the evolution domain constraint.
In contrast, invariance properties for ODEs are better understood [12, 21] and have a complete dL axiomatization [31]. Motivated by the aforementioned difficulties, this article presents dL axioms enabling systematic, step-by-step refinement of ODE liveness properties with a sequence of ODE invariance properties. This refinement approach is a powerful framework for understanding ODE liveness arguments as it brings the full deductive power of dL's ODE invariance proof rules to bear on liveness proofs. It is used in this article to survey several arguments from the literature and derive them all as (corrected) dL proof rules, see Table 1. This logical presentation has two key benefits:

• The proof rules are syntactically derived from sound axioms of dL, which guarantees their correctness. Many of the surveyed arguments contain subtle soundness errors, see Table 1. These errors do not diminish the surveyed work. Rather, they emphasize the need for an axiomatic, uniform way of presenting and analyzing ODE liveness arguments instead of relying on ad hoc approaches.

• The approach identifies common refinement steps that form a basis for the surveyed liveness arguments. This library of building blocks enables sound development and justification of new ODE liveness proof rules, e.g., by generalizing individual refinement steps or by exploring different combinations of those steps. Corollaries 14, 16, and 22 are examples of new ODE liveness proof rules that can be derived and justified from the uniform approach that this article follows.

This article extends the authors' earlier conference version [42]. The key new insight is that all of the aforementioned liveness arguments (Table 1) are based on reducing liveness properties of ODEs to assumptions about sufficient existence duration for their solutions. In fact, many of those arguments become significantly simpler (and sound) when the ODEs of concern are assumed to have global solutions, i.e., they do not blow up in finite time.
Footnote: Liveness for ODEs has sometimes been called eventuality [35, 39] and reachability [41]. To minimize ambiguity, this article refers to the property as liveness, with a precise formal definition in Section 2. Other advanced notions of liveness for ODEs are discussed in Section 8.

Table 1: Surveyed ODE liveness arguments (in the original, the soundness-critical corrections identified in this article are highlighted in blue). The referenced corollaries are the corresponding (corrected) derived proof rules.

Source    | Without domain constraints      | With domain constraints
[25]      | OK (Cor. 12)                    | if open/closed, initially false (Cor. 18)
[34, 35]  | [35, Remark 3.6] is incorrect   | if conditions checked globally (Cor. 23)
[36]      | if compact (Cor. 17)            | if compact (Cor. 20)
[39]      | OK (Cor. 15)                    | OK (Cor. 21)
[41]      | if global solutions (Cor. 13)   | if global solutions (Cor. 19)

It is reasonable and commonplace to make such an assumption for the continuous dynamics in models of CPSs [2, Section 6]. After all, most real world systems do not simply cease to exist after a short time! Logically though, a priori assuming global existence for ODEs means that the correctness of any subsequent verification results for the ODEs and hybrid system models is conditional on an unproved existence duration hypothesis. While global existence is well-known to be true for linear systems, even the simplest nonlinear ODEs (see Section 4) fail to meet the hypothesis without further assumptions. This article therefore adopts the view that (global) existence should be proved rather than assumed for the continuous dynamics in hybrid system models. The new contributions of this article are:

• Section 4 presents deductive dL proofs of global existence for ODE solutions. Together with the liveness proofs of Sections 5 and 6, this enables unconditional proofs of ODE liveness properties entirely within the uniform dL refinement framework without existence presuppositions.
• Section 7 discusses an implementation of ODE existence and liveness proof rules in the KeYmaera X theorem prover for hybrid systems [11]. The section focuses on key practical insights, namely: i) the design of new proof rules that are practically useful and well-suited for implementation (Section 7.1), ii) the design of proof automation to aid users in existence and liveness proofs (Section 7.2).

Footnote: An example from control theory is Lyapunov stable systems, which always have global solutions near their stable equilibria, e.g., [19, Definition 4.1] and [16, Theorem 3.1]. Control systems are designed to always operate near stable equilibria.

The unconditional liveness proofs enabled by Section 4 fit particularly well to an implementation in KeYmaera X (Section 7) because the axiomatic refinement approach closely mirrors KeYmaera X's design principles. KeYmaera X implements dL's uniform substitution calculus [28] and it is designed to minimize the soundness-critical code that has to be trusted in order to trust its verification results. On top of the soundness-critical core, KeYmaera X's tactics framework [10] adds support and automation for proofs, but tactics are not soundness-critical. Liveness proofs are similarly based on a series of small refinement steps which are, in turn, implemented as (untrusted) tactics based only on a small number of derived refinement axioms. More complicated liveness arguments, such as those from Table 1 or from new user insights, are implemented by piecing those
tactics together using tactic combinators [10]. The implementation only required minor changes to ≈ lines of soundness-critical code in KeYmaera X, while the remaining ≈ lines consist of new ODE existence and liveness proof rules implemented as tactics. These additions suffice to prove all of the examples in this article and in ODE models elsewhere [39, 4].

Throughout this article, core dL axioms underlying the refinement approach are presented in lemmas, which are summarized and proved in Appendix A. Existence and liveness proof rules that derive syntactically from those axioms (e.g., Table 1) are listed in corollaries. The derivations of these proof rules are given in Appendix B. Counterexamples explaining the soundness errors in Table 1 are given in Appendix C.

This section reviews the syntax and semantics of dL, focusing on its continuous fragment, which has a complete axiomatization for ODE invariants [31]. Full presentations of dL, including its discrete fragment, are available elsewhere [27, 28, 30].

The grammar of dL terms is as follows, where x ∈ V is a variable and c ∈ ℚ is a rational constant. These terms are polynomials over the set of variables V:

    p, q ::= x | c | p + q | p · q

The grammar of dL formulas is as follows, where ∼ ∈ {=, ≠, ≥, >, ≤, <} is a comparison operator and α is a hybrid program (the alternatives without modalities, i.e., those up to the quantifiers, are the first-order formulas of real arithmetic, written P, Q):

    φ, ψ ::=
    p ∼ q | φ ∧ ψ | φ ∨ ψ | ¬φ | ∀v φ | ∃v φ | [α]φ | ⟨α⟩φ

The notation p ⪰ q (resp. p ⪯ q) is used when the comparison operator can be either ≥ or > (resp. ≤ or <). Other standard logical connectives, e.g., →, ↔, are definable as in classical logic. Formulas not containing the modalities [·], ⟨·⟩ are formulas of first-order real arithmetic and are written as P, Q. The box ([α]φ) and diamond (⟨α⟩φ) modality formulas express dynamic properties of the hybrid program α. This article focuses on continuous programs, where α is given by a system of ODEs x′ = f(x) & Q. Here, x′ = f(x) is an n-dimensional system of differential equations, x_1′ = f_1(x), ..., x_n′ = f_n(x), over variables x = (x_1, ..., x_n), where the LHS x_i′ is the time derivative of x_i and the RHS f_i(x) is a polynomial over variables x. The domain constraint Q specifies the set of states in which the ODE is allowed to evolve continuously. When there is no domain constraint, i.e., Q is the formula true, the ODE is also written as x′ = f(x). For n-dimensional vectors x, y, x · y ≝ Σ_{i=1}^n x_i y_i denotes the dot product and ‖x‖² ≝ Σ_{i=1}^n x_i² denotes the squared Euclidean norm. Other norms are explicitly defined in the article when used.

Two running example ODEs are visualized in Fig. 1 with directional arrows corresponding to their RHS evaluated at points on the plane. The first ODE, α_l ≡ u′ = −v − u, v′ = u − v, is linear.

Figure 1: Visualization of α_l (left) and α_n (right), plotted over the u and v axes. Solutions of α_l globally spiral towards the origin. In contrast, solutions of α_n spiral inwards within the inner red disk (dashed boundary), but spiral outwards otherwise.
For both ODEs, solutions starting on the black unit circle eventually enter their respective shaded green goal regions. The ODE α_n also exhibits finite time blow up of solutions outside the red disk.

The ODE α_l is linear because its RHS depends linearly on u, v. The second ODE, α_n ≡ u′ = −v − u( − u² − v²), v′ = u − v( − u² − v²), is nonlinear (the constant term inside the parentheses, which fixes the radius of the red disk, is not legible in this copy). The nonlinearity of α_n results in more complex behavior for its solutions, e.g., the difference in spiraling behavior inside or outside the red disk shown in Fig. 1. In fact, solutions of α_n blow up in finite time iff they start outside the red disk, a disk characterized by an upper bound on u² + v². The finite time blow up phenomenon is precisely defined and investigated in Section 4. Finite time blow up is impossible for linear ODEs like α_l [6, 43].

When terms (or formulas) appear in contexts involving ODEs x′ = f(x), it is sometimes necessary to restrict the set of free variables they are allowed to mention. These restrictions are always stated explicitly and are also indicated as arguments to terms (or formulas), e.g., p() means the term p does not mention any of x_1, ..., x_n free, while P(x) means the formula P may mention all of them.

States ω : V → ℝ assign real values to each variable in V; the set of all states is written S. The semantics of polynomial term p in state ω ∈ S is the real value ω[[p]] of the corresponding polynomial function evaluated at ω. The semantics of dL formula φ is the set of states [[φ]] ⊆ S in which that formula is true and is defined compositionally [28, 30]. The semantics of first-order logical connectives are defined as usual, e.g., [[φ ∧ ψ]] = [[φ]] ∩ [[ψ]]. For ODEs, the semantics of the modal operators is defined directly as follows.
Let ω ∈ S and let ϕ : [0, T) → S (for some 0 < T ≤ ∞) be the unique solution, maximally extended to the right [6, 43], of the ODE x′ = f(x) with initial value ϕ(0) = ω. Then:

    ω ∈ [[ [x′ = f(x) & Q] φ ]]  iff  for all 0 ≤ τ < T such that ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ ≤ τ:  ϕ(τ) ∈ [[φ]]
    ω ∈ [[ ⟨x′ = f(x) & Q⟩ φ ]]  iff  there exists 0 ≤ τ < T such that 
                                     ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ ≤ τ  and  ϕ(τ) ∈ [[φ]]

Informally, the safety property [x′ = f(x) & Q]φ is true in initial state ω if all states reached by following the ODE from ω while remaining in the domain constraint Q satisfy postcondition φ. Dually, the liveness property ⟨x′ = f(x) & Q⟩φ is true in initial state ω if some state which satisfies the postcondition φ is eventually reached in finite time by following the ODE from ω while staying in domain constraint Q at all times. Figure 1 suggests that the formulas ⟨α_l⟩(… ≤ ‖(u, v)‖∞ ≤ …) and ⟨α_n⟩(u² + v² ≥ …), whose numeric bounds describe the green goal regions of Fig. 1 (the bounds are not legible in this copy), are true for initial states ω on the unit circle. These liveness properties are rigorously proved in Examples 2 and 3 respectively.

Footnote: This understanding of variable dependencies is made precise using function and predicate symbols in dL's uniform substitution calculus [28].

Variables y ∈ V \ {x} not occurring on the LHS of ODE x′ = f(x) remain constant along solutions ϕ : [0, T) → S of the ODE, with ϕ(τ)(y) = ϕ(0)(y) for all τ ∈ [0, T). Since only the values of x = (x_1, ..., x_n) change along the solution ϕ, it may also be viewed geometrically as a trajectory in ℝⁿ, dependent on the initial values of the constant parameters y. Similarly, the values of terms and formulas depend only on the values of their free variables [28].
Thus, terms (or formulas) whose free variables are all parameters for x′ = f(x) also have provably constant (truth) values along solutions of the ODE. For formulas φ that only mention free variables x, [[φ]] can also be viewed geometrically as a subset of ℝⁿ. Such a formula is said to characterize a (topologically) open (resp. closed, bounded, compact) set with respect to variables x iff the set [[φ]] ⊆ ℝⁿ is topologically open (resp. closed, bounded, compact) with respect to the Euclidean topology. These topological conditions are used as side conditions for some of the axioms and proof rules in this article. In Appendix A.3, a more general definition of these side conditions is given for formulas φ that mention parameters y. These side conditions are decidable [3] when φ is a formula of first-order real arithmetic, and there are simple syntactic criteria for checking if they hold (Appendix A.3).

Formula φ is valid iff [[φ]] = S, i.e., φ is true in all states. If the formula I → [x′ = f(x) & Q] I is valid, the formula I is an invariant of the ODE x′ = f(x) & Q. Unfolding the semantics, this means that from any initial state ω satisfying I, all states reached by the solution of the ODE x′ = f(x) from ω while staying in the domain constraint Q satisfy I. Similarly, if the liveness formula R → ⟨x′ = f(x) & Q⟩ P is valid, then, for all initial states ω satisfying assumptions R, the target region P can be reached in finite time by following the ODE solution from ω while remaining in the domain constraint Q.

Footnote: ‖·‖∞ denotes the supremum norm, with ‖x‖∞ ≡ max_{i=1}^n |x_i| for an n-dimensional vector x. For a constant c ≥ 0, the inequality ‖(u, v)‖∞ ≤ c is expressible in first-order real arithmetic as u² ≤ c² ∧ v² ≤ c². Similarly, c ≤ ‖(u, v)‖∞ is expressible as c² ≤ u² ∨ c² ≤ v².
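To make the two modal definitions above concrete, the following Python script (an added example, not code from the paper or from KeYmaera X) evaluates the ⟨·⟩ and [·] semantics on a sampled closed-form solution of α_l started on the unit circle. The goal box ‖(u, v)‖∞ ≤ 0.25 and the domain u² + v² ≤ 1 are constants chosen for this illustration, not the goal region of Fig. 1. The script also exhibits difficulty i) from the introduction: the goal u = 0 ∧ v = 0 is only approached by α_l, so a sampled search reports nothing, and difficulty iii): with the goal box itself as domain constraint the goal is unreachable because the domain is violated at time 0. Sampling can only ever find a witness; a None answer is inconclusive, which is why such questions are settled deductively.

```python
"""Sampled check of the <x'=f(x) & Q> P and [x'=f(x) & Q] P semantics on alpha_l.

Added example, not code from the paper or from KeYmaera X. The goal and domain constants
below are assumptions made for illustration, not the regions of Fig. 1.
"""
import math


def alpha_l_solution(u0, v0):
    """Closed-form solution of alpha_l: u' = -v - u, v' = u - v. The solution rotates at
    unit angular speed while its radius decays like e^(-t), so it spirals to the origin."""
    def phi(t):
        d = math.exp(-t)
        return (d * (u0 * math.cos(t) - v0 * math.sin(t)),
                d * (u0 * math.sin(t) + v0 * math.cos(t)))
    return phi


def first_reach(phi, P, Q, horizon, dt):
    """Sampled version of omega in [[<x'=f(x) & Q> P]]: the first sample time tau at which
    P holds, with Q holding at every sample up to and including tau. Returns None if no
    sample before the horizon qualifies. None is inconclusive: the solution may reach P
    between two samples, after the horizon, or never (when it only converges to P)."""
    for k in range(int(horizon / dt) + 1):
        tau = k * dt
        x = phi(tau)
        if not Q(x):
            return None            # left the domain before reaching P
        if P(x):
            return tau
    return None


def always(phi, P, Q, horizon, dt):
    """Sampled version of [x'=f(x) & Q] P up to the horizon: P must hold at every sample
    before the first sample that leaves Q."""
    for k in range(int(horizon / dt) + 1):
        x = phi(k * dt)
        if not Q(x):
            return True
        if not P(x):
            return False
    return True


def sup_norm(x):
    return max(abs(c) for c in x)


GOAL_RADIUS = 0.25     # assumed goal box ||(u, v)||_inf <= 0.25


def goal_box(x):
    return sup_norm(x) <= GOAL_RADIUS


def goal_origin(x):
    """u = 0 and v = 0 exactly: alpha_l converges to it but never reaches it."""
    return x == (0.0, 0.0)


def unit_disk(x):
    """Domain constraint u^2 + v^2 <= 1 (with a rounding allowance)."""
    return x[0] ** 2 + x[1] ** 2 <= 1.0 + 1e-12


def everywhere(x):
    return True


def demo(horizon=10.0, dt=1e-3):
    """Returns (time the goal box is first reached, result for the origin goal,
    whether the unit disk holds along the whole sampled trajectory)."""
    phi = alpha_l_solution(1.0, 0.0)         # initial state on the unit circle
    reach_box = first_reach(phi, goal_box, unit_disk, horizon, dt)
    reach_origin = first_reach(phi, goal_origin, unit_disk, horizon, dt)
    stays_in_disk = always(phi, unit_disk, everywhere, horizon, dt)
    return reach_box, reach_origin, stays_in_disk


if __name__ == "__main__":
    print(demo())
```

From (1, 0) the sampled trajectory first satisfies the goal box at τ ≈ 1.365, never hits the origin exactly, and stays inside the unit disk throughout; the box check is the sampled counterpart of the invariant u² + v² ≤ 1 that a dI proof establishes for all time rather than for a finite horizon.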
All derivations are presented in a classical sequent calculus with the usual rules for manipulating logical connectives and sequents. The semantics of sequent Γ ⊢ φ is equivalent to the formula (⋀_{ψ ∈ Γ} ψ) → φ, and a sequent is valid iff its corresponding formula is valid. Completed branches in a sequent proof are marked with ∗. First-order real arithmetic is decidable [3], so proof steps are labeled with ℝ whenever they follow from real arithmetic. An axiom (schema) is sound iff all its instances are valid. Proof rules are sound iff validity of all premises (above the rule bar) entails validity of the conclusion (below the rule bar). Axioms and proof rules are derivable if they can be deduced from sound dL axioms and proof rules. Soundness of the base dL axiomatization ensures that derived axioms and proof rules are sound [28, 30].

The dL proof calculus (briefly recalled below) is complete for ODE invariants [31], i.e., any true ODE invariant expressible in first-order real arithmetic can be proved in the calculus. The proof rule dI⪰ (below) uses the Lie derivative of polynomial p with respect to the ODE x′ = f(x), which is defined as

    L_f(x)(p) ≝ Σ_{x_i ∈ x} (∂p/∂x_i) · f_i(x).

Higher Lie derivatives ṗ^(i) are defined inductively: ṗ^(0) ≝ p, ṗ^(i+1) ≝ L_f(x)(ṗ^(i)), and ṗ ≝ ṗ^(1). Syntactically, Lie derivatives ṗ^(i) are polynomials in the term language, and they are provably definable in dL using differentials [28]. Semantically, the value of Lie derivative ṗ is equal to the time derivative of the value of p along solution ϕ of the ODE x′ = f(x).

Lemma 1 (Axioms and proof rules of dL [28, 30, 31]). The following are sound axioms and proof rules of dL (premises above the bar, conclusion below).

    ⟨·⟩   ⟨α⟩P ↔ ¬[α]¬P

    K     [α](R → P) → ([α]R → [α]P)

    dI⪰   Q ⊢ ṗ ≥ q̇
          ───────────────────────────────────   (where ⪰ is either ≥ or >)
          Γ, p ⪰ q ⊢ [x′ = f(x) & Q] p ⪰ q
    dC    Γ ⊢ [x′ = f(x) & Q] C     Γ ⊢ [x′ = f(x) & Q ∧ C] P
          ──────────────────────────────────────────────────
          Γ ⊢ [x′ = f(x) & Q] P

    dW    Q ⊢ P
          ─────────────────────
          Γ ⊢ [x′ = f(x) & Q] P

    M[′]  Q, R ⊢ P     Γ ⊢ [x′ = f(x) & Q] R
          ──────────────────────────────────
          Γ ⊢ [x′ = f(x) & Q] P

    M⟨′⟩  Q, R ⊢ P     Γ ⊢ ⟨x′ = f(x) & Q⟩ R
          ──────────────────────────────────
          Γ ⊢ ⟨x′ = f(x) & Q⟩ P

Axiom ⟨·⟩ expresses the duality between the box and diamond modalities. It is used to switch between the two in proofs and to dualize axioms between the box and diamond modalities. Axiom K is the modus ponens principle for the box modality. Differential invariants dI⪰ say that if the Lie derivatives obey the inequality ṗ ≥ q̇ (under the domain constraint Q), then p ⪰ q is an invariant of the ODE. Differential cuts dC say that if one can separately prove that formula C is always satisfied along the solution, then C may be assumed in the domain constraint when proving the same for formula P. In the box modality, solutions are restricted to stay in the domain constraint Q. Thus, differential weakening dW says that postcondition P is always satisfied along solutions if it is already implied by the domain constraint. Using dW, K, ⟨·⟩, the final two monotonicity proof rules M[′], M⟨′⟩ for differential equations are derivable. They strengthen the postcondition from P to R, assuming domain constraint Q, for the box and diamond modalities respectively.

Notice that the premises of some proof rules, e.g., dI⪰, dW, discard all assumptions Γ on initial states when moving from conclusion to premises.
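As an added example (not code from the paper or from KeYmaera X, which obtains Lie derivatives syntactically through its differential axioms), the following Python script implements Lie derivatives of polynomials along a polynomial ODE and the premise of dI⪰ as plain polynomial arithmetic, and runs them on the running examples. For α_l it shows that u² + v² has Lie derivative −2u² − 2v², so the dI≥ premise for the invariant candidate c ≥ u² + v² is the polynomial 2u² + 2v² ≥ 0, which a sum-of-even-monomials check discharges without any domain constraint. For α_n the constant inside the parentheses of its RHS is treated as an extra variable c kept constant by c′ = 0 (an assumption of this script, since the numeric value is not legible here); the Lie derivative −2(u² + v²)(c − u² − v²) then makes the inward/outward spiraling of Fig. 1 explicit.

```python
"""Lie derivatives of polynomials along a polynomial ODE x' = f(x), and the dI premise.

A polynomial is a dict mapping an exponent tuple (one entry per variable, in a fixed
variable order) to a Fraction coefficient. Zero coefficients are never stored.
Added example, not code from the paper or from KeYmaera X.
"""
from fractions import Fraction


def add(p, q):
    """Polynomial sum."""
    r = dict(p)
    for e, c in q.items():
        r[e] = r.get(e, Fraction(0)) + c
    return {e: c for e, c in r.items() if c != 0}


def scale(p, k):
    """Multiply a polynomial by a rational constant."""
    k = Fraction(k)
    return {e: c * k for e, c in p.items() if c * k != 0}


def mul(p, q):
    """Polynomial product."""
    r = {}
    for e1, c1 in p.items():
        for e2, c2 in q.items():
            e = tuple(a + b for a, b in zip(e1, e2))
            r[e] = r.get(e, Fraction(0)) + c1 * c2
    return {e: c for e, c in r.items() if c != 0}


def partial(p, i):
    """Partial derivative dp/dx_i."""
    r = {}
    for e, c in p.items():
        if e[i] > 0:
            e2 = e[:i] + (e[i] - 1,) + e[i + 1:]
            r[e2] = r.get(e2, Fraction(0)) + c * e[i]
    return r


def lie(p, f):
    """Lie derivative L_f(p) = sum_i (dp/dx_i) * f_i(x); f lists the RHS polynomials."""
    r = {}
    for i, fi in enumerate(f):
        r = add(r, mul(partial(p, i), fi))
    return r


def lie_n(p, f, n):
    """Higher Lie derivative p^(n): p^(0) = p, p^(i+1) = L_f(p^(i))."""
    for _ in range(n):
        p = lie(p, f)
    return p


def di_premise(p, q, f):
    """The polynomial pdot - qdot whose nonnegativity (under the domain constraint Q)
    is the premise of dI for the invariant candidate p >= q or p > q."""
    return add(lie(p, f), scale(lie(q, f), -1))


def trivially_nonneg(p):
    """Sound but incomplete check that a polynomial is >= 0 everywhere: every monomial has
    only even exponents and a nonnegative coefficient. It says nothing when it returns False."""
    return all(c >= 0 and all(k % 2 == 0 for k in e) for e, c in p.items())


def mono(coeff, *exps):
    """A single monomial coeff * x_1^e_1 * ... * x_n^e_n."""
    return {tuple(exps): Fraction(coeff)}


# Running example alpha_l over variables (u, v): u' = -v - u, v' = u - v.
U, V = mono(1, 1, 0), mono(1, 0, 1)
ALPHA_L = [add(scale(V, -1), scale(U, -1)), add(U, scale(V, -1))]
SQNORM = add(mono(1, 2, 0), mono(1, 0, 2))            # u^2 + v^2


def alpha_l_sqnorm_lie(n=1):
    """n-th Lie derivative of u^2 + v^2 along alpha_l; n = 1 gives -2u^2 - 2v^2."""
    return lie_n(SQNORM, ALPHA_L, n)


def alpha_l_disk_premise(c):
    """dI premise for the candidate c >= u^2 + v^2 along alpha_l: 2u^2 + 2v^2."""
    return di_premise(mono(c, 0, 0), SQNORM, ALPHA_L)


# Running example alpha_n over variables (u, v, c); c stands for the constant inside the
# parentheses of its RHS (assumed symbolic here) and is kept constant by c' = 0:
#   u' = -v - u(c - u^2 - v^2),  v' = u - v(c - u^2 - v^2).
U3, V3, C3 = mono(1, 1, 0, 0), mono(1, 0, 1, 0), mono(1, 0, 0, 1)
SQNORM3 = add(mono(1, 2, 0, 0), mono(1, 0, 2, 0))
INNER = add(C3, scale(SQNORM3, -1))                    # c - u^2 - v^2
ALPHA_N = [add(scale(V3, -1), scale(mul(U3, INNER), -1)),
           add(U3, scale(mul(V3, INNER), -1)),
           {}]


def alpha_n_sqnorm_lie():
    """Lie derivative of u^2 + v^2 along alpha_n: -2(u^2 + v^2)(c - u^2 - v^2), negative
    (inward spiral) inside the disk u^2 + v^2 < c and positive outside it."""
    return lie(SQNORM3, ALPHA_N)


if __name__ == "__main__":
    print("L(u^2+v^2) along alpha_l:", alpha_l_sqnorm_lie())
    print("dI premise for 1 >= u^2+v^2:", alpha_l_disk_premise(1),
          "trivially >= 0:", trivially_nonneg(alpha_l_disk_premise(1)))
    print("L(u^2+v^2) along alpha_n:", alpha_n_sqnorm_lie())
```

The premise check is deliberately a sufficient condition only: for α_n the sign of the Lie derivative depends on where the state is, which is exactly the situation in which the domain constraint Q of the dI⪰ premise, or a differential cut dC, carries the argument.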
Discarding Γ is necessary for soundness because the premises of these rules internalize reasoning that happens along solutions of the ODE x′ = f(x) & Q rather than in the initial state. On the other hand, the truth values of constant assumptions P() do not change along solutions, so they can be soundly kept across rule applications [30]. These additional constant contexts are useful when working with assumptions on symbolic parameters, e.g., v() > 0 to model a (constant) positive velocity.

Besides rules dI⪰, dC, dW shown above, the key to completeness for ODE invariants in dL is the differential ghosts axiom [28, 31] shown below. The ∃ quantifier in the axiom can be replaced with a ∀ quantifier.

    DG   [x′ = f(x) & Q(x)] P(x) ↔ ∃y [x′ = f(x), y′ = a(x)·y + b(x) & Q(x)] P(x)

Axiom DG says that, in order to prove safety postcondition P(x) for the ODE x′ = f(x), it suffices to prove it for a larger system with an added ODE y′ = a(x)·y + b(x) that is linear in the ghost variable y (because a(x), b(x) do not mention y). Intuitively, this addition is sound because the ODE x′ = f(x) does not mention the added variables y, and so the evolution of x′ = f(x) should be unaffected by the addition of an ODE for y. However, this intuition is only true if the additional ODEs do not unsoundly restrict the duration of the original solution by blowing up too early [28]. The linearity restriction prevents such a blow up. Using axiom DG in a proof seems counterintuitive though, because the axiom tries to prove a property for a seemingly easier (lower-dimensional) ODE by instead studying a more difficult (higher-dimensional) one! Yet, the DG axiom is crucially used for completeness because it enables mathematical (or geometric) transformations to be carried out syntactically in the dL proof calculus [31].
This completeness result only requires a scalar version of DG that adds one ghost variable at a time. More general vectorial versions of the axiom (where a(x) is a matrix and b(x) is a vector) have also been used elsewhere [31]. This article uses a new vectorial generalization, which allows differential ghosts with provably bounded ODEs to be added.

Lemma 2 (Bounded differential ghosts). The following bounded differential ghosts axiom BDG is sound, where y = (y_1, ..., y_m) is an m-dimensional vector of fresh variables (not appearing in x), g(x, y) is a corresponding m-dimensional vector of terms, and ‖y‖² is the squared Euclidean norm of y. Term p(x) and formulas P(x), Q(x) depend only on free variables x (and not y).

    BDG   [x′ = f(x), y′ = g(x, y) & Q(x)] ‖y‖² ≤ p(x)
              → ([x′ = f(x) & Q(x)] P(x) ↔ [x′ = f(x), y′ = g(x, y) & Q(x)] P(x))

Like DG, axiom BDG allows an arbitrary vector of ghost ODEs y′ = g(x, y) to be added syntactically to the ODEs. However, it places no additional syntactic restriction on the RHS of the ODE (such as linearity in axiom DG). For soundness, BDG instead adds a new precondition requiring a provable bound ‖y‖² ≤ p(x), in terms of x, on the squared norm of y along solutions of the augmented ODE. This syntactic precondition ensures that y cannot blow up before x, so that solutions of x′ = f(x), y′ = g(x, y) exist as long as solutions of x′ = f(x). Section 4 shows how to prove these preconditions so that axiom BDG enables ODE existence proofs through the refinement approach of Section 3.

This section explains step-by-step refinement for proving ODE liveness properties in dL.
Suppose that an initial liveness property ⟨x′ = f(x) & Q₀⟩ P₀ is known for the ODE x′ = f(x). How could this be used to prove a desired liveness property ⟨x′ = f(x) & Q⟩ P for that ODE? Logically, this amounts to proving:

    ⟨x′ = f(x) & Q₀⟩ P₀ → ⟨x′ = f(x) & Q⟩ P                                   (1)

Proving implication (1) refines the initial liveness property to the desired one. As a simple example, if the formula Q₀ → Q is provable (thus, valid), then implication (1) proves by monotonicity because any solution staying in the smaller domain Q₀ must also stay in the larger domain Q. Similarly, implication (1) would also be provable if P₀ → P were a provable formula. However, neither of these monotonicity-based arguments is sufficiently powerful for liveness proofs because they do not account for the specific ODE x′ = f(x) under consideration at all. This article's approach is instead built on refinement axioms that conclude implications like (1) from box modality formulas involving the ODE x′ = f(x). The following are four derived ODE refinement axioms of dL that are used for the approach.

Lemma 3 (Diamond ODE refinement axioms). The following ⟨·⟩
ODE refinement axioms derive in dL. In axioms BDG⟨·⟩, DDG⟨·⟩, y = (y_1, ..., y_m) is an m-dimensional vector of fresh variables (not appearing in x) and g(x, y) is a corresponding m-dimensional vector of terms. Terms p(x), L(x), M(x) and formulas P(x), Q(x) depend only on free variables x (and not y).

    K⟨&⟩    [x′ = f(x) & Q ∧ ¬P] ¬G → (⟨x′ = f(x) & Q⟩ G → ⟨x′ = f(x) & Q⟩ P)

    DR⟨·⟩   [x′ = f(x) & R] Q → (⟨x′ = f(x) & R⟩ P → ⟨x′ = f(x) & Q⟩ P)

    BDG⟨·⟩  [x′ = f(x), y′ = g(x, y) & Q(x)] ‖y‖² ≤ p(x)
                → (⟨x′ = f(x) & Q(x)⟩ P(x) → ⟨x′ = f(x), y′ = g(x, y) & Q(x)⟩ P(x))

    DDG⟨·⟩  [x′ = f(x), y′ = g(x, y) & Q(x)] 2y · g(x, y) ≤ L(x)‖y‖² + M(x)
                → (⟨x′ = f(x) & Q(x)⟩ P(x) → ⟨x′ = f(x), y′ = g(x, y) & Q(x)⟩ P(x))

Axiom K⟨&⟩ is best understood in the contrapositive. Formula [x′ = f(x) & Q ∧ ¬P] ¬G says G never happens along the solution while ¬P holds. Thus, the solution cannot get to G unless it gets to P first. In axiom DR⟨·⟩, formula [x′ = f(x) & R] Q says that the ODE solution never leaves Q while staying in R, so if the solution gets to P within R, then it also gets to P within Q. The latter two refinement axioms BDG⟨·⟩, DDG⟨·⟩ are both derived from BDG.
The (nested) refinement in both axioms says that, if the ODE x′ = f(x) can reach P(x), then the ODE x′ = f(x), y′ = g(x, y), with the added variables y, can also reach P(x). Axiom BDG⟨·⟩ is the derived diamond version of BDG, obtained by directly dualizing BDG's inner equivalence with ⟨·⟩ and propositional simplification. The intuition behind BDG⟨·⟩ is identical to BDG: if the added ghost ODEs y never blow up in norm, then they do not affect whether the solution of the original ODEs x′ = f(x) can reach P(x).

Axiom DDG⟨·⟩ is a derived, differential version of BDG⟨·⟩. Instead of bounding the squared norm ‖y‖² explicitly, DDG⟨·⟩ limits the rate of growth of the ghost ODEs by bounding the Lie derivative L_{x′ = f(x), y′ = g(x, y)}(‖y‖²) = 2y · g(x, y) of the squared norm. This derivative bound in turn implicitly bounds the squared norm of the ghost ODEs by the solution of the linear differential equation z′ = L(x)·z + M(x), with dependency on the value of x along solutions of the ODE x′ = f(x). This ensures that premature blow-up of y before x itself blows up is impossible.

Axioms K⟨&⟩, DR⟨·⟩, BDG⟨·⟩, DDG⟨·⟩ all prove implication (1) in just one refinement step. Logical implication is transitive though, so a sequence of such steps can be chained together to prove implication (1).
This is shown in (2), with neighboring implications informally chained together for illustration; the box modality formula noted at each arrow is the side condition of the refinement axiom used in that step:

    ⟨x′ = f(x) & Q₀⟩ P₀
      → ⟨x′ = f(x) & Q₁⟩ P₀      (DR⟨·⟩ with [x′ = f(x) & Q₀] Q₁)
      → ⟨x′ = f(x) & Q₁⟩ P₁      (K⟨&⟩ with [x′ = f(x) & Q₁ ∧ ¬P₁] ¬P₀)
      → ···
      → ⟨x′ = f(x) & Q⟩ P                                                    (2)

With its side conditions, i.e., the box modality formulas, proven, the chain of refinements (2) proves the desired implication (1). However, a proof of the liveness property ⟨x′ = f(x) & Q⟩ P on the right still needs a proof of the hypothesis ⟨x′ = f(x) & Q₀⟩ P₀ at the beginning of the chain. Typically, this hypothesis is a (simple) existence assumption for the differential equation. Formalizing and proving such existence properties is the focus of Section 4. Those proofs are also based on refinements and make use of axioms BDG⟨·⟩, DDG⟨·⟩.

Refinement with axiom DR⟨·⟩ requires proving the formula [x′ = f(x) & R] Q. Naïvely, one might expect that adding ¬P to the domain constraint should also work, i.e., the solution only needs to be in Q while it has not yet gotten to P:

    DR⟨·⟩✗   [x′ = f(x) & R ∧ ¬P] Q → (⟨x′ = f(x) & R⟩ P → ⟨x′ = f(x) & Q⟩ P)

This conjectured axiom is unsound (indicated by ✗) as the solution could sneak out of Q exactly when it crosses from ¬P into P. For instance, for the ODE x′ = 1 with R ≡ true, P ≡ x ≥ 1 and Q ≡ x < 1, the premise [x′ = 1 & x < 1] x < 1 is valid (by dW) and ⟨x′ = 1⟩ x ≥ 1 is true from x = 0, yet ⟨x′ = 1 & x < 1⟩ x ≥ 1 is false because every state satisfying P lies outside Q. In continuous settings, the language of topology makes precise what this means. The following topological refinement axioms soundly restrict what happens at the crossover point:

Lemma 4 (Topological ODE refinement axioms). The following topological ⟨·⟩
ODE refinementaxioms are sound. In axiom COR,
P, Q either both characterize topologically open or both char-acterize topologically closed sets over variables x . COR ¬ P ∧ [ x (cid:48) = f ( x ) & R ∧ ¬ P ] Q → (cid:0) (cid:104) x (cid:48) = f ( x ) & R (cid:105) P → (cid:104) x (cid:48) = f ( x ) & Q (cid:105) P (cid:1) SAR [ x (cid:48) = f ( x ) & R ∧ ¬ ( P ∧ Q )] Q → (cid:0) (cid:104) x (cid:48) = f ( x ) & R (cid:105) P → (cid:104) x (cid:48) = f ( x ) & Q (cid:105) P (cid:1) Axiom COR is the more informative topological refinement axiom. Like the (unsound) axiomcandidate DR (cid:104)·(cid:105) (cid:18) , it allows formula ¬ P to be assumed in the domain constraint when provingthe box refinement. For soundness though, axiom COR has crucial topological side conditions onformulas P, Q so it can only be used when these conditions are met. Several variations of CORare possible (with similar soundness proofs), but they require alternative topological restrictions In dL ’s uniform substitution calculus [28], this Lie derivative is written directly as the differential term ( (cid:107) y (cid:107) ) (cid:48) which can be soundly and syntactically rewritten using dL ’s differential axioms [28]. n Axiomatic Approach to Existence and Liveness for Differential Equations 11and additional topological notions. One useful variation involving the topological interior is givenin Lemma 26. When these topological restrictions are enforced syntactically, axiom COR derivesfrom dL ’s real induction axiom [31]. For the sake of generality, this article gives semantic topo-logical side conditions with associated semantic soundness proofs in Appendix A.2.Axiom SAR applies more generally than COR but only assumes the less informative formula ¬ ( P ∧ Q ) in the domain constraint for the box modality. Its proof crucially relies on Q being aformula of real arithmetic so that the set it characterizes has tame topological behavior [3], see theproof in Appendix A.2 for more details. 
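To see concretely why the domain constraint matters exactly at the crossover point, here is an added, constructed example (it is not code from the article) that evaluates the box and diamond modalities occurring in the candidate axiom DR⟨·⟩✗, in the sound axiom DR⟨·⟩, in COR and in SAR on an explicit solution. It uses the ODE $x'=1$ started at $x=0$, so that $x(t)=t$, with the closed target $P \equiv x \ge 1$ and the open domain constraint $Q \equiv x < 1$ (and $R \equiv \mathit{true}$). The modalities are checked on a sampled rational time grid that contains the crossover time $t=1$, which suffices for these monotone predicates; the function names are this example's own.

```python
from fractions import Fraction as F

# Constructed example (not from the article): ODE x' = 1 from x = 0, so x(t) = t.
# Modalities are evaluated on a rational time grid that contains the crossover time t = 1.
GRID = [F(k, 10) for k in range(0, 31)]          # t = 0, 0.1, ..., 3

def solution(x0, t):
    """Exact solution of x' = 1 from x0."""
    return x0 + t

def diamond(domain, post, x0):
    """<x'=1 & domain> post: some grid time satisfies post while domain held at every
    grid time up to and including it.  Times where domain holds form a prefix, so the
    scan stops at the first domain violation."""
    for t in GRID:
        x = solution(x0, t)
        if not domain(x):
            return False
        if post(x):
            return True
    return False

def box(domain, post, x0):
    """[x'=1 & domain] post: post holds at every grid time up to (excluding) the first
    grid time at which domain fails."""
    for t in GRID:
        x = solution(x0, t)
        if not domain(x):
            return True
        if not post(x):
            return False
    return True

P = lambda x: x >= 1        # closed target set
Q = lambda x: x < 1         # open domain constraint
R = lambda x: True          # trivial domain constraint
not_P = lambda x: not P(x)
X0 = F(0)

def candidate_dr_holds():
    """Instance of the candidate DR<.>✗:
    [x'=1 & R ∧ ¬P] Q -> (<x'=1 & R> P -> <x'=1 & Q> P).  False exhibits the counterexample:
    both antecedents hold, but the solution leaves Q (x < 1) exactly when it enters P (x >= 1)."""
    premise = box(lambda x: R(x) and not_P(x), Q, X0)
    hyp = diamond(R, P, X0)
    concl = diamond(Q, P, X0)
    return (not premise) or (not hyp) or concl

def sound_dr_premise():
    """Premise [x'=1 & R] Q of the sound axiom DR<.>: fails here, as it must."""
    return box(R, Q, X0)

def sar_premise():
    """Premise [x'=1 & R ∧ ¬(P ∧ Q)] Q of SAR: P ∧ Q is empty, so the domain constraint is
    trivial and the premise fails; SAR correctly does not apply."""
    return box(lambda x: R(x) and not (P(x) and Q(x)), Q, X0)

def cor_instance_with_both_closed():
    """COR with P and a closed Q' ≡ x <= 1 (both closed, so COR's side condition is met):
    premise, hypothesis and conclusion all hold."""
    Qc = lambda x: x <= 1
    premise = not_P(X0) and box(lambda x: R(x) and not_P(x), Qc, X0)
    return premise and diamond(R, P, X0) and diamond(Qc, P, X0)
```

Running `candidate_dr_holds()` returns `False`: the premise $[x'=1\,\&\,x<1]\,x<1$ and the hypothesis $\langle x'=1\rangle\,x\ge 1$ are true, yet $\langle x'=1\,\&\,x<1\rangle\,x\ge 1$ is false because the domain constraint must still hold at the instant $x=1$ is reached. Replacing $Q$ by the closed $x \le 1$ (both sets closed) makes COR applicable and its conclusion true.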
By topological considerations, axiom SAR is also sound if formula $P$ (or resp. $Q$) characterizes a topologically closed (resp. open) set over the ODE variables $x$. These additional cases are also proved in Appendix A.2 without relying on the fact that $Q$ is a formula of real arithmetic.

This section explains how global existence properties can be proved for a given ODE $x'=f(x)$, subject to assumptions $\Gamma$ about the initial states for the ODE. The existence and uniqueness theorems for ODEs [6, 43] guarantee that polynomial ODEs like $x'=f(x)$ always have a unique, right-maximal solution from any initial state, $\varphi : [0,T) \to \mathbb{S}$ for some $0 < T \le \infty$. However, these theorems give no guarantees about the precise duration $T$. In particular, ODEs can exhibit a technical phenomenon known as finite time blow up of solutions [6], where $\varphi$ is only defined on a bounded time interval $[0,T)$ with $T < \infty$. Additionally, it is possible that such finite time blow up phenomena only happen for some initial conditions (and corresponding solutions) of the ODE. However, these initial conditions (with finite time blow up) may not be relevant to the model of concern, especially when the dynamics of real world systems are controlled to stay away from the blow up. For example, $\alpha_n$ from Fig. 1 exhibits finite time blow up of solutions only outside the red disk and, even then, the blow up occurs well after its solutions have reached the target region.

As an example for this section, consider the nonlinear ODE $\alpha_b \equiv v' = -v^2$. Mathematically, the solution to this ODE is $v(t) = \dfrac{v_0}{1 + v_0 t}$, where $v_0 \neq 0$ is the initial value of $v$ at time $t=0$ (if $v_0 = 0$, then $v(t) = 0$ for all $t$). If $v_0 < 0$ initially, then this solution is only defined to the right for the finite time interval $[0, -\tfrac{1}{v_0})$, because the denominator $1 + v_0 t$ is $0$ at $t = -\tfrac{1}{v_0}$. On the other hand, for $v_0 > 0$ (and when $v_0 = 0$), the existence interval to the right is $[0,\infty)$. Thus, $\alpha_b$ exhibits finite time blow up of solutions, but only for $v_0 < 0$.

The discussion above uses the mathematical solution $v(t)$ of the ODE $\alpha_b$. Syntactic proofs of existence for such solutions start by expressing existence properties in dL as a special form of ODE liveness property. The first step is to add a fresh variable $t$ with $t'=1$ that tracks the progress of time (for consistency, the ODE $x'=f(x)$ is assumed to not mention $t$ even if this is not always strictly necessary). Then, using a fresh variable $\tau$ not in $x, t$, the following formula expresses that the ODE $x'=f(x)$ has global solutions, i.e., solutions that exist beyond every time $\tau$:

$$
\forall\tau\,\langle x'=f(x),\,t'=1\rangle\,t > \tau
\tag{3}
$$

The simplest instance of (3) is for the ODE $t'=1$ by itself without any ODE $x'=f(x)$. In this case, the formula (3) is valid because $t'=1$ is an ODE with constant RHS and its solution exists for all time. The axiom TEx below expresses this fact and it derives directly from the solution axiom of dL [28]:

Lemma 5 (Time existence). The following axiom derives in dL.

$$
\mathrm{TEx}\quad \forall\tau\,\langle t'=1\rangle\,t > \tau
$$

Other instances of (3) can be proved using axioms BDG⟨·⟩, DDG⟨·⟩ with appropriate assumptions about the initial conditions for the additional ODEs $x'=f(x)$. This is exemplified for the ODE $\alpha_b$ next.

Example 1. The ODE $\alpha_b$ can be viewed as a model of the velocity of a particle that is slowing down due to air resistance. Of course, it does not make physical sense for the velocity of such a particle to "blow up". However, the solution of $\alpha_b$ only exists globally if the particle starts with positive initial velocity $v > 0$; otherwise, it only has short-lived solutions. The reason is that $\alpha_b$ only makes physical sense for positive velocities $v > 0$, so that the air resistance term $-v^2$ slows the particle down instead of speeding it up.
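As an added example (not code from the article), the following Python snippet makes the two ingredients of Example 1 mechanical. It differentiates polynomials exactly in order to compute the Lie derivative $2y\cdot g$ of the squared norm that appears in the premise of DDG⟨·⟩, evaluates the closed-form solution $v(t) = v_0/(1+v_0 t)$ of $\alpha_b$ to locate the blow-up time for $v_0 < 0$, and applies the same Lie-derivative computation to the dependency-order ODE $u'=u,\,v'=uv$ discussed later in this section, where it yields a bound $L$ depending only on the preceding variable $u$. The polynomial representation and all helper names are this example's own, not dL syntax.

```python
from fractions import Fraction

# Polynomials over Q in the variables VARS, stored as {exponent tuple: coefficient}.
# Representation and helper names are this example's own.
VARS = ("u", "v")

def var(name):
    e = [0] * len(VARS)
    e[VARS.index(name)] = 1
    return {tuple(e): Fraction(1)}

def const(c):
    return {(0,) * len(VARS): Fraction(c)} if c != 0 else {}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
    return {m: c for m, c in r.items() if c != 0}

def mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def neg(p):
    return {m: -c for m, c in p.items()}

def partial(p, name):
    """Partial derivative of polynomial p with respect to the variable name."""
    i = VARS.index(name)
    r = {}
    for m, c in p.items():
        if m[i] > 0:
            e = list(m)
            e[i] -= 1
            r[tuple(e)] = r.get(tuple(e), Fraction(0)) + c * m[i]
    return r

def lie(p, field):
    """Lie derivative of p along the ODE {name: RHS polynomial}: sum_i (dp/dx_i) * f_i.
    Variables absent from field have RHS 0."""
    r = {}
    for name, rhs in field.items():
        r = add(r, mul(partial(p, name), rhs))
    return r

def evaluate(p, point):
    total = Fraction(0)
    for m, c in p.items():
        term = c
        for name, e in zip(VARS, m):
            term *= Fraction(point[name]) ** e
        total += term
    return total

U, V = var("u"), var("v")
SQ_V = mul(V, V)                                  # squared norm of the ghost variable v

# alpha_b: v' = -v^2.  Lie derivative of v^2 along it: 2v * (-v^2) = -2 v^3.
ALPHA_B = {"v": neg(mul(V, V))}
LIE_ALPHA_B = lie(SQ_V, ALPHA_B)

def ddg_premise_holds(lie_p, L, M, sqnorm, point):
    """DDG<.> premise  2y.g <= L*||y||^2 + M  checked at one state (L, M polynomials)."""
    return evaluate(lie_p, point) <= evaluate(add(mul(L, sqnorm), M), point)

def alpha_b_solution(v0, t):
    """Closed-form solution v(t) = v0 / (1 + v0 t) of v' = -v^2 (v0 = 0 gives v = 0)."""
    return Fraction(v0) / (1 + Fraction(v0) * Fraction(t))

def alpha_b_blowup_time(v0):
    """Right endpoint T of the maximal existence interval [0, T): -1/v0 for v0 < 0,
    otherwise None, meaning the solution exists for all t >= 0."""
    v0 = Fraction(v0)
    return -1 / v0 if v0 < 0 else None

# Dependency-order ODE u' = u, v' = u*v: the Lie derivative of v^2 is 2 u v^2, which is
# exactly L * v^2 + M with L = 2u (depends only on the preceding variable u) and M = 0.
DEP_ORDER = {"u": U, "v": mul(U, V)}
LIE_DEP_V = lie(SQ_V, DEP_ORDER)
L_DEP = mul(const(2), U)

def dep_order_bound_is_exact():
    return LIE_DEP_V == add(mul(L_DEP, SQ_V), const(0))
```

With the trivial bounds $L \equiv 0$, $M \equiv 0$ of Example 1, `ddg_premise_holds` accepts every state with $v > 0$ and rejects every state with $v < 0$, which is precisely the range of initial values for which `alpha_b_blowup_time` reports a finite blow-up time.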
Global existence (3) can be proved for $\alpha_b$ if its initial velocity is positive, i.e., the dL formula $v > 0 \to \forall\tau\,\langle v'=-v^2,\,t'=1\rangle\,t > \tau$ is valid. The derivation is as follows:

$$
\dfrac{
 \dfrac{
  \dfrac{
   \dfrac{*}{v>0 \vdash [v'=-v^2,\,t'=1]\,v>0}
  }{v>0 \vdash [v'=-v^2,\,t'=1]\,2v\cdot(-v^2)\le 0}\;\mathrm{M}[']
  \qquad
  \dfrac{*}{\vdash \langle t'=1\rangle\,t>\tau}\;\mathrm{TEx}
 }{v>0 \vdash \langle v'=-v^2,\,t'=1\rangle\,t>\tau}\;\mathrm{DDG}\langle\cdot\rangle
}{\vdash v>0 \to \forall\tau\,\langle v'=-v^2,\,t'=1\rangle\,t>\tau}\;{\to}\mathrm{R},\forall\mathrm{R}
$$

After basic propositional steps (→R, ∀R), axiom DDG⟨·⟩ is used with $v'=-v^2$ as the ghost equation with the trivial choice of bounds $L \equiv 0$, $M \equiv 0$. This yields two premises, the right of which proves using TEx. The resulting left premise requires proving the formula $2v\cdot(-v^2) \le 0$ along the ODE. Mathematically, this says that the derivative of the squared norm $v^2$ is non-positive along $\alpha_b$, so that $v^2$ is non-increasing and can not blow up. An M[′] step strengthens the postcondition to $v > 0$ since $v > 0$ implies $2v\cdot(-v^2) \le 0$ in real arithmetic. The resulting premise is an invariance property for $v > 0$ which proves in dL (proof omitted [31]). The initial assumption $v > 0$ is crucially used in this step, as expected. (The fact that $v^2$ is non-increasing can also be used in an alternative derivation with axiom BDG⟨·⟩ and the bound $p \equiv v_0^2$, where $v_0$ syntactically stores the initial value of $v$.)

Section 3 offers another view of the derivation above as a single refinement step in the chain (2). Here, an initial existence property for the ODE $t'=1$ is refined to an existence property for the ODE $v'=-v^2,\,t'=1$. The refinement step is justified using DDG⟨·⟩ with the box modality formula $[v'=-v^2,\,t'=1]\,2v\cdot(-v^2)\le 0$.

$$
\langle t'=1\rangle\,t>\tau
\;\xrightarrow{\ \mathrm{DDG}\langle\cdot\rangle\ }\;
\langle v'=-v^2,\,t'=1\rangle\,t>\tau
$$

This chain can be extended to prove global existence for more complicated ODEs $x'=f(x)$ in a stepwise fashion, (possibly) alternating between uses of DDG⟨·⟩ or BDG⟨·⟩ for the refinement step. To do this, note that any ODE $x'=f(x)$ can be written in dependency order, where each group $y_i$ is a vector of variables and each $g_i$ corresponds to the respective vectorial RHS of the ODE for $y_i$ for $i = 1,\dots,k$. The RHS of each $y_i'$ is only allowed to depend on the preceding variables (inclusive) $y_1,\dots,y_i$.

$$
\underbrace{y_1' = g_1(y_1),\ y_2' = g_2(y_1,y_2),\ y_3' = g_3(y_1,y_2,y_3),\ \dots,\ y_k' = g_k(y_1,y_2,y_3,\dots,y_k)}_{x'=f(x)\text{ written in dependency order}}
\tag{4}
$$

Corollary 6 (Dependency order existence). Consider the ODE $x'=f(x)$ in dependency order (4), and where $\tau$ is a fresh variable not in $x, t$. The following rule with $k$ stacked premises derives from BDG⟨·⟩, DDG⟨·⟩ and TEx, where the postcondition of each premise $P_i$ for $1 \le i \le k$ can be chosen to be either of the form:

Ⓑ $P_i \equiv \|y_i\|^2 \le p_i(t, y_1,\dots,y_{i-1})$ for some term $p_i$ with the indicated dependencies, or,

Ⓓ $P_i \equiv 2y_i\cdot g_i(y_1,\dots,y_i) \le L_i(t,y_1,\dots,y_{i-1})\,\|y_i\|^2 + M_i(t,y_1,\dots,y_{i-1})$ for some terms $L_i, M_i$ with the indicated dependencies.

$$
\mathrm{DEx}\quad
\dfrac{
\begin{array}{l}
\Gamma \vdash [y_1'=g_1(y_1),\,t'=1]\,P_1\\[2pt]
\Gamma \vdash [y_1'=g_1(y_1),\,y_2'=g_2(y_1,y_2),\,t'=1]\,P_2\\[2pt]
\qquad\vdots\\[2pt]
\Gamma \vdash [y_1'=g_1(y_1),\,\dots,\,y_k'=g_k(y_1,\dots,y_k),\,t'=1]\,P_k
\end{array}
}{\Gamma \vdash \forall\tau\,\langle x'=f(x),\,t'=1\rangle\,t>\tau}
$$

Proof Sketch (Appendix B.1).
The derivation proceeds (backwards) by successively using either BDG⟨·⟩ for premises corresponding to the form Ⓑ or DDG⟨·⟩ for those corresponding to Ⓓ, with the ghost equations for $g_i$ and the respective bounds $p_i$ or $L_i, M_i$ at each step for $i = k,\dots,1$.

Rule DEx corresponds to a refinement chain (2) of length $k$, with successive BDG⟨·⟩, DDG⟨·⟩ steps, e.g.:

$$
\langle t'=1\rangle\,t>\tau
\;\xrightarrow{\ \mathrm{BDG}\langle\cdot\rangle\ }\;
\langle y_1'=g_1(y_1),\,t'=1\rangle\,t>\tau
\;\xrightarrow{\ \mathrm{DDG}\langle\cdot\rangle\ }\;
\cdots
\;\longrightarrow\;
\langle y_1'=g_1(y_1),\,\dots,\,y_k'=g_k(y_1,\dots,y_k),\,t'=1\rangle\,t>\tau
$$

In rule DEx any choice of the shape of premises (Ⓑ and Ⓓ) is sound as these correspond to an underlying choice of axiom BDG⟨·⟩, DDG⟨·⟩ to apply at each step, respectively. Another source of flexibility arises when choosing the dependency ordering (4) for the ODE $x'=f(x)$, as long as the requisite dependency requirements are met. For example, one can always choose the coarsest dependency order $y_1 \equiv x$, $g_1 \equiv f(x)$, and directly prove global existence in one step using an appropriate choice of bounds $L_1, M_1$. The advantage of using finer dependency orders in DEx is that it allows the user to choose the bounds $L_i, M_i$ in a step-by-step manner for $i = 1,\dots,k$. This flexibility is used in Corollaries 8 and 10.

The discussion thus far proves global existence for ODEs by encoding existence properties with an explicit time variable $t$. This is not a serious restriction for the liveness proofs in later sections of this article. Such a fresh time variable can always be added using the rule dGt below, which derives from DG. The rule also adds the assumption $t = 0$ initially without loss of generality for ease of proof.

$$
\mathrm{dGt}\quad
\dfrac{\Gamma,\ t=0 \vdash \langle x'=f(x),\,t'=1\,\&\,Q\rangle P}{\Gamma \vdash \langle x'=f(x)\,\&\,Q\rangle P}
$$

Rule DEx gives a general recipe for proving global existence of an ODE by refinement with BDG⟨·⟩, DDG⟨·⟩. However, it still requires the user to manually prove all $k$ premises resulting from application of the rule. For certain classes of ODEs and initial conditions, there are well-known mathematical techniques to prove global existence. These techniques also have purely syntactic renderings in dL as special cases of BDG⟨·⟩, DDG⟨·⟩, DEx. In particular, this section shows how axioms GEx, BEx (shown below), which were proved semantically in the earlier conference version [42], can be derived syntactically. The refinement approach also yields natural generalizations of these axioms.

A function $f : \mathbb{R}^m \to \mathbb{R}^n$ is called globally Lipschitz continuous if there is a (positive) Lipschitz constant $C \in \mathbb{R}$ such that the inequality $\|f(x) - f(y)\| \le C\,\|x - y\|$ holds for all $x, y \in \mathbb{R}^m$, where $\|\cdot\|$ are appropriate norms. Since norms are equivalent on finite dimensional vector spaces [43], the choice of norms does not affect this definition. An ODE $x'=f(x)$ is globally Lipschitz if its RHS $f(x)$ is globally Lipschitz continuous. Solutions of such ODEs always exist globally for all time [43]. This is the case for the linear ODE $\alpha_l$ from Fig. 1, and more generally for linear ODEs of the form $x' = Ax$, where $A$ is a matrix of (constant) parameters [43], because of the following (mathematical) inequality with Lipschitz constant $\|A\|$, i.e., the (matrix-Euclidean) Frobenius norm of $A$:

$$
\|Ax - Ay\| = \|A(x-y)\| \le \|A\|\,\|x-y\|
$$

This calculation uses the Euclidean norm $\|\cdot\|$, which is not a term in dL (Section 2.1) because it is not a polynomial. This syntactic exclusion is not an oversight: it is crucial to the soundness of dL that such non-differentiable terms are excluded from its syntax. For example, $\|x\|$ is not differentiable at $x = 0$.
Thus, a subtle technical challenge in proofs is to appropriately rephrase mathematical inequalities, typically involving norms, into ones that can be reasoned about soundly also in the presence of differentiation. In this respect, the squared Euclidean norm is useful, because expanding the inequality $0 \le (1 - \|x\|)^2$ and rearranging yields:

$$
2\|x\| \le 1 + \|x\|^2
\tag{5}
$$

Notice that, unlike the Euclidean norm $\|x\|$, the RHS of the square inequality (5) can be represented syntactically. Indeed, the squared Euclidean norm is already used in axioms BDG, BDG⟨·⟩, DDG⟨·⟩. To support intuition, the proof sketches below continue to use mathematical inequalities involving Euclidean norms, while the actual proofs in the appendix use rephrasings with (5) instead. The following corollary shows how global existence for globally Lipschitz ODEs is derived using a norm inequality as a special case of rule DEx.
Corollary 7 (Global existence). The following global existence axiom derives from DDG⟨·⟩ in dL, where $\tau$ is a fresh variable not in $x, t$, and $x'=f(x)$ is globally Lipschitz.

$$
\mathrm{GEx}\quad \forall\tau\,\langle x'=f(x),\,t'=1\rangle\,t>\tau
$$

Proof Sketch (Appendix B.1). Let $C$ be the Lipschitz constant for $f$. The proof uses DDG⟨·⟩ and two (mathematical) inequalities. The first inequality (6) bounds $\|f(x)\|$ linearly in $\|x\|$. The base point $0$ is chosen here to simplify the resulting arithmetic.

$$
\|f(x)\| = \|f(x) - f(0) + f(0)\| \le \|f(x) - f(0)\| + \|f(0)\| \le C\,\|x - 0\| + \|f(0)\| = C\,\|x\| + \|f(0)\|
\tag{6}
$$

The second inequality uses bound (6) on $\|f(x)\|$ to further bound $2x\cdot f(x)$ linearly in $\|x\|^2$ along the ODE with appropriate choices of $L, M$ that only depend on the (positive) Lipschitz constant $C$ and $\|f(0)\|$.

$$
\begin{aligned}
2x\cdot f(x) &\le 2\|x\|\,\|f(x)\| \overset{(6)}{\le} 2\|x\|\big(C\,\|x\| + \|f(0)\|\big) = 2C\,\|x\|^2 + 2\|x\|\,\|f(0)\| \\
&\overset{(5)}{\le} 2C\,\|x\|^2 + \big(1 + \|x\|^2\big)\|f(0)\| = \underbrace{\big(2C + \|f(0)\|\big)}_{L}\,\|x\|^2 + \underbrace{\|f(0)\|}_{M}
\end{aligned}
\tag{7}
$$

The derivation of axiom GEx uses DDG⟨·⟩, but global existence extends to more complicated ODEs with the aid of DEx as long as appropriate choices of $L, M$ can be made. A useful example of such an extension is global existence for ODEs that have an affine dependency order (4), i.e., each $y_i' = g_i(y_1,\dots,y_i)$ is affine in $y_i$ with $y_i' = A_i(y_1,\dots,y_{i-1})\,y_i + b_i(y_1,\dots,y_{i-1})$, where $A_i, b_i$ are respectively matrix and vector terms with appropriate dimensions and the indicated variable dependencies.

Corollary 8 (Affine dependency order global existence). Axiom GEx is derivable from DDG⟨·⟩ in dL for ODEs $x'=f(x)$ with affine dependency order.

Proof Sketch (Appendix B.1). The proof is similar to Corollary 7 but uses DEx to prove global existence step-by-step for the dependency order. It uses the following (mathematical) inequality and corresponding choices of $L_i, M_i$ (shown below) for $i = 1,\dots,k$ at each step:

$$
\begin{aligned}
2y_i\cdot(A_i y_i + b_i) &= 2\big(y_i\cdot(A_i y_i) + y_i\cdot b_i\big) \le 2\|A_i\|\,\|y_i\|^2 + 2\|y_i\|\,\|b_i\| \\
&\le 2\|A_i\|\,\|y_i\|^2 + \big(1 + \|y_i\|^2\big)\|b_i\| = \underbrace{\big(2\|A_i\| + \|b_i\|\big)}_{L_i}\,\|y_i\|^2 + \underbrace{\|b_i\|}_{M_i}
\end{aligned}
\tag{8}
$$

This inequality is very similar to the one used for Corollary 7, where $\|A_i\|$ corresponds to $C$, and $\|b_i\|$ corresponds to $\|f(0)\|$. The difference is that terms $L_i, M_i$ are allowed to depend on the preceding variables $y_1,\dots,y_{i-1}$. Importantly for soundness, both terms meet the appropriate variable dependency requirements of DDG⟨·⟩ because the terms $A_i, b_i$ are not allowed to depend on $y_i$ in the affine dependency order.

With the extended refinement chain underlying DEx, Corollary 8 enables more general proofs of global existence for certain multi-affine ODEs that are not necessarily globally Lipschitz. For example, the ODE $u' = u,\ v' = uv$ meets the dependency requirements of Corollary 8, so it has provable global solutions, but its RHS is not a globally Lipschitz function of $u, v$.

Returning to the example ODEs $\alpha_b$ and $\alpha_n$, observe that axiom GEx applies to neither of those ODEs because they do not have affine dependency order. As observed earlier in Example 1 and Fig. 1 respectively, neither $\alpha_b$ nor $\alpha_n$ have global solutions from all initial states. Although Example 1 shows how global existence for $\alpha_b$ can be proved from assumptions motivated by physics, it is also useful to have general axioms (similar to GEx) corresponding to well-known mathematical techniques for proving global existence of solutions for nonlinear ODEs under particular assumptions. One such mathematical technique is briefly recalled next.

Suppose that the solution of ODE $x'=f(x)$ is trapped within a bounded set (whose compact closure is contained in the domain of the ODE); then the ODE solution exists globally. For a proof, see [16, Corollary 2.5] and [19, Theorem 3.3]. In control theory, this principle is used to show the global existence of solutions near stable equilibria [16, 19].
The same trapping principle also applies in case the model of interest has state variables that are a priori known to range within a bounded set [2, Section 6]. This discussion suggests that the following formula is valid for any ODE $x'=f(x)$, where $B(x)$ characterizes a bounded set over the variables $x$, so the assumption $[x'=f(x)]\,B(x)$ says that the ODE solution is always trapped within the bounded set characterized by $B(x)$.

$$
[x'=f(x)]\,B(x) \to \forall\tau\,\langle x'=f(x),\,t'=1\rangle\,t>\tau
\tag{9}
$$

Formula (9) is rewritten more succinctly in the following corollary by negating the box modality.

Corollary 9 (Bounded existence). The following bounded existence axiom derives from BDG⟨·⟩ in dL, where $\tau$ is a fresh variable not in $x, t$, and formula $B(x)$ characterizes a bounded set over variables $x$.

$$
\mathrm{BEx}\quad \forall\tau\,\langle x'=f(x),\,t'=1\rangle\,\big(t>\tau \vee \neg B(x)\big)
$$

Proof Sketch (Appendix B.1). The squared norm function $\|x\|^2$ is continuous in $x$, so it is bounded above by a constant $D$ on the compact closure of the set characterized by $B(x)$. Axiom BDG⟨·⟩ is used with $p(x) = D$.

Axiom BEx removes the global Lipschitz (or affine dependency) requirement of GEx but weakens the postcondition to say that solutions must either exist for sufficient duration or blow up and leave the bounded set characterized by formula $B(x)$. Like axiom GEx, axiom BEx is derived by refinement using axiom BDG⟨·⟩. This commonality again yields a more general version of BEx, which also incorporates ideas from GEx.

Corollary 10 (Dependency order bounded existence). Consider the ODE $x'=f(x)$ in dependency order (4), and where $\tau$ is a fresh variable not in $x, t$. The following axiom derives from BDG⟨·⟩, DDG⟨·⟩ in dL, where the indices $i = 1,\dots,k$ are partitioned into two disjoint index sets $L, N$ such that:

• For each $i \in L$, $y_i' = g_i(y_1,\dots,y_i)$ is affine in $y_i$.

• For each $i \in N$, $B_i(y_i)$ characterizes a bounded set over the variables $y_i$.

$$
\mathrm{GBEx}\quad \forall\tau\,\langle x'=f(x),\,t'=1\rangle\,\Big(t>\tau \vee \bigvee_{i\in N}\neg B_i(y_i)\Big)
$$

Proof Sketch (Appendix B.1).
The derivation is similar to rule DEx, with an internal DDG⟨·⟩ step (similar to GEx) for $i \in L$ and an internal BDG⟨·⟩ step (similar to BEx) for $i \in N$.

The index set $L$ in Corollary 10 indicates those variables of $x'=f(x)$ whose global existence (with respect to the other variables) can be automatically proved. On the other hand, the index set $N$ indicates the variables that may cause finite time blow up of solutions. The postcondition of axiom GBEx says that solutions either exist for sufficient duration or they blow up and leave one of the bounded sets indexed by $N$. Therefore, an immediate modeling application of Corollary 10 is to identify which of the state variables in a model must be proved (or assumed) to take on bounded values [2, Section 6]. This underlies the automated existence proof support discussed in Section 7.

The derivations of the existence axioms GEx, BEx, GBEx and rule DEx illustrate the use of liveness refinement for proving existence properties. Moreover, BDG⟨·⟩ is the sole ODE diamond refinement axiom underlying these derivations (recall that DDG⟨·⟩ derives from BDG⟨·⟩). This yields a natural question: are there ODEs whose solutions exist globally, but whose global existence can not be proved syntactically using BDG⟨·⟩? The next completeness result gives a conditional completeness answer: all global existence properties can be proved using BDG⟨·⟩, if the corresponding ODE solutions are represented syntactically.

Proposition 11 (Global existence completeness). Suppose ODE $x'=f(x)$ has a global solution representable in the dL term language. Formula (3) is derivable for $x'=f(x)$ from axiom BDG⟨·⟩.

Proof Sketch (Appendix B.1).
Suppose that ODE $x'=f(x)$ has a global solution syntactically represented in dL as term $X(t)$ dependent only on the free variable $t$. The equality $x = X(t)$ is provable along the ODE $x'=f(x),\,t'=1$ because solutions are equational invariants [28, 31]. The proof uses BDG⟨·⟩ with the bounding term $p = \|X(t)\|^2$, so that the required hypothesis of BDG⟨·⟩, i.e., $[x'=f(x),\,t'=1]\,\|x\|^2 \le \|X(t)\|^2$, proves trivially using the equality $x = X(t)$.

The completeness result in Proposition 11 is somewhat unsatisfying at first glance, because one needs to have an explicit syntactic representation of the solution for the ODE. In the term language of this article (Section 2.1) only polynomial solutions would be representable in this way. However, dL also has term language extensions [31], which considerably extend the class of syntactically representable solutions to include, e.g., towers of exponentials. (Nevertheless, even such a syntactic extension is insufficient because Turing machines can be simulated by solutions of polynomial differential equations [15, Theorem 2]. Thus, it is possible to construct polynomial ODEs whose solutions do not blow up, but grow like the (Turing-computable) Ackermann function, i.e., faster than any tower of exponentials.) Additionally, the proof in Proposition 11 actually only requires a provable upper bound $\|x\|^2 \le \|X(t)\|^2$ rather than an equality. Thus, a dL representable (and provable) upper bound $\|X(t)\|^2$ also suffices to prove global existence. This completeness result highlights the advantage of axioms BDG⟨·⟩, DDG⟨·⟩ and their use in the derived axioms of Corollaries 7–10 because they implicitly deduce global existence without needing an explicit representable solution for the ODEs.

This section presents proof rules for liveness properties of ODEs $x'=f(x)$ without domain constraints, i.e., where $Q$ is the formula $\mathit{true}$. Errors and omissions in the surveyed techniques are highlighted in blue.

The fundamental technique for verifying liveness of discrete loops are loop variants, i.e., quantities that decrease strictly across each loop iteration. Differential variants [25] are their continuous analog:

Corollary 12 (Atomic differential variants [25]). The following proof rules (where $\succcurlyeq$ is either $\ge$ or $>$) are derivable in dL. Terms $\varepsilon(), p()$ are constant for ODE $x'=f(x),\,t'=1$. In rule $\mathrm{dV}^{\succcurlyeq}$, the ODE $x'=f(x)$ has provable global solutions.

$$
\mathrm{dV}_{\Gamma}^{\succcurlyeq}\quad
\dfrac{\neg(p \succcurlyeq 0) \vdash \dot p \ge \varepsilon()}
{\Gamma,\ p = p(),\ t = 0,\ \langle x'=f(x),\,t'=1\rangle\big(p() + \varepsilon()\,t > 0\big) \vdash \langle x'=f(x),\,t'=1\rangle\,p \succcurlyeq 0}
$$

$$
\mathrm{dV}^{\succcurlyeq}\quad
\dfrac{\neg(p \succcurlyeq 0) \vdash \dot p \ge \varepsilon()}
{\Gamma,\ \varepsilon() > 0 \vdash \langle x'=f(x)\rangle\,p \succcurlyeq 0}
$$
Proof Sketch (Appendix B.2).
Rule $\mathrm{dV}_{\Gamma}^{\succcurlyeq}$ derives by using axiom K⟨&⟩ with $G \equiv \big(p() + \varepsilon()\,t > 0\big)$:

$$
\mathrm{K}\langle\&\rangle\quad
\dfrac{\Gamma,\ p = p(),\ t = 0 \vdash [x'=f(x),\,t'=1\,\&\,\neg(p \succcurlyeq 0)]\big(p() + \varepsilon()\,t \le 0\big)}
{\Gamma,\ p = p(),\ t = 0,\ \langle x'=f(x),\,t'=1\rangle\big(p() + \varepsilon()\,t > 0\big) \vdash \langle x'=f(x),\,t'=1\rangle\,p \succcurlyeq 0}
$$

Monotonicity M[′] strengthens the postcondition to $p \ge p() + \varepsilon()\,t$ using the domain constraint $\neg(p \succcurlyeq 0)$ (under that domain constraint, $p \ge p() + \varepsilon()\,t$ implies $p() + \varepsilon()\,t \le 0$). A subsequent use of $\mathrm{dI}^{\succcurlyeq}$ completes the derivation:

$$
\dfrac{
\dfrac{\neg(p \succcurlyeq 0) \vdash \dot p \ge \varepsilon()}
{\Gamma,\ p = p(),\ t = 0 \vdash [x'=f(x),\,t'=1\,\&\,\neg(p \succcurlyeq 0)]\big(p \ge p() + \varepsilon()\,t\big)}\;\mathrm{dI}^{\succcurlyeq}
}{\Gamma,\ p = p(),\ t = 0 \vdash [x'=f(x),\,t'=1\,\&\,\neg(p \succcurlyeq 0)]\big(p() + \varepsilon()\,t \le 0\big)}\;\mathrm{M}[']
$$

Rule $\mathrm{dV}^{\succcurlyeq}$ is derived in Appendix B.2 as a corollary of rule $\mathrm{dV}_{\Gamma}^{\succcurlyeq}$ because the ODE $x'=f(x)$ is assumed to have solutions which (provably) exist globally.

The premises of both rules $\mathrm{dV}_{\Gamma}^{\succcurlyeq}, \mathrm{dV}^{\succcurlyeq}$ require a constant (positive) lower bound $\varepsilon()$ on the Lie derivative $\dot p$. This bound ensures that the value of $p$ strictly increases along solutions to the ODE, eventually becoming non-negative. Soundness of both rules therefore crucially requires that ODE solutions exist for sufficiently long for $p$ to become non-negative. This is usually left as a soundness-critical side condition in liveness proof rules [25, 39], but any such side condition is antithetical to approaches for minimizing the soundness-critical core in implementations [28] because it requires checking the (semantic) condition that solutions exist for sufficient duration. The conclusion of rule $\mathrm{dV}_{\Gamma}^{\succcurlyeq}$ formalizes this side condition as an assumption.
In contrast, rule $\mathrm{dV}^{\succcurlyeq}$ discharges it using the (assumed) provable global existence for the ODEs (see Section 4).

The rest of this article similarly develops ODE liveness proof rules that rely on the global existence proofs from Section 4. In all subsequent proof rules, the ODE $x'=f(x)$ is said to have provable global solutions if the global existence formula (3) for $x'=f(x)$ is provable. For example, if $x'=f(x)$ were globally Lipschitz (or, as a special case, linear), then its global existence can be proven using axiom GEx from Corollaries 7 and 8. For uniformity, all proof steps utilizing this assumption are marked with GEx, although proofs of global existence could use various other techniques described in Section 4. All subsequent proof rules can alternatively be presented with sufficient duration assumptions like $\mathrm{dV}_{\Gamma}^{\succcurlyeq}$, but those are omitted for brevity.

Example 2. The liveness property that Fig. 1 suggested for the linear ODE $\alpha_l$ is proved by rule $\mathrm{dV}^{\succcurlyeq}$. The proof is shown below (in the original it is visualized alongside in the $u$-$v$ plane). The first monotonicity step M⟨′⟩ strengthens the postcondition to the inner blue circle $u^2 + v^2 = \tfrac14$, which is contained within the green goal region (a box constraint on $\|(u,v)\|_\infty$). Next, since solutions satisfy $u^2 + v^2 = 1$ initially (black circle), the K⟨&⟩ step expresses an intermediate value property: to show that the continuous solution eventually reaches $u^2 + v^2 = \tfrac14$, it suffices to show that it eventually reaches $u^2 + v^2 \le \tfrac14$ (also see Corollary 13 below). The postcondition is rearranged to the form $p \ge 0$ with $p \equiv \tfrac14 - (u^2+v^2)$ before $\mathrm{dV}^{\succcurlyeq}$ is used with a suitable constant $\varepsilon()$. Its premise proves with $\mathbb{R}$ because the Lie derivative $\dot p$ of $-(u^2+v^2)$ with respect to $\alpha_l$ is a positive constant multiple of $u^2 + v^2$, which is bounded below by $\varepsilon()$ under the assumption $-(u^2+v^2) < -\tfrac14$.

$$
\dfrac{
 \dfrac{
  \dfrac{*}{\tfrac14 < u^2+v^2 \vdash \dot p \ge \varepsilon()}\;\mathbb{R}
 }{-(u^2+v^2) < -\tfrac14 \vdash \dot p \ge \varepsilon()}
}{
 \dfrac{u^2+v^2 = 1 \vdash \langle\alpha_l\rangle\,{-(u^2+v^2)} \ge -\tfrac14}{
  \dfrac{u^2+v^2 = 1 \vdash \langle\alpha_l\rangle\,u^2+v^2 \le \tfrac14}{
   \dfrac{u^2+v^2 = 1 \vdash \langle\alpha_l\rangle\,u^2+v^2 = \tfrac14}{u^2+v^2 = 1 \vdash \langle\alpha_l\rangle\,(\text{green goal region})}\;\mathrm{M}\langle'\rangle
  }\;\mathrm{K}\langle\&\rangle
 }
}\;\mathrm{dV}^{\succcurlyeq}
$$

The Lie derivative calculation shows that the value of $u^2 + v^2$ decreases along solutions of $\alpha_l$, as visualized by the shrinking (dashed) circles. However, the rate of shrinking converges to zero as solutions approach the origin, so solutions never reach the origin in finite time! This is why $\mathrm{dV}_{\Gamma}^{\succcurlyeq}, \mathrm{dV}^{\succcurlyeq}$ crucially need a constant positive lower bound on the Lie derivative $\dot p \ge \varepsilon()$ for soundness [25] instead of merely requiring $\dot p > 0$.

It is also instructive to examine the chain of refinements (2) underlying the proof above. Since $\alpha_l$ is a linear ODE, the first $\mathrm{dV}^{\succcurlyeq}$ step refines the initial liveness property from GEx, i.e., that solutions exist globally (so, in particular, for at least the duration $-p()/\varepsilon()$ that $\mathrm{dV}^{\succcurlyeq}$ needs), to the property $u^2 + v^2 \le \tfrac14$. Subsequent refinement steps can be read off from the proof steps above:

$$
\langle\alpha_l,\,t'=1\rangle\,t > \tau
\;\xrightarrow{\ \mathrm{dV}^{\succcurlyeq}\ }\;
\langle\alpha_l\rangle\,u^2+v^2 \le \tfrac14
\;\xrightarrow{\ \mathrm{K}\langle\&\rangle\ }\;
\langle\alpha_l\rangle\,u^2+v^2 = \tfrac14
\;\xrightarrow{\ \mathrm{M}\langle'\rangle\ }\;
\langle\alpha_l\rangle\,(\text{green goal region})
$$

The latter two steps illustrate the idea behind the next two surveyed proof rules. In their original presentation [41], the ODE $x'=f(x)$ is only assumed to be locally Lipschitz continuous, which is insufficient for global existence of solutions, making the original rules unsound. See Appendix C for counterexamples.

Corollary 13 (Equational differential variants [41]). The following proof rules are derivable in dL.
Term $\varepsilon()$ is constant for ODE $x' = f(x)$, and the ODE has provable global solutions for both rules.

\[
\mathrm{dV}_{=}\;\;\frac{p < 0 \vdash \dot p \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0,\ p \le 0 \vdash \langle x' = f(x)\rangle\, p = 0}
\qquad
\mathrm{dV}^{M}_{=}\;\;\frac{p = 0 \vdash P \qquad p < 0 \vdash \dot p \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0,\ p \le 0 \vdash \langle x' = f(x)\rangle\, P}
\]

The view of dV≽ as a refinement of GEx in Example 2 also yields generalizations of dV≽ to higher Lie derivatives. Indeed, it suffices that any higher Lie derivative $\dot p^{(k)}$ is bounded below by a positive constant $\varepsilon()$ rather than just the first:

Corollary 14 (Atomic higher differential variants). The following proof rule (where ≽ is either ≥ or >) is derivable in dL. Term $\varepsilon()$ is constant for ODE $x' = f(x)$, and the ODE has provable global solutions.

\[
\mathrm{dV}^{k}_{\succcurlyeq}\;\;\frac{\neg(p \succcurlyeq 0) \vdash \dot p^{(k)} \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0 \vdash \langle x' = f(x)\rangle\, p \succcurlyeq 0}
\]

Proof Sketch (Appendix B.2).
Since $\dot p^{(k)}$ is strictly positive, all lower Lie derivatives $\dot p^{(i)}$ of $p$ for $i < k$, including $p$ itself, eventually become positive. This derives using a sequence of dC, dI≽ steps.

The idea behind staging sets [39] is to use an intermediary staging set formula $S$ that can only be left by entering the goal region $P$. This staging property is expressed by the box modality formula $[x' = f(x) \,\&\, \neg P]\, S$.

Corollary 15 (Staging sets [39]). The following proof rule is derivable in dL. Term $\varepsilon()$ is constant for ODE $x' = f(x)$, and the ODE has provable global solutions.

\[
\mathrm{SP}\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, \neg P]\, S \qquad S \vdash p \le 0 \wedge \dot p \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0 \vdash \langle x' = f(x)\rangle\, P}
\]

Proof Sketch (Appendix B.2).
The derivation starts by using refinement axiom K⟨&⟩ with $G \equiv \neg S$. The rest of the derivation is similar to dVΓ≽ and dV≽.

In rule SP, the staging set formula $S$ provides a choice of intermediary between the differential variant $p$ and the desired postcondition $P$. Proof rules can be significantly simplified by choosing $S$ with desirable topological properties. For example, all of the liveness proof rules derived so far either have an explicit sufficient duration assumption (like dVΓ≽) or assume that the ODEs have provable global solutions (like dV≽ using axiom GEx). An alternative is to use axiom BEx, by choosing the staging set formula $S(x)$ to characterize a bounded or compact set over the variables $x$.

Corollary 16 (Bounded/compact staging sets). The following proof rules are derivable in dL. Term $\varepsilon()$ is constant for $x' = f(x)$. In rule SP$_b$, formula $S$ characterizes a bounded set over variables $x$. In rule SP$_c$, it characterizes a compact, i.e., closed and bounded, set over those variables.

\[
\mathrm{SP}_b\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, \neg P]\, S \qquad S \vdash \dot p \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0 \vdash \langle x' = f(x)\rangle\, P}
\qquad
\mathrm{SP}_c\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, \neg P]\, S \qquad S \vdash \dot p > 0}{\Gamma \vdash \langle x' = f(x)\rangle\, P}
\]

Proof Sketch (Appendix B.2).
Rule SP$_b$ derives using BEx and differential variant $p$ to establish a time bound. Rule SP$_c$ is an arithmetical corollary of SP$_b$, using the fact that continuous functions on compact domains attain their extrema.

Example 3. The liveness property that Fig. 1 suggested for the nonlinear ODE $\alpha_n$ is proved using rule SP$_c$ by choosing as staging set formula $S$ a closed annulus of the form $\_ \le u + v \le \_$ (blue annulus) and the differential variant $p = u + v$. The Lie derivative $\dot p$ with respect to $\alpha_n$ has the form $(u + v)(u + v - \_)$, which is bounded below by a positive constant in $S$. Thus, the right premise of SP$_c$ closes trivially. The left premise requires proving that $S$ is an invariant within the domain constraint $\neg(u + v \ge \_)$, the negation of the goal. Intuitively, this is true because the blue annulus can only be left by entering the goal $u + v \ge \_$. Its elided invariance proof is easy [31].

\[
\begin{array}{r@{\quad}l}
 & S \vdash [\alpha_n \,\&\, \neg(u + v \ge \_)]\, S \qquad\qquad \mathbb{R}\;\; \dfrac{\ast}{S \vdash \dot p > 0} \\
\mathrm{cut},\mathbb{R} & u + v = 1 \vdash [\alpha_n \,\&\, \neg(u + v \ge \_)]\, S \\
\mathrm{SP}_c & u + v = 1 \vdash \langle \alpha_n \rangle\, u + v \ge \_
\end{array}
\]

(The blank positions stand for the numeric thresholds of Fig. 1.) There are two subtleties to highlight in this proof. First, $S$ characterizes a compact, hence bounded, set (as required by rule SP$_c$). Solutions of $\alpha_n$ can blow up in finite time, which necessitates the use of BEx for proving its liveness properties. Second, $S$ cleverly excludes the red disk (dashed boundary) characterized by $u + v \le \_$. Solutions of $\alpha_n$ behave differently in this region, e.g., the Lie derivative $\dot p$ is non-positive in this disk. The chain of refinements (2) behind this proof can be seen from the derivation of rules SP$_b$, SP$_c$ in Appendix B.2. It starts from the initial liveness property BEx (with the time bound shown in the chain) and uses two K⟨&⟩ refinement steps. The first K⟨&⟩ step shows that the staging set is left ($\langle\alpha_n\rangle \neg S$), while the latter shows the desired liveness property:

\[
\langle \alpha_n, t' = 1\rangle\, (\neg S \vee t > 23) \;\xrightarrow{\ \mathrm{K}\langle\&\rangle\ }\; \langle\alpha_n\rangle\, \neg S \;\xrightarrow{\ \mathrm{K}\langle\&\rangle\ }\; \langle\alpha_n\rangle\, u + v \ge \_
\]

The use of axiom BEx is subtle and is often overlooked in surveyed liveness arguments. This includes incorrect claims [35, Remark 3.6] that a liveness argument works without assuming that the relevant sets are bounded. Similarly, the following proof rule derives from SP$_c$ by adapting ideas from the literature [36, Theorem 2.4, Corollary 2.5] that were claimed to hold for any closed set $K$, when, in fact, $K$ needs to be compact, as assumed implicitly in the proof [36].

Corollary 17 (Set Lyapunov functions [36]). The following proof rule is derivable in dL. Formula $K$ characterizes a compact set over variables $x$, while formula $P$ characterizes an open set over those variables.

\[
\mathrm{SLyap}\;\;\frac{p \ge 0 \vdash K \qquad \neg P,\ K \vdash \dot p > 0}{p \succcurlyeq 0 \vdash \langle x' = f(x)\rangle\, P}
\]

Proof Sketch (Appendix B.2).
Rule SLyap derives from SP$_c$ with $S \equiv \neg P \wedge K$, since $\neg P$ characterizes a closed set, and the intersection of a closed set with a compact set is compact.

This section presents proof rules for liveness properties $x' = f(x) \,\&\, Q$ with domain constraint $Q$. These properties are more subtle than liveness without domain constraints, because the limitation to a domain constraint $Q$ may make it impossible for an ODE solution to reach a desired goal region without leaving $Q$. Axiom DR⟨·⟩ with $R \equiv \mathit{true}$ provides one way of directly generalizing the proof rules from Section 5, as shown in the following derivation. Proof rules from Section 5 can be used on the resulting right premise:

\[
\mathrm{DR}\langle\cdot\rangle\;\;\frac{\Gamma \vdash [x' = f(x)]\, Q \qquad \Gamma \vdash \langle x' = f(x)\rangle\, P}{\Gamma \vdash \langle x' = f(x) \,\&\, Q\rangle\, P}
\]

This derivation extends all chains of refinements (2) from Section 5 with one additional step:

\[
\cdots \longrightarrow \langle x' = f(x)\rangle\, P \;\xrightarrow{\ \mathrm{DR}\langle\cdot\rangle\ }\; \langle x' = f(x) \,\&\, Q\rangle\, P
\]

Liveness arguments become much more intricate when attempting to generalize beyond DR⟨·⟩, e.g., recall the unsound conjectured variant of DR⟨·⟩. Indeed, unlike the technical glitches of Section 5, this article uncovers subtle soundness-critical errors in the literature. With dL's deductive approach, these intricacies are isolated to the topological axioms (Lemma 4), which have been proved sound once and for all. Errors and omissions in the surveyed techniques are again highlighted in blue. The first proof rule generalizes differential variants to handle domain constraints:
Corollary 18 (Atomic differential variants with domains [25]). The following proof rule (where ≽ is either ≥ or >) is derivable in dL. Term $\varepsilon()$ is constant for the ODE $x' = f(x)$, and the ODE has provable global solutions. Formula $Q$ characterizes a closed (resp. open) set when ≽ is ≥ (resp. >).

\[
\mathrm{dV}_{\succcurlyeq\&}\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, \neg(p \succcurlyeq 0)]\, Q \qquad \neg(p \succcurlyeq 0),\ Q \vdash \dot p \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0,\ \neg(p \succcurlyeq 0) \vdash \langle x' = f(x) \,\&\, Q\rangle\, p \succcurlyeq 0}
\]

Proof Sketch (Appendix B.3).
The derivation uses axiom COR choosing $R \equiv \mathit{true}$, noting that $p \ge 0$ (resp. $p > 0$) characterizes a topologically closed (resp. open) set, so the appropriate topological requirements of COR are satisfied:

\[
\mathrm{COR}\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, \neg(p \succcurlyeq 0)]\, Q \qquad
\dfrac{\neg(p \succcurlyeq 0),\ Q \vdash \dot p \ge \varepsilon() \qquad \vdots}{\Gamma,\ \varepsilon() > 0 \vdash \langle x' = f(x)\rangle\, p \succcurlyeq 0}}
{\Gamma,\ \varepsilon() > 0,\ \neg(p \succcurlyeq 0) \vdash \langle x' = f(x) \,\&\, Q\rangle\, p \succcurlyeq 0}
\]

The derivation steps on the right premise are similar to the ones used in dV≽, although an intervening dC step is used to add $Q$ to the antecedents.

The original presentation of this rule [25] omits the highlighted assumption $\neg(p \succcurlyeq 0)$, which is needed for COR; the rule is unsound without it. In addition, it uses a form of syntactic weak negation [25], which is unsound for open postconditions, as pointed out earlier [39]. See Appendix C for counterexamples. Corollary 18 recovers soundness by adding topological restrictions on the domain constraint $Q$.

The next two corollaries similarly make use of COR to derive the proof rule dV$^M_{=\&}$ [41] and the adapted rule SLyap$_\&$ [36]. They respectively generalize dV$^M_=$ and SLyap from Section 5 to handle domain constraints. The technical glitches in their original presentations [36, 41], which were identified in Section 5, remain highlighted here.

Corollary 19 (Equational differential variants with domains [41]). The following proof rules are derivable in dL. Term $\varepsilon()$ is constant for the ODE $x' = f(x)$, and the ODE has provable global solutions for both rules. Formula $Q$ characterizes a closed set over variables $x$.

\[
\mathrm{dV}_{=\&}\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, p < 0]\, Q \qquad p < 0,\ Q \vdash \dot p \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0,\ p \le 0,\ Q \vdash \langle x' = f(x) \,\&\, Q\rangle\, p = 0}
\]

\[
\mathrm{dV}^{M}_{=\&}\;\;\frac{Q,\ p = 0 \vdash P \qquad \Gamma \vdash [x' = f(x) \,\&\, p < 0]\, Q \qquad p < 0,\ Q \vdash \dot p \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0,\ p \le 0,\ Q \vdash \langle x' = f(x) \,\&\, Q\rangle\, P}
\]

Proof Sketch (Appendix B.3).
Similar to the derivation of dV$_=$, dV$^M_=$ from dV≽. In this case, rule dV$_{\succcurlyeq\&}$ is used with ≽ being ≥, since $Q$ characterizes a closed set.

Corollary 20 (Set Lyapunov functions with domains [36]). The following proof rule is derivable in dL. Formula $K$ characterizes a compact set over variables $x$, while formula $P$ characterizes an open set over those variables.

\[
\mathrm{SLyap}_{\&}\;\;\frac{p \ge 0 \vdash K \qquad \neg P,\ K \vdash \dot p > 0}{p > 0 \vdash \langle x' = f(x) \,\&\, p > 0\rangle\, P}
\]

Proof Sketch (Appendix B.3).
Similar to the derivation of SLyap, but with an additional COR step, since both formulas $p > 0$ and $P$ characterize open sets.

The staging sets with domain constraints proof rule SP$_\&$ [39] uses axiom SAR:

Corollary 21 (Staging sets with domains [39]). The following proof rule is derivable in dL. Term $\varepsilon()$ is constant for ODE $x' = f(x)$, and the ODE has provable global solutions.

\[
\mathrm{SP}_{\&}\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, \neg(P \wedge Q)]\, S \qquad S \vdash Q \wedge p \le 0 \wedge \dot p \ge \varepsilon()}{\Gamma,\ \varepsilon() > 0 \vdash \langle x' = f(x) \,\&\, Q\rangle\, P}
\]

Proof Sketch (Appendix B.3).
The derivation starts with a SAR step, and then uses rule SP.

The rules derived in Corollaries 18–21 demonstrate the flexibility of dL's refinement approach for deriving the surveyed liveness arguments as proof rules. Indeed, their derivations are mostly straightforward adaptations of the corresponding rules presented in Section 5, with the appropriate addition of either a COR or SAR refinement step. This flexibility is not limited to the surveyed liveness arguments because refinement steps can also be freely mixed-and-matched for specific liveness questions.

Example 4. The liveness property $u + v = 1 \to \langle\alpha_n\rangle\, u + v \ge \_$ was proved in Example 3 using the closed annulus $S \equiv \_ \le u + v \le \_$ as staging set formula. Since $S$ and the goal $u + v \ge \_$ characterize closed sets, axiom COR extends the chain of refinements (2) from Example 3 to a stronger liveness property for $\alpha_n$:

\[
\langle \alpha_n, t' = 1\rangle\, (\neg S \vee t > 23) \;\xrightarrow{\ \mathrm{K}\langle\&\rangle\ }\; \langle\alpha_n\rangle\, \neg S \;\xrightarrow{\ \mathrm{K}\langle\&\rangle\ }\; \langle\alpha_n\rangle\, u + v \ge \_ \;\xrightarrow{\ \mathrm{COR}\ }\; \langle\alpha_n \,\&\, S\rangle\, u + v \ge \_
\]

The half-open annulus $\tilde S \equiv \_ \le u + v < \_$ (with the same bounds, but strict at the goal) also proves Example 3 but does not characterize a closed set. Thankfully, the careful topological restriction of COR prevents unsoundly concluding the property $u + v = 1 \to \langle\alpha_n \,\&\, \tilde S\rangle\, u + v \ge \_$. This latter property is unsatisfiable because $\tilde S$ does not overlap with the goal $u + v \ge \_$.

The refinement approach also enables the discovery of new, general liveness proof rules by combining refinement steps in alternative ways. As an example, the following chimeric proof rule combines ideas from Corollaries 14, 16, and 21:

Corollary 22 (Combination proof rule). The following proof rule is derivable in dL. Formula $S$ characterizes a compact set over variables $x$.

\[
\mathrm{SP}^{k}_{c\&}\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, \neg(P \wedge Q)]\, S \qquad S \vdash Q \wedge \dot p^{(k)} > 0}{\Gamma \vdash \langle x' = f(x) \,\&\, Q\rangle\, P}
\]

Proof Sketch (Appendix B.3).
The derivation combines ideas from the derivations of dV$^k_\succcurlyeq$ (generalizing dV≽ to higher derivatives), SP$_c$ (compact staging sets), and SP$_\&$ (refining domain constraints).

The logical approach of dL derives even complicated proof rules like SP$^k_{c\&}$ from a small set of sound logical axioms, which ensures their correctness. The proof rule E$_{c\&}$ below derives from SP$^k_{c\&}$ (for $k = 1$) and is adapted from the literature [35, Theorem 3.5], where additional restrictions were imposed on the sets characterized by $\Gamma, P, Q$, and different conditions were given compared to the left premise of E$_{c\&}$ (highlighted below). These original conditions were overly permissive, as they are checked on sets that are smaller than necessary for soundness. See Appendix C for counterexamples.

Corollary 23 (Compact eventuality [35]). The following proof rule is derivable in dL. Formula $Q \wedge \neg P$ characterizes a compact set over variables $x$.

\[
\mathrm{E}_{c\&}\;\;\frac{\Gamma \vdash [x' = f(x) \,\&\, \neg(P \wedge Q)]\, Q \qquad Q,\ \neg P \vdash \dot p > 0}{\Gamma \vdash \langle x' = f(x) \,\&\, Q\rangle\, P}
\]

Proof Sketch (Appendix B.3).
This derives from SP$^k_{c\&}$ (for $k = 1$), with $S \equiv Q \wedge \neg P$.

This section discusses an implementation of ODE existence and liveness proof rules in KeYmaera X, drawing on the refinement approach and the common refinement steps identified in the preceding sections. These proof rules are implemented as tactics in KeYmaera X [10], which are not soundness-critical. This arrangement allows the implementation of useful ODE liveness proof rules (Section 7.1) and their associated proof automation (Section 7.2), but with KeYmaera X's sound kernel as a safeguard against any implementation errors or mistakes in their derivations or side conditions. Nevertheless, for the sake of completeness, syntactic derivations of all liveness proof rules presented in this section are also given in Appendix B.4.

All of the concrete ODE liveness examples in this article and elsewhere [39] have been formally proved in KeYmaera X using this implementation. By leveraging existing infrastructure in KeYmaera X, the implementation can also be used as part of liveness proofs for hybrid systems. It has been used for the liveness proofs (among others) of a case study involving a robot model driving along circular arcs in the plane [4].
Atomic differential variants dV≽ is a useful primitive proof rule to implement in KeYmaera X because many ODE liveness arguments, e.g., dV$^M_=$ and SP, use it. From a practical perspective though, rule dV≽ as presented in Corollary 12 still requires users to provide a choice of the constant $\varepsilon()$; e.g., the proof in Example 2 uses a concrete numerical value for $\varepsilon()$. The following slight rephrasing of dV≽ enables a more automated implementation.

Corollary 24 (Existential atomic differential variants [25]). The following proof rule (where ≽ is either ≥ or >) is derivable in dL, where $\varepsilon$ is a fresh variable and ODE $x' = f(x)$ has provable global solutions.

\[
\mathrm{dV}^{\exists}_{\succcurlyeq}\;\;\frac{\Gamma \vdash \exists \varepsilon > 0\ \forall x\ \big(\neg(p \succcurlyeq 0) \to \dot p \ge \varepsilon\big)}{\Gamma \vdash \langle x' = f(x)\rangle\, p \succcurlyeq 0}
\]

Proof Sketch (Appendix B.4).
Rule dV$^\exists_\succcurlyeq$ derives from dV≽ as a corollary.

Just like rule dV≽, rule dV$^\exists_\succcurlyeq$ requires a positive lower bound $\varepsilon > 0$ on the derivative of $p$ along solutions. The difference is that rule dV$^\exists_\succcurlyeq$ asks a purely arithmetical question about the existence of a suitable choice for $\varepsilon$. This can be decided automatically to save user effort in identifying $\varepsilon$, but such automation comes at added computational cost because the decision procedure must now find a suitable instance of $\varepsilon$ for the $\exists$ quantifier (or decide that none exists) rather than simply checking a user-provided instance. Thus, both dV≽ and dV$^\exists_\succcurlyeq$ are implemented to give users flexible control over the desired degree of automation in their proofs.

Another variation of dV≽ is its semialgebraic generalization, i.e., where the goal region is described by a formula $P$ formed from conjunctions and disjunctions of (in)equalities. Rules dV$^M_=$ and SP provide examples of such a generalization, but they are indirect generalizations because users must still identify an underlying (atomic) differential variant $p$ as input when applying either rule. In contrast, the new semialgebraic generalization of dV≽ below directly examines the syntactic structure of the goal region described by formula $P$. Its implementation is enabled by KeYmaera X's ODE invariance proving capabilities, which are, in turn, based on dL's complete axiomatization for ODE invariants [31].

Corollary 25 (Semialgebraic differential variants). Let $b$ be a fresh variable, and term $\varepsilon()$ be constant for ODE $x' = f(x),\ t' = 1$.
Let $P$ be a semialgebraic formula in the following normal form ([31, Eq 5]), and $G_P$ be its corresponding $\varepsilon$-progress formula (also in normal form):

\[
P \equiv \bigvee_{i=0}^{M} \Big( \bigwedge_{j=0}^{m(i)} p_{ij} \ge 0 \;\wedge\; \bigwedge_{j=0}^{n(i)} q_{ij} > 0 \Big)
\]

\[
G_P \equiv \bigvee_{i=0}^{M} \Big( \bigwedge_{j=0}^{m(i)} p_{ij} - (b + \varepsilon()\,t) \ge 0 \;\wedge\; \bigwedge_{j=0}^{n(i)} q_{ij} - (b + \varepsilon()\,t) \ge 0 \Big)
\]

The following proof rule derives in dL, where ODE $x' = f(x)$ has provable global solutions, and $\dot{(\neg P)}^{(*)}$, $\dot{(G_P)}^{(*)}$ are semialgebraic progress formulas [31, Def. 6.4] with respect to $x' = f(x),\ t' = 1$.

\[
\mathrm{dV}\;\;\frac{\neg P,\ \dot{(\neg P)}^{(*)},\ G_P \vdash \dot{(G_P)}^{(*)}}{\Gamma,\ \varepsilon() > 0 \vdash \langle x' = f(x)\rangle\, P}
\]

Proof Sketch (Appendix B.4).
The derivation is similar to rule dVΓ≽, but replaces the use of rule dI≽ with the complete ODE invariance proof rule [31, Theorem 6.8]. The fresh variable $b$ is used to lower bound the value of all polynomials $p_{ij}, q_{ij}$ appearing in the description of $P$ along solutions of the ODE.

The intuition behind rule dV is similar to rule dV≽. As long as the solution has not yet reached the goal $P$, it grows towards the goal at "rate" $\varepsilon()$. The technical challenge is how to formally phrase the "rate" of growth for a semialgebraic formula $P$, which does not have a well-defined notion of derivative. Rule dV uses the $\varepsilon$-progress formula $G_P$, together with the semialgebraic progress formulas $\dot{(\neg P)}^{(*)}$, $\dot{(G_P)}^{(*)}$ and [31, Theorem 6.8] for this purpose. (The arithmetic formula $\dot{P}^{(*)}$ exactly characterizes that the ODE $x' = f(x)$ makes local progress in $P$ for some nonzero duration, see prior work [31, Thm. 6.6].) These give sufficient, although implicit, arithmetical conditions for proving liveness for $P$. More explicit arithmetical conditions can be obtained by unfolding the definitions of $\dot{(\neg P)}^{(*)}$, $\dot{(G_P)}^{(*)}$ from [31, Def. 6.4], as exemplified below.

Example 5. Consider the following liveness formula with two inequalities in its postcondition:

\[
\langle u' = -u\rangle\, (-1 \le u \wedge u \le 1) \tag{10}
\]

Using the min function, formula (10) can be written equivalently with a single atomic inequality:

\[
\langle u' = -u\rangle\, \min(1 - u,\ u + 1) \ge 0 \tag{11}
\]

However, (11) is not a formula of real arithmetic (Section 2.1) and it does not have well-defined dL semantics. Indeed, rule dV≽ does not work directly for proving (11) because the Lie derivative of its postcondition is not well-defined. One possible solution is to generalize dV≽ by considering directional derivatives of continuous (but non-differentiable) functions such as min, max, as in [39, Section 5.2]. However, justifying the correctness of this option would require delicate dL semantics. Rule dV instead proves (10) directly without requiring rephrasing, nor complications associated with directional derivatives. The proof is as follows, with $\varepsilon() = 1$ and $P \equiv u + 1 \ge 0 \wedge 1 - u \ge 0$, $G_P \equiv u + 1 - (b + t) \ge 0 \wedge 1 - u - (b + t) \ge 0$; each row follows from the row above it:

\[
\begin{array}{r@{\quad}l}
 & \ast \\
\mathbb{R} & u + 1 < 0 \vee 1 - u < 0,\ \ u + 1 - (b + t) \ge 0 \wedge 1 - u - (b + t) \ge 0 \ \vdash\ \big(u + 1 - (b + t) = 0 \to -u - 1 > 0\big) \wedge \cdots \\
 & \neg P,\ G_P \vdash \dot{(G_P)}^{(*)} \\
 & \neg P,\ \dot{(\neg P)}^{(*)},\ G_P \vdash \dot{(G_P)}^{(*)} \\
\mathrm{dV} & \vdash \langle u' = -u\rangle\, {-1} \le u \le 1
\end{array}
\]

The proof starts by using rule dV, where the assumption $\dot{(\neg P)}^{(*)}$ in its premise is weakened away as it is unnecessary for the proof. Unfolding the definition of $\dot{(G_P)}^{(*)}$ and simplifying leaves an arithmetical question. The right conjunct is omitted for brevity since the argument is symmetric. The left conjunct of the succedent proves with real arithmetic $\mathbb{R}$ because the assumptions $u + 1 - (b + t) = 0$ and $u + 1 - (b + t) \ge 0 \wedge 1 - u - (b + t) \ge 0$ imply $1 - u \ge u + 1$. This, in turn, implies $-u - 1 > 0$ using the assumption $u + 1 < 0 \vee 1 - u < 0$.

More generally, for a liveness postcondition comprising a conjunction of atomic inequalities $p \succcurlyeq 0 \wedge q \succcurlyeq 0$ (where ≽ is either ≥ or > in either conjunct), the premise resulting from applying dV simplifies in real arithmetic to the following arithmetical premise:

\[
\neg(p \succcurlyeq 0 \wedge q \succcurlyeq 0) \ \vdash\ (p < q \to \dot p > \varepsilon()) \wedge (p > q \to \dot q > \varepsilon()) \wedge (p = q \to \dot p > \varepsilon() \wedge \dot q > \varepsilon()) \tag{12}
\]

The arithmetical premise (12) is equivalent to the corresponding arithmetical conditions given in [39, Example 14], and both are decidable in real arithmetic. The intuition behind (12) is that whenever $p$ is further from the goal than $q$, then $p$ is required to make $\varepsilon$ progress towards the goal (symmetrically when $q$ is further than $p$ from the goal).
A similar simplification of dV for a disjunction $p \succcurlyeq 0 \vee q \succcurlyeq 0$ is shown in (13), which asks for the term closer to the goal to make $\varepsilon$ progress towards the goal instead. Further simplifications for semialgebraic formulas $P$ are obtained as nested combinations of (12) and (13).

\[
\neg(p \succcurlyeq 0 \vee q \succcurlyeq 0) \ \vdash\ (p < q \to \dot q > \varepsilon()) \wedge (p > q \to \dot p > \varepsilon()) \wedge (p = q \to \dot p > \varepsilon() \vee \dot q > \varepsilon()) \tag{13}
\]

The two variations of dV≽ shown in Corollaries 24 and 25 (and their implementation) allow users to focus on high-level liveness arguments in KeYmaera X rather than low-level derivation steps. Another key usability improvement afforded by the implementation is the sound and automatic enforcement of the appropriate side conditions for every proof rule. The common side conditions for ODE liveness proof rules presented in this article can be broadly classified as follows:

1. Freshness side conditions on variables, e.g., in rules dV≽, dV$^\exists_\succcurlyeq$, dV. These are automatically enforced in the implementation because KeYmaera X's kernel insists on fresh names when required for soundness. Renaming with fresh variables is also automatically supported.

2. Global existence of ODE solutions. These are semi-automatically proved, as in Section 7.2.

3. Topological side conditions, e.g., in axiom COR and rules dV$_{\succcurlyeq\&}$, dV$^M_{=\&}$. These conditions are important to enforce correctly because they may otherwise lead to subtle soundness errors (e.g., Section 6). The implementation uses syntactic criteria for checking these side conditions (Appendix A.3).

An example topological refinement axiom (Lemma 4) and its corresponding proof rule implemented in KeYmaera X with syntactic topological side conditions is given next.

Lemma 26 (Closed domain refinement axiom). The following topological ⟨·⟩ ODE refinement axiom is sound, where formula $Q$ characterizes a topologically closed set over variables $x$, and formula $\mathring{Q}$ characterizes the topological interior of the set characterized by $Q$.

\[
\mathrm{CR}\;\;\ \neg P \wedge [x' = f(x) \,\&\, R \wedge \neg P]\, \mathring{Q} \ \to\ \big( \langle x' = f(x) \,\&\, R\rangle\, P \to \langle x' = f(x) \,\&\, Q\rangle\, P \big)
\]

Corollary 27 (Closed domain refinement rule). The following proof rule is derivable in dL, where formula $Q$ is formed from finite conjunctions and disjunctions of non-strict inequalities $\ge, \le$, and formula $Q^{>}_{\ge}$ is identical to $Q$ but with strict inequalities $>, <$ in place of $\ge, \le$ respectively.

\[
\mathrm{cR}\;\;\frac{\Gamma \vdash Q \qquad \Gamma \vdash [x' = f(x) \,\&\, R \wedge \neg P \wedge Q]\, Q^{>}_{\ge} \qquad \Gamma \vdash \langle x' = f(x) \,\&\, R\rangle\, P}{\Gamma \vdash \langle x' = f(x) \,\&\, Q\rangle\, P}
\]

Axiom CR is a variant of axiom COR with different topological conditions. Like COR, these conditions allow formula $\neg P$ to be assumed in the domain constraint when proving the box refinement for CR. The corresponding proof rule cR gives syntactic side conditions for the formulas $Q, Q^{>}_{\ge}$, which are easily checked by the implementation; e.g., the formula $Q^{>}_{\ge}$ can be automatically generated from $Q$. The advantage of CR over COR and SAR manifests in the domain constraint of the middle premise of rule cR. Here, the closed domain constraint $Q$ can be additionally assumed when proving that solutions stay within $\mathring{Q}$. The implementation provides rule cR as a powerful primitive for refining domain constraints amongst other options, e.g., DR⟨·⟩.

Beyond enabling the sound implementation of complex ODE liveness proof rules such as those in Section 7.1, tactics can also provide substantial proof support for users.
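The Lie derivative computations behind Examples 2, 3 and 5 and the unfolded premises (12) and (13) of rule dV can be mechanised for polynomial terms. The following Python is an added example written for this page, not code from the paper or from KeYmaera X: it represents polynomials as dictionaries from exponent tuples to exact rationals, computes Lie derivatives along a polynomial vector field, and evaluates the consequent of (12) (conjunctive goal) or (13) (disjunctive goal) at sample states. Sampling can only refute a premise; establishing it is the real-arithmetic validity question that dL discharges by quantifier elimination. The instance $u' = -u$ with goal $-1 \le u \le 1$ is that of Example 5; the contrast ODEs $u' = -u^2$ and $u' = u$, the goal $u \ge 1 \vee -u \ge 1$ and the sample grid are constructed here for illustration.

```python
"""Lie derivatives and the unfolded dV premises (12)/(13).  Added example, not the
authors' code; the contrast ODEs and the sample grid below are constructed."""
from fractions import Fraction

# A polynomial is a dict {exponent tuple (one entry per variable): coefficient}.
def add(a, b):
    r = dict(a)
    for e, c in b.items():
        r[e] = r.get(e, 0) + c
    return {e: c for e, c in r.items() if c != 0}

def mul(a, b):
    r = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(i + j for i, j in zip(ea, eb))
            r[e] = r.get(e, 0) + ca * cb
    return {e: c for e, c in r.items() if c != 0}

def partial(a, i):
    """Partial derivative with respect to variable i."""
    r = {}
    for e, c in a.items():
        if e[i] > 0:
            d = e[:i] + (e[i] - 1,) + e[i + 1:]
            r[d] = r.get(d, 0) + c * e[i]
    return r

def lie(p, field):
    """Lie derivative of p along x' = f(x): sum_i (dp/dx_i) * f_i."""
    r = {}
    for i, f_i in enumerate(field):
        r = add(r, mul(partial(p, i), f_i))
    return r

def evaluate(a, x):
    total = Fraction(0)
    for e, c in a.items():
        term = Fraction(c)
        for xi, ei in zip(x, e):
            term *= Fraction(xi) ** ei
        total += term
    return total

def premise_holds_at(p, q, field, eps, x, mode="and"):
    """Consequent of (12) (mode "and": goal p>=0 /\\ q>=0) or (13) (mode "or":
    goal p>=0 \\/ q>=0) at state x, for non-strict atoms.  A state already in
    the goal satisfies the premise vacuously, since its antecedent is false."""
    pv, qv = evaluate(p, x), evaluate(q, x)
    in_goal = (pv >= 0 and qv >= 0) if mode == "and" else (pv >= 0 or qv >= 0)
    if in_goal:
        return True
    dp, dq = evaluate(lie(p, field), x), evaluate(lie(q, field), x)
    if mode == "and":               # (12): the term further from the goal must progress
        if pv < qv: return dp > eps
        if pv > qv: return dq > eps
        return dp > eps and dq > eps
    if pv < qv: return dq > eps     # (13): the term closer to the goal must progress
    if pv > qv: return dp > eps
    return dp > eps or dq > eps

def find_counterexample(p, q, field, eps, samples, mode="and"):
    """First sampled state violating the premise, or None.  None is only evidence:
    proving the premise for all states is a real-arithmetic QE question."""
    for x in samples:
        if not premise_holds_at(p, q, field, eps, x, mode):
            return x
    return None

# Example 5: u' = -u with goal -1 <= u <= 1, i.e. p = u+1 >= 0 /\ q = 1-u >= 0.
U = {(1,): Fraction(1)}
ONE = {(0,): Fraction(1)}
P_U = add(U, ONE)                                  # u + 1
Q_U = add(mul({(0,): Fraction(-1)}, U), ONE)       # 1 - u
FIELD_LIN = [{(1,): Fraction(-1)}]                 # u' = -u
FIELD_SQ = [{(2,): Fraction(-1)}]                  # u' = -u^2   (constructed contrast)
# Constructed disjunctive goal u >= 1 \/ -u >= 1 under u' = u, for premise (13).
P_OUT = {(1,): Fraction(1), (0,): Fraction(-1)}    # u - 1
Q_OUT = {(1,): Fraction(-1), (0,): Fraction(-1)}   # -u - 1
FIELD_EXP = [{(1,): Fraction(1)}]                  # u' = u
GRID = [(Fraction(k, 2),) for k in range(-8, 9)]   # u = -4, -3.5, ..., 4 (constructed)

if __name__ == "__main__":
    print(find_counterexample(P_U, Q_U, FIELD_LIN, 1, GRID))
    print(find_counterexample(P_U, Q_U, FIELD_SQ, 1, GRID))
    print(find_counterexample(P_OUT, Q_OUT, FIELD_EXP, 1, GRID, mode="or"))
```

For $u' = -u$ no sampled state refutes (12), matching the proof of Example 5. For $u' = -u^2$ the state $u = -4$ refutes it: the solution moves away from the goal there, so liveness genuinely fails. For the disjunctive goal under $u' = u$, (13) is refuted at $u = -1/2$ because the closer term $-u - 1$ only progresses at rate $1/2 < \varepsilon()$; (13) is sufficient, not necessary, so a refutation of the premise does not by itself refute liveness.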
Recall derived axiom GBEx from Corollary 10, which proves (global) existence of solutions for anODE x (cid:48) = f ( x ) . A user of the axiom must still identify precisely which dependency order (4) touse, and provide the sequence of bounded sets B i for each group of variables y i involving nonlinearODEs. The canonical choice of such a dependency order can be automatically produced by a tacticusing a topological sort of the strongly connected components (SCCs) of the dependency graphof the ODE. A strongly connected component of a directed graph is a maximal subset of vertices that are pairwise connectedby paths. x x x y x x y x y x x y Figure 2: A possible dependency graph corresponding to an ODE over the variables x , . . . , x .There is a directed edge (drawn as arrows) x i → x j if the ODE x (cid:48) i depends on free variable x j .Each dashed rectangle is a strongly connected component. Reverse topologically sorting thesecomponents yields one possible grouping of the variables y , . . . , y in dependency order. Thevertices in y are not connected to those in y , y , y , so the order between these groups can bechosen arbitrarily.More precisely, to prove global existence for an ODE x (cid:48) = f ( x ) , consider the dependencygraph G where each variable x i is a vertex and with a directed edge from x i to x j if the RHS f i ( x ) for x (cid:48) i depends on free variable x j . First, compute the SCCs of G , and then topologically sort theSCCs. The groups of variables y i can be chosen according to the vertices in each SCC in reversetopological order. An illustrative example with four SCCs is shown in Fig. 2.After finding the appropriate SCC order (as in Fig. 2), the global existence tactic can now checkif the ODEs corresponding to the variables in each SCC y i is affine and, if that is the case, it provesglobal existence for those variables automatically. 
For example, if the SCC y ≡ { x , x , x } had affine dependencies, then the ODE solution could be proved automatically to be global inthe variables x , x , x following the proof in Corollary 8. On the other hand, suppose the SCC y ≡ { x , x } had nonlinear dependencies, then users are prompted to input a bounded set (or abound on derivatives) over variables x , x in order to prove global existence for those variables.This process continues similarly for the SCCs y and y until global existence is proved for the fullODE. This process minimizes the manual effort required of the user in proving global existence byfocusing their attention only on the (automatically identified) nonlinear parts of the ODE.To drive global existence proof automation further, key special cases can be added to themethod described above. One such special case for univariate ODEs is exemplified below. Example . Consider the case where a variable group hasjust one variable and no further dependencies, e.g., y ≡ { x } in Fig. 2 or α b from Section 4.Global existence for such univariate ODEs is decidable, even if the RHS is highly nonlinear [14].The idea is from dynamical systems theory: for univariate polynomial ODEs, all solutionseither asymptotically approach a root of the polynomial RHS or diverge to infinity. Fig. 3 illustratesthe dynamical systems view of a univariate ODE. For all initial conditions x between points r and r (inclusive), the ODE solution exists globally. Conversely, for all other initial conditions, theODE blows up in finite time because f ( x ) is nonlinear. Therefore, for a nonlinear univariatepolynomial ODE x (cid:48) = f ( x ) and initial assumptions Γ , it suffices to check validity of the followingn Axiomatic Approach to Existence and Liveness for Differential Equations 31 xf ( x ) r r r Figure 3: An example univariate ODE x (cid:48) = f ( x ) viewed as a dynamical system by plotting theRHS f ( x ) (vertical axis) against x (horizontal axis). 
Points x on the horizontal axis evolve towardsthe right (red arrow) when f ( x ) ≥ , and towards the left (blue arrow) when f ( x ) ≤ . Thefixed points r , r , r are roots of the polynomial RHS (where f ( x ) = 0 ). These fixed points eitherattract trajectories like r , or repel them like r , r . Furthermore, all points on the horizontal axisevolve asymptotically towards exactly one fixed point or approach ±∞ .sequent to decide global existence: Γ (cid:96) ∃ r (cid:0) f ( r ) = 0 ∧ ( f ( x ) ≥ ∧ r ≥ x (cid:124) (cid:123)(cid:122) (cid:125) a (cid:13) ∨ f ( x ) ≤ ∧ r ≤ x (cid:124) (cid:123)(cid:122) (cid:125) b (cid:13) ) (cid:1) The existentially quantified variable r corresponds to a fixed point (a root with f ( r ) = 0 ).Disjunct a (cid:13) checks whether the solution approaches r from the left, e.g., the points between r and r in Fig. 3 approach r from the left. Alternatively, disjunct b (cid:13) checks whether the solutionapproaches r from the right. The implementation checks validity of this sequent for univariatenonlinear ODEs and then proves global existence using BDG (cid:104)·(cid:105) because the solution is provablytrapped between the initial value of x and the fixed point r . Differential cuts dC provide a convenient way to structure and stage safety proofs for ODEs in dL . An in-depth discussion is available elsewhere [30], but the idea is illustrated by the followingderivation: Γ (cid:96) [ x (cid:48) = f ( x ) & Q ] C . . . Q ∧ C ∧ C ∧ · · · ∧ C n (cid:96) P dW ... dC Γ (cid:96) [ x (cid:48) = f ( x ) & Q ∧ C ∧ C ] P dC Γ (cid:96) [ x (cid:48) = f ( x ) & Q ∧ C ] P dC Γ (cid:96) [ x (cid:48) = f ( x ) & Q ] P The derivation uses a sequence of differential cut steps to progressively add the cuts C , C , . . . , C n to the domain constraint. A final dW step completes the proof when the postcondition P isalready implied by the (now strengthened) domain constraint. Intuitively, the differential cuts areakin to lemmas in this derivation. 
For example, by proving the premise Γ ⊢ [x′ = f(x) & Q]C_1, the cut C_1 can now be assumed in the domain constraints of subsequent steps. Just like the cut rule from sequent calculus, differential cuts dC allow safety proofs for ODEs to be staged through a sequence of lemmas about those ODEs.

For proof modularity and maintainability, it is desirable to enable a similar staging for ODE liveness proofs. Concretely, suppose that the formula [x′ = f(x) & Q]C has been proved as a cut:

$$\text{cut}\;\dfrac{\Gamma \vdash [x'=f(x)\,\&\,Q]\,C \qquad \cdots}{\Gamma \vdash \langle x'=f(x)\,\&\,Q\rangle P}$$

The challenge is how to (soundly) use this lemma in subsequent derivation steps (shown as ···). Note that naïvely replacing Q with Q ∧ C in the domain constraint of the succedent does not work. This may even do more harm than good because the resulting ODE liveness question becomes more difficult (Section 6).

The refinement-based approach to ODE liveness provides a natural answer. Recall that each refinement step in the chain (2) requires the user to prove an additional box modality formula. The insight is that, for these box modality formulas, any relevant lemmas that have been proved can be soundly added to the domain constraint. For example, suppose that rule K⟨&⟩ is used to continue the proof after the cut. The left premise of K⟨&⟩ can now be strengthened to include C in its domain constraint:

$$
\text{K}\langle\&\rangle\;
\dfrac{\text{dC}\;\dfrac{\Gamma, [x'=f(x)\,\&\,Q]\,C \vdash [x'=f(x)\,\&\,Q \wedge \neg P \wedge C]\,\neg G}{\Gamma, [x'=f(x)\,\&\,Q]\,C \vdash [x'=f(x)\,\&\,Q \wedge \neg P]\,\neg G}
\qquad
\Gamma, [x'=f(x)\,\&\,Q]\,C \vdash \langle x'=f(x)\,\&\,Q\rangle G}
{\Gamma, [x'=f(x)\,\&\,Q]\,C \vdash \langle x'=f(x)\,\&\,Q\rangle P}
$$

Users could manually track and apply lemmas using dC as shown above, but this quickly becomes tedious in larger liveness proofs.
The implementation instead provides users with tactics that automatically search the antecedents Γ for compatible assumptions that can be used to strengthen the domain constraints. These tactics also use a form of ODE unification when determining compatibility. More precisely, consider the box modality formula [x′ = f(x) & Q]P, which may arise as a box refinement during a liveness proof. The antecedent formula [y′ = g(y) & R]C is called a compatible assumption for [x′ = f(x) & Q]P if:

1. The set of ODEs y′ = g(y) is a subset of the set of ODEs x′ = f(x). This is order-agnostic, e.g., the ODE u′ = v, v′ = u is a subset of the ODE v′ = u, u′ = v, w′ = u + v + w.
2. The domain constraint Q implies domain constraint R, i.e., Q → R is valid.

Under these conditions, the ODE y′ = g(y) & R permits more trajectories than the ODE of concern x′ = f(x) & Q. Thus, if formula C is always true along solutions of the former ODE, then it also stays true along solutions of the latter. Combining compatible assumptions with implementations of liveness proof rules yields turbo-charged versions of those rules. For example, in rule dV∃≽, instead of simply assuming the negation of the postcondition ¬(p ≽ 0 → ···) when determining the existence of suitable ε, all postconditions of compatible assumptions can be assumed, e.g., with ¬(p ≽ 0 ∧ C → ···) for postcondition C of a compatible assumption.

Existence and Liveness Proof Rules.
The ODE liveness arguments surveyed in this article were originally presented in various notations, ranging from proof rules [25, 39, 41] to other mathematical notation [34, 35, 36, 39]. All of them were justified directly through semantical or mathematical means. This article unifies and corrects all of these arguments, and presents them as dL proof rules which are syntactically derived by refinement from dL axioms.

To the best of our knowledge, this article is also the first to present a deductive approach for syntactic proofs of existence properties for ODEs. In the surveyed liveness arguments [25, 34, 35, 36, 39, 41], sufficient existence duration is either assumed explicitly or is implicitly used in the correctness proofs. Such a hypothesis is unsatisfactory, since the global existence of solutions for (nonlinear) ODEs is a non-trivial question; in fact, it is undecidable even for polynomial ODEs [14]. Formal proofs of any underlying existence assumptions thus yield stronger (unconditional) ODE liveness proofs. Of course, such existence properties are an additional proof burden, but Section 7 also shows that implementations can help by automating easy existence questions, e.g., for affine systems where global existence is well-known. A related problem arising in the study of hybrid systems is Zeno phenomena [18, 44], where a trajectory of a hybrid model makes infinitely many (discrete) transitions in finite (continuous) time. Like finite time blow up, Zeno phenomena typically occur as abstraction artifacts of hybrid systems models, and they do not occur in real systems. Thus, analogous to the question of global existence, absence of Zeno phenomena must either be assumed (or Zeno trajectories explicitly excluded) [18, 25], or proved when specifying and verifying properties of such systems [44].
Other Liveness Properties.
The liveness property studied in this article is the continuous analog of eventually [22] or eventuality [35, 39] from temporal logics. In discrete settings, temporal logic specifications give rise to a zoo of liveness properties [22]. In continuous settings, weak eventuality (requiring almost all initial states to reach the goal region) and eventuality-safety have been studied [34, 35]. In adversarial settings, differential game variants [29] enable proofs of winning strategies for differential games. In dynamical systems and controls, the study of asymptotic stability requires both stability (an invariance property) with asymptotic attraction towards a fixed point or periodic orbit (an eventuality-like property) [6, 36]. For hybrid systems, various authors have proposed generalizations of classical asymptotic stability, such as persistence [40], stability [32], and inevitability [8]. Controlled versions of these properties are also of interest, e.g., (controlled) reachability and attractivity [1, 41]. Eventuality(-like) properties are fundamental to all of these advanced liveness properties. The formal understanding of eventuality in this article is therefore a key step towards enabling formal analysis of more advanced liveness properties.
Automated Liveness Proofs.
Automated reachability analysis tools [5, 9] can also be used for liveness verification. For an ODE and initial set X, computing an over-approximation O of the reachable set X_t ⊆ O at time t shows that all states in X reach O at time t [40] (if solutions do not blow up). Similarly, an under-approximation U ⊆ X_t shows that some state in X eventually reaches U [13] (if U is non-empty). Neither approach handles domain constraints directly [13, 40] and, unlike deductive approaches, the use of reachability tools limits them to concrete time bounds t and bounded initial sets X. Deductive liveness approaches can also be (partially) automated, as shown in Section 7. Lyapunov functions guaranteeing (asymptotic) stability can be found by sum-of-squares (SOS) optimization [24]. Liveness arguments can be similarly combined with SOS optimization to find suitable differential variants [34, 35]. Other approaches are possible, e.g., a constraint solving-based approach can be used for finding the so-called set Lyapunov functions [36] (e.g., the term p used in SLyap, SLyap&). Crucially, automated approaches must ultimately be based on sound underlying liveness arguments. The correct justification of these arguments is precisely what this article enables.

This article presents a refinement-based approach for proving liveness and, as a special case, global existence properties for ODEs in dL. The associated KeYmaera X implementation demonstrates the utility of this approach for formally proving concrete ODE liveness questions. Beyond the particular proof rules derived in the article, the exploration of new and more general ODE liveness proof rules is enabled by simply piecing together more refinement steps in dL, or in the KeYmaera X implementation of those steps. Given its wide applicability and correctness guarantees, this approach is a suitable framework for justifying ODE liveness arguments, even for readers less interested in the logical aspects.

Acknowledgments.
The authors thank members of the Logical Systems Lab at Carnegie Mellon University for their feedback on the KeYmaera X implementation, and Katherine Cordwell, Frank Pfenning, Andrew Sogokon, and the FM'19 anonymous reviewers for their feedback on the earlier conference version. This material is based upon work supported by the Alexander von Humboldt Foundation and the AFOSR under grant number FA9550-16-1-0288. The first author was also supported by A*STAR, Singapore. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.
A Proof Calculus
This appendix presents the dL proof calculus that underlies the refinement approach of this article. For ease of reference, all of the core axioms and proof rules presented in the main article are summarized here, along with their proofs (where necessary).

A.1 Base Calculus
The following lemma summarizes the base dL axioms and proof rules used in this article. Lemma 28 subsumes Lemma 1 with the addition of the differential ghost axiom (DG from Section 2.3) and three axioms ([·]∧, DMP, DX). The latter three additions are used in derivations in Appendix B.

Lemma 28 (Axioms and proof rules of dL [28, 30, 31]). The following are sound axioms and proof rules of dL. In axiom DG, the ∃ quantifier can be replaced with a ∀ quantifier.

$$\langle\cdot\rangle\quad \langle\alpha\rangle P \leftrightarrow \neg[\alpha]\neg P$$

$$\text{K}\quad [\alpha](R \to P) \to ([\alpha]R \to [\alpha]P)$$

$$\text{dI}_{\succcurlyeq}\;\dfrac{Q \vdash \dot p \geq \dot q}{\Gamma, p \succcurlyeq q \vdash [x'=f(x)\,\&\,Q]\,p \succcurlyeq q}\quad(\text{where } \succcurlyeq \text{ is either } \geq \text{ or } >)$$

$$\text{dC}\;\dfrac{\Gamma \vdash [x'=f(x)\,\&\,Q]\,C \qquad \Gamma \vdash [x'=f(x)\,\&\,Q \wedge C]\,P}{\Gamma \vdash [x'=f(x)\,\&\,Q]\,P}$$

$$\text{M}[']\;\dfrac{Q, R \vdash P \qquad \Gamma \vdash [x'=f(x)\,\&\,Q]\,R}{\Gamma \vdash [x'=f(x)\,\&\,Q]\,P}$$

$$\text{dW}\;\dfrac{Q \vdash P}{\Gamma \vdash [x'=f(x)\,\&\,Q]\,P}$$

$$\text{M}\langle'\rangle\;\dfrac{Q, R \vdash P \qquad \Gamma \vdash \langle x'=f(x)\,\&\,Q\rangle R}{\Gamma \vdash \langle x'=f(x)\,\&\,Q\rangle P}$$

$$\text{DG}\quad [x'=f(x)\,\&\,Q(x)]\,P(x) \leftrightarrow \exists y\,[x'=f(x), y'=a(x)y+b(x)\,\&\,Q(x)]\,P(x)$$

$$[\cdot]\wedge\quad [\alpha](P \wedge R) \leftrightarrow [\alpha]P \wedge [\alpha]R$$

$$\text{DMP}\quad [x'=f(x)\,\&\,Q](Q \to R) \to \big([x'=f(x)\,\&\,R]\,P \to [x'=f(x)\,\&\,Q]\,P\big)$$

$$\text{DX}\quad [x'=f(x)\,\&\,Q]\,P \leftrightarrow \big(Q \to P \wedge [x'=f(x)\,\&\,Q]\,P\big)\quad(x' \notin P, Q)$$

Proof of Lemma 28 (implies Lemma 1).
The soundness of all axioms and proof rules in Lemma 28 is proved elsewhere [28, 30, 31]. Axiom [·]∧ derives from axiom K [28, 30]. It commutes box modalities and their conjunctive postconditions because the conjunction P ∧ R is true after all runs of hybrid program α iff the individual conjuncts P, R are themselves true after all runs of α. Axiom DMP is the modus ponens principle for domain constraints. The differential skip axiom DX is a reflexivity property of differential equation solutions. The "←" direction says if domain constraint Q is initially false, then the formula [x′ = f(x) & Q]P is trivially true in that initial state because no solution of the ODE stays in the domain constraint. Thus, this direction of DX allows domain constraint Q to be assumed true initially when proving [x′ = f(x) & Q]P (shown below, on the left). The "→" direction has the following equivalent contrapositive reading using ⟨·⟩ and propositional simplification: Q ∧ P → ⟨x′ = f(x) & Q⟩P, i.e., if the domain constraint Q and postcondition P were both true initially, then ⟨x′ = f(x) & Q⟩P is true because of the trivial solution of duration zero. When proving the liveness property ⟨x′ = f(x) & Q⟩P, one can therefore always additionally assume ¬(Q ∧ P) because, by DX, there is nothing to prove otherwise (shown below, on the right).

$$\text{DX}\;\dfrac{\Gamma, Q \vdash [x'=f(x)\,\&\,Q]\,P}{\Gamma \vdash [x'=f(x)\,\&\,Q]\,P}
\qquad\qquad
\text{DX}\;\dfrac{\Gamma, \neg(Q \wedge P) \vdash \langle x'=f(x)\,\&\,Q\rangle P}{\Gamma \vdash \langle x'=f(x)\,\&\,Q\rangle P}$$

Rule dGt from Section 4 is useful for adding a fresh time variable t in ODE existence and liveness proofs.
It derives as shown below, using axiom ⟨·⟩ to switch between the box and diamond modalities, and using DG to introduce a universally quantified time variable t which is then instantiated using ∀L to t = 0.

Rule:

$$\text{dGt}\;\dfrac{\Gamma, t = 0 \vdash \langle x'=f(x), t'=1\,\&\,Q\rangle P}{\Gamma \vdash \langle x'=f(x)\,\&\,Q\rangle P}$$

Derivation:

$$
\langle\cdot\rangle, \neg\text{R}\;
\dfrac{\text{DG}\;\dfrac{\forall\text{L}\;\dfrac{\langle\cdot\rangle, \neg\text{L}\;\dfrac{\Gamma, t = 0 \vdash \langle x'=f(x), t'=1\,\&\,Q\rangle P}{\Gamma, t = 0, [x'=f(x), t'=1\,\&\,Q]\,\neg P \vdash \mathit{false}}}{\Gamma, \forall t\,[x'=f(x), t'=1\,\&\,Q]\,\neg P \vdash \mathit{false}}}{\Gamma, [x'=f(x)\,\&\,Q]\,\neg P \vdash \mathit{false}}}
{\Gamma \vdash \langle x'=f(x)\,\&\,Q\rangle P}
$$

The bounded differential ghost axiom BDG from Lemma 2 (quoted and proved below) is a new vectorial generalization of DG which allows differential ghosts with provably bounded ODEs to be added.

$$\text{BDG}\quad [x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,\|y\|^2 \leq p(x) \to \big([x'=f(x)\,\&\,Q(x)]\,P(x) \leftrightarrow [x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,P(x)\big)$$

Proof of Lemma 2.
The proof of BDG is similar to that for the differential ghosts axiom [28], but generalizes it to support vectorial, nonlinear ODEs by adding a precondition on boundedness of solutions. Let y be a vector of m fresh variables and y′ = g(x, y) be its corresponding vector of ghost ODEs. Both directions of the (inner) equivalence of axiom BDG are proved separately.

"→" The (easier) "→" direction does not require the outer bounding assumption of BDG, i.e., the implication [x′ = f(x) & Q(x)]P(x) → [x′ = f(x), y′ = g(x, y) & Q(x)]P(x) is valid for any ODE y′ = g(x, y) meeting the freshness condition on y. The proof for this direction is identical to the proof of soundness for differential ghosts [28, Theorem 38].

"←" In the "←" direction, consider an initial state ω ∈ 𝕊 and let ϕ : [0, T) → 𝕊, 0 < T ≤ ∞ be the unique, right-maximal solution [6, 43] to the ODE x′ = f(x) with initial value ϕ(0) = ω. Similarly, let ϕ_y : [0, T_y) → 𝕊, 0 < T_y ≤ ∞ be the unique, right-maximal solution to the ODE x′ = f(x), y′ = g(x, y) with initial value ϕ_y(0) = ω. Assume that ω satisfies both assumptions on the left of the implications in BDG, i.e.,

$$\omega \in [\![\,[x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,\|y\|^2 \leq p(x)\,]\!] \tag{14}$$

$$\omega \in [\![\,[x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,P(x)\,]\!] \tag{15}$$

To show ω ∈ [[[x′ = f(x) & Q(x)]P(x)]], unfold the box modality and consider any finite time τ with 0 ≤ τ < T where ϕ(ζ) ∈ [[Q(x)]] for all 0 ≤ ζ ≤ τ. It is proved further below that (⋆): τ < T_y. By uniqueness, ϕ, ϕ_y agree on the values of x on their common existence interval, which includes the time interval [0, τ] by (⋆). Therefore, by coincidence for terms and formulas [28], ϕ_y(ζ) ∈ [[Q(x)]] for all 0 ≤ ζ ≤ τ. Thus, by (15), ϕ_y(τ) ∈ [[P(x)]] and by coincidence for formulas [28], ϕ(τ) ∈ [[P(x)]].

In order to prove (⋆), suppose for contradiction that T_y ≤ τ. Let x(·) : [0, T) → ℝⁿ denote the projection of solution ϕ onto its x coordinates, and let p(x(·)) : [0, T) → ℝ denote the evaluation of term p along x(·). Since the projection x(·) and its composition with a polynomial evaluation function p(x(·)) are continuous in t [28], p(x(·)) is bounded above by (and attains) its maximum value p_max ∈ ℝ on the compact interval [0, τ].

Let y(·) : [0, T_y) → ℝᵐ similarly denote the projection of ϕ_y onto its y coordinates and ‖y(·)‖² denote the squared norm evaluated along y(·). Since T_y ≤ τ < T, note that y(·) must be the unique right-maximal solution of the time-dependent differential equation y′ = g(x(t), y). Otherwise, if there is a longer solution ψ : [0, ζ) → ℝᵐ for y′ = g(x(t), y) which exists for time ζ with T_y < ζ ≤ T, then the combined solution given by (x(t), ψ(t)) : [0, ζ) → ℝⁿ × ℝᵐ extends ϕ_y beyond T_y (by keeping all variables other than x, y constant at their initial values in state ω). This contradicts right-maximality of ϕ_y. Moreover, since T_y ≤ τ, for all times 0 ≤ ζ < T_y, by assumption, ϕ(ζ) ∈ [[Q(x)]], so the solution ϕ_y satisfies ϕ_y(ζ) ∈ [[Q(x)]] by coincidence for formulas [28]. Thus, from (14), for all times 0 ≤ ζ < T_y, the squared norm is bounded by p_max:

$$\|y(\zeta)\|^2 \leq p(x(\zeta)) \leq p_{\max}$$

Hence y(·) remains trapped within the compact ℝᵐ ball of radius √p_max on [0, T_y). By [6, Theorem 1.4], and right-maximality of y(·) for the time-dependent ODE y′ = g(x(t), y), the domain of definition of solution y(·) is equal to the domain of definition of y′ = g(x(t), y), i.e., T_y = T, which contradicts T_y ≤ τ < T.

The following lemma presents additional dL ODE invariance proof rules that are used in the derivations in Appendix B. These invariance proof rules are not the main focus of this article but they are nevertheless useful for simplifying or deriving the premises of this article's existence and liveness proof rules.
Lemma 29 (ODE invariance proof rules of dL [31]). The following are derived ODE invariance proof rules of dL. In rule dbx≽, g is any polynomial cofactor term. In rule sAI&, $\dot{Q}^{(*)}, \dot{P}^{(*)}, \dot{Q}^{-(*)}, \dot{(\neg P)}^{-(*)}$ are semialgebraic progress formulas [31, Def. 6.4] with respect to x′ = f(x). In rule Enc, formula P is formed from finite conjunctions and disjunctions of strict inequalities >, <, and formula $P^{\geq}_{>}$ is identical to P but with non-strict inequalities ≥, ≤ in place of >, < respectively.

$$\text{dbx}_{\succcurlyeq}\;\dfrac{Q \vdash \dot p \geq g p}{p \succcurlyeq 0 \vdash [x'=f(x)\,\&\,Q]\,p \succcurlyeq 0}\quad(\text{where } \succcurlyeq \text{ is either } \geq \text{ or } >)$$

$$\text{sAI}\&\;\dfrac{P, Q, \dot{Q}^{(*)} \vdash \dot{P}^{(*)} \qquad \neg P, Q, \dot{Q}^{-(*)} \vdash \dot{(\neg P)}^{-(*)}}{P \vdash [x'=f(x)\,\&\,Q]\,P}$$

$$\text{Barr}\;\dfrac{Q, p = 0 \vdash \dot p > 0}{p \succcurlyeq 0 \vdash [x'=f(x)\,\&\,Q]\,p \succcurlyeq 0}\quad(\text{where } \succcurlyeq \text{ is either } \geq \text{ or } >)$$

$$\text{Enc}\;\dfrac{\Gamma \vdash P^{\geq}_{>} \qquad \Gamma \vdash [x'=f(x)\,\&\,Q \wedge P^{\geq}_{>}]\,P}{\Gamma \vdash [x'=f(x)\,\&\,Q]\,P}$$

Proof.
These ODE invariance proof rules are all derived from the complete dL axiomatization for ODE invariants [31]. Rule dbx≽ is the Darboux inequality proof rule for the invariance of p ≽ 0 which derives using dI≽, dC, DG, see [31, Section 3.2] for an extensive explanation of the proof rule. Rule sAI& is dL's complete proof rule for ODE invariants, i.e., the formula P is invariant for ODE x′ = f(x) & Q iff it proves by rule sAI&. For closed (resp. open) semialgebraic formulas P, the right (resp. left) premise of rule sAI& closes trivially [31]. This simplification is useful for obtaining more succinct proof rules, e.g., rule dV makes use of it. Rule Barr is a dL rendition of the strict barrier certificates proof rule [7, 33] for invariance of p ≽ 0. Intuitively, the premise says that p = 0 is a barrier along which the value of p is increasing along solutions (succedent ṗ > 0), so it is impossible for solutions starting from p ≽ 0 to cross this barrier into p ≺ 0. It derives as a special case of rule sAI&. Finally, rule Enc says that, in order to prove invariance for formula P which characterizes an open set, it suffices to prove it assuming $P^{\geq}_{>}$ in the domain constraint, where $P^{\geq}_{>}$ relaxes all strict inequalities in P and thus provides an over-approximation of the topological closure of the set characterized by P.

A.2 Refinement Calculus
The following ODE liveness refinement axioms are quoted from Lemma 3, and their syntactic derivations in the dL proof calculus are given below.

$$\text{K}\langle\&\rangle\quad [x'=f(x)\,\&\,Q \wedge \neg P]\,\neg G \to \big(\langle x'=f(x)\,\&\,Q\rangle G \to \langle x'=f(x)\,\&\,Q\rangle P\big)$$

$$\text{DR}\langle\cdot\rangle\quad [x'=f(x)\,\&\,R]\,Q \to \big(\langle x'=f(x)\,\&\,R\rangle P \to \langle x'=f(x)\,\&\,Q\rangle P\big)$$

$$\text{BDG}\langle\cdot\rangle\quad [x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,\|y\|^2 \leq p(x) \to \big(\langle x'=f(x)\,\&\,Q(x)\rangle P(x) \to \langle x'=f(x), y'=g(x,y)\,\&\,Q(x)\rangle P(x)\big)$$

$$\text{DDG}\langle\cdot\rangle\quad [x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,2y\cdot g(x,y) \leq L(x)\|y\|^2 + M(x) \to \big(\langle x'=f(x)\,\&\,Q(x)\rangle P(x) \to \langle x'=f(x), y'=g(x,y)\,\&\,Q(x)\rangle P(x)\big)$$

Proof of Lemma 3.
The four axioms are derived in order.

K⟨&⟩ Axiom K⟨&⟩ is derived as follows, starting with ⟨·⟩, ¬L, ¬R to dualize the diamond modalities in the antecedent and succedent to box modalities. A dC step using the right antecedent completes the proof.

$$
\langle\cdot\rangle, \neg\text{L}, \neg\text{R}\;
\dfrac{\text{dC}\;\dfrac{\ast}{[x'=f(x)\,\&\,Q \wedge \neg P]\,\neg G,\ [x'=f(x)\,\&\,Q]\,\neg P \vdash [x'=f(x)\,\&\,Q]\,\neg G}}
{[x'=f(x)\,\&\,Q \wedge \neg P]\,\neg G,\ \langle x'=f(x)\,\&\,Q\rangle G \vdash \langle x'=f(x)\,\&\,Q\rangle P}
$$

DR⟨·⟩ Axiom DR⟨·⟩ similarly derives from axiom DMP with ⟨·⟩ [31].

BDG⟨·⟩ Axiom BDG⟨·⟩ derives from axiom BDG after using axiom ⟨·⟩ to dualize diamond modalities to box modalities. The leftmost antecedent is abbreviated:

$$R \equiv [x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,\|y\|^2 \leq p(x)$$

$$
\langle\cdot\rangle, \neg\text{L}, \neg\text{R}\;
\dfrac{\text{BDG}\;\dfrac{\ast}{R,\ [x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,\neg P(x) \vdash [x'=f(x)\,\&\,Q(x)]\,\neg P(x)}}
{R,\ \langle x'=f(x)\,\&\,Q(x)\rangle P(x) \vdash \langle x'=f(x), y'=g(x,y)\,\&\,Q(x)\rangle P(x)}
$$

DDG⟨·⟩
Axiom DDG⟨·⟩ derives as a differential version of axiom BDG⟨·⟩ with the aid of DG. The derivation starts with ⟨·⟩, ¬L, ¬R to turn diamond modalities in the sequent to box modalities. Axiom DG then introduces fresh ghost ODE z′ = L(x)z + M(x), where the antecedents are universally quantified over ghost variable z while the succedent is existentially quantified. The quantifiers are then instantiated using ∀L, ∃R, with z = ‖y‖² so that z stores the initial value of the squared norm of y. Axiom BDG is used with y′ = g(x, y) as the ghost ODEs and with p(x, z) ≡ z. The antecedents are abbreviated:

$$R \equiv [x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,2y\cdot g(x,y) \leq L(x)\|y\|^2 + M(x)$$

$$R_z \equiv [x'=f(x), y'=g(x,y), z'=L(x)z+M(x)\,\&\,Q(x)]\,2y\cdot g(x,y) \leq L(x)\|y\|^2 + M(x)$$

$$S \equiv [x'=f(x), y'=g(x,y)\,\&\,Q(x)]\,\neg P(x)$$

$$S_z \equiv [x'=f(x), y'=g(x,y), z'=L(x)z+M(x)\,\&\,Q(x)]\,\neg P(x)$$

$$
\langle\cdot\rangle, \neg\text{L}, \neg\text{R}\;
\dfrac{\text{DG}\;\dfrac{\forall\text{L}, \exists\text{R}\;\dfrac{\text{BDG}\;\dfrac{z = \|y\|^2,\ R_z \vdash [x'=f(x), y'=g(x,y), z'=L(x)z+M(x)\,\&\,Q(x)]\,\|y\|^2 \leq z}{z = \|y\|^2,\ R_z,\ S_z \vdash [x'=f(x), z'=L(x)z+M(x)\,\&\,Q(x)]\,\neg P(x)}}{\forall z\,R_z,\ \forall z\,S_z \vdash \exists z\,[x'=f(x), z'=L(x)z+M(x)\,\&\,Q(x)]\,\neg P(x)}}{R,\ S \vdash [x'=f(x)\,\&\,Q(x)]\,\neg P(x)}}
{R,\ \langle x'=f(x)\,\&\,Q(x)\rangle P(x) \vdash \langle x'=f(x), y'=g(x,y)\,\&\,Q(x)\rangle P(x)}
$$

From the resulting open premise, a dC step adds the postcondition of R_z to the domain constraint of the succedent, while M[′] rearranges the postcondition into the form expected by rule dbx≽. The proof is completed using dbx≽ with cofactor g = L(x). The resulting arithmetic proves because the Lie derivative of z − ‖y‖² is bounded above by the following calculation, where the inequality from the domain constraint is used in the second step.

$$\mathcal{L}_{x'=f(x),\,y'=g(x,y),\,z'=L(x)z+M(x)}\big(z - \|y\|^2\big) = L(x)z + M(x) - 2y\cdot g(x,y) \geq L(x)z + M(x) - \big(L(x)\|y\|^2 + M(x)\big) = L(x)\big(z - \|y\|^2\big)$$

The ODEs x′ = f(x), y′ = g(x, y), z′ = L(x)z + M(x) are abbreviated ··· in the derivation below.

$$
\text{dC}\;
\dfrac{\text{M}[']\;\dfrac{\text{dbx}_{\succcurlyeq}\;\dfrac{\mathbb{R}\;\dfrac{\ast}{2y\cdot g(x,y) \leq L(x)\|y\|^2 + M(x) \vdash L(x)z + M(x) - 2y\cdot g(x,y) \geq L(x)(z - \|y\|^2)}}{z = \|y\|^2 \vdash [\cdots\,\&\,Q(x) \wedge 2y\cdot g(x,y) \leq L(x)\|y\|^2 + M(x)]\,z - \|y\|^2 \geq 0}}{z = \|y\|^2 \vdash [\cdots\,\&\,Q(x) \wedge 2y\cdot g(x,y) \leq L(x)\|y\|^2 + M(x)]\,\|y\|^2 \leq z}}
{z = \|y\|^2,\ R_z \vdash [\cdots\,\&\,Q(x)]\,\|y\|^2 \leq z}
$$

The following ⟨·⟩ ODE refinement axioms are quoted from Lemmas 4 and 26. The topological side conditions for these axioms are listed in Lemmas 4 and 26 respectively. For semialgebraic postcondition P and domain constraints Q, R, these refinement axioms derive syntactically from dL's real induction axiom [31, Lemma A.2].
For the sake of generality, the proofs below directly use the topological conditions.

$$\text{COR}\quad \neg P \wedge [x'=f(x)\,\&\,R \wedge \neg P]\,Q \to \big(\langle x'=f(x)\,\&\,R\rangle P \to \langle x'=f(x)\,\&\,Q\rangle P\big)$$

$$\text{CR}\quad \neg P \wedge [x'=f(x)\,\&\,R \wedge \neg P]\,\mathring{Q} \to \big(\langle x'=f(x)\,\&\,R\rangle P \to \langle x'=f(x)\,\&\,Q\rangle P\big)$$

$$\text{SAR}\quad [x'=f(x)\,\&\,R \wedge \neg(P \wedge Q)]\,Q \to \big(\langle x'=f(x)\,\&\,R\rangle P \to \langle x'=f(x)\,\&\,Q\rangle P\big)$$

Proof of Lemmas 4 and 26.
Let ω ∈ 𝕊 and ϕ : [0, T) → 𝕊, 0 < T ≤ ∞ be the unique, right-maximal solution [6, 43] to the ODE x′ = f(x) with initial value ϕ(0) = ω. By definition, ϕ is differentiable, and therefore continuous. This proof uses the fact that preimages under continuous functions of open sets are open [37, Theorem 4.8]. In particular, for an open set O, if ϕ(t) ∈ O at some time 0 ≤ t < T then the preimage of a sufficiently small open ball O_ε ⊆ O centered at ϕ(t) is open. Thus, if t > 0, then ϕ stays in the open set O for some open time interval around t, i.e., for some ε > 0:

$$\varphi(\zeta) \in O \text{ for all } t - \varepsilon \leq \zeta \leq t + \varepsilon \tag{16}$$

In case t = 0, the time interval in (16) is truncated to the left with ϕ(ζ) ∈ O for all 0 ≤ ζ < t + ε.

For the soundness proof of axioms COR, CR, and SAR, assume that ω ∈ [[⟨x′ = f(x) & R⟩P]], i.e., there is a time τ ∈ [0, T) such that ϕ(τ) ∈ [[P]] and ϕ(ζ) ∈ [[R]] for all 0 ≤ ζ ≤ τ.

COR For axiom COR, suppose further that ω ∈ [[¬P ∧ [x′ = f(x) & R ∧ ¬P]Q]]. Consider the set {t | ϕ(ζ) ∉ [[P]] for all 0 ≤ ζ ≤ t} which is non-empty since ω = ϕ(0) ∉ [[P]]. This set has a supremum t with 0 ≤ t ≤ τ and ϕ(ζ) ∉ [[P]] for all 0 ≤ ζ < t.

– Suppose P, Q both characterize topologically closed sets. Since P characterizes a topologically closed set, its complement formula ¬P characterizes a topologically open set. If ϕ(t) ∉ [[P]], i.e., ϕ(t) ∈ [[¬P]], then by (16), t is not the supremum, which is a contradiction. Thus, ϕ(t) ∈ [[P]] and 0 < t because ϕ(0) ∉ [[P]]. Hence, ϕ(ζ) ∈ [[R ∧ ¬P]] for all 0 ≤ ζ < t, which, together with the assumption ω ∈ [[[x′ = f(x) & R ∧ ¬P]Q]] implies ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ < t. Since Q characterizes a topologically closed set, this implies ϕ(t) ∈ [[Q]]; otherwise, ϕ(t) ∈ [[¬Q]] and ¬Q characterizes an open set, so (16) implies ϕ(ζ) ∈ [[¬Q]] for some 0 ≤ ζ < t, which contradicts the earlier observation that ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ < t. Thus, ω ∈ [[⟨x′ = f(x) & Q⟩P]] because ϕ(t) ∈ [[P]] and ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ ≤ t.

– Suppose P, Q both characterize topologically open sets. Then, ϕ(t) ∉ [[P]]; otherwise, ϕ(t) ∈ [[P]] and since P characterizes an open set, by (16), there is a time 0 ≤ ζ < t where ϕ(ζ) ∈ [[P]], which contradicts t being the supremum. Note that t < τ and ϕ(ζ) ∈ [[R ∧ ¬P]] for all 0 ≤ ζ ≤ t, which, together with the assumption ω ∈ [[[x′ = f(x) & R ∧ ¬P]Q]] implies ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ ≤ t. Since Q characterizes a topologically open set, by (16), there exists ε > 0 where t + ε < τ such that ϕ(t + ζ) ∈ [[Q]] for all 0 ≤ ζ ≤ ε. By definition of the supremum, for every such ε > 0, there exists ϕ(t + ζ) ∈ [[P]] for some ζ where 0 < ζ ≤ ε. This yields the desired conclusion.

CR For axiom CR, assume that ω ∈ [[¬P]] and

$$\omega \in [\![\,[x'=f(x)\,\&\,R \wedge \neg P]\,\mathring{Q}\,]\!] \tag{17}$$

Consider the set {t | ϕ(ζ) ∉ [[P]] for all 0 ≤ ζ ≤ t} which is non-empty since ω = ϕ(0) ∉ [[P]]. This set has a supremum t with 0 ≤ t ≤ τ and ϕ(ζ) ∉ [[P]] for all 0 ≤ ζ < t. Furthermore, ϕ(ζ) ∈ [[R ∧ ¬P]] for all 0 ≤ ζ < t, so by (17), ϕ(ζ) ∈ [[Q̊]] for all 0 ≤ ζ < t. By assumption, formula Q̊ characterizes the open topological interior of the closed formula Q so by continuity of ϕ, ϕ(t) ∈ [[Q]]. Furthermore, the interior of a set is contained in the set itself, i.e., [[Q̊]] ⊆ [[Q]], so ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ ≤ t. Classically, either ϕ(t) ∈ [[P]] or ϕ(t) ∉ [[P]].

– If ϕ(t) ∈ [[P]], then since ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ ≤ t, by definition, ω ∈ [[⟨x′ = f(x) & Q⟩P]].

– If ϕ(t) ∉ [[P]], then t < τ and furthermore, by (17), ϕ(t) ∈ [[Q̊]]. Since the interior is topologically open, by (16), there exists ε > 0 where t + ε < τ such that ϕ(t + ζ) ∈ [[Q̊]] ⊆ [[Q]] for all 0 ≤ ζ ≤ ε. By definition of the supremum, for every such ε > 0, there exists ϕ(t + ζ) ∈ [[P]] for some ζ where 0 < ζ ≤ ε. This yields the desired conclusion.

SAR For axiom SAR, assume that

$$\omega \in [\![\,[x'=f(x)\,\&\,R \wedge \neg(P \wedge Q)]\,Q\,]\!] \tag{18}$$

If ω ∈ [[P ∧ Q]], then ω ∈ [[⟨x′ = f(x) & Q⟩P]] trivially by following the solution ϕ for duration 0. Thus, assume ω ∉ [[P ∧ Q]]. From (18), ω ∈ [[Q]] which further implies ω ∉ [[P]]. Consider the set of times {t | ϕ(ζ) ∉ [[P]] for all 0 ≤ ζ ≤ t} which is non-empty since ω = ϕ(0) ∉ [[P]]. This set has a supremum t with 0 ≤ t ≤ τ and ϕ(ζ) ∉ [[P]] for all 0 ≤ ζ < t. Thus, ϕ(ζ) ∈ [[R ∧ ¬(P ∧ Q)]] for all 0 ≤ ζ < t. By (18), ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ < t. Classically, either ϕ(t) ∈ [[P]] or ϕ(t) ∉ [[P]].

– Suppose ϕ(t) ∈ [[P]], then if ϕ(t) ∈ [[Q]], ϕ(ζ) ∈ [[Q]] for all 0 ≤ ζ ≤ t and so by definition, ω ∈ [[⟨x′ = f(x) & Q⟩P]]. On the other hand, if ϕ(t) ∉ [[Q]], then ϕ(ζ) ∈ [[R ∧ ¬(P ∧ Q)]] for all 0 ≤ ζ ≤ t, so from (18), ϕ(t) ∈ [[Q]], which yields a contradiction.
If the formula P is further assumed to characterize a closed set, this sub-case (with ϕ(t) ∈ [[P]]) is the only possibility. Otherwise, ϕ(t) ∈ [[¬P]] and ¬P characterizes an open set, so by (16), for some ε > 0, ϕ(t + ζ) ∈ [[¬P]] for all 0 ≤ ζ < ε which contradicts t being the supremum.

– Suppose ϕ(t) ∉ [[P]], then t < τ and ϕ(ζ) ∈ [[R ∧ ¬(P ∧ Q)]] for all 0 ≤ ζ ≤ t, so from (18), ϕ(t) ∈ [[Q]]. Since Q is a formula of first-order real arithmetic, solutions of polynomial ODEs either locally progress into the set characterized by Q or ¬Q [31, 39]. In particular, there exists ε > 0, where t + ε < τ, such that either ① ϕ(t + ζ) ∈ [[Q]] for all 0 < ζ ≤ ε or ② ϕ(t + ζ) ∉ [[Q]] for all 0 < ζ ≤ ε. By definition of the supremum, for every such ε there exists ϕ(t + ζ) ∈ [[P]] for some ζ where 0 < ζ ≤ ε.
In case ①, since ϕ(t + ζ) ∈ [[P]] and ϕ(ν) ∈ [[Q]] for all 0 ≤ ν ≤ t + ζ, then ω ∈ [[⟨x′ = f(x) & Q⟩P]]. If the formula Q is further assumed to characterize an open set, this sub-case (①) is the only possibility, even if Q is not a formula of first-order real arithmetic, because ϕ(t) ∈ [[Q]] implies ϕ continues to satisfy Q for some time interval to the right of t by (16).
In case ②, observe that ϕ(ν) ∈ [[R ∧ ¬(P ∧ Q)]] for all 0 ≤ ν ≤ t + ζ, so from (18), ϕ(t + ζ) ∈ [[Q]], which yields a contradiction.

The refinement axioms are pieced together in refinement chains (2) to build ODE existence and liveness proof rules in a step-by-step manner. However, all such refinement chains (2) start from an initial hypothesis ⟨x′ = f(x) & Q⟩P from which the subsequent implications are proved. The time existence axiom TEx from Section 4.1 provides the sole initial hypothesis that is needed for the refinement approach of this article.

$$\text{TEx}\quad \forall\tau\,\langle t'=1\rangle\, t > \tau$$

Proof of Lemma 5.
Axiom TEx derives directly from dL's solution axiom [28]. It also has an easy semantic soundness proof which is given here. Consider an initial state $\omega$ and the corresponding modified state $\omega_\tau^d$ where the value of variable $\tau$ is replaced by an arbitrary $d\in\mathbb{R}$. The (right-maximal) solution of ODE $t'=1$ from state $\omega_\tau^d$ is given by the function $\varphi:[0,\infty)\to\mathbb{S}$, where $\varphi(\zeta)(t)=\omega_\tau^d(t)+\zeta=\omega(t)+\zeta$, and $\varphi(\zeta)(y)=\omega_\tau^d(y)$ for all other variables $y$. In particular, $\varphi(\zeta)(\tau)=d$. Thus, at any time $\zeta>d-\omega(t)$, $\varphi(\zeta)(t)=\omega(t)+\zeta>d=\varphi(\zeta)(\tau)$. This time $\zeta$ witnesses $\langle t'=1\rangle\,t>\tau$.

A.3 Topological Side Conditions
Footnote (to the local progress property used in the proof of SAR): This property is specific to sets characterized by first-order formulas of real arithmetic and is not necessarily true for arbitrary sets and ODEs.

In Section 2.2, topological conditions are defined for formulas $\phi$ that only mention free variables $x$ occurring in an ODE $x'=f(x)$. For example, $\phi$ is said to characterize an open set with respect to $x$ iff the set $[\![\phi]\!]$ is open when considered as a subset of $\mathbb{R}^n$ (over variables $x=(x_1,\dots,x_n)$). This section defines a more general notion, where $\phi$ is allowed to mention additional free parameters $y$ that do not occur in the ODE. Adopting these (parametric) side conditions makes the topological refinement axioms that use them, like COR, CR, more general. Let $x=(x_1,\dots,x_n)$, let $(y_1,\dots,y_r)=\mathbb{V}\setminus\{x\}$ be parameters, and let $\omega\in\mathbb{S}$ be a state. For brevity, write $y=(y_1,\dots,y_r)$ for the parameters and $\omega(y)=(\omega(y_1),\dots,\omega(y_r))\in\mathbb{R}^r$ for the component-wise projection, and similarly for $\omega(x)\in\mathbb{R}^n$. Given the set $[\![\phi]\!]\subseteq\mathbb{S}$ and $\gamma\in\mathbb{R}^r$, define:
$$[\![\phi]\!]_\gamma \overset{\text{def}}{=} \{\,\omega(x)\in\mathbb{R}^n \mid \omega\in[\![\phi]\!],\ \omega(y)=\gamma\,\}$$
The set $[\![\phi]\!]_\gamma\subseteq\mathbb{R}^n$ is the projection onto variables $x$ of all states $\omega$ that satisfy $\phi$ and have values $\gamma$ for the parameters $y$. Formula $\phi$ characterizes a (topologically) open (resp. closed, bounded, compact) set with respect to variables $x$ iff for all $\gamma\in\mathbb{R}^r$, the set $[\![\phi]\!]_\gamma\subseteq\mathbb{R}^n$ is topologically open (resp. closed, bounded, compact) with respect to the Euclidean topology.

These topological side conditions are decidable [3] for first-order formulas of real arithmetic $P,Q$ because in Euclidean spaces they can be phrased as conditions using first-order real arithmetic. The following conditions are standard [3], although special care is taken to universally quantify over the parameters $y$. Let $P(x,y)$ be a formula mentioning variables $x$ and parameters $y$; then it is (with respect to variables $x$):

• open if the formula $\forall y\,\forall x\,\big(P(x,y)\to\exists\varepsilon>0\,\forall z\,(\|x-z\|<\varepsilon\to P(z,y))\big)$ is valid, where the variables $z=(z_1,\dots,z_n)$ are fresh for $P(x,y)$,

• closed if its complement formula $\neg P(x,y)$ is open,

• bounded if the formula $\forall y\,\exists r>0\,\forall x\,\big(P(x,y)\to\|x\|$
This appendix derives all of the existence and liveness proof rules of the main article. These derivations are based on the sound dL axioms presented in Appendix A. For ease of reference, this appendix is organized into four sections, corresponding to Sections 4–7 of the main article. The high-level intuition behind these proofs is available in the main article, while motivation for important proof steps is given directly in the subsequent proofs. Further motivation for the surveyed liveness arguments can also be found in their original presentations [25, 34, 35, 36, 39, 41].

B.1 Proofs for Global Existence
Proof of Corollary 6.
Assume that the ODE $x'=f(x)$ is in dependency order (4). The derivation progressively removes the ODEs $y_k,y_{k-1},\dots,y_1$ in reverse dependency order using either axiom BDG⟨·⟩ or DDG⟨·⟩, as shown below. This continues until all of the ODEs are removed and the rightmost premise closes by axiom TEx. The left premises arising from BDG⟨·⟩, DDG⟨·⟩ are the premises of rule DEx. They are collectively labeled ⋆ and explained below.
$$\begin{array}{ll}
\text{TEx} & \Gamma\vdash\langle t'=1\rangle\,t>\tau\qquad(\ast)\\
 & \ \vdots\\
\text{BDG}\langle\cdot\rangle,\text{DDG}\langle\cdot\rangle & \Gamma\vdash\langle y_1'=g_1(y_1),\dots,y_{k-1}'=g_{k-1}(y_1,\dots,y_{k-1}),\,t'=1\rangle\,t>\tau\qquad(\text{left premise }\star)\\
\text{BDG}\langle\cdot\rangle,\text{DDG}\langle\cdot\rangle & \Gamma\vdash\langle y_1'=g_1(y_1),\dots,y_{k-1}'=g_{k-1}(y_1,\dots,y_{k-1}),\,y_k'=g_k(y_1,\dots,y_k),\,t'=1\rangle\,t>\tau\qquad(\text{left premise }\star)\\
\forall\text{R} & \Gamma\vdash\forall\tau\,\langle\underbrace{y_1'=g_1(y_1),\dots,y_{k-1}'=g_{k-1}(y_1,\dots,y_{k-1}),\,y_k'=g_k(y_1,\dots,y_k)}_{x'=f(x)\text{ written in dependency order}},\,t'=1\rangle\,t>\tau
\end{array}$$
At each step $i$, for $i=k,\dots,1$, the ODE $y_i$ is removed using either axiom BDG⟨·⟩ or DDG⟨·⟩, depending on the form (Corollary 6) of postcondition $P_i$.

Ⓑ In case formula $P_i\equiv\|y_i\|^2\le p_i(t,y_1,\dots,y_{i-1})$ is of form Ⓑ (as defined in Corollary 6), axiom BDG⟨·⟩ is used. This yields two stacked premises; the top premise corresponds to premise ⋆. Note that the dependency order (4) enables the sound use of axiom BDG⟨·⟩ for this refinement step because the ODEs for $y_1,\dots,y_{i-1}$ are not allowed to depend on variables $y_i$. The term $p_i(t,y_1,\dots,y_{i-1})$ also meets the dependency requirements of BDG⟨·⟩ because it does not depend on $y_i$.
$$\begin{array}{ll}
 & \Gamma\vdash[y_1'=g_1(y_1),\dots,y_{i-1}'=g_{i-1}(y_1,\dots,y_{i-1}),\,y_i'=g_i(y_1,\dots,y_i),\,t'=1]\,P_i\qquad(\star)\\
 & \Gamma\vdash\langle y_1'=g_1(y_1),\dots,y_{i-1}'=g_{i-1}(y_1,\dots,y_{i-1}),\,t'=1\rangle\,t>\tau\\
\text{BDG}\langle\cdot\rangle & \Gamma\vdash\langle y_1'=g_1(y_1),\dots,y_{i-1}'=g_{i-1}(y_1,\dots,y_{i-1}),\,y_i'=g_i(y_1,\dots,y_i),\,t'=1\rangle\,t>\tau
\end{array}$$

Ⓓ In case formula $P_i\equiv 2y_i\cdot g_i(y_1,\dots,y_i)\le L_i(t,y_1,\dots,y_{i-1})\,\|y_i\|^2+M_i(t,y_1,\dots,y_{i-1})$ is of form Ⓓ (as defined in Corollary 6), axiom DDG⟨·⟩ is used instead. As before, terms $L_i(t,y_1,\dots,y_{i-1})$, $M_i(t,y_1,\dots,y_{i-1})$ meet the dependency requirements of DDG⟨·⟩ because they do not depend on $y_i$. The top premise corresponds to premise ⋆ above, while the ODE for $y_i$ is removed in the bottom premise.
$$\begin{array}{ll}
 & \Gamma\vdash[y_1'=g_1(y_1),\dots,y_{i-1}'=g_{i-1}(y_1,\dots,y_{i-1}),\,y_i'=g_i(y_1,\dots,y_i),\,t'=1]\,P_i\qquad(\star)\\
 & \Gamma\vdash\langle y_1'=g_1(y_1),\dots,y_{i-1}'=g_{i-1}(y_1,\dots,y_{i-1}),\,t'=1\rangle\,t>\tau\\
\text{DDG}\langle\cdot\rangle & \Gamma\vdash\langle y_1'=g_1(y_1),\dots,y_{i-1}'=g_{i-1}(y_1,\dots,y_{i-1}),\,y_i'=g_i(y_1,\dots,y_i),\,t'=1\rangle\,t>\tau
\end{array}$$

Proof of Corollary 7.
The derivation closely follows the proof sketch for Corollary 7 but with an extra step to ensure that the chosen terms $L,M$ are within the term language of dL. Let the ODE $x'=f(x)$ be globally Lipschitz and $C$ be the (positive) Lipschitz constant for $f$, i.e., $\|f(x)-f(y)\|\le C\|x-y\|$. Then $f$ satisfies the following inequality, where the first step (7) is proved in the sketch but its RHS contains norms $\|\cdot\|$ which are not in the term syntax (Section 2.1). The inequality (7) is prolonged by using inequality (5) to remove these non-squared norm terms, which yields corresponding choices of bounding dL terms $L,M$.
$$2x\cdot f(x)\ \overset{(7)}{\le}\ (2C+\|f(0)\|)\,\|x\|^2+\|f(0)\|\ \overset{(5)}{\le}\ \underbrace{\big(2C+\tfrac{1}{2}(1+\|f(0)\|^2)\big)}_{L}\,\|x\|^2+\underbrace{\tfrac{1}{2}(1+\|f(0)\|^2)}_{M}\tag{19}$$
The inequality (19) is a valid real arithmetic formula and thus provable by rule R. This enables the derivation below using axiom DDG⟨·⟩ because $L,M$ satisfy the respective variable constraints of the axiom. The resulting left premise proves, after a dW step, by R. The resulting right premise, after the ODEs $x'=f(x)$ have been removed, proves by axiom TEx.
$$\begin{array}{ll}
\text{R} & \vdash 2x\cdot f(x)\le L\|x\|^2+M\qquad(\ast)\\
\text{dW} & \vdash[x'=f(x),\,t'=1]\;2x\cdot f(x)\le L\|x\|^2+M\qquad(\text{left premise})\\
\text{TEx} & \vdash\langle t'=1\rangle\,t>\tau\qquad(\ast,\ \text{right premise})\\
\text{DDG}\langle\cdot\rangle & \vdash\langle x'=f(x),\,t'=1\rangle\,t>\tau\\
\forall\text{R} & \vdash\forall\tau\,\langle x'=f(x),\,t'=1\rangle\,t>\tau
\end{array}$$

Proof of Corollary 8.
Assume that the ODE $x'=f(x)$ has affine dependency order (4), i.e., where each ODE $y_i'=g_i(y_1,\dots,y_i)$ is of the affine form $y_i'=A_i(y_1,\dots,y_{i-1})\,y_i+b_i(y_1,\dots,y_{i-1})$ for some matrix and vector terms $A_i,b_i$ respectively with the indicated variable dependencies. From the proof sketch for Corollary 8, $A_i,b_i$ satisfy inequality (8) for each $i=1,\dots,k$. Like the proof of inequality (19), inequality (8) is prolonged by inequality (5) to remove non-squared norm terms in its RHS, which yields corresponding choices of bounding dL terms $L_i,M_i$.
$$2y_i\cdot(A_iy_i+b_i)\ \overset{(8)}{\le}\ (2\|A_i\|+\|b_i\|)\,\|y_i\|^2+\|b_i\|\ \overset{(5)}{\le}\ \underbrace{\big(2\|A_i\|+\tfrac{1}{2}(1+\|b_i\|^2)\big)}_{L_i}\,\|y_i\|^2+\underbrace{\tfrac{1}{2}(1+\|b_i\|^2)}_{M_i}\tag{20}$$
The inequality from (20) is a valid real arithmetic formula, and thus provable by R for each $i=1,\dots,k$. The derivation uses rule DEx, where each premise is chosen to be of form Ⓓ, so they prove, after a dW step, with R with the above choice of $L_i,M_i$ for each $i=1,\dots,k$.
$$\begin{array}{ll}
\text{R} & \vdash 2y_1\cdot(A_1y_1+b_1)\le L_1\|y_1\|^2+M_1\qquad(\ast)\\
\text{dW} & \vdash[y_1'=g_1(y_1),\,t'=1]\,P_1\\
 & \ \cdots\\
\text{R} & \vdash 2y_k\cdot(A_ky_k+b_k)\le L_k\|y_k\|^2+M_k\qquad(\ast)\\
\text{dW} & \vdash[y_1'=g_1(y_1),\dots,y_k'=g_k(y_1,\dots,y_k),\,t'=1]\,P_k\\
\text{DEx} & \vdash\forall\tau\,\langle x'=f(x),\,t'=1\rangle\,t>\tau\qquad(\text{from the }k\text{ dW premises above})
\end{array}$$
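As an added worked instance of rule DEx with Ⓓ-form premises (this example is constructed here and is not part of the original article), consider the two-variable ODE $y_1'=1-y_1,\ y_2'=y_1y_2$, which is in dependency order (4) with $g_1(y_1)=1-y_1$ and $g_2(y_1,y_2)=y_1y_2$. The bounding terms $L_i,M_i$ below are chosen directly by real arithmetic instead of through the generic constants of (20), using only $2a\le 1+a^2$ (from $(1-a)^2\ge 0$):
$$\begin{aligned}
2y_1\cdot(1-y_1) &= 2y_1-2y_1^2\ \le\ (1+y_1^2)-2y_1^2\ \le\ 1 &&\Rightarrow\quad L_1=0,\ M_1=1,\\
2y_2\cdot(y_1y_2) &= 2y_1\,y_2^2\ \le\ (1+y_1^2)\,y_2^2 &&\Rightarrow\quad L_2=1+y_1^2,\ M_2=0.
\end{aligned}$$
Both $L_2$ and $M_2$ mention only $y_1$, which the dependency conditions of DDG⟨·⟩ permit at step $i=2$ because the ODE for $y_1$ does not depend on $y_2$; $L_1,M_1$ are constants. The two DEx premises are then proved by dW followed by R, and the conclusion states global existence of solutions for this ODE:
$$\begin{array}{ll}
\text{dW},\text{R} & \vdash[y_1'=1-y_1,\,t'=1]\;2y_1(1-y_1)\le 0\cdot\|y_1\|^2+1\\
\text{dW},\text{R} & \vdash[y_1'=1-y_1,\,y_2'=y_1y_2,\,t'=1]\;2y_1y_2^2\le(1+y_1^2)\,\|y_2\|^2+0\\
\text{DEx} & \vdash\forall\tau\,\langle y_1'=1-y_1,\,y_2'=y_1y_2,\,t'=1\rangle\,t>\tau
\end{array}$$
The generic choice from (20) with $A_1=-1,\ b_1=1,\ A_2=y_1,\ b_2=0$ gives valid but looser bounds; any $L_i,M_i$ that satisfy the respective Ⓓ-form premise and the dependency conditions suffice.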
Proof of Corollary 9.

The derivation starts by Skolemizing with ∀R, then switching the diamond modality in the succedent to a box modality in the antecedent using ⟨·⟩, ¬R. The postcondition of the box modality is simplified using the propositional tautologies $\neg(\phi\vee\psi)\leftrightarrow\neg\phi\wedge\neg\psi$ and $\neg\neg\phi\leftrightarrow\phi$. Axiom [·]∧, ∧L splits the conjunction in the antecedent, before ⟨·⟩ is used again to flip the left antecedent to a diamond modality in the succedent. These (mostly) propositional steps recover the more verbose phrasing of BEx from (9).
$$\begin{array}{ll}
 & [x'=f(x),\,t'=1]\,B(x)\vdash\langle x'=f(x),\,t'=1\rangle\,t>\tau\\
\langle\cdot\rangle,\neg\text{L} & [x'=f(x),\,t'=1]\,\neg(t>\tau),\ [x'=f(x),\,t'=1]\,B(x)\vdash\mathit{false}\\
[\cdot]\wedge,\wedge\text{L} & [x'=f(x),\,t'=1]\,(\neg(t>\tau)\wedge B(x))\vdash\mathit{false}\\
\langle\cdot\rangle,\neg\text{R} & \vdash\langle x'=f(x),\,t'=1\rangle\,(t>\tau\vee\neg B(x))\\
\forall\text{R} & \vdash\forall\tau\,\langle x'=f(x),\,t'=1\rangle\,(t>\tau\vee\neg B(x))
\end{array}$$
The formula $B(x)$ is assumed to characterize a bounded set with respect to the variables $x$. The closure of this set is compact, and thus, the continuous norm function $\|x\|$ attains its maximum value on that set. Hence, the formula $\exists D\,\forall x\,(B(x)\to\|x\|^2\le D)$ is valid in first-order real arithmetic, and thus provable by R. The derivation continues with a cut of this formula and Skolemizing with ∃L. Axiom BDG⟨·⟩ is then used to remove the ODE $x'=f(x)$, with $p(x)=D$. The resulting right premise proves with TEx, while the resulting left premise is labeled ① and continued below.
$$\begin{array}{ll}
\text{TEx} & \text{①}\ (\text{left premise})\qquad\vdash\langle t'=1\rangle\,t>\tau\qquad(\ast,\ \text{right premise})\\
\text{BDG}\langle\cdot\rangle & [x'=f(x),\,t'=1]\,B(x),\ \forall x\,(B(x)\to\|x\|^2\le D)\vdash\langle x'=f(x),\,t'=1\rangle\,t>\tau\\
\text{cut},\text{R},\exists\text{L} & [x'=f(x),\,t'=1]\,B(x)\vdash\langle x'=f(x),\,t'=1\rangle\,t>\tau
\end{array}$$
From premise ①, a dC step adds the postcondition of the leftmost antecedent, $B(x)$, to the domain constraint. Since the remaining antecedent is universally quantified over variables $x$, it is soundly kept across an application of a subsequent dW step, and the proof is completed with ∀L, →L.
$$\begin{array}{ll}
\forall\text{L},\to\text{L} & \forall x\,(B(x)\to\|x\|^2\le D),\ B(x)\vdash\|x\|^2\le D\qquad(\ast)\\
\text{dW} & \forall x\,(B(x)\to\|x\|^2\le D)\vdash[x'=f(x),\,t'=1\,\&\,B(x)]\,\|x\|^2\le D\\
\text{dC} & [x'=f(x),\,t'=1]\,B(x),\ \forall x\,(B(x)\to\|x\|^2\le D)\vdash[x'=f(x),\,t'=1]\,\|x\|^2\le D
\end{array}$$

Proof of Corollary 10.
Assume the ODE $x'=f(x)$ is in dependency order (4), and the indices $i=1,\dots,k$ are partitioned into disjoint sets $L,N$ as in Corollary 10. For brevity, abbreviate the first $i$ ODEs together with the clock as $\alpha_i\equiv y_1'=g_1(y_1),\dots,y_i'=g_i(y_1,\dots,y_i),\,t'=1$ (so $\alpha_k$ is $x'=f(x),\,t'=1$ and $\alpha_0$ is $t'=1$). The first step Skolemizes with ∀R.
$$\begin{array}{ll}
 & \vdash\langle x'=f(x),\,t'=1\rangle\,\big(t>\tau\vee\bigvee_{j\in N}\neg B_j(y_j)\big)\\
\forall\text{R} & \vdash\forall\tau\,\langle x'=f(x),\,t'=1\rangle\,\big(t>\tau\vee\bigvee_{j\in N}\neg B_j(y_j)\big)
\end{array}$$
The derivation uses ideas from Corollaries 6, 8, and 9 to remove the ODE $y_i'=g_i(y_1,\dots,y_i)$ at each step. The corresponding disjunct $\neg B_i(y_i)$ (if present) is also removed from the succedent when $i\in N$. At each step $i$, the derivation reduces a succedent of the form:
$$\langle\alpha_i\rangle\,\Big(t>\tau\vee\bigvee_{j\in N\cap\{1,\dots,i\}}\neg B_j(y_j)\Big)\tag{21}$$
to the form:
$$\langle\alpha_{i-1}\rangle\,\Big(t>\tau\vee\bigvee_{j\in N\cap\{1,\dots,i-1\}}\neg B_j(y_j)\Big)\tag{22}$$
The derivation proceeds with two cases depending on whether $i\in L$ or $i\in N$.

• For each $i\in L$ (similarly to Corollary 8), the ODE $y_i'=A_i(y_1,\dots,y_{i-1})\,y_i+b_i(y_1,\dots,y_{i-1})$ is affine for some matrix and vector terms $A_i,b_i$ respectively with the indicated variable dependencies. The RHS of this affine ODE satisfies the inequality (20) with terms $L_i,M_i$ as given in (20). Axiom DDG⟨·⟩ is used with those choices of $L_i,M_i$, which removes the ODEs for $y_i$ in the resulting right premise. The resulting left premise is labeled ① and explained below. Note that the freshness conditions of axiom DDG⟨·⟩ are met because the postcondition of the succedent does not mention variables $y_i$ for $i\in L$. Similarly, the indices from $j\in N\cap\{1,\dots,i\}$ are equal to those from $j\in N\cap\{1,\dots,i-1\}$ because $i\notin N$.
$$\begin{array}{ll}
 & \text{①}\ (\text{left premise})\qquad\vdash\langle\alpha_{i-1}\rangle\,\big(t>\tau\vee\bigvee_{j\in N\cap\{1,\dots,i-1\}}\neg B_j(y_j)\big)\quad(\text{right premise})\\
\text{DDG}\langle\cdot\rangle & \vdash\langle\alpha_i\rangle\,\big(t>\tau\vee\bigvee_{j\in N\cap\{1,\dots,i\}}\neg B_j(y_j)\big)
\end{array}$$
From premise ①, the proof completes with dW and R steps using inequality (20).
$$\begin{array}{ll}
\text{R} & \vdash 2y_i\cdot(A_iy_i+b_i)\le L_i\|y_i\|^2+M_i\qquad(\ast)\\
\text{dW} & \vdash[\alpha_i]\;2y_i\cdot(A_iy_i+b_i)\le L_i\|y_i\|^2+M_i
\end{array}$$

• For each $i\in N$ (similarly to Corollary 9), the boundedness assumption on $y_i$ is first extracted from the succedent, with the abbreviation $R\equiv\big(t>\tau\vee\bigvee_{j\in N\cap\{1,\dots,i-1\}}\neg B_j(y_j)\big)$. The bottommost succedent is similarly abbreviated using the propositional tautology $\big(t>\tau\vee\bigvee_{j\in N\cap\{1,\dots,i\}}\neg B_j(y_j)\big)\leftrightarrow R\vee\neg B_i(y_i)$.
$$\begin{array}{ll}
 & [\alpha_i]\,B_i(y_i)\vdash\langle\alpha_i\rangle\,R\\
\langle\cdot\rangle,\neg\text{L} & [\alpha_i]\,\neg R,\ [\alpha_i]\,B_i(y_i)\vdash\mathit{false}\\
[\cdot]\wedge,\wedge\text{L} & [\alpha_i]\,(\neg R\wedge B_i(y_i))\vdash\mathit{false}\\
\langle\cdot\rangle,\neg\text{R} & \vdash\langle\alpha_i\rangle\,(R\vee\neg B_i(y_i))
\end{array}$$
$B_i(y_i)$ is assumed to characterize a bounded set with respect to the variables $y_i$. Thus, similarly to Corollary 9, the formula $\exists D_i\,\forall y_i\,(B_i(y_i)\to\|y_i\|^2\le D_i)$ proves by R. The derivation continues with a cut of this formula and Skolemizing, abbreviating $S\equiv[\alpha_i]\,B_i(y_i)$. Axiom BDG⟨·⟩ is then used with $p(y_i)=D_i$, which removes the ODEs for $y_i$ in the resulting right premise. The resulting left premise is labeled ② and explained below.
$$\begin{array}{ll}
 & \text{②}\ (\text{left premise})\qquad\vdash\langle\alpha_{i-1}\rangle\,R\quad(\text{right premise})\\
\text{BDG}\langle\cdot\rangle & S,\ \forall y_i\,(B_i(y_i)\to\|y_i\|^2\le D_i)\vdash\langle\alpha_i\rangle\,R\\
\text{cut},\text{R},\exists\text{L} & S\vdash\langle\alpha_i\rangle\,R
\end{array}$$
The derivation continues from premise ② identically to Corollary 9, with a dC step to add the postcondition of the antecedent $S$ to the domain constraint. The proof is completed with dW and ∀L, →L.
$$\begin{array}{ll}
\forall\text{L},\to\text{L} & \forall y_i\,(B_i(y_i)\to\|y_i\|^2\le D_i),\ B_i(y_i)\vdash\|y_i\|^2\le D_i\qquad(\ast)\\
\text{dW} & \forall y_i\,(B_i(y_i)\to\|y_i\|^2\le D_i)\vdash[\alpha_i\,\&\,B_i(y_i)]\,\|y_i\|^2\le D_i\\
\text{dC} & S,\ \forall y_i\,(B_i(y_i)\to\|y_i\|^2\le D_i)\vdash[\alpha_i]\,\|y_i\|^2\le D_i
\end{array}$$

Using the steps for $i=k,\dots,1$ (where either $i\in L$ or $i\in N$) removes the ODEs $y_k,\dots,y_1$. This is shown in the derivation below, and the proof is completed using TEx.
$$\begin{array}{ll}
\text{TEx} & \vdash\langle t'=1\rangle\,t>\tau\qquad(\ast)\\
 & \vdash\langle t'=1\rangle\,\big(t>\tau\vee\bigvee_{j\in N\cap\emptyset}\neg B_j(y_j)\big)\\
 & \ \vdots\\
 & \vdash\langle\alpha_{k-1}\rangle\,\big(t>\tau\vee\bigvee_{j\in N\cap\{1,\dots,k-1\}}\neg B_j(y_j)\big)\\
 & \vdash\langle\alpha_k\rangle\,\big(t>\tau\vee\bigvee_{j\in N}\neg B_j(y_j)\big)
\end{array}$$

Proof of Proposition 11.
The ODE $x'=f(x)$ is assumed to have a global solution that is, moreover, syntactically representable by a polynomial term $X(t)$ in the term language (Section 2.1). Formally, the representability condition means that for any initial state $\omega$, the mathematical solution $\varphi:[0,\infty)\to\mathbb{S}$ exists globally and, in addition, for each time $\tau\in[0,\infty)$, the solution satisfies $\varphi(\tau)=\omega_t^\tau[\![X(t)]\!]$, where $\omega_t^\tau[\![X(t)]\!]$ is the value of term $X(t)$ in state $\omega$ with the value of time variable $t$ set to $\tau$. This implies that the following formula is valid because terms $x,\ t-t_0$ have value $\varphi(\tau)$ and $\tau$ respectively at time $\tau\in[0,\infty)$ along the ODE $x'=f(x),\,t'=1$. The variables $x_0,t_0$ store the initial values of $x,t$ respectively, which may be needed for the syntactic representation $X(t)$ of the solution.
$$t=t_0\wedge x=x_0\to[x'=f(x),\,t'=1]\;x=X(t-t_0)\tag{23}$$
Validity of formula (23) further implies that (23) is provable because of the dL completeness theorem for equational invariants [28, 31, Theorem 4.5]. The derivation of global existence for $x'=f(x)$ first Skolemizes with ∀R, then introduces fresh variables $x_0,t_0$ storing the initial values of $x,t$ with cut, R, ∃L. Axiom BDG⟨·⟩ is used with $p(t)=\|X(t-t_0)\|^2$ to remove the ODEs $x'=f(x)$. The resulting right premise proves by TEx. The resulting left premise is abbreviated ① and proved below.
$$\begin{array}{ll}
\text{TEx} & \text{①}\ (\text{left premise})\qquad\vdash\langle t'=1\rangle\,t>\tau\qquad(\ast,\ \text{right premise})\\
\text{BDG}\langle\cdot\rangle & t=t_0\wedge x=x_0\vdash\langle x'=f(x),\,t'=1\rangle\,t>\tau\\
\text{cut},\text{R},\exists\text{L} & \vdash\langle x'=f(x),\,t'=1\rangle\,t>\tau\\
\forall\text{R} & \vdash\forall\tau\,\langle x'=f(x),\,t'=1\rangle\,t>\tau
\end{array}$$
From ①, the derivation continues with a dC using the provable formula (23). The premise after dW proves by R by rewriting the succedent with the equality $x=X(t-t_0)$ and by reflexivity of $\le$.
$$\begin{array}{ll}
\text{R} & x=X(t-t_0)\vdash\|x\|^2\le\|X(t-t_0)\|^2\qquad(\ast)\\
\text{dW} & \vdash[x'=f(x),\,t'=1\,\&\,x=X(t-t_0)]\,\|x\|^2\le\|X(t-t_0)\|^2\\
\text{dC} & t=t_0\wedge x=x_0\vdash[x'=f(x),\,t'=1]\,\|x\|^2\le\|X(t-t_0)\|^2
\end{array}$$
Note that, instead of assuming that $X(t)$ is an explicit solution for the ODE $x'=f(x)$, it also suffices in this derivation that premise ① is provable, i.e., that $\|X(t-t_0)\|^2$ is a provable upper bound on the squared norm of $x$ along solutions of the ODE.

B.2 Proofs for Liveness Without Domain Constraints
Proof of Corollary 12.
The complete derivation of rule $\mathrm{dV}^\Gamma_\succ$ using refinement axiom K⟨&⟩ is already given in the proof sketch for Corollary 12, so it is not repeated here.

The derivation of $\mathrm{dV}_\succ$ (as a corollary of $\mathrm{dV}^\Gamma_\succ$) starts by introducing fresh variables $p_0,i$ representing the initial value of $p$ and the multiplicative inverse of $\varepsilon()$ respectively, using arithmetic cuts (cut, R) and Skolemizing (∃L). It then uses dGt to introduce a fresh time variable to the system of differential equations:
$$\begin{array}{ll}
 & \Gamma,\ \varepsilon()>0,\ p=p_0,\ i\varepsilon()=1,\ t=0\vdash\langle x'=f(x),\,t'=1\rangle\,p\succ0\\
\text{dGt} & \Gamma,\ \varepsilon()>0,\ p=p_0,\ i\varepsilon()=1\vdash\langle x'=f(x)\rangle\,p\succ0\\
\exists\text{L} & \Gamma,\ \varepsilon()>0,\ \exists p_0\,p=p_0,\ \exists i\,i\varepsilon()=1\vdash\langle x'=f(x)\rangle\,p\succ0\\
\text{cut},\text{R} & \Gamma,\ \varepsilon()>0\vdash\langle x'=f(x)\rangle\,p\succ0
\end{array}$$
Next, an initial liveness assumption $\langle x'=f(x),\,t'=1\rangle\,p_0+\varepsilon()t>0$ is cut into the antecedents, after which rule $\mathrm{dV}^\Gamma_\succ$ is used to obtain the premise of $\mathrm{dV}_\succ$. Intuitively, this initial liveness assumption says that the solution exists for sufficiently long, so that $p$, which is provably bounded below by $p_0+\varepsilon()t$, becomes positive when starting from its initial value $p_0$. The proof of this cut is abbreviated ① and proved below.
$$\begin{array}{ll}
 & \neg(p\succ0)\vdash\dot{p}\ge\varepsilon()\\
\mathrm{dV}^\Gamma_\succ & \Gamma,\ p=p_0,\ t=0,\ \langle x'=f(x),\,t'=1\rangle\,p_0+\varepsilon()t>0\vdash\langle x'=f(x),\,t'=1\rangle\,p\succ0\qquad\text{①}\ (\text{cut premise})\\
\text{cut} & \Gamma,\ \varepsilon()>0,\ p=p_0,\ i\varepsilon()=1,\ t=0\vdash\langle x'=f(x),\,t'=1\rangle\,p\succ0
\end{array}$$
From premise ①, a monotonicity step M⟨′⟩ equivalently rephrases the postcondition of the cut in real arithmetic. The arithmetic rephrasing works using the constant assumption $\varepsilon()>0$ and the choice of $i$ as the multiplicative inverse of $\varepsilon()$. Since the ODE $x'=f(x)$ is assumed to have provable global solutions, axiom GEx finishes the derivation by instantiating $\tau=-ip_0$, which is constant for the ODE.
$$\begin{array}{ll}
\text{GEx} & \Gamma\vdash\langle x'=f(x),\,t'=1\rangle\,t>-ip_0\qquad(\ast)\\
\text{R},\mathrm{M}\langle'\rangle & \Gamma,\ \varepsilon()>0,\ i\varepsilon()=1\vdash\langle x'=f(x),\,t'=1\rangle\,p_0+\varepsilon()t>0
\end{array}$$

Proof of Corollary 13.
Rule $\mathrm{dV}^M_=$ derives directly from $\mathrm{dV}_=$ with a M⟨′⟩ monotonicity step:
$$\begin{array}{ll}
 & p<0\vdash\dot{p}\ge\varepsilon()\\
\mathrm{dV}_= & \Gamma,\ \varepsilon()>0,\ p\le0\vdash\langle x'=f(x)\rangle\,p=0\qquad\text{together with }p=0\vdash P\\
\mathrm{M}\langle'\rangle & \Gamma,\ \varepsilon()>0,\ p\le0\vdash\langle x'=f(x)\rangle\,P
\end{array}$$
The derivation of rule $\mathrm{dV}_=$ starts using axiom K⟨&⟩ with $G\equiv p\ge0$ and rule $\mathrm{dV}_\succ$ (with $\succ$ being $\ge$) on the resulting right premise, which yields the sole premise of $\mathrm{dV}_=$ (on the right):
$$\begin{array}{ll}
 & p<0\vdash\dot{p}\ge\varepsilon()\\
\mathrm{dV}_\succ & \Gamma,\ \varepsilon()>0\vdash\langle x'=f(x)\rangle\,p\ge0\qquad(\text{right premise});\quad p\le0\vdash[x'=f(x)\,\&\,p\neq0]\,p<0\quad(\text{left premise})\\
\mathrm{K}\langle\&\rangle & \Gamma,\ \varepsilon()>0,\ p\le0\vdash\langle x'=f(x)\rangle\,p=0
\end{array}$$
From the left premise after using K⟨&⟩, axiom DX allows the domain constraint to be assumed true initially, which strengthens the antecedent $p\le0$ to $p<0$. Rule Barr completes the proof because the antecedents $p\neq0,\ p=0$ in its resulting premise are contradictory:
$$\begin{array}{ll}
\text{R} & p\neq0,\ p=0\vdash\dot{p}<0\qquad(\ast)\\
\text{Barr} & p<0\vdash[x'=f(x)\,\&\,p\neq0]\,p<0\\
\text{DX} & p\le0\vdash[x'=f(x)\,\&\,p\neq0]\,p<0
\end{array}$$

Proof of Corollary 14.
Rule $\mathrm{dV}^k_\succ$ can be derived in several ways. For example, because $\dot{p}^{(k)}$ is strictly positive, one can prove that the solution successively reaches states where $\dot{p}^{(k-1)}$ is strictly positive, followed by $\dot{p}^{(k-2)}$, and so on. The following derivation shows how dC can be elegantly used for this argument. The idea is to extend the derivation of rule $\mathrm{dV}_\succ$ to higher Lie derivatives by (symbolically) integrating with respect to the time variable $t$ using the following sequence of inequalities, where $\dot{p}^{(i)}_0$ is a symbolic constant that represents the initial value of the $i$-th Lie derivative of $p$ along $x'=f(x)$ for $i=0,1,\dots,k-1$:
$$\begin{aligned}
\dot{p}^{(k)} &\ge \varepsilon()\\
\dot{p}^{(k-1)} &\ge \dot{p}^{(k-1)}_0+\varepsilon()\,t\\
\dot{p}^{(k-2)} &\ge \dot{p}^{(k-2)}_0+\dot{p}^{(k-1)}_0\,t+\varepsilon()\,\frac{t^2}{2}\\
&\ \ \vdots\\
\dot{p}^{(1)} &\ge \dot{p}^{(1)}_0+\dots+\dot{p}^{(k-1)}_0\,\frac{t^{k-2}}{(k-2)!}+\varepsilon()\,\frac{t^{k-1}}{(k-1)!}\\
p &\ge \underbrace{p_0+\dot{p}^{(1)}_0\,t+\dots+\dot{p}^{(k-1)}_0\,\frac{t^{k-1}}{(k-1)!}+\varepsilon()\,\frac{t^{k}}{k!}}_{q(t)}
\end{aligned}\tag{24}$$
The RHS of the final inequality in (24) is a polynomial $q(t)$ in $t$ which is positive for sufficiently large values of $t$ because its leading coefficient $\varepsilon()$ is strictly positive. That is, with antecedent $\varepsilon()>0$, the formula $\exists t_0\,\forall t>t_0\ q(t)>0$ is provable in real arithmetic.

The derivation of $\mathrm{dV}^k_\succ$ starts by introducing fresh ghost variables that remember the initial values of $p$ and the (higher) Lie derivatives $\dot{p}^{(1)},\dots,\dot{p}^{(k-1)}$ using cut, R, ∃L. The resulting antecedents are abbreviated with $\Gamma_0\equiv\big(\Gamma,\ p=p_0,\dots,\dot{p}^{(k-1)}=\dot{p}^{(k-1)}_0\big)$. It also uses dGt to introduce a fresh time variable $t$ into the system. Finally, the arithmetic fact that $q(t)$ is eventually positive is introduced with cut, R, ∃L.
$$\begin{array}{ll}
 & \Gamma_0,\ t=0,\ \forall t>t_0\ q(t)>0\vdash\langle x'=f(x),\,t'=1\rangle\,p\succ0\\
\text{cut},\text{R},\exists\text{L} & \Gamma_0,\ \varepsilon()>0,\ t=0\vdash\langle x'=f(x),\,t'=1\rangle\,p\succ0\\
\text{dGt} & \Gamma,\ \varepsilon()>0,\ p=p_0,\dots,\dot{p}^{(k-1)}=\dot{p}^{(k-1)}_0\vdash\langle x'=f(x)\rangle\,p\succ0\\
\text{cut},\text{R},\exists\text{L} & \Gamma,\ \varepsilon()>0\vdash\langle x'=f(x)\rangle\,p\succ0
\end{array}$$
Next, an initial liveness assumption, $\langle x'=f(x),\,t'=1\rangle\,q(t)>0$, is cut into the assumptions. Like the derivation of rule $\mathrm{dV}_\succ$, this initial liveness assumption says that the solution exists for sufficiently long for $p$ to become positive using the lower bound from (24). The cut premise is abbreviated ① and proved below. The derivation continues from the remaining (unabbreviated) premise using K⟨&⟩, with $G\equiv q(t)>0$:
$$\begin{array}{ll}
 & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\neg(p\succ0)]\,q(t)\le0\\
\mathrm{K}\langle\&\rangle & \Gamma_0,\ t=0,\ \langle x'=f(x),\,t'=1\rangle\,q(t)>0\vdash\langle x'=f(x),\,t'=1\rangle\,p\succ0\qquad\text{①}\ (\text{cut premise})\\
\text{cut} & \Gamma_0,\ t=0,\ \forall t>t_0\ q(t)>0\vdash\langle x'=f(x),\,t'=1\rangle\,p\succ0
\end{array}$$
From the resulting open premise after K⟨&⟩, monotonicity M[′] strengthens the postcondition to $p\ge q(t)$ using the domain constraint $\neg(p\succ0)$. Notice that the resulting postcondition $p\ge q(t)$ is the final inequality from the sequence of inequalities (24):
$$\begin{array}{ll}
 & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\neg(p\succ0)]\,p\ge q(t)\\
\mathrm{M}['] & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\neg(p\succ0)]\,q(t)\le0
\end{array}$$
Next, a dC step adds the inequality $\dot{p}^{(k-1)}\ge\dot{p}^{(k-1)}_0+\varepsilon()t$ to the domain constraint. The proof of this cut yields the premise of $\mathrm{dV}^k_\succ$ after a $\mathrm{dI}_\succ$ step; see the derivation labeled ⋆ immediately below:
$$\begin{array}{ll}
 & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\neg(p\succ0)\wedge\dot{p}^{(k-1)}\ge\dot{p}^{(k-1)}_0+\varepsilon()t]\,p\ge q(t)\qquad\star\ (\text{cut premise})\\
\text{dC} & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\neg(p\succ0)]\,p\ge q(t)
\end{array}$$
From ⋆:
$$\begin{array}{ll}
 & \neg(p\succ0)\vdash\dot{p}^{(k)}\ge\varepsilon()\\
\mathrm{dI}_\succ & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\neg(p\succ0)]\,\dot{p}^{(k-1)}\ge\dot{p}^{(k-1)}_0+\varepsilon()t
\end{array}$$
Subsequent dC, $\mathrm{dI}_\succ$ steps progressively add the inequality bounds from (24) to the domain constraint until the last step, where the postcondition is proved invariant with $\mathrm{dI}_\succ$:
$$\begin{array}{ll}
\mathrm{dI}_\succ & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\cdots\wedge\dot{p}^{(1)}\ge\dot{p}^{(1)}_0+\dots+\varepsilon()\frac{t^{k-1}}{(k-1)!}]\,p\ge q(t)\qquad(\ast)\\
\text{dC},\mathrm{dI}_\succ & \ \vdots\\
\text{dC},\mathrm{dI}_\succ & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\cdots\wedge\dot{p}^{(k-2)}\ge\dot{p}^{(k-2)}_0+\dot{p}^{(k-1)}_0t+\varepsilon()\frac{t^2}{2}]\,p\ge q(t)\\
\text{dC},\mathrm{dI}_\succ & \Gamma_0,\ t=0\vdash[x'=f(x),\,t'=1\,\&\,\neg(p\succ0)\wedge\dot{p}^{(k-1)}\ge\dot{p}^{(k-1)}_0+\varepsilon()t]\,p\ge q(t)
\end{array}$$
From premise ①, a monotonicity step M⟨′⟩ rephrases the postcondition of the cut using the (constant) assumption $\forall t>t_0\ q(t)>0$. Axiom GEx, with instance $\tau=t_0$, finishes the derivation because the ODE $x'=f(x)$ is assumed to have provable global solutions.
$$\begin{array}{ll}
\text{GEx} & \Gamma\vdash\langle x'=f(x),\,t'=1\rangle\,t>t_0\qquad(\ast)\\
\mathrm{M}\langle'\rangle & \Gamma,\ \forall t>t_0\ q(t)>0\vdash\langle x'=f(x),\,t'=1\rangle\,q(t)>0
\end{array}$$

Proof of Corollary 15.
The derivation of rule SP begins by using axiom K⟨&⟩ with G ≡ ¬S. The resulting left premise is the left premise of SP, which is the staging property of the formula S that solutions of the ODE x′ = f(x) can only leave S by entering P:

Γ ⊢ [x′ = f(x) & ¬P] S
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ ¬S
K⟨&⟩
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ P

The derivation continues on the right premise, similarly to dV≽, by introducing fresh variables p, i representing the initial value of p and the multiplicative inverse of ε() respectively using arithmetic cuts (cut, R). It then uses dGt to introduce a fresh time variable:

Γ, ε() >, p = p, iε() = 1, t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
dGt
Γ, ε() >, p = p, iε() = 1 ⊢ ⟨x′ = f(x)⟩ ¬S
∃L
Γ, ε() >, ∃p p = p, ∃i iε() = 1 ⊢ ⟨x′ = f(x)⟩ ¬S
cut, R
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ ¬S

The next cut introduces an initial liveness assumption (cut premise abbreviated ①). The premise ① is proved identically to the correspondingly abbreviated premise from the derivation of dV≽ using axiom GEx because the ODE x′ = f(x) is assumed to have provable global solutions.
Γ, p = p, t = 0, ⟨x′ = f(x), t′ = 1⟩ p + ε()t > ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
①
cut
Γ, ε() >, p = p, i >, iε() = 1, t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

From the remaining open premise, axiom K⟨&⟩ is used with G ≡ p + ε()t >:

Γ, p = p, t = 0 ⊢ [x′ = f(x), t′ = 1 & S] p + ε()t ≤
K⟨&⟩
Γ, p = p, t = 0, ⟨x′ = f(x), t′ = 1⟩ p + ε()t > ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

Finally, a monotonicity step M[′] simplifies the postcondition using domain constraint S, yielding the left conjunct of the right premise of rule SP. The right premise after monotonicity is abbreviated ② and continued below.

S ⊢ p ≤
R
S, p ≥ p + ε()t ⊢ p + ε()t ≤
②
M[′]
Γ, p = p, t = 0 ⊢ [x′ = f(x), t′ = 1 & S] p + ε()t ≤

From ②, rule dI≽ yields the right conjunct of the right premise of rule SP.

S ⊢ ṗ ≥ ε()
dI≽
Γ, p = p, t = 0 ⊢ [x′ = f(x), t′ = 1 & S] p ≥ p + ε()t

Proof of Corollary 16.
Rule SPb is derived first since rule SPc follows as a corollary. Both proof rules make use of the fact that continuous functions on compact domains attain their extrema [37, Theorem 4.16]. Polynomial functions are continuous so this fact can be stated and proved as a formula of first-order real arithmetic [3]. The derivation of SPb is essentially similar to SP except that the use of the global existence axiom GEx is replaced by the bounded existence axiom BEx. It starts by using axiom K⟨&⟩ with G ≡ ¬S, yielding the left premise of SPb:

Γ ⊢ [x′ = f(x) & ¬P] S
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ ¬S
K⟨&⟩
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ P

Continuing on the resulting right premise from K⟨&⟩ (similarly to SP), the derivation introduces fresh variables p, i representing the initial value of p and the multiplicative inverse of ε() respectively using arithmetic cuts and Skolemizing (cut, R, ∃L). Rule dGt introduces a fresh time variable:

Γ, ε() >, p = p, iε() = 1, t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
cut, R, ∃L, dGt
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ ¬S

The set characterized by formula S is bounded so its closure is compact (with respect to variables x). On this compact closure, the continuous polynomial function p attains its maximum value, which implies that the value of p is bounded above in S and cannot increase without bound while staying in S. That is, the formula ∃p R(p) where R(p) ≡ ∀x (S(x) → p ≤ p) is valid in first-order real arithmetic and thus provable by R. This formula is added to the assumptions next and the existential quantifier is Skolemized with ∃L. The resulting symbolic constant p represents the upper bound of p on S.
Note that R(p) is constant for the ODE x′ = f(x), t′ = 1 because it does not mention any of the variables x (nor t) free:

Γ, ε() >, p = p, iε() = 1, t = 0, R(p) ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
∃L
Γ, ε() >, p = p, iε() = 1, t = 0, ∃p R(p) ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
cut, R
Γ, ε() >, p = p, iε() = 1, t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

Next, a cut introduces an initial liveness assumption saying that sufficient time exists for p to become greater than its upper bound p on S, which implies that the solution must leave S. This assumption is abbreviated T ≡ ⟨x′ = f(x), t′ = 1⟩ (¬S ∨ p + ε()t > p). The main difference from SP is that assumption T also adds a disjunction for the possibility of leaving S (which characterizes a bounded set). This cut premise is abbreviated ① and proved below.

Γ, p = p, t = 0, R(p), T ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
①
cut
Γ, ε() >, p = p, iε() = 1, t = 0, R(p) ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

Continuing from the open premise on the left, axiom K⟨&⟩ is used with G ≡ ¬S ∨ p + ε()t > p:

Γ, p = p, t = 0, R(p) ⊢ [x′ = f(x), t′ = 1 & S] (S ∧ p + ε()t ≤ p)
K⟨&⟩
Γ, p = p, t = 0, R(p), T ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

The postcondition of the resulting box modality is simplified with an M[′] monotonicity step. This crucially uses the assumption R(p), which is constant for the ODE.
A dI≽ step yields the remaining premise of SPb on the right, see the derivation labeled ⋆ immediately below:

∗
R
S, R(p) ⊢ p ≤ p
R
S, R(p), p ≥ p + ε()t ⊢ S ∧ p + ε()t ≤ p
⋆
M[′]
Γ, p = p, t = 0, R(p) ⊢ [x′ = f(x), t′ = 1 & S] (S ∧ p + ε()t ≤ p)

From ⋆:

S ⊢ ṗ ≥ ε()
dI≽
Γ, p = p, t = 0 ⊢ [x′ = f(x), t′ = 1 & S] p ≥ p + ε()t

From premise ①, a monotonicity step M⟨′⟩ equivalently rephrases the postcondition of the cut. Axiom BEx finishes the proof because formula S(x) is assumed to be bounded over variables x.

∗
BEx
⊢ ⟨x′ = f(x), t′ = 1⟩ (¬S ∨ t > i(p − p))
R, M⟨′⟩
ε() >, iε() = 1 ⊢ T

Next, to derive rule SPc from SPb, the compactness of the set characterized by S(x) implies that the (abbreviated) formula ∃ε> A(ε) where A(ε) ≡ ∀x (S(x) → ṗ ≥ ε) and the (abbreviated) formula B ≡ ∀x (S(x) → ṗ > ) are provably equivalent in first-order real arithmetic. Briefly, this provable equivalence follows from the fact that the continuous polynomial function ṗ is bounded below by its minimum on the compact set characterized by S(x), and this minimum is strictly positive. The following derivation of SPc threads these two formulas through the use of rule SPb. After Skolemizing ∃ε> A(ε) with ∃L, the resulting formula A(ε) is constant for the ODE x′ = f(x) so it is kept as a constant assumption across the use of SPb, leaving only the two premises of rule SPc:

Γ ⊢ [x′ = f(x) & ¬P] S
∗
R
S, A(ε) ⊢ ṗ ≥ ε
SPb
Γ, ε >, A(ε) ⊢ ⟨x′ = f(x)⟩ P
∃L
Γ, ∃ε> A(ε) ⊢ ⟨x′ = f(x)⟩ P
S ⊢ ṗ >
∀R, →R
⊢ B
R
⊢ ∃ε> A(ε)
cut
Γ ⊢ ⟨x′ = f(x)⟩ P

Proof of Corollary 17.
Rule SLyap derives from SPc with S ≡ ¬P ∧ K, since the intersection of a closed set with a compact set is compact. The resulting right premise from using SPc is the right premise of SLyap:

Γ, p ≽ ⊢ [x′ = f(x) & ¬P] (K ∧ ¬P)
¬P, K ⊢ ṗ >
SPc
Γ, p ≽ ⊢ ⟨x′ = f(x)⟩ P

Continuing from the left premise, a monotonicity step with the premise p ≥ ⊢ K turns the postcondition into p ≽. Rule Barr is used, which, along with the premise p ≥ ⊢ K, results in the premise of rule SLyap:

p ≥ ⊢ K
¬P, K ⊢ ṗ >
p ≥ ⊢ K
R
¬P, p = 0 ⊢ K
cut
¬P, p = 0 ⊢ ṗ >
Barr
p ≽ ⊢ [x′ = f(x) & ¬P] p ≽
M[′]
Γ, p ≽ ⊢ [x′ = f(x) & ¬P] (K ∧ ¬P)

B.3 Proofs for Liveness With Domain Constraints
Proof of Corollary 18.
The derivation uses axiom COR choosing R ≡ true, noting that p ≥ (resp. p >) characterizes a topologically closed (resp. open) set so the appropriate topological requirements of COR are satisfied. The resulting left premise is the left premise of dV≽&:

Γ ⊢ [x′ = f(x) & ¬(p ≽ )] Q
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ p ≽
COR
Γ, ε() >, ¬(p ≽ ) ⊢ ⟨x′ = f(x) & Q⟩ p ≽

The proof continues from the resulting right premise identically to the derivation of dV≽ until the step where dVΓ≽ is used. The steps are repeated briefly here.

Γ, p = p, t = 0, ⟨x′ = f(x), t′ = 1⟩ p + ε()t > ⊢ ⟨x′ = f(x), t′ = 1⟩ p ≽
cut, GEx
Γ, ε() >, p = p, iε() = 1, t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ p ≽
dGt
Γ, ε() >, p = p, iε() = 1 ⊢ ⟨x′ = f(x)⟩ p ≽
cut, R, ∃L
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ p ≽

Γ≽, axiom K⟨&⟩ is used with G ≡ p() + ε()t >. The key difference is an additional dC step, which adds Q to the domain constraint. The proof of this differential cut uses the left premise of dV≽&; it is labeled ① and shown below.
K⟨&⟩
dC
Γ, p = p(), t = 0 ⊢ [x′ = f(x), t′ = 1 & ¬(p ≽ ) ∧ Q] p() + ε()t ≤
①
Γ, p = p(), t = 0 ⊢ [x′ = f(x), t′ = 1 & ¬(p ≽ )] p() + ε()t ≤
, p = p, t = 0, ⟨x′ = f(x), t′ = 1⟩ p + ε()t > ⊢ ⟨x′ = f(x), t′ = 1⟩ p ≽

The derivation from the resulting left premise (after the cut) continues similarly to dVΓ≽ using a monotonicity step M[′] to rephrase the postcondition, followed by dI≽ which results in the right premise of dV≽&:

¬(p ≽ ), Q ⊢ ṗ ≥ ε()
dI≽
Γ, p = p(), t = 0 ⊢ [x′ = f(x), t′ = 1 & ¬(p ≽ ) ∧ Q] p ≥ p() + ε()t
M[′]
Γ, p = p(), t = 0 ⊢ [x′ = f(x), t′ = 1 & ¬(p ≽ ) ∧ Q] p() + ε()t ≤

The derivation from ① removes the time variable t using the inverse direction of rule dGt [28, 30, 31]. Just as rule dGt allows introducing a fresh time variable t for the sake of proof, its inverse direction simply removes the variable t since it is irrelevant for the proof of the differential cut.

Γ ⊢ [x′ = f(x) & ¬(p ≽ )] Q
dGt
Γ, p = p(), t = 0 ⊢ [x′ = f(x), t′ = 1 & ¬(p ≽ )] Q

Proof of Corollary 19.
The derivations of rules dV=&, dVM=& are similar to the derivations of rules dV=, dVM= respectively. Rule dVM=& derives from dV=& by monotonicity:

Q, p = 0 ⊢ P
Γ ⊢ [x′ = f(x) & p < ] Q
p <, Q ⊢ ṗ ≥ ε()
dV=&
Γ, ε() >, p ≤, Q ⊢ ⟨x′ = f(x) & Q⟩ p = 0
M⟨′⟩
Γ, ε() >, p ≤, Q ⊢ ⟨x′ = f(x) & Q⟩ P

The derivation of rule dV=& starts by using axiom K⟨&⟩ with G ≡ p ≥. The resulting box modality (right) premise is abbreviated ① and proved below. On the resulting left premise, a DX step adds the negated postcondition p < as an assumption to the antecedents since the domain constraint Q is true initially. Following that, rule dV≽& is used (with ≽ being ≥, since Q characterizes a closed set). This yields the two premises of dV=&:

Γ ⊢ [x′ = f(x) & p < ] Q
p <, Q ⊢ ṗ ≥ ε()
dV≽&
Γ, ε() >, p < ⊢ ⟨x′ = f(x) & Q⟩ p ≥
DX
Γ, ε() >, Q ⊢ ⟨x′ = f(x) & Q⟩ p ≥
①
K⟨&⟩
Γ, ε() >, p ≤, Q ⊢ ⟨x′ = f(x) & Q⟩ p = 0

From premise ①, the derivation is closed similarly to dV= using DX and Barr:

∗
R
p ≠ 0, p = 0 ⊢ ṗ <
Barr
p < ⊢ [x′ = f(x) & Q ∧ p ≠ 0] p <
DX
p ≤ ⊢ [x′ = f(x) & Q ∧ p ≠ 0] p <

Notably, the implemented differential cuts automation from Section 7.2 can add such a cut automatically.
Proof of Corollary 20.
The derivation of rule SLyap& starts by using DX to add assumption ¬P to the antecedents since the domain constraint p > is in the antecedents. Next, axiom COR is used. Its topological restrictions are met since both formulas P and p > characterize open sets. From the resulting right premise, rule SLyap yields the corresponding two premises of SLyap& because formula K (resp. P) characterizes a compact set (resp. open set):

Γ, p > ⊢ [x′ = f(x) & ¬P] p >
p ≥ ⊢ K
¬P, K ⊢ ṗ >
SLyap
Γ, p > ⊢ ⟨x′ = f(x)⟩ P
COR
Γ, p >, ¬P ⊢ ⟨x′ = f(x) & p > ⟩ P
DX
Γ, p > ⊢ ⟨x′ = f(x) & p > ⟩ P

From the leftmost open premise after COR, rule Barr is used and the resulting p = 0 assumption is turned into K using the left premise of SLyap&. The resulting open premises are the premises of SLyap&:

¬P, K ⊢ ṗ >
p ≥ ⊢ K
R
p = 0 ⊢ K
cut
¬P, p = 0 ⊢ ṗ >
Barr
Γ, p > ⊢ [x′ = f(x) & ¬P] p >

Proof of Corollary 21.
The derivation starts by using axiom SAR, which results in two premises:

Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] Q
Γ ⊢ ⟨x′ = f(x)⟩ P
SAR
Γ ⊢ ⟨x′ = f(x) & Q⟩ P

From the left premise after SAR, a monotonicity step turns the postcondition into S, yielding the left premise and first conjunct of the right premise of SP&.

S ⊢ Q
Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] S
M[′]
Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] Q

From the right premise after using axiom SAR, rule SP yields the remaining two premises of SP&:

Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] S
dW, DMP
Γ ⊢ [x′ = f(x) & ¬P] S
S ⊢ p ≤ ∧ ṗ ≥ ε()
SP
Γ ⊢ ⟨x′ = f(x)⟩ P

The dW, DMP step uses the propositional tautology ¬P → ¬(P ∧ Q) to weaken the domain constraint so that it matches the premise of rule SP&.

Proof of Corollary 22.
The chimeric proof rule SPkc& amalgamates ideas behind the rules SP&, dVk≽, SPc. It is therefore unsurprising that the derivation of SPkc& uses various steps from the derivations of those rules. The derivation of SPkc& starts similarly to SP& (following Corollary 21) using axiom SAR:

Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] Q
Γ ⊢ ⟨x′ = f(x)⟩ P
SAR
Γ ⊢ ⟨x′ = f(x) & Q⟩ P

S, yielding the left premise and first conjunct of the right premise of SPkc&.

Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] S
S ⊢ Q
M[′]
Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] Q

From the right premise after SAR, the derivation continues using K⟨&⟩ with G ≡ ¬S, followed by dW, DMP. The resulting left premise is (again) the left premise of SPkc&, while the resulting right premise is abbreviated ① and continued below:

Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] S
dW, DMP
Γ ⊢ [x′ = f(x) & ¬P] S
①
K⟨&⟩
Γ ⊢ ⟨x′ = f(x)⟩ P

The derivation continues from ① by intertwining proof ideas from Corollary 14 and Corollary 16. First, compactness of the set characterized by S(x) implies that the formula ∃ε> A(ε) where A(ε) ≡ ∀x (S(x) → ṗ(k) ≥ ε) and the formula B ≡ ∀x (S(x) → ṗ(k) > ) are provably equivalent in first-order real arithmetic. These facts are added to the assumptions similarly to the derivation of SPc. The resulting right open premise is the right conjunct of the right premise of SPkc&:

Γ, ε >, A(ε) ⊢ ⟨x′ = f(x)⟩ ¬S
∃L
Γ, ∃ε> A(ε) ⊢ ⟨x′ = f(x)⟩ ¬S
S ⊢ ṗ(k) >
∀R, →R
⊢ B
R
⊢ ∃ε> A(ε)
cut
Γ ⊢ ⟨x′ = f(x)⟩ ¬S

From the left premise, recall the derivation from Corollary 14 which introduces fresh variables for the initial values of the Lie derivatives with cut, R, ∃L. The derivation continues similarly here, with the resulting antecedents abbreviated Γ ≡ (Γ, p = p, …, ṗ(k− = ṗ(k− ). Rule dGt is also used to add time variable t to the system of equations.

Γ, ε >, A(ε), t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
dGt
Γ, ε >, A(ε) ⊢ ⟨x′ = f(x)⟩ ¬S
cut, R, ∃L
Γ, ε >, A(ε) ⊢ ⟨x′ = f(x)⟩ ¬S

Recall from Corollary 16 that the formula R(p) ≡ ∀x (S(x) → p ≤ p) can be added to the assumptions using cut, R, ∃L, for some fresh variable p symbolically representing the maximum value of p on the compact set characterized by S:

Γ, ε >, A(ε), t = 0, R(p) ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
cut, R, ∃L
Γ, ε >, A(ε), t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

One last arithmetic cut is needed to set up the sequence of differential cuts (24). Recall that the polynomial q(t) from (24) is eventually positive for sufficiently large values of t because its leading coefficient is strictly positive.
The same applies to the polynomial q(t) − p, so cut, R (and Skolemizing with ∃L) adds the formula ∀ t > t q(t) − p > to the assumptions:

Γ, ε >, A(ε), t = 0, R(p), ∀ t > t q(t) − p > ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
cut, R, ∃L
Γ, ε >, A(ε), t = 0, R(p) ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

Once all the arithmetic cuts are in place, an additional cut introduces a (bounded) sufficient duration assumption (antecedents temporarily abbreviated with … for brevity). The cut premise, abbreviated ①, is proved below:

Γ, …, ⟨x′ = f(x), t′ = 1⟩ (¬S ∨ q(t) − p > ) ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S
①
cut
Γ, ε >, A(ε), t = 0, R(p), ∀ t > t q(t) − p > ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

From the open premise on the left, axiom K⟨&⟩ is used with G ≡ ¬S ∨ q(t) − p >:

Γ, ε >, A(ε), t = 0, R(p) ⊢ [x′ = f(x), t′ = 1 & S] (S ∧ q(t) − p ≤ )
K⟨&⟩
Γ, …, ⟨x′ = f(x), t′ = 1⟩ (¬S ∨ q(t) − p > ) ⊢ ⟨x′ = f(x), t′ = 1⟩ ¬S

Next, a monotonicity step M[′] simplifies the postcondition using the (constant) assumption R(p) and the domain constraint S:

Γ, t = 0, A(ε) ⊢ [x′ = f(x), t′ = 1 & S] p ≥ q(t)
M[′]
Γ, ε >, A(ε), t = 0, R(p) ⊢ [x′ = f(x), t′ = 1 & S] (S ∧ q(t) − p ≤ )

The derivation closes using the chain of differential cuts from (24).
In the first dC step, the (constant) assumption A(ε) is used, see the derivation labeled ⋆ immediately below:

Γ, t = 0 ⊢ [x′ = f(x), t′ = 1 & S ∧ ṗ(k− ≥ ṗ(k− + ε()t] p ≥ q(t)
⋆
dC
Γ, t = 0, A(ε) ⊢ [x′ = f(x), t′ = 1 & S] p ≥ q(t)

From ⋆:

∗
R
A(ε), S ⊢ ṗ(k) ≥ ε()
dI≽
Γ, t = 0, A(ε) ⊢ [x′ = f(x), t′ = 1 & S] ṗ(k− ≥ ṗ(k− + ε()t

Subsequent dC, dI≽ steps are similar to the derivation in Corollary 14:

∗
dI≽
Γ, t = 0 ⊢ [x′ = f(x), t′ = 1 & ··· ∧ ṗ(1) ≥ ṗ(1)_0 + ··· + ε() t k−(k− ] p ≥ q(t)
dC, dI≽
...
dC, dI≽
Γ, t = 0 ⊢ [x′ = f(x), t′ = 1 & S ∧ ṗ(k− ≥ ṗ(k− + ε()t] p ≥ q(t)

From premise ①, a monotonicity step M⟨′⟩ rephrases the postcondition of the cut using the assumption ∀ t > t q(t) − p >. Axiom BEx finishes the derivation since formula S(x) characterizes a compact (hence bounded) set:

∗
BEx
⊢ ⟨x′ = f(x), t′ = 1⟩ (¬S ∨ t > t)
M⟨′⟩
∀ t > t q(t) − p > ⊢ ⟨x′ = f(x), t′ = 1⟩ (¬S ∨ q(t) − p > )

Proof of Corollary 23.
Rule Ec& derives from SPkc& with S ≡ Q ∧ ¬P and k = 1 because formula Q ∧ ¬P is assumed to characterize a compact set, as required by rule SPkc&:

Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] Q
M[′]
Γ ⊢ [x′ = f(x) & ¬(P ∧ Q)] (Q ∧ ¬P)
Q, ¬P ⊢ ṗ >
Q, ¬P ⊢ Q ∧ ṗ >
SPc
Γ ⊢ ⟨x′ = f(x) & Q⟩ P

The M[′] step uses the propositional tautology ¬(P ∧ Q) ∧ Q → Q ∧ ¬P.

B.4 Proofs for Implementation
Proof of Corollary 24.
The derivation starts with a cut of the sole premise of dV∃≽ (the left premise below). The existentially bound variable ε is renamed to δ throughout the derivation for clarity. After Skolemizing (with ∃L), rule dV≽ is used with ε() = δ. The universally quantified antecedent is constant for the ODE x′ = f(x) so it is soundly kept across the application of dV≽. This proof is completed propositionally with ∀L, →L.

Γ ⊢ ∃δ > ∀x (¬(p ≽ ) → ṗ ≥ δ)
∗
∀L, →L
∀x (¬(p ≽ ) → ṗ ≥ δ), ¬(p ≽ ) ⊢ ṗ ≥ δ
dV≽
δ >, ∀x (¬(p ≽ ) → ṗ ≥ δ) ⊢ ⟨x′ = f(x) & Q⟩ p ≽
∃L, ∧L
∃δ > ∀x (¬(p ≽ ) → ṗ ≥ δ) ⊢ ⟨x′ = f(x) & Q⟩ p ≽
cut
Γ ⊢ ⟨x′ = f(x) & Q⟩ p ≽

Proof of Corollary 25.
Assume that formulas P, G_P are in normal form as in Corollary 25. The derivation of rule dV uses variable b as a lower bound on the initial values of all terms p, q appearing in formula P. Formally, the formula ∃b ⋀_{i=0}^{M} (⋀_{j=0}^{m(i)} p_ij ≥ b ∧ ⋀_{j=0}^{n(i)} q_ij ≥ b) is a valid formula of real arithmetic and proves by R because P is a finite formula. The derivation starts similarly to dV≽ by introducing fresh variables b (for the bound above) and i representing the multiplicative inverse of ε() using arithmetic cuts cut, R. It then Skolemizes (∃L) and uses dGt to introduce a fresh time variable to the system of differential equations:

Γ, ε() >, ⋀_{i=0}^{M} (⋀_{j=0}^{m(i)} p_ij ≥ b ∧ ⋀_{j=0}^{n(i)} q_ij ≥ b), iε() = 1, t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ P
dGt
Γ, ε() >, ⋀_{i=0}^{M} (⋀_{j=0}^{m(i)} p_ij ≥ b ∧ ⋀_{j=0}^{n(i)} q_ij ≥ b), iε() = 1 ⊢ ⟨x′ = f(x)⟩ P
∃L
Γ, ε() >, ∃b ⋀_{i=0}^{M} (⋀_{j=0}^{m(i)} p_ij ≥ b ∧ ⋀_{j=0}^{n(i)} q_ij ≥ b), ∃i iε() = 1 ⊢ ⟨x′ = f(x)⟩ P
cut, R
Γ, ε() > ⊢ ⟨x′ = f(x)⟩ P

Next, the refinement axiom K⟨&⟩ is used with G ≡ (b + ε()t > ). This yields two premises, the right of which proves by GEx (after monotonically rephrasing with R, M⟨′⟩) because the ODE x′ = f(x) is assumed to have provable global solutions. The left premise from K⟨&⟩ is abbreviated ① and continued below.
K⟨&⟩
R, M⟨′⟩
GEx
∗
Γ ⊢ ⟨x′ = f(x), t′ = 1⟩ t > −ib
①
Γ, ε() >, iε() = 1 ⊢ ⟨x′ = f(x), t′ = 1⟩ (b + ε()t > )
, ε() >, ⋀_{i=0}^{M} (⋀_{j=0}^{m(i)} p_ij ≥ b ∧ ⋀_{j=0}^{n(i)} q_ij ≥ b), iε() = 1, t = 0 ⊢ ⟨x′ = f(x), t′ = 1⟩ P

Continuing from premise ①, monotonicity strengthens the postcondition from b + ε()t ≤ to G_P under the domain constraint assumption ¬P. This strengthening works because, assuming that ¬P and G_P are true in a given state, then propositionally, at least one of the following pairs (each pair listed horizontally) of sub-formulas of ¬P and G_P for some indices i, j are true in that state:

p_ij <        p_ij − (b + ε()t) ≥
q_ij ≤        q_ij − (b + ε()t) ≥

Either pair of formulas implies that formula b + ε()t ≤ is also true in that state, so the strengthening proves by M[′], R. Next, a cut, R step adds the formula G_P to the antecedents since t = 0 initially. Rule sAI& yields the sole premise of rule dV because G_P characterizes a closed set (Lemma 29).

¬P, (¬P)˙(∗), G_P ⊢ (G_P)˙(∗)
sAI&
G_P ⊢ [x′ = f(x), t′ = 1 & ¬P] G_P
cut, R
Γ, ⋀_{i=0}^{M} (⋀_{j=0}^{m(i)} p_ij ≥ b ∧ ⋀_{j=0}^{n(i)} q_ij ≥ b), t = 0 ⊢ [x′ = f(x), t′ = 1 & ¬P] G_P
M[′], R
Γ, ⋀_{i=0}^{M} (⋀_{j=0}^{m(i)} p_ij ≥ b ∧ ⋀_{j=0}^{n(i)} q_ij ≥ b), t = 0 ⊢ [x′ = f(x), t′ = 1 & ¬P] (b + ε()t ≤ )

Proof of Corollary 27.
The derivation of rule cR is seemingly straightforward using axiom CR followed by rule Enc on the resulting middle premise. There is a minor subtlety to address because the formula Q>≥ (with strict inequalities replacing non-strict ones in Q) is only a syntactic under-approximation of the interior of the set characterized by Q, and so the axiom CR does not immediately apply as stated. For example, formula x < x characterizes the empty set, while the formula x ≤ x characterizes the set of all states, whose interior is also the set of all states. However, since Q is a semialgebraic formula, there is a computable quantifier-free formula Q̊ that exactly characterizes its topological interior [3].

The derivation starts with a cut of the formula Q which yields the leftmost premise of rule cR. This is followed with DX, which adds formula ¬P to the antecedents because there is nothing to prove if both formulas Q and P are already true initially. The derivation then uses CR with the computable formula Q̊ characterizing the topological interior of formula Q. This yields two premises, the right of which corresponds to the rightmost premise of rule cR. From the resulting left premise (with postcondition Q̊), an M[′], R monotonicity step strengthens the postcondition because Q>≥ → Q̊ is a valid formula of real arithmetic. Rule Enc completes the derivation.

Γ ⊢ Q
Γ ⊢ [x′ = f(x) & R ∧ ¬P ∧ Q] Q>≥
Enc
Γ, Q ⊢ [x′ = f(x) & R ∧ ¬P] Q>≥
M[′], R
Γ, Q ⊢ [x′ = f(x) & R ∧ ¬P] Q̊
Γ ⊢ ⟨x′ = f(x) & R⟩ P
CR
Γ, Q, ¬P ⊢ ⟨x′ = f(x) & Q⟩ P
DX
Γ, Q ⊢ ⟨x′ = f(x) & Q⟩ P
cut
Γ ⊢ ⟨x′ = f(x) & Q⟩ P

C Counterexamples
This appendix gives explicit counterexamples to illustrate the soundness errors identified in Sections 5 and 6.
C.1 Finite Time Blow Up
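Added worked computation (not part of the original paper): the explicit solution behind the blow-up counterexample in this subsection. It assumes the ODE is u′ = u² with u(0) = 1, v(0) = 0, since the exponent on u is not legible in this rendering of the page and is therefore taken as an assumption.

```latex
\begin{align*}
&\text{Assumed ODE: } u' = u^{2},\; v' = 1, \qquad u(0) = 1,\; v(0) = 0. \\[4pt]
&\text{Separation of variables for } u:\quad
  \frac{du}{u^{2}} = dt
  \;\Longrightarrow\; -\frac{1}{u} = t + C,
  \qquad C = -\frac{1}{u(0)} = -1. \\[4pt]
&\text{Hence}\quad u(t) = \frac{1}{1-t}, \qquad v(t) = t, \qquad t \in [0,1). \\[4pt]
&\text{Check: } u'(t) = \frac{1}{(1-t)^{2}} = u(t)^{2},
  \qquad u(t) \to \infty \text{ as } t \to 1^{-}, \\
&\text{so the solution exists only on } [0,1) \text{ and cannot be continued past } t = 1. \\[4pt]
&\text{Along this solution } v(t) = t < 1, \text{ so no state with } v = c \text{ for } c \ge 1
  \text{ is ever reached,} \\
&\text{although for the decoupled ODE alone } \langle v' = 1 \rangle\, v = c
  \text{ holds (it is reached at } t = c). \\[4pt]
&\text{General initial value } u(0) = u_{0} > 0 \text{ (same computation): }
  u(t) = \frac{u_{0}}{1 - u_{0} t}, \text{ blow-up at } t = 1/u_{0}.
\end{align*}
```

The last line goes slightly beyond the page's case u(0) = 1: the blow-up time depends on the initial value, so a time bound that suffices for v alone can never be justified without also accounting for u.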
The soundness errors identified in Section 5 all arise because of incorrect handling of the fact that solutions may blow up in finite time. This phenomenon is studied in detail in Section 4, and it is illustrated by αn (see Fig. 1) or αb (see Example 1). The following is a counterexample for the original presentation of dV= (and dVM=, dV=&, dVM=&) [41]. Similar counterexamples can be constructed for [35, Remark 3.6] and for the original presentation of SLyap, SLyap& [36].

Counterexample. Consider rule dV= without the restriction that the ODE has provable global solutions. This unrestricted rule, denoted dV=✗, is unsound as shown by the following derivation using it with ε() = 1:

∗
R
v − < ⊢ ≥
dV=✗
v − ≤ ⊢ ⟨u′ = u, v′ = 1⟩ v −

The conclusion of this derivation is not valid. Consider an initial state ω satisfying the formula u = 1 ∧ v = 0. The explicit solution of the ODE from ω is given by u(t) = − t, v(t) = t for t ∈ [0, ). The solution does not exist beyond the time interval [0, ) because the u-coordinate asymptotically approaches ∞, i.e., blows up, as time approaches t = 1. It is impossible to reach a state satisfying v − from ω along this solution since at least time units are required.

This counterexample further illustrates the difficulty in handling nonlinear ODEs. Neither the precondition (v − ≤ ) nor the postcondition (v − ) mention the variable u, and the ODEs u′ = u, v′ = 1 do not depend on variables v, u respectively. It is tempting to discard the variable u entirely. Indeed, the liveness property v − ≤ → ⟨v′ = 1⟩ v − is valid. Yet, for liveness questions about the (original) ODE u′ = u, v′ = 1, the two variables are inextricably linked through the time axis of solutions to the ODE.

C.2 Topological Considerations
The soundness errors identified in Section 6 arise because of incorrect topological reasoning in subtle cases where the topological boundaries of the sets characterized by the domain constraint and desired liveness postcondition intersect. The original presentation of dV≽& [25] gives the following proof rule for atomic inequalities p ≽. For simplicity, assume that the ODE x′ = f(x) is globally Lipschitz continuous so that solutions exist for all time.

dV≽&✗:
Γ ⊢ [x′ = f(x) & p ≤ ] Q        ¬(p ≽ ), Q ⊢ ṗ ≥ ε()
Γ, ε() > ⊢ ⟨x′ = f(x) & Q⟩ p ≽

Compared to dV≽&, this omits the assumption ¬(p ≽ ) and makes no topological assumptions on the domain constraint Q. The following two counterexamples show that these two assumptions are necessary.

Counterexample. Consider the following derivation using the unsound rule dV≽&✗ with ε() = 1:

∗
dW, R
u > ⊢ [u′ = 1 & u ≤ ] u ≤
∗
R
u <, u ≤ ⊢ ≥
dV≽&✗
u > ⊢ ⟨u′ = 1 & u ≤ ⟩ u ≥

The conclusion of this derivation is not valid. In states where u > is true initially, the domain constraint is violated immediately so the diamond modality in the succedent is trivially false in these states.

Counterexample. This counterexample is adapted from [38, Example 142], which has a minor typographical error (the sign of an inequality is flipped). Consider the following derivation using the unsound rule dV≽&✗ with ε() = 1:

∗
dW, R
⊢ [u′ = 1 & u ≤ ] u ≤
∗
R
u ≤, u ≤ ⊢ ≥
dV≽&✗
⊢ ⟨u′ = 1 & u ≤ ⟩ u >

The conclusion of this derivation is not valid and, in fact, unsatisfiable.
The domain constraint u ≤ and the postcondition u > are contradictory, so no solution can reach a state satisfying both simultaneously.

The next two counterexamples are for the liveness arguments from [34, Corollary 1] and [35, Theorem 3.5]. For clarity, the original notation from [35, Theorem 3.5] is used. The following conjecture is quoted from [35, Theorem 3.5]:

Conjecture 30. Consider the system x′ = f(x), with f ∈ C(ℝⁿ, ℝⁿ). Let X ⊂ ℝⁿ, X₀ ⊆ X, and X_r ⊆ X be bounded sets. If there exists a function B ∈ C(ℝⁿ) satisfying:

$$
B(x) \le 0 \quad \forall x \in X_0 \tag{25}
$$
$$
B(x) > 0 \quad \forall x \in \partial X \setminus \partial X_r \tag{26}
$$
$$
\frac{\partial B}{\partial x} f(x) < 0 \quad \forall x \in X \setminus X_r \tag{27}
$$

Then the eventuality property holds, i.e., for all initial conditions x₀ ∈ X₀, the trajectory x(t) of the system starting at x(0) = x₀ satisfies x(T) ∈ X_r and x(t) ∈ X for all t ∈ [0, T] for some T ≥ 0.

The notation X̄ (resp. ∂X) denotes the topological closure (resp. boundary) of the set X. In [34, Corollary 1], stronger conditions are required. In particular, the sets X₀, X_r, X are additionally required to be topologically open, and the inequality in (25) is strict, i.e., B(x) < 0 instead of B(x) ≤ 0.

Figure 4: (Left) Visualization of Counterexample 10. The solution from initial point u = 0, v = 1 (X₀, in black) leaves the domain unit disk (X, boundary in blue) immediately without ever reaching its interior (X_r, in green with dashed boundary). The interior is slightly shrunk for clarity in the visualization: the blue and green boundaries should actually overlap exactly. (Right) Visualization of Counterexample 11. Solutions from the initial set (X₀, in black with dashed boundary) eventually enter the goal region (X_r, in green with dashed boundary). However, the domain (X, in blue with dashed boundary) shares an (open) boundary with X_r at v = 0 which solutions are not allowed to cross. As before, the sets are slightly shrunk for clarity in the visualization: the blue and green boundaries should actually overlap exactly. The level curve B = 0 is plotted in red. All points above the curve satisfy B < 0, while all points below it satisfy B > 0.

The soundness errors in both of these liveness arguments stem from the condition (26) being too permissive. For example, notice that if the sets ∂X, ∂X_r are equal then (26) is vacuously true. The first counterexample below applies for the requirements of [35, Theorem 3.5], while the second applies even for the more restrictive requirements of [34, Corollary 1].

Counterexample 10. Let the system x′ = f(x) be u′ = 0, v′ = 1.
Let X_r be the open unit disk characterized by u² + v² < 1, X be the closed unit disk characterized by u² + v² ≤ 1, and X₀ be the single point characterized by u = 0 ∧ v = 1. All of these sets are bounded. Note that ∂X \ ∂X_r = ∅ since both topological boundaries are the unit circle u² + v² = 1. Let B(u, v) = −v, so that

$$
\frac{\partial B}{\partial x} f(x) = \frac{\partial B}{\partial u}\cdot 0 + \frac{\partial B}{\partial v}\cdot 1 = -1 < 0
$$

and B ≤ 0 on X₀. All conditions of [35, Theorem 3.5] are met but the eventuality property is false. The trajectory from X₀ leaves X immediately and never enters X_r. This is visualized in Fig. 4 (Left).

Counterexample 11. Let the system x′ = f(x) be u′ = 0, v′ = 1. Let X_r be the set characterized by the formula u² + v² < 5 ∧ v > 0, X be the set characterized by the formula u² + v² < 5 ∧ v ≠ 0, and X₀ be the set characterized by the formula u² + (v + 1)² < . All of these sets are bounded and topologically open. Let B(u, v) = −v + u − , so that

$$
\frac{\partial B}{\partial x} f(x) = \frac{\partial B}{\partial u}\cdot 0 + \frac{\partial B}{\partial v}\cdot 1 = -1 < 0,
$$

and B < 0 on X₀. The set ∂X \ ∂X_r is characterized by the formula u² + v² = 5 ∧ v ≤ 0 and B is strictly positive on this set. These claims can be checked arithmetically; see Fig. 4 (Right) for a plot of the curve B = 0. All conditions of [34, Corollary 1] are met but the eventuality property is false. Solutions starting in X₀ eventually enter X_r but can only do so by leaving the domain constraint X at v = 0, see Fig. 4 (Right).

References

[1] Alessandro Abate, Alessandro D'Innocenzo, Maria Domenica Di Benedetto, and Shankar Sastry. Understanding deadlock and livelock behaviors in hybrid control systems. Nonlinear Anal. Hybrid Syst., 3(2):150–162, 2009. doi:10.1016/j.nahs.2008.12.005.
[2] Rajeev Alur. Principles of Cyber-Physical Systems. MIT Press, 2015.
[3] Jacek Bochnak, Michel Coste, and Marie-Françoise Roy. Real Algebraic Geometry. Springer, Heidelberg, 1998. doi:10.1007/978-3-662-03718-8.
[4] Brandon Bohrer, Yong Kiam Tan, Stefan Mitsch, Andrew Sogokon, and André Platzer. A formal safety net for waypoint-following in ground robots. IEEE Robot. Autom. Lett., 4(3):2910–2917, 2019. doi:10.1109/LRA.2019.2923099.
[5] Xin Chen, Erika Ábrahám, and Sriram Sankaranarayanan. Flow*: An analyzer for non-linear hybrid systems. In Natasha Sharygina and Helmut Veith, editors, CAV, volume 8044 of LNCS, pages 258–263, Heidelberg, 2013. Springer. doi:10.1007/978-3-642-39799-8_18.
[6] Carmen Chicone. Ordinary Differential Equations with Applications. Springer, New York, second edition, 2006. doi:10.1007/0-387-35794-7.
[7] Laurent Doyen, Goran Frehse, George J. Pappas, and André Platzer. Verification of hybrid systems. In Edmund M. Clarke, Thomas A. Henzinger, Helmut Veith, and Roderick Bloem, editors, Handbook of Model Checking, pages 1047–1110. Springer, Cham, 2018. doi:10.1007/978-3-319-10575-8_30.
[8] Parasara Sridhar Duggirala and Sayan Mitra. Lyapunov abstractions for inevitability of hybrid systems. In Thao Dang and Ian M. Mitchell, editors, HSCC, pages 115–124, New York, 2012. ACM. doi:10.1145/2185632.2185652.
[9] Goran Frehse, Colas Le Guernic, Alexandre Donzé, Scott Cotton, Rajarshi Ray, Olivier Lebeltel, Rodolfo Ripado, Antoine Girard, Thao Dang, and Oded Maler. SpaceEx: Scalable verification of hybrid systems. In Ganesh Gopalakrishnan and Shaz Qadeer, editors, CAV, volume 6806 of LNCS, pages 379–395, Heidelberg, 2011. Springer. doi:10.1007/978-3-642-22110-1_30.
[10] Nathan Fulton, Stefan Mitsch, Brandon Bohrer, and André Platzer. Bellerophon: Tactical theorem proving for hybrid systems. In Mauricio Ayala-Rincón and César A. Muñoz, editors, ITP, volume 10499 of LNCS, pages 207–224, Cham, 2017. Springer. doi:10.1007/978-3-319-66107-0_14.
[11] Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus Völp, and André Platzer. KeYmaera X: an axiomatic tactical theorem prover for hybrid systems. In Amy P. Felty and Aart Middeldorp, editors, CADE, volume 9195 of LNCS, pages 527–538, Cham, 2015. Springer. doi:10.1007/978-3-319-21401-6_36.
[12] Khalil Ghorbal and André Platzer. Characterizing algebraic invariants by differential radical invariants. In Erika Ábrahám and Klaus Havelund, editors, TACAS, volume 8413 of LNCS, pages 279–294, Heidelberg, 2014. Springer. doi:10.1007/978-3-642-54862-8_19.
[13] Eric Goubault and Sylvie Putot. Forward inner-approximated reachability of non-linear continuous systems. In Goran Frehse and Sayan Mitra, editors, HSCC, pages 1–10, New York, 2017. ACM. doi:10.1145/3049797.3049811.
[14] Daniel S. Graça, Jorge Buescu, and Manuel Lameiras Campagnolo. Boundedness of the domain of definition is undecidable for polynomial ODEs. Electron. Notes Theor. Comput. Sci., 202:49–57, 2008. doi:10.1016/j.entcs.2008.03.007.
[15] Daniel S. Graça, Manuel L. Campagnolo, and Jorge Buescu. Computability with polynomial differential equations. Adv. Appl. Math., 40(3):330–349, 2008. doi:10.1016/j.aam.2007.02.003.
[16] Wassim M. Haddad and VijaySekhar Chellaboina. Nonlinear Dynamical Systems and Control: A Lyapunov-based Approach. Princeton University Press, Princeton, NJ, 2008.
[17] David Harel. First-Order Dynamic Logic, volume 68 of LNCS. Springer, 1979. doi:10.1007/3-540-09237-4.
[18] Thomas A. Henzinger. The theory of hybrid automata. In LICS, pages 278–292. IEEE Computer Society, 1996. doi:10.1109/LICS.1996.561342.
[19] Hassan K. Khalil. Nonlinear Systems. Macmillan Publishing Company, New York, 1992.
[20] Logic in Computer Science (LICS), 2012 27th Annual IEEE Symposium on, Los Alamitos, 2012. IEEE.
[21] Jiang Liu, Naijun Zhan, and Hengjun Zhao. Computing semi-algebraic invariants for polynomial dynamical systems. In Samarjit Chakraborty, Ahmed Jerraya, Sanjoy K. Baruah, and Sebastian Fischmeister, editors, EMSOFT, pages 97–106, New York, 2011. ACM. doi:10.1145/2038642.2038659.
[22] Zohar Manna and Amir Pnueli. The Temporal Logic of Reactive and Concurrent Systems - Specification. Springer, New York, 1992. doi:10.1007/978-1-4612-0931-7.
[23] Susan S. Owicki and Leslie Lamport. Proving liveness properties of concurrent programs. ACM Trans. Program. Lang. Syst., 4(3):455–495, 1982. doi:10.1145/357172.357178.
[24] A. Papachristodoulou and S. Prajna. On the construction of Lyapunov functions using the sum of squares decomposition. In CDC, volume 3, pages 3482–3487. IEEE, 2002. doi:10.1109/CDC.2002.1184414.
[25] André Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput., 20(1):309–352, 2010. doi:10.1093/logcom/exn070.
[26] André Platzer. The complete proof theory of hybrid systems. In LICS [20], pages 541–550. doi:10.1109/LICS.2012.64.
[27] André Platzer. Logics of dynamical systems. In LICS [20], pages 13–24. doi:10.1109/LICS.2012.13.
[28] André Platzer. A complete uniform substitution calculus for differential dynamic logic. J. Autom. Reasoning, 59(2):219–265, 2017. doi:10.1007/s10817-016-9385-1.
[29] André Platzer. Differential hybrid games. ACM Trans. Comput. Log., 18(3):19:1–19:44, 2017. doi:10.1145/3091123.
[30] André Platzer. Logical Foundations of Cyber-Physical Systems. Springer, Cham, 2018. doi:10.1007/978-3-319-63588-0.
[31] André Platzer and Yong Kiam Tan. Differential equation invariance axiomatization. J. ACM, 67(1), 2020. doi:10.1145/3380825.
[32] Andreas Podelski and Silke Wagner. Model checking of hybrid systems: From reachability towards stability. In João P. Hespanha and Ashish Tiwari, editors, HSCC, volume 3927 of LNCS, pages 507–521, Heidelberg, 2006. Springer. doi:10.1007/11730637_38.
[33] Stephen Prajna, Ali Jadbabaie, and George J. Pappas. A framework for worst-case and stochastic safety verification using barrier certificates. IEEE Trans. Automat. Contr., 52(8):1415–1428, 2007. doi:10.1109/TAC.2007.902736.
[34] Stephen Prajna and Anders Rantzer. Primal-dual tests for safety and reachability. In Manfred Morari and Lothar Thiele, editors, HSCC, volume 3414 of LNCS, pages 542–556, Heidelberg, 2005. Springer. doi:10.1007/978-3-540-31954-2_35.
[35] Stephen Prajna and Anders Rantzer. Convex programs for temporal verification of nonlinear dynamical systems. SIAM J. Control Optim., 46(3):999–1021, 2007. doi:10.1137/050645178.
[36] Stefan Ratschan and Zhikun She. Providing a basin of attraction to a target region of polynomial systems by computation of Lyapunov-like functions. SIAM J. Control Optim., 48(7):4377–4394, 2010. doi:10.1137/090749955.
[37] Walter Rudin. Principles of Mathematical Analysis. McGraw-Hill, third edition, 1976.
[38] Andrew Sogokon. Direct methods for deductive verification of temporal properties in continuous dynamical systems. PhD thesis, Laboratory for Foundations of Computer Science, School of Informatics, University of Edinburgh, 2016.
[39] Andrew Sogokon and Paul B. Jackson. Direct formal verification of liveness properties in continuous and hybrid dynamical systems. In Nikolaj Bjørner and Frank S. de Boer, editors, FM, volume 9109 of LNCS, pages 514–531, Cham, 2015. Springer. doi:10.1007/978-3-319-19249-9_32.
[40] Andrew Sogokon, Paul B. Jackson, and Taylor T. Johnson. Verifying safety and persistence in hybrid systems using flowpipes and continuous invariants. J. Autom. Reasoning, 63(4):1005–1029, 2019. doi:10.1007/s10817-018-9497-x.
[41] Ankur Taly and Ashish Tiwari. Switching logic synthesis for reachability. In Luca P. Carloni and Stavros Tripakis, editors, EMSOFT, pages 19–28, New York, 2010. ACM. doi:10.1145/1879021.1879025.
[42] Yong Kiam Tan and André Platzer. An axiomatic approach to liveness for differential equations. In Maurice H. ter Beek, Annabelle McIver, and José N. Oliveira, editors, FM, volume 11800 of LNCS, pages 371–388. Springer, 2019. doi:10.1007/978-3-030-30942-8_23.
[43] Wolfgang Walter. Ordinary Differential Equations. Springer, New York, 1998. doi:10.1007/978-1-4612-0601-9.
[44] Jun Zhang, Karl Henrik Johansson, John Lygeros, and Shankar Sastry. Zeno hybrid systems. Int. J. Robust Nonlinear Control, 11(5):435–451, 2001. doi:10.1002/rnc.592.