Characterizing Positively Invariant Sets: Inductive and Topological Methods
Khalil Ghorbal, Andrew Sogokon
September 19, 2020
Abstract
Set positive invariance is an important concept in the theory of dynamical systems and one which also has practical applications in areas of computer science, such as formal verification, as well as in control theory. Great progress has been made in understanding positively invariant sets in continuous dynamical systems and powerful computational tools have been developed for reasoning about them; however, many of the insights from recent developments in this area have largely remained folklore and are not elaborated in existing literature. This article contributes an explicit development of modern methods for checking positively invariant sets of ordinary differential equations and describes two possible characterizations of positive invariants: one based on the real induction principle, and a novel alternative based on topological notions. The two characterizations, while in a certain sense equivalent, lead to two different decision procedures for checking whether a given semi-algebraic set is positively invariant under the flow of a system of polynomial ordinary differential equations.

Keywords: Ordinary differential equations, dynamical systems, positively invariant sets, polynomial vector fields, decision procedures.
Reasoning about the behaviour of transition systems often relies on inductive invariants (i.e. properties that are true initially and are preserved under the transition relation). The computer science notion of an inductive invariant is analogous to that of a positively invariant set in dynamical systems (positively invariant sets are preserved under the evolution of the system according to its dynamics as time advances). Positively invariant sets (of both discrete and continuous dynamical systems) have been studied extensively and there exists rich literature devoted to this subject Blanchini [1999]. Systems that evolve continuously from state to state – e.g. systems described by ordinary differential equations (ODEs) – have become the focus of considerable research interest in computer science, especially in the area of so-called hybrid systems, which studies systems that combine discrete and continuous dynamics. Significant progress has been made over the past decade in the methods for algorithmically checking inductive invariants of ODEs (i.e. deciding whether a given set is positively invariant); these methods provide powerful tools for reasoning about the temporal behaviour of ODEs without the need to explicitly solve them. For example, one may use an inductive invariant to prove that a system cannot evolve from a given set of initial conditions into a state which is deemed undesirable or unsafe (e.g. if the ODEs describe the motion of physical objects, one may wish to know that there will be no collisions between these objects).

Contributions. This article presents a self-contained development of two alternative characterizations of positively invariant sets of continuous systems: one based on the real induction principle (described in Section 3), and an alternative (and to the authors' knowledge yet unpublished) topological characterization (in Section 4) which is based on the notion of exit sets Conley [1978]. In the case of semi-algebraic sets and polynomial ODEs, the two characterizations lend themselves to two alternative decision procedures for checking positive set invariance, both of which are described in detail. Section 4.3 presents a new algorithm that exploits concepts from both characterizations in order to more efficiently decide positive invariance of semi-algebraic sets that are described by formulas with non-trivial Boolean structure. The procedure works by splitting the problem into simpler sub-problems that are faster to check, reminiscent of divide-and-conquer algorithms.
A system of autonomous ordinary differential equations (ODEs) has the form
$$x_1' = f_1(x_1, \ldots, x_n), \quad \ldots, \quad x_n' = f_n(x_1, \ldots, x_n),$$
where $x_i'$ stands for the time derivative $\frac{dx_i}{dt}$ and $f = (f_1, f_2, \ldots, f_n)$ is a vector-valued continuous function (which defines a vector field on $\mathbb{R}^n$); we will write such a system more concisely as $x' = f(x)$. We will denote by $\varphi(\cdot, x)$ the solution to the initial value problem $x' = f(x)$ with initial value $x \in \mathbb{R}^n$. We will only consider systems in which solutions to initial value problems always exist (at least locally) and are unique (e.g. local Lipschitz continuity of $f$ is sufficient to guarantee this property). When we quantify solutions over time $t$, it only makes sense to consider $t$ in the maximal interval of existence $I_x$, which in our case exists for any $x$ and contains 0. In order to simplify our presentation, we will quantify over "all forward time" by writing $\forall t \geq 0$, even though $\varphi(\cdot, x)$ may only be defined for $t \in I_x$. The mapping $\varphi$ is known as the (local) flow of the vector field $f$.

Definition 1 (Positively invariant set). Given a system of ODEs $x' = f(x)$, a set $S \subseteq \mathbb{R}^n$ is positively invariant if and only if no solution starting inside $S$ can leave $S$ in the future, i.e. just when the following holds:
$$\forall x \in S.\ \forall t \geq 0.\ \varphi(t, x) \in S.$$
Remark 2.
Some authors (e.g. Blanchini and Miani [2008]) favour a definition of positively invariant sets in which the solutions $\varphi(t, x)$ are explicitly required to exist for all time $t \geq 0$, by imposing a global Lipschitz continuity requirement on the vector field $f$, whereas others (e.g. Redheffer [1972]) simply require that solutions emanating from the set $S$ remain inside $S$ for as long as they exist in the future (Definition 1 is stated in this spirit).

The first necessary and sufficient condition (i.e. characterization) for positive invariance of closed sets and systems of ODEs with unique solutions (but without requiring knowledge of the solutions $\varphi$) was given by Nagumo [1942] (Nagumo's result was in fact a little more general in that it did not require unique solutions and focused on so-called weak positive invariance, which is identical to positive invariance when solutions are unique), and was later independently found by numerous other mathematicians (the interested reader is invited to consult Blanchini [1999], [Blanchini and Miani, 2008, §§ 10, XV, XVI] for more details about Nagumo's theorem and its multiple rediscoveries). Informally, Nagumo's theorem states that a closed set $S$ is positively invariant if and only if at each point $x$ on the boundary of $S$ the vector $f(x)$ points into the interior of the set or is tangent to it. The theorem may be easily applied in cases where the set $S$ is a sub-level set of a differentiable real-valued function $g$, i.e. a set defined as $\{x \in \mathbb{R}^n \mid g(x) \leq 0\}$, provided that the gradient vector $\nabla g(x)$ is non-vanishing (i.e. non-zero) whenever $g(x) = 0$ (intuitively this ensures that the boundary of $S$ is smooth): in this special case Nagumo's theorem says that $S$ is positively invariant if and only if $g'(x) \leq 0$ for all $x$ such that $g(x) = 0$, where $g'$ denotes the (first) Lie derivative of $g$ with respect to the vector field $f$, which is defined by
$$g' \overset{\text{def}}{=} \nabla g \cdot f = \sum_{i=1}^{n} \frac{\partial g}{\partial x_i} f_i.$$

Remark 3.
Applying Nagumo's theorem in practice becomes problematic when the boundary of $S$ is not smooth, e.g. when the set $\{x \in \mathbb{R}^n \mid g(x) = 0\}$ contains singularities (points $x$ where the gradient vanishes, i.e. $\nabla g(x) = 0$); these issues have been explored by Taly and Tiwari [2009]. In order to apply the theorem more generally to sets that are intersections of sub-level sets, i.e. $\{x \in \mathbb{R}^n \mid g_i(x) \leq 0,\ i = 1, \ldots, k\}$, one likewise needs to be very careful; [Blanchini and Miani, 2008, Ch. 4, Def. 4.9] introduced so-called practical sets expressly to deal with these issues.

In the following sections we will be concerned with characterizations of positive invariance that are of a very different nature to that of Nagumo's result (which provides a characterization only for closed sets, is obtained using the tools of real analysis, and comes without effective computational means of applying it). We begin with a characterization based on the principle of real induction, which may be effectively applied using tools from commutative algebra and real algebraic geometry.
Let us consider the following construction for a given set $S \subseteq \mathbb{R}^n$ and a locally Lipschitz system of ODEs $x' = f(x)$:
$$\mathrm{In}_f(S) \overset{\text{def}}{=} \{x \in \mathbb{R}^n \mid \exists \varepsilon > 0.\ \forall t \in (0, \varepsilon).\ \varphi(t, x) \in S\}.$$
When the flow is reversed, one obtains a similar construction for negative time:
$$\mathrm{In}_{-f}(S) = \{x \in \mathbb{R}^n \mid \exists \varepsilon > 0.\ \forall t \in (0, \varepsilon).\ \varphi(-t, x) \in S\}.$$
It is useful to intuitively think of these as sets of states from which the system will evolve inside $S$ for some non-trivial time interval "immediately in the future" and, respectively, has evolved inside $S$ for some non-trivial time interval "immediately in the past".

Remark 4.
Notice that the interior of $S$ is always contained inside $\mathrm{In}_f(S)$ and the inclusion $S \subseteq \mathrm{In}_f(S)$ therefore holds trivially whenever $S$ is an open set. When $S$ is a closed set, its complement $S^c$ is open and we necessarily have the inclusion $S^c \subseteq \mathrm{In}_f(S^c)$. A quick glance at the definitions
$$\mathrm{In}_f(S^c) = \{x \in \mathbb{R}^n \mid \exists \varepsilon > 0.\ \forall t \in (0, \varepsilon).\ \varphi(t, x) \notin S\},$$
$$\mathrm{In}_f(S)^c = \{x \in \mathbb{R}^n \mid \forall \varepsilon > 0.\ \exists t \in (0, \varepsilon).\ \varphi(t, x) \notin S\},$$
reveals the following inclusion: $\mathrm{In}_f(S^c) \subseteq \mathrm{In}_f(S)^c$. Whenever $S$ is a closed set, we therefore have that $S^c \subseteq \mathrm{In}_f(S)^c$ or, if we prefer, $\mathrm{In}_f(S) \subseteq S$.

These constructions can be used to state the following characterization of positively invariant sets, which is a corollary to [Liu et al., 2011, Thm. 19].
Theorem 5 (Liu et al. [2011]). A set $S \subseteq \mathbb{R}^n$ is positively invariant under the flow of the system $x' = f(x)$ if and only if $S \subseteq \mathrm{In}_f(S)$ and $S^c \subseteq \mathrm{In}_{-f}(S^c)$.

We remark that (unlike Nagumo's theorem) the above result makes no assumptions about the set $S$ being closed, or open. As such, Theorem 5 is very general and applies to all sets and systems of ODEs with locally unique solutions. While not remarked upon at all by Liu et al. [2011], the result in Theorem 5 can be understood and elegantly proved using induction over the non-negative real numbers. Though there are many different variations of induction over the reals (e.g. see Clark [2019]), this method of proof appears to be far less well known than standard mathematical induction over the natural numbers.
Lemma 6 (Real induction). A predicate $P(t)$ holds for all $t \geq 0$ if and only if:
1. $P(0)$,
2. $\forall t \geq 0.\ \neg P(t) \to \exists \varepsilon > 0.\ \forall T \in (t - \varepsilon, t).\ \neg P(T)$,
3. $\forall t \geq 0.\ P(t) \to \exists \varepsilon > 0.\ \forall T \in (t, t + \varepsilon).\ P(T)$.

Proof. Necessity is obvious. Sufficiency is easy to show by considering (for contradiction) the time $t^* = \inf\{t \geq 0 \mid \neg P(t)\}$. By 1. and 3. we have that $t^* \neq 0$, so $t^*$ must be positive, but in this case $P(t)$ holds for all $t \in [0, t^*)$ (by definition). If $P(t^*)$, then $t^*$ cannot be an infimum (by 3.), and if $\neg P(t^*)$ then (by 2.) we have that $\neg P(t)$ holds for all $t \in (t^* - \varepsilon, t^*)$ for some $\varepsilon > 0$; a contradiction.

We note that it is condition 2. in Lemma 6 which is responsible for obtaining the contradiction in the proof. In fact, condition 2. can be replaced by a weaker condition
2*. $\forall t \geq 0.\ \neg P(t) \to \exists T \in [0, t).\ \neg P(T)$,
from which one directly obtains the required contradiction (cf. proof of Lemma 6). This weaker condition may be equivalently stated in its contrapositive form, i.e.
2*. $\forall t \geq 0.\ P(t) \leftarrow \forall T \in [0, t).\ P(T)$.
In particular, many of the published induction principles for the reals are phrased this way. (The difference between employing condition 2. as opposed to 2*. for real induction in Lemma 6 is in some sense analogous to the difference between strong induction and ordinary mathematical induction over the natural numbers, respectively.) For completeness, we include below a statement of Hathaway's continuity induction, which is very similar to the notion of real induction in Clark [2019]. The proof is essentially identical to that of Lemma 6.

Lemma 7 (Continuity induction Hathaway [2011]). A predicate $P(t)$ holds for all $t \in [0, T]$, where $T > 0$, if and only if:
1. $P(0)$ holds,
2. $\forall \tau \in (0, T].\ \big((\forall \tau' \in [0, \tau).\ P(\tau')) \to P(\tau)\big)$,
3. $\forall \tau \in [0, T).\ \big((\forall \tau' \in [0, \tau].\ P(\tau')) \to (\exists \varepsilon > 0.\ \forall \tau'' \in (\tau, \tau + \varepsilon).\ P(\tau''))\big)$.

Taking $\varphi(t, x) \in S$ to be the predicate $P(t)$, the real induction principle can be used to easily prove Theorem 5. (This idea was first suggested by Paul B. Jackson and Kousha Etessami (School of Informatics, University of Edinburgh) in private communication with the second author.) However, the main practical difficulty in applying Theorem 5 lies in the fact that its statement features sets $\mathrm{In}_f(S)$ and $\mathrm{In}_{-f}(S^c)$ which are defined in terms of solutions to a system of differential equations; the theorem says nothing about our ability to construct these sets or reason about their inclusion. The following section will elucidate how this problem is addressed using tools from algebraic geometry in the important case where the set $S$ is semi-algebraic and the right-hand side of the system $x' = f(x)$ is polynomial.

In this section we describe a procedure for deciding whether a given set is positively invariant or not. For this we first require a few basic results. Let $g : \mathbb{R}^n \to \mathbb{R}$ denote a real-valued function. The zero-th Lie derivative of $g$ is $g$ itself, the first order Lie derivative $g' \overset{\text{def}}{=} \nabla g \cdot f$ corresponds to the total derivative of $t \mapsto g(\varphi(t, x))$ with respect to time $t$, and higher-order Lie derivatives are defined inductively, i.e. $g'' = (g')'$; the $k$-th order Lie derivative of $g$ will be denoted by $g^{(k)}$. We will require the fact that unique solutions to real analytic systems of ODEs are also real analytic [Chicone, 2006, Thm 1.3]. Whenever $g$ is a real analytic function, its Taylor series expansion
$$g(\varphi(t, x)) = g(x) + g'(x)\,t + g''(x)\,\frac{t^2}{2!} + \cdots$$
converges in some time interval $(\varepsilon_l, \varepsilon_u)$, where $\varepsilon_l < 0 < \varepsilon_u$. The set of states $\{x \in \mathbb{R}^n \mid g(x) = 0\}$, simply denoted by $g = 0$ in the sequel, remains invariant under the flow for some non-trivial forward time interval if and only if all Lie derivatives $g^{(k)}$, $k \geq 1$, vanish whenever $g(x) = 0$.

Remark 8.
We will abuse notation slightly in this article by interchangeably using sets and formulas characterizing those sets. For example, we will use formulas in the arguments to $\mathrm{In}_f$ and $\mathrm{In}_{-f}$ (from Theorem 5). However, when describing sets we will use set-theoretic symbols $\cup$ and $\cap$ for set union and intersection, respectively, and will let $S^c$ denote the complement of $S$; when we are working with formulas, we will instead employ the corresponding logical symbols $\vee$ and $\wedge$ for disjunction and conjunction, and $\neg$ for negation. The set $\mathbb{R}^n$ (resp. $\emptyset$) will be syntactically represented by the symbol $\mathsf{T}$ (resp. $\mathsf{F}$).

For the characterization in Theorem 5, we thus have
$$\mathrm{In}_f(g = 0) = g = 0 \cap g' = 0 \cap g'' = 0 \cap g''' = 0 \cap \cdots$$
which is characterized by the following infinite "formula" (technically, a formula can only be finite, hence the quotes for such hypothetical objects):
$$\text{“}\ \mathrm{In}_f(g = 0) \equiv g = 0 \wedge g' = 0 \wedge g'' = 0 \wedge g''' = 0 \wedge \cdots\ \text{”}.$$
For the set $\{x \in \mathbb{R}^n \mid g(x) < 0\}$, which we concisely denote by the formula $g < 0$, the situation is similar: characterizing $\mathrm{In}_f(g < 0)$ in Theorem 5 requires an infinite construction
$$\text{“}\ \mathrm{In}_f(g < 0) \equiv g < 0 \vee (g = 0 \wedge g' < 0) \vee (g = 0 \wedge g' = 0 \wedge g'' < 0) \vee (g = 0 \wedge g' = 0 \wedge g'' = 0 \wedge g''' < 0) \vee \cdots\ \text{”},$$
the intuition being that the first non-vanishing Lie derivative of $g$ needs to be negative at a point $x$ satisfying $g(x) = 0$ in order for the flow $\varphi(t, x)$ to enter the set $g < 0$ for $t \in (0, \varepsilon)$, for some positive $\varepsilon$.

Remark 9.
One may draw physical analogies here, e.g. to the motion of a vehicle: if the velocity is 0, then it is the sign of the acceleration term that determines whether the vehicle will move forward in the next time instant; if both the velocity and the acceleration are 0, it is the sign of the derivative of the acceleration (i.e. the sign of the jerk term), and so forth.

The decision procedure developed by Liu et al. [2011] rests on the fact that for a polynomial function $p$ and a polynomial system of ODEs $x' = f(x)$, the formulas characterizing $\mathrm{In}_f(p = 0)$ and $\mathrm{In}_f(p < 0)$ are indeed finite. To see why this is true, note that whenever $p$ and the components $f_1, f_2, \ldots, f_n$ that make up $f$ are polynomials, all the formal Lie derivatives $p', p'', \ldots$ are also guaranteed to be polynomials. Let us now recall the ascending chain property of ideals in the polynomial ring $\mathbb{R}[x_1, \ldots, x_n]$ – a consequence of Hilbert's basis theorem and the fact that $\mathbb{R}$ is a Noetherian ring [Cox et al., 2015, Ch. 2, Thm. 7].

Lemma 10.
Let $p \in \mathbb{R}[x_1, \ldots, x_n]$, then the ascending chain of ideals
$$\langle p \rangle \subseteq \langle p, p' \rangle \subseteq \langle p, p', p'' \rangle \subseteq \cdots$$
is finite, i.e. there exists a $k \in \mathbb{N}$ such that $\langle p, p', \ldots, p^{(k)} \rangle = \langle p, p', \ldots, p^{(K)} \rangle$ for all $K \geq k$.

For a given $p$, we denote the smallest $k$ in the above lemma by $\mathrm{ord}_f(p)$ and say that it defines the order of $p$ with respect to the system of polynomial ODEs $x' = f(x)$. (Using terminology from differential algebra Ritt [1950], one may say that the ideal $\langle p, p', \ldots, p^{(\mathrm{ord}_f(p))} \rangle$ is a differential ideal.) In practice, we can always compute $\mathrm{ord}_f(p)$ by simply computing successive formal Lie derivatives of $p$ and successively checking whether
$$p^{(k+1)} \in \langle p, p', p'', \ldots, p^{(k)} \rangle$$
holds for $k = 1, 2, 3, \ldots$, until the membership check succeeds, which would imply that the ideal chain has stabilized (the fact that this process terminates is guaranteed by Lemma 10). The ideal membership check can be easily performed by reducing the polynomial $p^{(k+1)}$ by the Gröbner basis of $\{p, p', \ldots, p^{(k)}\}$ for each successive $k$ and checking whether the remainder is 0. An upper bound on the length of the ascending chain of ideals generated by successive Lie derivatives of $p$ was obtained by [Novikov and Yakovenko, 1999, Thm. 4]; this bound is doubly-exponential in the […]

Whenever $p, p', \ldots, p^{(\mathrm{ord}_f(p))}$ are all simultaneously 0, all higher derivatives must also be zero. More formally:
$$p = 0 \wedge p' = 0 \wedge p'' = 0 \wedge \cdots \wedge p^{(\mathrm{ord}_f(p))} = 0 \ \to\ \forall K > \mathrm{ord}_f(p).\ p^{(K)} = 0.$$
Using this fact one can construct perfectly legitimate formulas that provide a finite characterization of $\mathrm{In}_f(p = 0)$ and $\mathrm{In}_f(p < 0)$:
$$\mathrm{In}_f(p = 0) \equiv (p = 0 \wedge p' = 0 \wedge p'' = 0 \wedge \cdots \wedge p^{(\mathrm{ord}_f(p))} = 0),$$
$$\mathrm{In}_f(p < 0) \equiv p < 0 \vee (p = 0 \wedge p' < 0) \vee (p = 0 \wedge p' = 0 \wedge p'' < 0) \vee \cdots \vee (p = 0 \wedge p' = 0 \wedge p'' = 0 \wedge \cdots \wedge p^{(\mathrm{ord}_f(p))} < 0).$$
To obtain $\mathrm{In}_f(p = 0)$ and $\mathrm{In}_f(p < 0)$, one may compute the Lie derivatives generating the chain $\langle p, p', p'', \ldots, p^{(k)} \rangle$ and construct $\mathrm{In}_f(p = 0)$ and $\mathrm{In}_f(p < 0)$ using these derivatives directly (as above), following Liu et al. [2011]. However, this construction can be improved if one realizes that only the remainders of the Lie derivatives are needed for this construction, as will be shown in the following lemma. The practical advantage afforded by doing this concerns the degree of the remainder polynomials, which is typically lower than that of the Lie derivatives themselves.
Lemma 11.
Given a polynomial $p$ and a system of polynomial ODEs $x' = f(x)$, let $\mathrm{rem}_0 = p$ and let $\mathrm{rem}_{i+1}$ be defined inductively as the remainder obtained from polynomial reduction (i.e. multivariate polynomial division) of the Lie derivative $\mathrm{rem}_i'$ by the polynomials $\{\mathrm{rem}_0, \mathrm{rem}_1, \ldots, \mathrm{rem}_i\}$. Then for all $i \geq 0$,
$$\mathrm{rem}_i = p^{(i)} - \sum_{j=0}^{i-1} \alpha_{ij}\, p^{(j)}$$
for some polynomials $\alpha_{ij}$.

Proof. By strong induction. Base case: $\mathrm{rem}_0 = p = p^{(0)}$. For an inductive hypothesis, assume that $\mathrm{rem}_k = p^{(k)} - \sum_{j=0}^{k-1} \alpha_{kj}\, p^{(j)}$ holds for all $k \leq n$. Since $\mathrm{rem}_{n+1}$ is the remainder upon the reduction of $\mathrm{rem}_n'$ by $\{\mathrm{rem}_0, \ldots, \mathrm{rem}_n\}$, we have $\mathrm{rem}_{n+1} = \mathrm{rem}_n' - \sum_{i=0}^{n} \beta_i\, \mathrm{rem}_i$, where $\beta_0, \ldots, \beta_n$ are polynomials. From our inductive hypothesis and by applying the product rule for differentiation we have
$$\mathrm{rem}_n' = p^{(n+1)} - \sum_{j=0}^{n-1} \big(\alpha_{nj}\, p^{(j)}\big)' = p^{(n+1)} - \sum_{j=0}^{n} \gamma_j\, p^{(j)} \qquad (1)$$
where $\gamma_0, \ldots, \gamma_n$ are polynomials, and
$$\mathrm{rem}_{n+1} = \mathrm{rem}_n' - \sum_{i=0}^{n} \beta_i\, \mathrm{rem}_i \quad \text{[from the definition]}$$
$$= p^{(n+1)} - \sum_{j=0}^{n} \gamma_j\, p^{(j)} - \sum_{i=0}^{n} \beta_i\, \mathrm{rem}_i \quad \text{[from (1)]}$$
$$= p^{(n+1)} - \sum_{j=0}^{n} \gamma_j\, p^{(j)} - \sum_{i=0}^{n} \beta_i \Big(p^{(i)} - \sum_{l=0}^{i-1} \alpha_{il}\, p^{(l)}\Big) \quad \text{[by hypothesis]},$$
from which it is apparent that $\mathrm{rem}_{n+1}$ has the required form:
$$\mathrm{rem}_{n+1} = p^{(n+1)} - \sum_{j=0}^{n} \alpha_{n+1,j}\, p^{(j)}.$$

(In the construction of $\mathrm{In}_f(p < 0)$, the property $p = 0 \wedge \cdots \wedge p^{(\mathrm{ord}_f(p))} = 0 \to \forall K > \mathrm{ord}_f(p).\ p^{(K)} = 0$ guarantees that all further disjuncts are false.)

Lemma 12.
Let $\mathrm{rem}_i$ be defined as in Lemma 11. Then
$$\mathrm{In}_f(p = 0) \equiv (\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 = 0 \wedge \mathrm{rem}_2 = 0 \wedge \cdots \wedge \mathrm{rem}_{\mathrm{ord}_f(p)} = 0)$$
and
$$\mathrm{In}_f(p < 0) \equiv \mathrm{rem}_0 < 0 \vee (\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 < 0) \vee (\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 = 0 \wedge \mathrm{rem}_2 < 0) \vee \cdots \vee (\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 = 0 \wedge \mathrm{rem}_2 = 0 \wedge \cdots \wedge \mathrm{rem}_{\mathrm{ord}_f(p)} < 0).$$

Proof. For equalities $\mathrm{In}_f(p = 0)$ we show by induction that
$$\forall n \geq 0.\ \Big(\bigwedge_{i=0}^{n} \mathrm{rem}_i = 0\Big) \equiv \Big(\bigwedge_{i=0}^{n} p^{(i)} = 0\Big).$$
Base case: $\mathrm{rem}_0 = p^{(0)} = p$ by definition, so $\mathrm{rem}_0 = 0$ and $p = 0$ describe the same set. For the inductive hypothesis, let us assume that
$$\Big(\bigwedge_{i=0}^{k} \mathrm{rem}_i = 0\Big) \equiv \Big(\bigwedge_{i=0}^{k} p^{(i)} = 0\Big)$$
holds for some $k \geq 0$. Then from the hypothesis we have that
$$\Big(\bigwedge_{i=0}^{k+1} \mathrm{rem}_i = 0\Big) \equiv \Big(\bigwedge_{i=0}^{k} p^{(i)} = 0 \ \wedge\ \mathrm{rem}_{k+1} = 0\Big).$$
By Lemma 11 we have $\mathrm{rem}_{k+1} = p^{(k+1)} - \sum_{j=0}^{k} \alpha_{k+1,j}\, p^{(j)}$ and hence
$$\Big(\bigwedge_{i=0}^{k+1} \mathrm{rem}_i = 0\Big) \equiv \Big(\bigwedge_{i=0}^{k} p^{(i)} = 0 \ \wedge\ p^{(k+1)} - \sum_{j=0}^{k} \alpha_{k+1,j}\, p^{(j)} = 0\Big) \equiv \Big(\bigwedge_{i=0}^{k} p^{(i)} = 0 \ \wedge\ p^{(k+1)} = 0\Big).$$
The proof for $\mathrm{In}_f(p < 0)$ follows a similar inductive argument.

Viewed as a set operator, $\mathrm{In}_f$ distributes over set intersections:
$$\mathrm{In}_f(S_1 \cap S_2) = \mathrm{In}_f(S_1) \cap \mathrm{In}_f(S_2).$$
The operator $\mathrm{In}_f$ does not, however, distribute over set union; only the following set inclusion is guaranteed to hold in general:
$$\mathrm{In}_f(S_1 \cup S_2) \supseteq \mathrm{In}_f(S_1) \cup \mathrm{In}_f(S_2).$$

Counterexample 13.
To see why the converse inclusion does not hold, consider the simple 1-dimensional system $x' = 1$ and the set
$$S = \{x \in \mathbb{R} \mid x \leq 0 \vee (x > 0 \wedge \sin(x^{-1}) = 0)\}.$$
The point $0 \in \mathbb{R}$ cannot be an element of $\mathrm{In}_f(S)$ because $\varphi(t, 0) = t$ and for any positive $\varepsilon$ there exists a $t \in (0, \varepsilon)$ such that $\sin(t^{-1}) \neq 0$ and therefore $\varphi(t, 0) \notin S$. In other words, $0$ belongs to $\mathrm{In}_f(S)^c$. At the same time, $0$ cannot be in $\mathrm{In}_f(S^c)$ either because the flow cannot move from the point at $x = 0$ without crossing one root of $\sin(t^{-1}) = 0$. Thus
$$\mathrm{In}_f(S \cup S^c) = \mathrm{In}_f(\mathbb{R}^n) = \mathbb{R}^n \neq \mathrm{In}_f(S) \cup \mathrm{In}_f(S^c).$$
The example also shows that in general $\mathrm{In}_f(S^c)$ is not equal to $\mathrm{In}_f(S)^c$ since $0 \in \mathrm{In}_f(S)^c$ while $0 \notin \mathrm{In}_f(S^c)$. (Recall from Remark 4 that $\mathrm{In}_f(S^c) \subseteq \mathrm{In}_f(S)^c$ holds for any set $S$. The above counterexample demonstrates that the converse inclusion does not hold generally.)

The sets used in the above counterexample are described using functions that are not real analytic (i.e. the set $S$ is not semi-analytic). For semi-analytic sets the $\mathrm{In}_f$ operator does distribute over set unions. In particular, for semi-algebraic sets (a special class of semi-analytic sets) given by
$$S = \bigcup_{i=1}^{l} \Big( \bigcap_{j=1}^{m_i} p_{ij} < 0 \ \cap \bigcap_{j=m_i+1}^{M_i} p_{ij} = 0 \Big),$$
where $p_{ij}$ are polynomials, one has:
$$\mathrm{In}_f(S) = \bigcup_{i=1}^{l} \Big( \bigcap_{j=1}^{m_i} \mathrm{In}_f(p_{ij} < 0) \ \cap \bigcap_{j=m_i+1}^{M_i} \mathrm{In}_f(p_{ij} = 0) \Big).$$
A proof of this property may be found in [Liu et al., 2011, Lemma 20].

LZZ Decision Procedure Based on Theorem 5
Given a quantifier-free formula describing a semi-algebraic set
$$S \equiv \bigvee_{i=1}^{l} \Big( \bigwedge_{j=1}^{m_i} p_{ij} < 0 \ \wedge \bigwedge_{j=m_i+1}^{M_i} p_{ij} = 0 \Big),$$
and a polynomial system of ODEs $x' = f(x)$, in order to decide whether $S$ is a positively invariant set, a basic decision procedure based on Theorem 5 (henceforth LZZ, after the authors Liu et al. [2011]) can be implemented by performing the following steps:

1. Compute $\mathrm{In}_f(p_{ij} \bowtie_{ij} 0)$, where $\bowtie_{ij} \in \{=, <\}$, for all the atomic formulas appearing in $S$, and from these construct
$$\mathrm{In}_f(S) \equiv \bigvee_{i=1}^{l} \Big( \bigwedge_{j=1}^{m_i} \mathrm{In}_f(p_{ij} < 0) \ \wedge \bigwedge_{j=m_i+1}^{M_i} \mathrm{In}_f(p_{ij} = 0) \Big),$$
following the distributive property of $\mathrm{In}_f$ for semi-algebraic sets $S$.
2. Construct $\mathrm{In}_{-f}(S)$ following the same process as in step 1, but using the reversed system $x' = -f(x)$.
3. Check the semi-algebraic set inclusions $\mathrm{In}_{-f}(S) \subseteq S$ and $S \subseteq \mathrm{In}_f(S)$ from Theorem 5 using e.g. the CAD algorithm of Collins and Hong [1991].

A basic implementation of the LZZ decision procedure based on Theorem 5 thus requires an algorithm for computing Gröbner bases (to compute $\mathrm{In}_f$ in step 1 and step 2) and a decision procedure for the universally (or existentially) quantified fragment of real arithmetic (to check the semi-algebraic set inclusions in step 3).

In practice, the syntactic description of $S$ may feature atomic formulas that are not of the form $p < 0$ or $p = 0$, e.g. $S$ may feature the comparison operators $>, \geq, \leq$, and may have atomic formulas where the term on the right-hand side of the comparison operator is not 0 as assumed above. To implement step 1 and step 2 for this more general case (without tampering with the description of $S$) it is convenient to compute $\mathrm{In}_f(S)$ by syntactically replacing all atomic formulas $p_{\mathrm{lhs}} \bowtie p_{\mathrm{rhs}}$ (where $p_{\mathrm{lhs}}$ and $p_{\mathrm{rhs}}$ are polynomials and $\bowtie \in \{<, \leq, =, \neq, \geq, >\}$) appearing in the syntactic description of $S$, with $\mathrm{In}_f(p_{\mathrm{lhs}} \bowtie p_{\mathrm{rhs}})$, which can be defined for atoms in terms of the primitives $\mathrm{In}_f(p < 0)$ and $\mathrm{In}_f(p = 0)$ in the following way (we use ':=' to denote function definitions):
$$\mathrm{In}_f(\mathsf{T}) := \mathsf{T}, \qquad \mathrm{In}_f(\mathsf{F}) := \mathsf{F},$$
$$\mathrm{In}_f(p_{\mathrm{lhs}} = p_{\mathrm{rhs}}) := \mathrm{In}_f(p_{\mathrm{lhs}} - p_{\mathrm{rhs}} = 0),$$
$$\mathrm{In}_f(p_{\mathrm{lhs}} < p_{\mathrm{rhs}}) := \mathrm{In}_f(p_{\mathrm{lhs}} - p_{\mathrm{rhs}} < 0),$$
$$\mathrm{In}_f(p_{\mathrm{lhs}} > p_{\mathrm{rhs}}) := \mathrm{In}_f(p_{\mathrm{rhs}} - p_{\mathrm{lhs}} < 0),$$
and, using the fact that $\mathrm{In}_f(S^c) = \mathrm{In}_f(S)^c$ for semi-algebraic sets $S$ (see e.g. [Platzer and Tan, 2020]),
$$\mathrm{In}_f(p_{\mathrm{lhs}} \neq p_{\mathrm{rhs}}) := \neg\, \mathrm{In}_f(p_{\mathrm{lhs}} - p_{\mathrm{rhs}} = 0),$$
$$\mathrm{In}_f(p_{\mathrm{lhs}} \leq p_{\mathrm{rhs}}) := \neg\, \mathrm{In}_f(p_{\mathrm{rhs}} - p_{\mathrm{lhs}} < 0),$$
$$\mathrm{In}_f(p_{\mathrm{lhs}} \geq p_{\mathrm{rhs}}) := \neg\, \mathrm{In}_f(p_{\mathrm{lhs}} - p_{\mathrm{rhs}} < 0).$$
The primitives $\mathrm{In}_f(p < 0)$ and $\mathrm{In}_f(p = 0)$ are defined following Lemma 11 as
$$\mathrm{In}_f(p = 0) := (\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 = 0 \wedge \mathrm{rem}_2 = 0 \wedge \cdots \wedge \mathrm{rem}_{\mathrm{ord}_f(p)} = 0),$$
$$\mathrm{In}_f(p < 0) := \big(\mathrm{rem}_0 < 0 \vee (\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 < 0) \vee (\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 = 0 \wedge \mathrm{rem}_2 < 0) \vee \cdots \vee (\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 = 0 \wedge \mathrm{rem}_2 = 0 \wedge \cdots \wedge \mathrm{rem}_{\mathrm{ord}_f(p)} < 0)\big).$$
An implementation of the LZZ decision procedure in the Wolfram Language can be achieved with fewer than 35 lines of code following this approach.

Remark 14.

Because the result of Liu et al. [2011] in Theorem 5 originated in the formal verification community, it is perhaps appropriate to put it into the context of formal methods: Theorem 5 does not in itself represent a decision procedure for checking positive invariance. Rather, it reduces questions about positive invariance of semi-algebraic sets to purely real arithmetic sentences; these, in turn, belong to a decidable theory and may therefore be discharged (i.e. solved) using a decision procedure, such as the CAD algorithm. From a formal methods standpoint, it is more appropriate to view Theorem 5 as providing a blueprint for a verification condition generator for positive invariance that produces real arithmetic verification conditions (also known as proof obligations) characterizing the invariance property. The handling of these real arithmetic proof obligations is not, strictly speaking, prescribed by the theorem.
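The following Python script is an added illustration of steps 1 and 2 of the LZZ procedure for a single atomic formula; it is not the authors' Wolfram Language implementation nor the code referenced as Ghorbal [2020]. It assumes the sympy library is available, and the function names (lie_derivative, remainder_chain, order, in_f_eq, in_f_lt, in_f_atom, in_minus_f_atom) and the sample system x' = y, y' = -x with the polynomial p = x are constructed for this example. It computes successive Lie derivatives, detects stabilisation of the ideal chain of Lemma 10 by reducing modulo a Gröbner basis, keeps the remainders rem_i of Lemma 11, assembles In_f(p = 0) and In_f(p < 0) as in Lemma 12, and applies the atom-level rewriting for >, ≠, ≤ and ≥ given above. Step 3, the real-arithmetic inclusion check, is left out: sympy provides no CAD-style decision procedure, so what the script produces is the verification condition in the sense of Remark 14, not a verdict.

```python
# Added example (not the paper's Wolfram Language implementation): steps 1 and 2
# of the LZZ procedure for one atomic formula, following Lemmas 10-12.
# Assumes sympy is installed; the ODE and polynomials below are constructed inputs.
import sympy as sp


def lie_derivative(g, f, gens):
    """First-order Lie derivative g' = grad(g) . f along x' = f(x)."""
    return sp.expand(sum(sp.diff(g, v) * fv for v, fv in zip(gens, f)))


def remainder_chain(p, f, gens):
    """Return [rem_0, ..., rem_{ord_f(p)}] as in Lemma 11.

    rem_0 = p and rem_{i+1} is the remainder of rem_i' reduced by a Groebner
    basis of {rem_0, ..., rem_i}.  A zero remainder means rem_i' lies in the
    ideal <rem_0, ..., rem_i> = <p, ..., p^(i)>, i.e. the ascending chain of
    Lemma 10 has stabilised, so ord_f(p) = i and the chain stops there.
    """
    rems = [sp.expand(p)]
    while True:
        derivative = lie_derivative(rems[-1], f, gens)
        if derivative == 0:          # 0 belongs to every ideal: chain is stable
            return rems
        basis = sp.groebner(rems, *gens, order="grevlex")
        _quotients, r = basis.reduce(derivative)
        if r == 0:
            return rems
        rems.append(sp.expand(r))


def order(p, f, gens):
    """ord_f(p): the index at which <p, p', ..., p^(k)> stops growing."""
    return len(remainder_chain(p, f, gens)) - 1


def in_f_eq(p, f, gens):
    """In_f(p = 0) := rem_0 = 0 /\\ rem_1 = 0 /\\ ... /\\ rem_ord = 0  (Lemma 12)."""
    return sp.And(*[sp.Eq(r, 0) for r in remainder_chain(p, f, gens)])


def in_f_lt(p, f, gens):
    """In_f(p < 0) := rem_0 < 0 \\/ (rem_0 = 0 /\\ rem_1 < 0) \\/ ...  (Lemma 12)."""
    rems = remainder_chain(p, f, gens)
    disjuncts = [sp.And(*[sp.Eq(s, 0) for s in rems[:i]], sp.Lt(r, 0))
                 for i, r in enumerate(rems)]
    return sp.Or(*disjuncts)


def in_f_atom(lhs, op, rhs, f, gens):
    """In_f for a general atom lhs op rhs, rewritten to the two primitives as in
    the text; the negations rely on In_f(S^c) = In_f(S)^c for semi-algebraic S."""
    d = sp.expand(lhs - rhs)
    if op == "=":
        return in_f_eq(d, f, gens)
    if op == "<":
        return in_f_lt(d, f, gens)
    if op == ">":
        return in_f_lt(-d, f, gens)
    if op == "!=":
        return sp.Not(in_f_eq(d, f, gens))
    if op == "<=":
        return sp.Not(in_f_lt(-d, f, gens))
    if op == ">=":
        return sp.Not(in_f_lt(d, f, gens))
    raise ValueError(f"unsupported comparison operator {op!r}")


def in_minus_f_atom(lhs, op, rhs, f, gens):
    """Step 2: the same construction for the time-reversed system x' = -f(x)."""
    return in_f_atom(lhs, op, rhs, [-fv for fv in f], gens)


# Constructed sample: harmonic oscillator x' = y, y' = -x, and the atom x < 0.
x, y = sp.symbols("x y")
F = [y, -x]

if __name__ == "__main__":
    print("ord_f(x)        =", order(x, F, (x, y)))
    print("In_f(x = 0)     :", in_f_eq(x, F, (x, y)))
    print("In_f(x < 0)     :", in_f_lt(x, F, (x, y)))
    print("In_{-f}(x <= 0) :", in_minus_f_atom(x, "<=", 0, F, (x, y)))
```

For p = x the chain stops after one step (rem_0 = x, rem_1 = y, since x' = y and y' = -x already lies in the ideal generated by x and y), so In_f(x = 0) is x = 0 ∧ y = 0 and In_f(x < 0) is x < 0 ∨ (x = 0 ∧ y < 0): on the line x = 0 the flow enters x < 0 exactly where the velocity component y is negative, which is the vehicle analogy of Remark 9 in algebraic form. The returned sympy formulas are the proof obligations that a real-arithmetic decision procedure would then discharge in step 3.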
Our implementation is available from Ghorbal [2020].

In this section we develop an alternative characterization of positively invariant sets using the concept of exit set as formulated by Conley [1978]. Let $s \in I_x$ be a point in time within the maximal interval of existence of the solution $\varphi$ from initial value $x$, and let
$$I_{\varphi(s,x)} \overset{\text{def}}{=} \{t \mid t + s \in I_x\},$$
which is simply the time interval $I_x$ offset by $s$ (or, equivalently, the maximal interval of existence of the solution from $\varphi(s, x)$). The mapping $\varphi$ defines a local flow on the topological space $\mathbb{R}^n$ since, for all $x \in \mathbb{R}^n$, $\varphi(0, x) = x$, and
$$\forall s \in I_x.\ \forall t \in I_{\varphi(s,x)}.\ \varphi(t, \varphi(s, x)) = \varphi(t + s, x).$$
Let $S$ be a subset of $\mathbb{R}^n$. Recall that a point $x \in \mathbb{R}^n$ is a closure point of $S$ if and only if every open set containing $x$ intersects $S$ in at least one point (not necessarily distinct from $x$ itself if $x$ happens to be in $S$). Let $S^\circ$ denote the interior of $S$. The closure of $S$, denoted $\bar{S}$, is defined as the smallest closed set containing $S$. As before, we use $t > 0$ to mean $t \in I_x \cap (0, +\infty)$ and, similarly, $t < 0$ to mean $t \in I_x \cap (-\infty, 0)$.

Definition 15 (Exit Set, Conley [1978]). The exit set of $S \subseteq \mathbb{R}^n$ with respect to the local flow induced by $x' = f(x)$ is defined as follows:
$$\mathrm{Exit}_f(S) \overset{\text{def}}{=} \{x \in S \mid \forall t > 0.\ \exists s \in (0, t).\ \varphi(s, x) \notin S\}.$$
The exit set of $S$ defines the set of points in $S$ from which the flow cannot evolve forward in time without leaving the set $S$. As the name suggests, a flow starting at a point in $\mathrm{Exit}_f(S)$ "leaves the set $S$ immediately" (regardless of where it was before). It is intuitive that such points can only lie on the boundary of $S$.

Lemma 16.
The set $\mathrm{Exit}_f(S)$ is a subset of $\partial S$ (in addition to being a subset of $S$ by definition).

Proof. Let $x \in \mathrm{Exit}_f(S) \cap S^\circ$, then there exists an open set $U \subset S^\circ$ containing $x$. By continuity of $\varphi(\cdot, x)$ with respect to time, there exists a neighbourhood $I$ of 0 in $I_x$ such that $\varphi(t, x) \in U$ for all $t \in I$. Let $t \in I \cap (0, +\infty)$. Since $x \in \mathrm{Exit}_f(S)$, there exists $s \in (0, t) \subset I$ such that $\varphi(s, x) \notin S$ and, a fortiori, $\varphi(s, x) \notin U$, which contradicts the existence of $I$ and thus $\mathrm{Exit}_f(S) \cap S^\circ = \emptyset$. Since $\mathrm{Exit}_f(S) \subseteq S$ by definition, the exit set is a subset of $\partial S$.

Positive invariance of a set $S$ (as given in Definition 1) may be equivalently defined using the set of so-called escape points (also due to Conley [1978]):
$$\mathrm{Escape}_f(S) \overset{\text{def}}{=} \{x \in S \mid \exists t > 0.\ \varphi(t, x) \notin S\}. \qquad (2)$$
(The set of escape points is fundamental to the Ważewski principle. See Conley [1978], where it is denoted as $W^\circ$ for a set $W$.) Notice the difference between the exit and escape sets: starting at an exit point, the flow immediately exits the set $S$, whereas for an escape point the flow may first evolve within $S$ before leaving $S$ at some point in time in the future (i.e., it must eventually leave $S$). The set of escape points of $S$ is empty precisely when $S$ is a positively invariant set. Furthermore, this criterion can be stated entirely in terms of exit sets.

Theorem 17. A set $S \subseteq \mathbb{R}^n$ is positively invariant if and only if both $\mathrm{Exit}_f(S)$ and $\mathrm{Exit}_{-f}(S^c)$ are empty.

Proof. For necessity, it is easy to see that the set is not positively invariant whenever the exit sets are not both empty. Case (i): if $\mathrm{Exit}_f(S)$ is non-empty, then for some point $x \in S$ there exists a $t > 0$ such that $\varphi(t, x) \notin S$. Case (ii): if $\mathrm{Exit}_{-f}(S^c)$ is non-empty, then for some $y \notin S$ there exists a $\tau > 0$ such that $\varphi(-\tau, y) \in S$. Taking $z = \varphi(-\tau, y)$, it is clear that $z \in S$ and $\varphi(\tau, z) \notin S$.

For sufficiency we show that whenever $S$ is not positively invariant, the sets $\mathrm{Exit}_f(S)$ and $\mathrm{Exit}_{-f}(S^c)$ cannot both be empty. Suppose (for contradiction) that both $\mathrm{Exit}_f(S)$ and $\mathrm{Exit}_{-f}(S^c)$ are empty and that $S$ is not positively invariant. The set of escape points of $S$ is therefore non-empty. Consider an escape point $x \in \mathrm{Escape}_f(S)$: by our hypothesis $x$ cannot be in the empty set of exit points $\mathrm{Exit}_f(S)$. Therefore there exists a positive $t_1 \in I_x$ such that for all $s \in (0, t_1)$ one has $\varphi(s, x) \in S$, and there exists a $t_2 \in I_x$ such that $t_1 \leq t_2$ and $\varphi(t_2, x) \notin S$ (i.e. $\varphi(t_2, x) \in S^c$). Let us define
$$T' = \{t \in I_x \cap (0, +\infty) \mid \forall s \in (0, t).\ \varphi(s, x) \in S\}.$$
Under our hypothesis, the set $T'$ is non-empty and has a supremum $t'$ such that $t_1 \leq t' \leq t_2$. Let us now define
$$T'' = \{t \in I_x \cap (0, +\infty) \mid \varphi(t, x) \notin S\}.$$
This set is likewise non-empty (as it contains $t_2$) and has an infimum $t''$ such that $t_1 \leq t''$. Every element of $T''$ is an upper bound for $T'$ (otherwise there would exist a time $t \in T''$ at which both $\varphi(t, x) \in S$ and $\varphi(t, x) \notin S$). Clearly, since $t'$ is the least upper bound for $T'$ it can act as a lower bound on $T''$ and we therefore have $t' \leq t''$, where $t''$ is the greatest lower bound for $T''$. Suppose the inequality is strict ($t' < t''$), then for all $r \in [t', t'')$ one has $\varphi(r, x) \in S$ (otherwise $t''$ is not the greatest lower bound for $T''$). But then $t'$ cannot be the least upper bound for $T'$ because $\varphi(s, x) \in S$ for $s \in (t', t'')$. Thus $t' = t''$ and we have two cases to consider: either (i) $\varphi(t', x) \in S$, in which case $\varphi(t', x) \in \mathrm{Exit}_f(S)$ and $\mathrm{Exit}_f(S)$ is therefore non-empty, or (ii) $\varphi(t', x) \notin S$, in which case $\varphi(t', x) \in \mathrm{Exit}_{-f}(S^c)$, so $\mathrm{Exit}_{-f}(S^c)$ is non-empty. Both cases give us a contradiction.

Remark 18.
Readers with a background in dynamical systems may find it a little counterintuitive that one needs to consider the flow in the reversed system to characterize positive invariance. Indeed, for closed sets $S$ it is well known that "local invariance" under the flow $\varphi$ (viz. emptiness of $\mathrm{Exit}_f(S)$) is equivalent to positive invariance (e.g. see [Cârjă et al., 2007, Ch. 4]). It is important to remember that Theorem 17 makes no assumptions about the set $S$ being open or closed. When $S$ is open, local invariance holds trivially because the flow may always evolve within the set for some time from any $x \in S$.

Observe that the sets $\mathrm{Exit}_f(S)$ and $\mathrm{Exit}_{-f}(S)$ are not necessarily disjoint: for example, any isolated point which is not an equilibrium would lie in both sets. Neither do they cover the intersection $S \cap \partial S$: if $S$ is an equilibrium point, then both $\mathrm{Exit}_f(S)$ and $\mathrm{Exit}_{-f}(S)$ are empty, whereas $S \cap \partial S = S$.

The operators $\mathrm{Exit}_f$ and $\mathrm{In}_f$, respectively capturing the main underlying concepts used in Theorem 5 and Theorem 17, are intimately related.

Lemma 19.
For any set $S \subseteq \mathbb{R}^n$, $\mathrm{Exit}_f(S) = \mathrm{In}_f(S)^c \cap S$. Equivalently, one has $\mathrm{Exit}_f(S)^c \cap S = \mathrm{In}_f(S) \cap S$.

Proof. $x \in \mathrm{In}_f(S)^c \cap S$ if and only if $x \in S$ and for any positive $t \in I_x$ there exists $s \in (0, t)$ such that $\varphi(s, x) \notin S$ (otherwise $\varphi(s, x) \in S$ for all $s \in (0, t)$, which would mean that $x \in \mathrm{In}_f(S)$). The latter is exactly the definition of $\mathrm{Exit}_f(S)$. □

The symmetric equality holds only for closed sets.

Lemma 20.
For a closed set $S \subseteq \mathbb{R}^n$, $\mathrm{In}_f(S) = \mathrm{Exit}_f(S)^c \cap S$.

Proof. If $S$ is a closed set, then the inclusion $\mathrm{In}_f(S) \subseteq S$ holds trivially; from Lemma 19 we have $\mathrm{Exit}_f(S)^c \cap S = \mathrm{In}_f(S) \cap S$ and the result follows. □

Using Lemma 19, both characterizations of positively invariant sets in Theorem 5 and Theorem 17 can be recovered from one another using the following equivalences:

$$\emptyset = \underbrace{\mathrm{In}_f(S)^c \cap S}_{\mathrm{Exit}_f(S)} \iff S \subseteq \mathrm{In}_f(S), \qquad \emptyset = \underbrace{\mathrm{In}_{-f}(S^c)^c \cap S^c}_{\mathrm{Exit}_{-f}(S^c)} \iff S^c \subseteq \mathrm{In}_{-f}(S^c).$$

The origins of exit sets in Theorem 17 lie in topology, and it is the properties of exit sets that make this characterization computationally interesting. As we shall see, exit sets afford a very different way of looking at the problem of checking positive invariance, and their properties can be exploited to give a substantially different algorithmic solution from that offered by LZZ in Section 3.1.3.

Let $S_1, S_2 \subseteq \mathbb{R}^n$; we discuss below the distributive properties of $\mathrm{Exit}_f$ over set intersection and union.

Lemma 21.
$\mathrm{Exit}_f(S_1 \cap S_2) = (\mathrm{Exit}_f(S_1) \cap S_2) \cup (S_1 \cap \mathrm{Exit}_f(S_2))$.

Proof. The inclusion $\mathrm{Exit}_f(S_1 \cap S_2) \supseteq (\mathrm{Exit}_f(S_1) \cap S_2) \cup (\mathrm{Exit}_f(S_2) \cap S_1)$ is immediate: if $x \in \mathrm{Exit}_f(S_1) \cap S_2$, then, for all positive $t$, there exists a positive $s < t$ such that $\varphi(s, x) \notin S_1$ and therefore $\varphi(s, x) \notin S_1 \cap S_2$. Likewise for $\mathrm{Exit}_f(S_1 \cap S_2) \supseteq \mathrm{Exit}_f(S_2) \cap S_1$. To prove the converse, let $x \in \mathrm{Exit}_f(S_1 \cap S_2)$; then $x \in S_1 \cap S_2$ and for all positive $t$ there exists a positive $s < t$ such that $\varphi(s, x) \notin S_1 \cap S_2$, which is equivalent to $\varphi(s, x) \notin S_1$ or $\varphi(s, x) \notin S_2$. Choosing such times $s_k \to 0$, infinitely many of them satisfy $\varphi(s_k, x) \notin S_1$ or infinitely many satisfy $\varphi(s_k, x) \notin S_2$, so $x \in \mathrm{Exit}_f(S_1)$ or $x \in \mathrm{Exit}_f(S_2)$. □

Lemma 22.
$\mathrm{Exit}_f(S_1 \cup S_2) \subseteq \big(\mathrm{Exit}_f(S_1) \cap \mathrm{In}_f(S_2)^c\big) \cup \big(\mathrm{In}_f(S_1)^c \cap \mathrm{Exit}_f(S_2)\big)$.

Proof. Let $x \in \mathrm{Exit}_f(S_1 \cup S_2)$; then by definition, for all $\epsilon > 0$, there exists $t \in (0, \epsilon)$ such that $\varphi(t, x) \notin S_1 \cup S_2$, which is equivalent to $\varphi(t, x) \notin S_1$ and $\varphi(t, x) \notin S_2$. By hypothesis, $x \in S_1 \cup S_2$. If $x \in S_1$ then it has to belong to $\mathrm{Exit}_f(S_1)$ as well as to $\mathrm{In}_f(S_2)^c$, by definition of the latter. If $x \in S_2$, we get a symmetric formula by swapping $S_1$ and $S_2$, namely $x \in \mathrm{Exit}_f(S_2) \cap \mathrm{In}_f(S_1)^c$. The desired formula is the union of these two cases. □

Counterexample 23.
The reverse inclusion of Lemma 22 does not hold in general. Consider the simple 1-dimensional system $x' = 1$ and the sets

$$S_1 = \{0\} \cup \{\, x \in \mathbb{R} \mid x > 0 \wedge \sin(x^{-1}) = 0 \,\}, \qquad S_2 = \{0\} \cup \{\, x \in \mathbb{R} \mid x > 0 \wedge \sin(x^{-1}) \neq 0 \,\}.$$

The point $0$ belongs to both $\mathrm{Exit}_f(S_1)$ and $\mathrm{Exit}_f(S_2)$. In addition, it belongs to neither $\mathrm{In}_f(S_1)$ nor $\mathrm{In}_f(S_2)$. However, it is not in $\mathrm{Exit}_f(S_1 \cup S_2)$, as the union ($x \ge 0$) is clearly a positively invariant set for the considered flow. From $x \in \mathrm{Exit}_f(S_1) \cap \mathrm{In}_f(S_2)^c$ one can only conclude that for any positive $\epsilon_1, \epsilon_2$ there exist $t_1 \in (0, \epsilon_1)$ and $t_2 \in (0, \epsilon_2)$ such that $\varphi(t_1, x) \notin S_1$ and $\varphi(t_2, x) \notin S_2$; there is nothing to suggest that $t_1$ should be equal to $t_2$, which is required for $x$ to belong to $\mathrm{Exit}_f(S_1 \cup S_2)$. However, if one restricts attention to semi-analytic sets $S$ (which include semi-algebraic sets), then $\mathrm{In}_f(S^c) = \mathrm{In}_f(S)^c$ (as observed in the previous section), and the inclusion of Lemma 22 becomes an equality.

(Footnote to the proof of Theorem 17.) The astute reader may remark at this point that Theorem 17 admits a shorter proof using real induction via Lemma 19. This is indeed the case; however, such a proof would not rely on the concept of exit set, nor would it expose the topological insights that we wish to call upon later.

Lemma 24.
Let $S_1, S_2$ be semi-analytic sets. Then $\mathrm{Exit}_f(S_1 \cup S_2) = \big(\mathrm{Exit}_f(S_1) \cap \mathrm{In}_f(S_2)^c\big) \cup \big(\mathrm{In}_f(S_1)^c \cap \mathrm{Exit}_f(S_2)\big)$.

Proof. By Lemma 19, and since $\mathrm{In}_f$ distributes over unions of semi-analytic sets (a consequence of $\mathrm{In}_f(S^c) = \mathrm{In}_f(S)^c$ together with $\mathrm{In}_f(A \cap B) = \mathrm{In}_f(A) \cap \mathrm{In}_f(B)$),

$$\begin{aligned}
\mathrm{Exit}_f(S_1 \cup S_2) &= \mathrm{In}_f(S_1 \cup S_2)^c \cap (S_1 \cup S_2) \\
&= \big(\mathrm{In}_f(S_1)^c \cap \mathrm{In}_f(S_2)^c \cap S_1\big) \cup \big(\mathrm{In}_f(S_1)^c \cap \mathrm{In}_f(S_2)^c \cap S_2\big) \\
&= \big(\mathrm{Exit}_f(S_1) \cap \mathrm{In}_f(S_2)^c\big) \cup \big(\mathrm{Exit}_f(S_2) \cap \mathrm{In}_f(S_1)^c\big). \qquad □
\end{aligned}$$

4.2 ES Decision Procedure Based on Theorem 17
Given a quantifier-free formula describing a semi-algebraic set $S$ and a polynomial system of ODEs $x' = f(x)$, Theorem 17 can be used to algorithmically decide whether $S$ is positively invariant or not with respect to $f$.

A naïve approach would be to first compute $E = \mathrm{Exit}_f(S) \cup \mathrm{Exit}_{-f}(S^c)$ recursively on the Boolean structures of $S$ and $S^c$ using Lemmas 21 and 24, and then check whether $E$ is empty or not. Such an approach would be very similar to the LZZ procedure described in Section 3.1.3, and would therefore suffer from the same problem, namely the inability of current state-of-the-art quantifier elimination algorithms to check the emptiness of $E$ in reasonable time, even for seemingly simple planar systems (cf. Section 5). Indeed, one experimentally observes that, for many interesting examples, the construction of the set $E$ is not computationally expensive, despite requiring several ideal membership tests, because the order (with respect to $f$) of the polynomials involved often remains low. An overwhelming share of the running time for a typical problem is spent on proving emptiness of $E$ (as is the case for checking the inclusions $S \subseteq \mathrm{In}_f(S)$ and $S^c \subseteq \mathrm{In}_{-f}(S^c)$ using LZZ).

We will see in this section how the concept of exit sets, and more precisely Theorem 17, can be used to overcome this bottleneck in a principled way. The main idea is to "chop the set $E$ into smaller pieces" (chunks) on which the emptiness test can be performed in a divide-and-conquer fashion, instead of constructing a formula characterizing $E$ first and only then checking for its emptiness. What is perhaps more interesting is that Theorem 17 suggests a natural way of splitting $E$ into chunks in such a way that each chunk involves precisely one exit set of an atomic formula. This, in turn, allows one to exploit topological properties of atomic formulas, such as openness, in order to check for set emptiness syntactically, obviating the need for expensive computations such as real quantifier elimination.

For clarity, we use the same notation for semi-algebraic sets and their formal representations as quantifier-free formulas of real arithmetic. An atomic formula, $p < 0$ or $p = 0$, denotes the set of points $x \in \mathbb{R}^n$ satisfying $p(x) < 0$ or $p(x) = 0$ respectively, where $p$ is a polynomial. The formulas $p \le 0$ and $p \neq 0$ are considered as syntactic sugar for $(p < 0 \vee p = 0)$ and $(-p < 0 \vee p < 0)$ respectively. Similarly, $p > 0$ and $p \ge 0$ stand for $-p < 0$ and $-p \le 0$.

(Footnote to Lemma 24.) Semi-analyticity is only a sufficient condition that ensures this property.

(Footnote.) However, the sets $\mathrm{In}_f(S)^c \cap S$ and $\mathrm{Exit}_f(S)$, while equal, will have different syntactic descriptions.

The formulas $F$, $T$ and $p < 0$ describe open sets, whose exit sets are empty because an exit set is contained in the boundary of the set. A point of the closed set $p = 0$ necessarily lies on its boundary, which is also given by $p = 0$. When the first Lie derivative of $p$ does not vanish on $p = 0$, the flow necessarily leaves the set for some positive time. The same reasoning applies to higher-order Lie derivatives. As with the construction of $\mathrm{In}_f$ in Section 3.1.3, the construction of the exit set only involves a finite number of unions because the chain of ideals

$$\langle p \rangle \subseteq \langle p, p' \rangle \subseteq \langle p, p', p'' \rangle \subseteq \cdots$$

stabilizes at $\langle p, p', \ldots, p^{(\mathrm{ord}_f(p))} \rangle$. Therefore the exit set of $p = 0$ is characterized by the formula

$$\mathrm{Exit}_f(p = 0) \equiv \big(p = 0 \wedge p' \neq 0\big) \vee \big(p = 0 \wedge p' = 0 \wedge p'' \neq 0\big) \vee \cdots \vee \big(p = 0 \wedge p' = 0 \wedge \cdots \wedge p^{(\mathrm{ord}_f(p) - 1)} = 0 \wedge p^{(\mathrm{ord}_f(p))} \neq 0\big).$$

Note that Lemma 11 also applies to $\mathrm{Exit}_f(p = 0)$, and the remainders $\mathrm{rem}_i$ (as defined in the lemma) can be used instead of the Lie derivatives $p^{(i)}$. In summary, the exit set of atomic formulas can be constructed using a procedure $\mathrm{Exit}_f$ which is defined as follows:

$$\mathrm{Exit}_f(F) := F, \qquad \mathrm{Exit}_f(T) := F, \qquad \mathrm{Exit}_f(p < 0) := F,$$

$$\mathrm{Exit}_f(p = 0) := \big(\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 \neq 0\big) \vee \big(\mathrm{rem}_0 = 0 \wedge \mathrm{rem}_1 = 0 \wedge \mathrm{rem}_2 \neq 0\big) \vee \cdots \vee \big(\mathrm{rem}_0 = 0 \wedge \cdots \wedge \mathrm{rem}_{\mathrm{ord}_f(p) - 1} = 0 \wedge \mathrm{rem}_{\mathrm{ord}_f(p)} \neq 0\big).$$

We next define a recursive procedure called $\mathrm{NonEmpty}_f$, which is parametrized by $f$ and takes as its arguments two quantifier-free real arithmetic formulas describing semi-algebraic sets $S$ and $R$. $\mathrm{NonEmpty}_f(S, R)$ returns False if and only if $\mathrm{Exit}_f(S) \cap R$ is empty (and returns True otherwise); it is defined as follows, where $A$ stands for an atomic formula:

$$\begin{aligned}
\mathrm{NonEmpty}_f(A, R) &:= \mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A) \wedge R\big), \\
\mathrm{NonEmpty}_f(S_1 \wedge S_2, R) &:= \mathrm{NonEmpty}_f(S_1, S_2 \wedge R) \vee \mathrm{NonEmpty}_f(S_2, S_1 \wedge R), \\
\mathrm{NonEmpty}_f(S_1 \vee S_2, R) &:= \mathrm{NonEmpty}_f(S_1, \neg \mathrm{In}_f(S_2) \wedge R) \vee \mathrm{NonEmpty}_f(S_2, \neg \mathrm{In}_f(S_1) \wedge R), \\
\mathrm{NonEmpty}_f(\neg S, R) &:= \mathrm{NonEmpty}_f(\mathrm{Neg}(S), R).
\end{aligned}$$

In addition to $\mathrm{Exit}_f$, $\mathrm{NonEmpty}_f$ relies on three other procedures: $\mathrm{In}_f$ (already defined in Section 3.1.3), Neg, and Reduce. The procedure Neg applies negation $\neg$ to the formula it receives as its argument (but does not recursively apply negation to the sub-formulas). For atomic formulas, Neg simply negates the formula, expressing the result in terms of only the basic forms of atomic formulas ($T$, $F$, $p < 0$, and $p = 0$):

$$\mathrm{Neg}(F) := T, \qquad \mathrm{Neg}(T) := F, \qquad \mathrm{Neg}(p < 0) := (-p < 0) \vee (-p = 0), \qquad \mathrm{Neg}(p = 0) := (-p < 0) \vee (p < 0).$$

For non-atomic formulas Neg simply applies De Morgan's laws and eliminates double negation:

$$\mathrm{Neg}(S_1 \wedge S_2) := (\neg S_1) \vee (\neg S_2), \qquad \mathrm{Neg}(S_1 \vee S_2) := (\neg S_1) \wedge (\neg S_2), \qquad \mathrm{Neg}(\neg S) := S.$$
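The recursion above is easy to misread as "one quantifier elimination problem per formula"; in fact it issues one Reduce call per occurrence of an atom of the form $p = 0$, and never calls Reduce for atoms describing open sets, since their exit sets are syntactically $F$. The following Python block is an added illustration, not part of the paper or of its implementation: it mirrors $\mathrm{NonEmpty}_f$ and Neg on a small formula datatype but replaces Reduce by a collector, so that for a given encoding of $S$ it returns the list of problems $\exists x.\ \mathrm{Exit}_f(A) \wedge R$ that ES would hand to quantifier elimination, once for $S$ under $f$ and once for $\neg S$ under $-f$. No real QE is performed; $\neg \mathrm{In}_f(\cdot)$ is kept as an opaque sub-formula and polynomials are represented by names only. The two encodings of the same set at the bottom are constructed for the example.

```python
# Added example (not the paper's implementation): the Boolean recursion of
# NonEmpty_f with Reduce replaced by a collector, so that the quantifier-
# elimination problems ES would dispatch for an encoding can be listed.
#
# Formulas are nested tuples: T, F, ('atom', p, '<') for p < 0,
# ('atom', p, '=') for p = 0, ('and', a, b), ('or', a, b), ('not', a), and
# ('nin', a) standing for the opaque sub-formula ¬In_f(a).  A polynomial is
# just a name; a leading '-' on the name denotes the negated polynomial.
T, F = ('T',), ('F',)

def lt(p): return ('atom', p, '<')
def eq(p): return ('atom', p, '=')
def Not(a): return ('not', a)
def NotIn(a): return ('nin', a)

def And(*fs):
    """Left-nested conjunction; the neutral element T is dropped."""
    fs = [a for a in fs if a != T]
    if not fs:
        return T
    out = fs[0]
    for a in fs[1:]:
        out = ('and', out, a)
    return out

def Or(*fs):
    """Left-nested disjunction; the neutral element F is dropped."""
    fs = [a for a in fs if a != F]
    if not fs:
        return F
    out = fs[0]
    for a in fs[1:]:
        out = ('or', out, a)
    return out

def neg(s):
    """The paper's Neg: one level of negation, atoms rewritten into the
    basic forms p < 0 and p = 0."""
    k = s[0]
    if k == 'T': return F
    if k == 'F': return T
    if k == 'atom':
        p, rel = s[1], s[2]
        return Or(lt('-' + p), eq('-' + p)) if rel == '<' else Or(lt('-' + p), lt(p))
    if k == 'and': return Or(Not(s[1]), Not(s[2]))
    if k == 'or': return And(Not(s[1]), Not(s[2]))
    return s[1]                                  # Neg(¬S) = S

def exit_needs_qe(atom):
    """Exit_f of T, F and p < 0 is syntactically F (open sets have empty exit
    sets); only an atom p = 0 has an exit set that must go to Reduce."""
    return atom[0] == 'atom' and atom[2] == '='

def collect(s, r, out):
    """Mirror of NonEmpty_f(S, R): append (A, R) for every Reduce call that
    would be issued, i.e. every problem ∃x. Exit_f(A) ∧ R with A of the form p = 0."""
    k = s[0]
    if k in ('T', 'F', 'atom'):
        if exit_needs_qe(s):
            out.append((s, r))
    elif k == 'and':
        collect(s[1], And(s[2], r), out)
        collect(s[2], And(s[1], r), out)
    elif k == 'or':
        collect(s[1], And(NotIn(s[2]), r), out)
        collect(s[2], And(NotIn(s[1]), r), out)
    else:                                        # 'not'
        collect(neg(s[1]), r, out)

def es_problems(s):
    """QE problems of ES(S, f) = ¬(NonEmpty_f(S, T) ∨ NonEmpty_{-f}(¬S, T)):
    forward-flow problems for S and reversed-flow problems for ¬S."""
    fwd, bwd = [], []
    collect(s, T, fwd)
    collect(Not(s), T, bwd)
    return fwd, bwd

def show(a):
    """Render a formula in the notation of the text."""
    k = a[0]
    if k in ('T', 'F'): return k
    if k == 'atom': return f"{a[1]} {a[2]} 0"
    if k == 'nin': return f"¬In({show(a[1])})"
    if k == 'not': return f"¬({show(a[1])})"
    return f"({show(a[1])}{' ∧ ' if k == 'and' else ' ∨ '}{show(a[2])})"

# Constructed encodings of one set, all atoms of the form p = 0.
S_NESTED = And(Or(eq('A1'), And(eq('A2'), eq('A3'))),
               Or(eq('A4'), And(eq('A2'), eq('A3'))))
S_DNF = Or(And(eq('A1'), eq('A4')), And(eq('A2'), eq('A3')))

if __name__ == "__main__":
    for name, s in (("nested", S_NESTED), ("DNF", S_DNF)):
        fwd, bwd = es_problems(s)
        print(f"{name}: {len(fwd)} forward + {len(bwd)} reversed-flow QE problems")
        for atom, r in fwd:
            print("  ∃x. Exit_f(" + show(atom) + ") ∧ " + show(r))
```

Running it shows that the nested encoding yields six forward-flow problems where its DNF equivalent yields four, one per atom occurrence, and that a set described only by equations needs no reversed-flow quantifier elimination at all: Neg turns every $p = 0$ into strict inequalities, whose exit sets are syntactically $F$, so the complement (an open set) never reaches Reduce. Conversely, a single open atom $p < 0$ produces no forward problem but one reversed-flow problem for the boundary $-p = 0$.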
The procedure Reduce performs real quantifier elimination for universally (or existentially) quantified sentences of real arithmetic (functionality which is offered e.g. by implementations of CAD, Collins and Hong [1991], or RAGLib, Safey El Din [2017]).

In a nutshell, the main purpose of $\mathrm{NonEmpty}_f$ is to recursively check for emptiness of exit sets, as stated more formally in the following lemma.

Lemma 25.
Let $S$ and $R$ be two formulas describing semi-algebraic sets. Then $\mathrm{NonEmpty}_f(S, R)$ returns False if and only if $\mathrm{Exit}_f(S) \cap R$ is empty.

Proof. The proof is by induction on the depth of the formula $S$. Base case: if $S \in \{F, T, p < 0, p = 0\}$, then $\mathrm{NonEmpty}_f(S, R)$ is $\mathrm{Reduce}(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(S) \wedge R)$, which is False if and only if $\mathrm{Exit}_f(S) \wedge R$ is empty.

For the inductive hypothesis, suppose the property holds for all formulas of depth less than or equal to $k$ and let $S_1$, $S_2$, and $S'$ be such formulas. If $S = S_1 \wedge S_2$, then by definition $\mathrm{NonEmpty}_f(S_1 \wedge S_2, R)$ is False if and only if both $\mathrm{NonEmpty}_f(S_1, S_2 \wedge R)$ and $\mathrm{NonEmpty}_f(S_2, S_1 \wedge R)$ are False. By the induction hypothesis, this means that both $\mathrm{Exit}_f(S_1) \wedge (S_2 \wedge R)$ and $\mathrm{Exit}_f(S_2) \wedge (S_1 \wedge R)$ are empty, and therefore their union is also empty. One gets the desired result by factoring out $R$ and then using Lemma 21:

$$\emptyset = \big(\mathrm{Exit}_f(S_1) \cap (S_2 \cap R)\big) \cup \big(\mathrm{Exit}_f(S_2) \cap (S_1 \cap R)\big) = \big((\mathrm{Exit}_f(S_1) \cap S_2) \cup (\mathrm{Exit}_f(S_2) \cap S_1)\big) \cap R = \mathrm{Exit}_f(S_1 \cap S_2) \cap R.$$

The disjunctive case can be proved similarly using Lemma 24. Finally, if $S = \neg S'$, then $\mathrm{NonEmpty}_f(S, R) = \mathrm{NonEmpty}_f(\mathrm{Neg}(S'), R)$, and one may eliminate all negations from $\mathrm{Neg}(S')$ by applying De Morgan's laws and double negation elimination and finally applying Neg to any remaining negated atoms. Since the property holds for atomic formulas, conjunctions and disjunctions, it holds for $S$ as well. □

The procedure $\mathrm{NonEmpty}_f$ can thus be used to check positive invariance, as an immediate corollary of Theorem 17 and Lemma 25, by setting $R$ to $T$.

Theorem 26.
A semi-algebraic set $S$ is positively invariant for a system of ODEs $x' = f(x)$ if and only if $\neg\big(\mathrm{NonEmpty}_f(S, T) \vee \mathrm{NonEmpty}_{-f}(\neg S, T)\big)$.

Accordingly, we define the ES decision procedure that checks the positive invariance of $S$ with respect to $f$ as

$$\mathrm{ES}(S, f) := \neg\big(\mathrm{NonEmpty}_f(S, T) \vee \mathrm{NonEmpty}_{-f}(\neg S, T)\big).$$

For given formulas $S$ and $R$, in order to check emptiness of $\mathrm{Exit}_f(S) \cap R$, the procedure $\mathrm{NonEmpty}_f(S, R)$ performs several calls to Reduce in order to eliminate existential quantifiers. The number of such calls depends only on the Boolean structure of $S$; in particular, the second argument $R$ plays no role in the way the procedure operates. In this section, we first give upper and lower bounds on the number of such calls as a measure of the impact of the encoding of $S$. We then discuss further decompositions of $\mathrm{Exit}_f(S)$ as a union of basic semi-algebraic sets. Recall that a basic semi-algebraic set is a set described by a conjunction of atomic formulas $\bigwedge_i (p_i \bowtie_i 0)$, where $\bowtie_i \in \{<, =\}$ and the $p_i$ are polynomials.

Proposition 27.
Suppose the set $S$ is characterized by a formula in disjunctive normal form (DNF) $\bigvee_{i=1}^{k} \bigwedge_{j=1}^{m_i} A_{ij}$, where the $A_{ij}$ are atomic formulas. Let $m = \max_i m_i$. Then the recursion depth of $\mathrm{NonEmpty}_f(S, T)$ is bounded by $k + m$ and the number of calls to Reduce is $\sum_{i=1}^{k} m_i \le km$, each of which has the form $\mathrm{Reduce}(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{rs}) \wedge R_{rs})$, where

$$R_{rs} \;\equiv\; \bigwedge_{j=1,\, j \neq s}^{m_r} A_{rj} \;\wedge\; \neg \mathrm{In}_f\Big( \bigvee_{i=1,\, i \neq r}^{k} \bigwedge_{j=1}^{m_i} A_{ij} \Big).$$

Proof. The form of the real quantifier elimination (QE) problems is immediate from the definition of $\mathrm{NonEmpty}_f$. The equivalence of $R_{rs}$ is obtained by using the distributive properties (over disjunctions and conjunctions) of the $\mathrm{In}_f$ operator. □

For instance, suppose $S \equiv (A_{11} \wedge A_{12}) \vee A_{21} \vee A_{31}$ ($k = 3$, $m = m_1 = 2$, $m_2 = m_3 = 1$). Then, in the worst case, the procedure $\mathrm{NonEmpty}_f(S, T)$ has to call Reduce 4 times (at most):

$$\begin{aligned}
&\mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{11}) \wedge A_{12} \wedge \neg \mathrm{In}_f(A_{21} \vee A_{31})\big) \\
&\mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{12}) \wedge A_{11} \wedge \neg \mathrm{In}_f(A_{21} \vee A_{31})\big) \\
&\mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{21}) \wedge \neg \mathrm{In}_f((A_{11} \wedge A_{12}) \vee A_{31})\big) \\
&\mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{31}) \wedge \neg \mathrm{In}_f((A_{11} \wedge A_{12}) \vee A_{21})\big)
\end{aligned}$$

Proposition 28.
Suppose the set $S$ is characterized by a formula in conjunctive normal form (CNF) $\bigwedge_{i=1}^{k} \bigvee_{j=1}^{m_i} A_{ij}$, where the $A_{ij}$ are atomic formulas, and let $m = \max_i m_i$. Then the recursion depth of $\mathrm{NonEmpty}_f(S, T)$ is bounded by $k + m$ and the number of calls to Reduce is $\sum_{i=1}^{k} m_i \le km$, each of which has the form $\mathrm{Reduce}(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{rs}) \wedge R_{rs})$, where

$$R_{rs} \;\equiv\; \bigwedge_{j=1,\, j \neq s}^{m_r} \neg \mathrm{In}_f(A_{rj}) \;\wedge\; \bigwedge_{i=1,\, i \neq r}^{k} \bigvee_{j=1}^{m_i} A_{ij}.$$

For instance, suppose $S \equiv (A_{11} \vee A_{12}) \wedge A_{21} \wedge A_{31}$ ($k = 3$, $m = m_1 = 2$, $m_2 = m_3 = 1$). Then, in the worst case, the procedure $\mathrm{NonEmpty}_f(S, T)$ has to call Reduce 4 times (at most):

$$\begin{aligned}
&\mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{11}) \wedge \neg \mathrm{In}_f(A_{12}) \wedge (A_{21} \wedge A_{31})\big) \\
&\mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{12}) \wedge \neg \mathrm{In}_f(A_{11}) \wedge (A_{21} \wedge A_{31})\big) \\
&\mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{21}) \wedge ((A_{11} \vee A_{12}) \wedge A_{31})\big) \\
&\mathrm{Reduce}\big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{31}) \wedge ((A_{11} \vee A_{12}) \wedge A_{21})\big)
\end{aligned}$$

Remark 29.
Suppose $S \equiv \bigvee_{i=1}^{k} \bigwedge_{j=1}^{m_i} A_{ij}$ and let $S'$ denote the same formal expression as $S$ except that $\vee$ and $\wedge$ are swapped. Then the QE problems that $\mathrm{NonEmpty}_f(S', T)$ has to solve can be obtained syntactically from those of $\mathrm{NonEmpty}_f(S, T)$ by swapping $A_{ij}$ and $\neg \mathrm{In}_f(A_{ij})$ (and leaving $\mathrm{Exit}_f(A_{ij})$ untouched).

The encoding of the set $S$ to be checked may have a significant impact on the number of calls to Reduce in $\mathrm{NonEmpty}_f(S, T)$. For instance, suppose $S$ is encoded as $S_1 \equiv (A_1 \vee (A_2 \wedge A_3)) \wedge (A_4 \vee (A_2 \wedge A_3))$, where the $A_i$ are atomic formulas. Then $\mathrm{NonEmpty}_f(S_1, T)$ calls Reduce 6 times. In this case, none of the upper bounds of Propositions 27 and 28 apply, because $S_1$ is neither in DNF nor in CNF. If one uses the equivalent DNF encoding $S_2 \equiv (A_1 \wedge A_4) \vee (A_2 \wedge A_3)$ for $S$, then $\mathrm{NonEmpty}_f(S_2, T)$ calls Reduce only 4 times at most.

Lemma 30.
The number of calls to Reduce is bounded below by the number of distinct atomic formulas in $S$ (regardless of the encoding of $S$).

Proof. The procedure $\mathrm{NonEmpty}_f$ requires one call to Reduce for each problem of the form $\mathrm{Exit}_f(A) \wedge R$ (where $A$ is an atomic formula and $R$ an arbitrary formula). Depending on the encoding of $S$, $\mathrm{NonEmpty}_f$ might call Reduce once for $\mathrm{Exit}_f(A) \wedge (R_1 \vee R_2)$, or twice, for $\mathrm{Exit}_f(A) \wedge R_1$ and $\mathrm{Exit}_f(A) \wedge R_2$ separately. In the best case, the encoding of $S$ is such that each call to Reduce features a distinct $\mathrm{Exit}_f(A)$ (otherwise, the several calls with the same $\mathrm{Exit}_f(A)$ can be factored out), and the result follows. □

An interesting open question is whether there exists a systematic way of finding an encoding of $S$ which always results in the minimal possible number of calls to Reduce. We leave this question open while observing that one can build simple examples for which neither the DNF nor the CNF encoding of $S$ is adequate in this regard (it suffices to consider encodings with redundant atomic formulas).

The QE problems to solve in Proposition 27 can be split further (by distributivity) into $\prod_{i=1,\, i \neq r}^{k} m_i \le m^{k-1}$ "smaller" problems of the form

$$\mathrm{Reduce}\Big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{rs}) \wedge \bigwedge_{j=1,\, j \neq s}^{m_r} A_{rj} \wedge \bigwedge_{i=1,\, i \neq r}^{k} \neg \mathrm{In}_f(A_{i \ell_i})\Big), \qquad 1 \le \ell_i \le m_i.$$

Likewise, the QE problems to solve in Proposition 28 can be split further into $\prod_{i=1,\, i \neq r}^{k} m_i \le m^{k-1}$ problems of the form

$$\mathrm{Reduce}\Big(\exists x_1 \ldots \exists x_n.\ \mathrm{Exit}_f(A_{rs}) \wedge \bigwedge_{j=1,\, j \neq s}^{m_r} \neg \mathrm{In}_f(A_{rj}) \wedge \bigwedge_{i=1,\, i \neq r}^{k} A_{i \ell_i}\Big).$$

We could further evaluate $\mathrm{Exit}_f$ and $\mathrm{In}_f$ for atomic formulas. To do so, one has to account for the system of ODEs $x' = f(x)$ as well as the order of the involved polynomials with respect to $f$. Let $\deg(p)$ denote the (total) degree of a polynomial $p$, and $\deg(f)$ the maximum degree of the polynomials appearing in the right-hand side of $x' = f(x)$.
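The evaluation of $\mathrm{Exit}_f$ for an atomic formula is where the ideal-theoretic machinery enters. The following Python block is an added worked example, not the paper's implementation: it computes successive Lie derivatives $p^{(i)}$ along $x' = f(x)$, detects where the chain $\langle p \rangle \subseteq \langle p, p' \rangle \subseteq \cdots$ stabilises with an ideal-membership test (a small Buchberger Gröbner-basis routine over $\mathbb{Q}$ in lexicographic order), and emits $\mathrm{Exit}_f(p = 0)$ as the union of $\mathrm{ord}_f(p)$ basic semi-algebraic sets. It uses the Lie derivatives directly rather than the remainders $\mathrm{rem}_i$, which the text permits. Polynomials are dictionaries from exponent tuples to rationals; the vector fields and polynomials at the bottom are constructed inputs.

```python
from fractions import Fraction

# Added example, not the paper's implementation.  A polynomial over Q in n
# variables is a dict {exponent tuple: Fraction}; {} is the zero polynomial.

def padd(p, q):
    """p + q, dropping zero coefficients."""
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
        if r[m] == 0:
            del r[m]
    return r

def pmul(p, q):
    """p * q."""
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def pneg(p): return {m: -c for m, c in p.items()}
def lead(p): return max(p)          # leading monomial: lex order on exponent tuples

def remainder(p, G):
    """Multivariate division: the remainder of p modulo the polynomials in G."""
    p, r = dict(p), {}
    while p:
        m = lead(p)
        c = p[m]
        for g in G:
            lg = lead(g)
            if all(a <= b for a, b in zip(lg, m)):      # lead(g) divides m
                q = {tuple(a - b for a, b in zip(m, lg)): c / g[lg]}
                p = padd(p, pneg(pmul(q, g)))
                break
        else:                                           # m cannot be reduced
            r[m] = c
            del p[m]
    return r

def spoly(f, g):
    """S-polynomial of f and g."""
    lf, lg = lead(f), lead(g)
    lcm = tuple(max(a, b) for a, b in zip(lf, lg))
    tf = {tuple(a - b for a, b in zip(lcm, lf)): 1 / f[lf]}
    tg = {tuple(a - b for a, b in zip(lcm, lg)): 1 / g[lg]}
    return padd(pmul(tf, f), pneg(pmul(tg, g)))

def groebner(F):
    """Buchberger's algorithm without optimisations; adequate for small inputs."""
    G = [dict(f) for f in F if f]
    pairs = [(i, j) for i in range(len(G)) for j in range(i)]
    while pairs:
        i, j = pairs.pop()
        r = remainder(spoly(G[i], G[j]), G)
        if r:
            G.append(r)
            pairs.extend((len(G) - 1, k) for k in range(len(G) - 1))
    return G

def in_ideal(p, F):
    """p lies in <F> iff it reduces to 0 modulo a Groebner basis of <F>."""
    return not remainder(p, groebner(F))

def partial(p, i):                  # dp/dx_i
    return {m[:i] + (m[i] - 1,) + m[i + 1:]: c * m[i] for m, c in p.items() if m[i] > 0}

def lie(p, f):
    """Lie derivative p' = sum_i (dp/dx_i) * f_i along x' = f(x)."""
    r = {}
    for i, fi in enumerate(f):
        r = padd(r, pmul(partial(p, i), fi))
    return r

def lie_chain(p, f):
    """[p, p', ..., p^(N)] with N = ord_f(p): the first N such that
    p^(N+1) lies in <p, ..., p^(N)>, i.e. the ascending chain of ideals stabilises."""
    chain = [p]
    while True:
        nxt = lie(chain[-1], f)
        if in_ideal(nxt, chain):
            return chain
        chain.append(nxt)

def exit_set(p, f):
    """Exit_f(p = 0) as a list of basic semi-algebraic sets, each a list of
    (polynomial, relation) literals: the i-th set is p = ... = p^(i-1) = 0 and
    p^(i) != 0.  An empty list is the formula False (ord_f(p) = 0)."""
    chain = lie_chain(p, f)
    return [[(chain[j], '=') for j in range(i)] + [(chain[i], '!=')]
            for i in range(1, len(chain))]

# Constructed inputs in the variables (x, y).
X = {(1, 0): Fraction(1)}
Y = {(0, 1): Fraction(1)}
ROTATION = [pneg(Y), X]                    # x' = -y, y' = x
SHIFT = [{(0, 0): Fraction(1)}, {}]        # x' = 1,  y' = 0
PARABOLA = padd(Y, pneg(pmul(X, X)))       # p = y - x^2
```

For the rotation $x' = -y$, $y' = x$ and $p = x$ the chain stabilises after one step ($p' = -y$, $p'' = -x \in \langle x, y \rangle$), so `exit_set(X, ROTATION)` is the single basic set $x = 0 \wedge -y \neq 0$: the axis is left immediately everywhere except at the equilibrium. For the shift $x' = 1$, $y' = 0$ and $p = y - x^2$ the order is 2 (the chain ends with the constant $-2$, which is not in $\langle y, x \rangle$), so every point of the parabola exits. For $p = x - y$ under $x' = -x$, $y' = -y$ the order is 0 and the exit set is the formula False, since the line $x = y$ is invariant. Gröbner-basis computation is exponential in the worst case; the routine is meant for the low orders the text reports in practice.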
Recall that $p'$, the first (Lie) derivative of $p$ with respect to $f$, has total degree at most $\deg(p) + (\deg(f) - 1)$, so that $p^{(s)}$ has total degree at most $\deg(p) + s(\deg(f) - 1)$. Let $\mathrm{ord}_f(p)$ denote the order of $p$ with respect to $f$. The set $\mathrm{Exit}_f(p \bowtie 0)$ is the union of at most $\mathrm{ord}_f(p)$ basic semi-algebraic sets, whereas $\mathrm{In}_f(p \bowtie 0)$ is the union of at most $\mathrm{ord}_f(p) + 1$ basic semi-algebraic sets.

Lemma 31.
Let $p_i$, $1 \le i \le m$, and $q_j$, $1 \le j \le k$, denote some polynomials and let $\rho$ denote the maximum of their respective orders with respect to $f$. The expression

$$\mathrm{Exit}_f(p_1 \bowtie_1 0) \;\wedge\; \bigwedge_{i=2}^{m} (p_i \bowtie_i 0) \;\wedge\; \bigwedge_{j=1}^{k} \mathrm{In}_f(q_j \bowtie_j 0)$$

is the union of at most $\rho(\rho + 1)^k$ basic semi-algebraic sets. Each basic semi-algebraic set is a conjunction of at most $m + k + (k + 1)\rho$ literals of the form $p \bowtie 0$.

Proof. The expression is a union of at most $\mathrm{ord}_f(p_1) \prod_{j=1}^{k} (\mathrm{ord}_f(q_j) + 1)$ basic semi-algebraic sets, from which one immediately deduces the $\rho(\rho + 1)^k$ upper bound. Each basic semi-algebraic set is a conjunction of at most $(\mathrm{ord}_f(p_1) + 1) + (m - 1) + \sum_{j=1}^{k} (\mathrm{ord}_f(q_j) + 1) \le m + k + (k + 1)\rho$ literals. □

For instance, $\mathrm{Exit}_f(p = 0) \wedge (p_2 < 0) \wedge \mathrm{In}_f(q < 0)$, where $\mathrm{ord}_f(p) = \mathrm{ord}_f(q) = 2$ (thus $m = 2$, $k = 1$, and $\rho = 2$), is the following union of $\rho(\rho+1)^k = 6$ basic semi-algebraic sets:

$$\begin{aligned}
& p = 0 \wedge p' \neq 0 \wedge p_2 < 0 \wedge q < 0 \\
\vee\; & p = 0 \wedge p' \neq 0 \wedge p_2 < 0 \wedge q = 0 \wedge q' < 0 \\
\vee\; & p = 0 \wedge p' \neq 0 \wedge p_2 < 0 \wedge q = 0 \wedge q' = 0 \wedge q'' < 0 \\
\vee\; & p = 0 \wedge p' = 0 \wedge p'' \neq 0 \wedge p_2 < 0 \wedge q < 0 \\
\vee\; & p = 0 \wedge p' = 0 \wedge p'' \neq 0 \wedge p_2 < 0 \wedge q = 0 \wedge q' < 0 \\
\vee\; & p = 0 \wedge p' = 0 \wedge p'' \neq 0 \wedge p_2 < 0 \wedge q = 0 \wedge q' = 0 \wedge q'' < 0
\end{aligned}$$

Theorem 32.
Let $S$ be a semi-algebraic set encoded either as $\bigvee_{i=1}^{k} \bigwedge_{j=1}^{m_i} (p_{ij} \bowtie_{ij} 0)$ (DNF) or as $\bigwedge_{i=1}^{k} \bigvee_{j=1}^{m_i} (p_{ij} \bowtie_{ij} 0)$ (CNF) for some polynomials $p_{ij}$. Let $m = \max_i m_i$, $d = \max_{i,j} \deg(p_{ij})$, and $\rho = \max_{i,j} \mathrm{ord}_f(p_{ij})$. Then $\mathrm{Exit}_f(S) \vee \mathrm{Exit}_{-f}(\neg S)$ is a union of at most $2k\rho m^k(\rho + 1)^{k-1}$ basic semi-algebraic sets $q_1 \bowtie_1 0 \wedge \ldots \wedge q_s \bowtie_s 0$, where $s \le m - 1 + k(\rho + 1)$ and $\deg(q_j) \le d + \rho(\deg(f) - 1)$.

Proof. Suppose $S \equiv \bigvee_{i=1}^{k} \bigwedge_{j=1}^{m_i} (p_{ij} \bowtie_{ij} 0)$ (the same reasoning applies when $S$ is in CNF). Thus $\neg S \equiv \bigwedge_{i=1}^{k} \bigvee_{j=1}^{m_i} \neg(p_{ij} \bowtie_{ij} 0)$. By Propositions 27 and 28 and the splitting above, $\mathrm{Exit}_f(S)$ is a union of at most $km^k$ expressions, each involving one $\mathrm{Exit}_f(p_{ij} \bowtie_{ij} 0)$, and $\mathrm{Exit}_{-f}(\neg S)$ is a union of at most $km^k$ expressions, each involving one $\mathrm{Exit}_{-f}(\neg(p_{ij} \bowtie_{ij} 0))$; they have the respective forms

$$\mathrm{Exit}_f(p_{rs} \bowtie_{rs} 0) \wedge \bigwedge_{j=1,\, j \neq s}^{m_r} (p_{rj} \bowtie_{rj} 0) \wedge \bigwedge_{i=1,\, i \neq r}^{k} \neg \mathrm{In}_f(p_{i \ell_i} \bowtie_{i \ell_i} 0)$$

and

$$\mathrm{Exit}_{-f}\big(\neg(p_{rs} \bowtie_{rs} 0)\big) \wedge \bigwedge_{j=1,\, j \neq s}^{m_r} \mathrm{In}_{-f}(p_{rj} \bowtie_{rj} 0) \wedge \bigwedge_{i=1,\, i \neq r}^{k} \neg(p_{i \ell_i} \bowtie_{i \ell_i} 0),$$

with at most $km^k$ of each. Now, according to Lemma 31, each of the above expressions is the union of at most $\rho(\rho + 1)^{k-1}$ basic semi-algebraic sets (after evaluating $\mathrm{In}_f$ and $\mathrm{Exit}_f$ for atomic formulas). Thus $\mathrm{Exit}_f(S) \vee \mathrm{Exit}_{-f}(\neg S)$ is the union of at most $2km^k\rho(\rho + 1)^{k-1}$ basic semi-algebraic sets, as stated. The bounds on the total number of the involved polynomials as well as on their degrees are direct consequences of Lemma 31 and of the bound on the total degree of higher-order Lie derivatives, namely $d + \rho(\deg(f) - 1)$. □

The emptiness of $E = \mathrm{Exit}_f(S) \cup \mathrm{Exit}_{-f}(S^c)$ can therefore be decided at different granularities: as a single real quantifier elimination problem over a formula for $E$ (coarse granularity), or as a number (at most $2km^k\rho(\rho + 1)^{k-1}$) of smaller real quantifier elimination problems as in Theorem 32; these smaller problems furthermore only involve basic semi-algebraic sets (fine granularity).

In theory, there exist decision procedures for deciding universally (or existentially) quantified sentences of real arithmetic that have singly exponential worst-case complexity $(sd)^{O(n)}$, where $s$ is the number of polynomials, $d$ their maximum degree and $n$ the number of variables, Renegar [1992]. Each of the smaller QE problems features fewer polynomials with a lower maximum degree than the original QE problem. The potential gain in complexity is however mitigated by the number of these smaller problems, which is exponential in the number of basic semi-algebraic sets composing $S$ (as stated in Theorem 32).

The procedure ES, as defined in Section 4.2, seeks a trade-off between the fine and coarse granularity (in the above sense), which translates into a trade-off between the computational cost of QE problems and the number of QE problems to solve. Combined with the syntactic reductions to False of $\mathrm{Exit}_f(A)$ whenever $A$ is an atomic formula encoding an open set, the concept of exit set delivers a powerful tool from a computational standpoint, in addition to its ability to fully characterize positively invariant sets.

The next section provides some examples that are out of reach for LZZ (cf. Section 3.1.3) and where ES (cf. Section 4.2) succeeds in discharging the required proof obligations. Notice that, although one can chop the QE problem of LZZ into basic semi-algebraic sets, such an approach would not benefit from the syntactic reductions to False offered by $\mathrm{Exit}_f$ (without paying an extra computational overhead to detect such cases). We remark that Lemma 12 can be applied to construct $\mathrm{In}_f$ as well as $\mathrm{Exit}_f$ for atomic formulas.

For checking positive invariance of sets described by a single atomic formula (e.g. $p < 0$) there is little difference between the LZZ and ES procedures. However, there is a very palpable difference between the two procedures when checking positive invariance of sets described by more interesting formulas with non-trivial Boolean structure. The examples below serve to illustrate this difference.

Example 33.
Consider the non-linear system $x' = -x$, $y' = -y + x$. To construct a semi-algebraic set with non-trivial Boolean structure, let us consider the sequence of points obtained from a rational parametrization of the unit circle $x^2 + y^2 = 1$, e.g. the points $(x_t, y_t) = \big(\tfrac{2t}{t^2 + 1}, \tfrac{t^2 - 1}{t^2 + 1}\big) \in \mathbb{Q}^2$. From an arithmetic sequence of rational values of $t$ (a fixed rational step over a bounded range), we can construct a sequence of half-planes that include the unit disc centred at the origin and are tangent to the unit circle at the points $(x_t, y_t)$. The intersection of these half-planes results in a droplet-like shape shown in Fig. 1a and is characterized by a formula $S$ which is a conjunction of linear inequalities.

By inspecting the phase portrait of the system in Fig. 1a, the set defined by this formula appears to be positively invariant, which is something we should be able to check using the procedures described in the previous sections. Checking positive invariance of $S$ using our implementation of ES returns False within 0.3 seconds. Indeed, while it is difficult to see from inspecting Fig. 1a, a closer examination (Fig. 1b) reveals that the set characterized by $S$ is not positively invariant, because the flow does in fact leave the droplet region. On the other hand, no answer to this positive invariance question could be obtained using LZZ within reasonable time (the run was abandoned after several hours).

(Footnote.) Using Mathematica 12.0, running on a machine with an Intel Core i5-7300U CPU clocked at 2.6GHz with 16GB of RAM.

[Figure 1: Checking positive invariance (droplet). (a) "Droplet" invariant candidate; (b) Flow leaving the droplet. Axes: x, y.]

Example 34.
Now let us consider the system $x' = -x$, $y' = -y$ and the set corresponding to the tilted Maltese cross in Figure 2a, which, unlike the previous example, is not described by a purely conjunctive formula, but is instead given by a disjunction of conjunctive formulas describing the arms of the cross. For this example, one can verify that the set is indeed a positive invariant using ES, which returns True within 164 seconds. Once more, no answer could be obtained using LZZ within reasonable time (several hours).

[Figure 2: Proving positive invariance. (a) Semi-linear invariant; (b) Semi-algebraic invariant. Axes: x, y.]

The set shown in Figure 2a is semi-linear because its formal description only features polynomials of maximum degree 1. Figure 2b illustrates a semi-algebraic set which is not semi-linear, featuring quadratic polynomials in its formal description; the vector field shown in Figure 2b corresponds to $x' = -x - y$, $y' = -y + x$. Using ES we are able to check (within 7 seconds) that the set is indeed positively invariant under the flow of the system, whereas LZZ produces the same answer in over 30 minutes.

(Footnote to the remark on singly-exponential decision procedures above.) However, these singly-exponential decision procedures are known to be impractical and cannot compete with the CAD algorithm, Hong [1991].
Besides the standard notion of set positive invariance (as given in Definition 1), more generalnotions have been considered. For example continuous invariance (as it is known in the formalverification literature; see e.g. Liu et al. [2011], Platzer and Clarke [2008]) extends positive invarianceto accommodate cases in which there is a constraint (given by some Q ⊆ R n ) imposed on the23volution of the system. Definition 35 (Continuous invariant) . A set S ⊆ R n is a continuous invariant under an evolutionconstraint Q ⊆ R n if and only if the following holds: ∀ x ∈ S. ∀ t ≥ . (( ∀ τ ∈ [0 , t ] . x ( x , τ ) ∈ Q ) → x ( x , t ) ∈ S ) . Essentially, in a “continuous invariant” positive invariance is predicated on the constraint Q being maintained. Thus, positive invariance may be regarded as a special case of “continuousinvariance” as defined above, i.e. the special case where the constraint Q is all of R n .Indeed, the work of Liu et al. [2011] was developed in this slightly more general setting ofcontinuous invariance, rather than positive invariance. A semi-algebraic set S subject to a semi-algebraic evolution constraint Q is a continuous invariant of the system x (cid:48) = f ( x ) if and only if [Liuet al., 2011, Thm. 19]: S ∩ Q ∩ In f ( Q ) ⊆ In f ( S ) and S c ∩ Q ∩ In − f ( Q ) ⊆ In − f ( S ) c .The new ES algorithm presented in this article is likewise easily lifted to check continuousinvariance. Remark 36.
Readers familiar with temporal logics such as LTL may (very loosely speaking) thinkof continuous invariance as being in a certain sense analogous to temporal modal operators such as
Weak Until ( W ) , i.e. one may think of a continuous invariant described by formula S subject to anevolution constraint described by Q as satisfying the temporal logic formula S W ¬ Q . Of course,the semantics of such a formula needs to be defined over the trajectories of the continuous systemrather than discrete traces, e.g. as is done in Signal Temporal Logic (STL). Problems involving positive invariance checking under evolution constraints (i.e. continuous invari-ance in the sense of Definition 35) arise frequently in the area of formal verification. Invariantsdescribed using formulas with non-trivial Boolean structure are particularly important to verifi-cation methods based on discrete abstractions of continuous dynamical systems. Briefly, discreteabstraction involves partitioninig the state space (e.g. R n ) into disjoint sets that correspond toequivalence classes representing states in a discrete transition system. For example, such a par-titioning can be obtained from an algebraic decomposition of R n using a finite set of polynomials { p , . . . , p k } . Each cell of this decomposition is described by a conjunction of sign conditions onthese polynomials, e.g. the formula S ≡ p > ∧ p = 0 ∧ · · · ∧ p k < sound if the absence of a discrete transition fromthe state described by S i to another state described by S j in the transition relation implies that thecontinuous system cannot evolve from any state within the set S i to any state within S j withoutleaving the union S i ∪ S j ; an abstraction is said to be exact if the presence of such a transitionimplies the existence of a trajectory which starts at a state within S i and reaches some state in S j without leaving the union S i ∪ S j in the process. 
In order to construct the transition relation for a sound and exact discrete abstraction one considers the union of neighbouring cells $S_i$ and $S_j$ in the algebraic decomposition and checks whether the set described by $S_i$ is a continuous invariant subject to the constraint $S_i \vee S_j$. There can be no transition from cell $S_i$ to $S_j$ in the discrete transition relation if and only if $S_i$ is a continuous invariant under the constraint $S_i \vee S_j$ in the sense of Definition 35: a trajectory that starts in $S_i$ and has not left $S_i \cup S_j$ is then still in $S_i$, so it cannot have entered the (disjoint) cell $S_j$, and conversely any trajectory that violates the continuous invariant reaches $S_j$ without leaving the union. (This is done in the implementation Ghorbal [2020].) Naturally, the Boolean structure of the formulas involved makes the construction of discrete abstractions a potentially very fruitful area of application for the ES algorithm.

The method of applying the ascending chain condition to ideals generated by successive Lie derivatives of polynomials in order to prove invariance of algebraic varieties in polynomial vector fields was employed by Novikov and Yakovenko [1999], Ghorbal and Platzer [2014], and more recently by Harms et al. [2017]. Liu et al. [2011] were the first to address positive invariance of semi-algebraic sets using techniques described in Section 3 of this article. Dowek [2003] investigated the use of real induction to solve kinematic problems involving ODEs.

Platzer and Tan [2020] recently developed a system of formal axioms (one of which formalizes the real induction principle) for reasoning about continuous invariants in differential dynamic logic. The axiomatization is complete in the sense that a formal proof of continuous invariance of a semi-analytic set $S$ represented by a formula can be derived in differential dynamic logic from the axioms whenever this property holds, and a refutation can be constructed in the logic whenever it does not.

Among characterizations of positive set invariance in a less general setting than that considered in this article, we note the work of Castelan and Hennet [1993], who reported necessary and sufficient conditions for positive invariance of convex polyhedra in linear vector fields.
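As an added example (not code from the paper, and not the Mathematica implementation Ghorbal [2020]), the following Python/sympy script carries out the discrete abstraction construction described above for the one-dimensional special case $x' = f(x)$ with $f$ a polynomial. Cells are the sign conditions of a finite set of polynomials $\{p_1, \ldots, p_k\}$, which in one dimension are the open intervals between consecutive real roots together with the root points themselves. The continuous-invariance check of Definition 35 for a cell $S_i$ under the constraint $S_i \vee S_j$ is not performed by the LZZ or ES procedure here: in one dimension it collapses to the sign of $f$ at the boundary point $b$ shared by the two neighbouring cells, because a root of $f$ is an equilibrium (solutions are unique) and a trajectory can only pass from one cell into the other through $b$. The same script checks positive invariance of a single cell as the special case $Q = \mathbb{R}$ of Definition 35, which again reduces to the signs of $f$ at the cell's finite endpoints. The system $x' = 1 - x$, the partition polynomials $\{x, x - 1\}$ and all function names are constructed for this illustration.

```python
"""Sound and exact discrete abstraction of a 1-D polynomial ODE x' = f(x).

Constructed example, not the paper's LZZ/ES procedure: in one dimension the
continuous-invariance check between neighbouring cells is a sign test on f.
"""
import sympy as sp

x = sp.symbols("x")


def _sign(expr):
    """Sign of a constant sympy expression as a Python int in {-1, 0, 1}."""
    return int(sp.sign(expr))


def sign_cells(polys):
    """Cells of the decomposition of R induced by sign conditions on polys.

    A cell is (lo, hi, signs): the open interval (lo, hi) when lo < hi, or the
    root point lo == hi; signs[m] is the sign of polys[m] on the cell.  Cells
    are returned ordered left to right, so consecutive cells are exactly the
    neighbouring cells sharing one boundary point.  Each connected component is
    its own state here; components with equal sign vectors (e.g. the two
    unbounded intervals of x**2 - 1 > 0) would be one state in the
    formula-based construction.
    """
    roots = sorted({r for p in polys for r in sp.real_roots(sp.Poly(p, x))})
    bounds = [-sp.oo] + roots + [sp.oo]
    cells = []
    for lo, hi in zip(bounds, bounds[1:]):
        if lo == -sp.oo and hi == sp.oo:
            sample = sp.Integer(0)
        elif lo == -sp.oo:
            sample = hi - 1
        elif hi == sp.oo:
            sample = lo + 1
        else:
            sample = (lo + hi) / 2     # signs are constant on the open interval
        cells.append((lo, hi, tuple(_sign(p.subs(x, sample)) for p in polys)))
        if hi != sp.oo:                # the root point is a cell of its own
            cells.append((hi, hi, tuple(_sign(p.subs(x, hi)) for p in polys)))
    return cells


def sign_formula(cell, names):
    """Conjunction of sign conditions describing a cell, e.g. 'p1 > 0 ∧ p2 = 0'."""
    rel = {-1: "<", 0: "=", 1: ">"}
    return " ∧ ".join(f"{n} {rel[s]} 0" for n, s in zip(names, cell[2]))


def is_continuous_invariant(f, src, dst):
    """Definition 35 for neighbouring cells: is src a continuous invariant of
    x' = f(x) under the evolution constraint src ∨ dst?

    The cells share one boundary point b.  A trajectory from src can enter dst
    while staying in src ∪ dst only by passing through b, which happens iff
    f(b) != 0 and f(b) points from src towards dst: if f(b) == 0 then b is an
    equilibrium that no other trajectory reaches, and if f(b) points away from
    dst a point cell {b} leaves the union at once without touching dst.
    """
    if src[1] == dst[0]:          # dst lies to the right of src
        b, towards_dst = src[1], 1
    elif dst[1] == src[0]:        # dst lies to the left of src
        b, towards_dst = src[0], -1
    else:
        raise ValueError("cells are not neighbours")
    return _sign(f.subs(x, b)) != towards_dst


def is_positively_invariant(f, cell):
    """Definition 35 with Q = R for a single cell: a root point is invariant
    iff it is an equilibrium; an interval is invariant iff f does not point
    out of it at either finite endpoint (f(lo) >= 0 and f(hi) <= 0)."""
    lo, hi, _ = cell
    if lo == hi:
        return _sign(f.subs(x, lo)) == 0
    ok_left = lo == -sp.oo or _sign(f.subs(x, lo)) >= 0
    ok_right = hi == sp.oo or _sign(f.subs(x, hi)) <= 0
    return ok_left and ok_right


def discrete_abstraction(f, polys):
    """Cells of polys and the transition relation of the sound and exact
    abstraction of x' = f(x): (i, j) is a transition between neighbouring
    cells iff S_i is NOT a continuous invariant under S_i ∨ S_j."""
    cells = sign_cells(polys)
    transitions = set()
    for i in range(len(cells) - 1):
        for src, dst in ((i, i + 1), (i + 1, i)):
            if not is_continuous_invariant(f, cells[src], cells[dst]):
                transitions.add((src, dst))
    return cells, transitions


if __name__ == "__main__":
    f = 1 - x                 # constructed system: x' = 1 - x
    polys = [x, x - 1]        # constructed partition polynomials p1, p2
    cells, transitions = discrete_abstraction(f, polys)
    for k, c in enumerate(cells):
        status = "positively invariant" if is_positively_invariant(f, c) else "not invariant"
        print(f"S{k}: {sign_formula(c, ['p1', 'p2'])}  ({status})")
    print("transitions:", sorted(transitions))
```

For $x' = 1 - x$ the five cells are $S_0 \equiv p_1 < 0 \wedge p_2 < 0$ up to $S_4 \equiv p_1 > 0 \wedge p_2 > 0$, and the only transitions are $S_0 \to S_1 \to S_2$: every trajectory is drawn towards the equilibrium $x = 1$, which is never reached from the open cell $(0, 1)$. The point cell $S_1 = \{0\}$ illustrates the gap between the two notions: it is a continuous invariant under $S_1 \vee S_0$ (its trajectory leaves the constraint immediately to the right), yet it is not positively invariant.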
Conclusion
This article describes two alternative characterizations of positively invariant sets for systems of ODEs with unique solutions. The first characterization (along with its associated LZZ decision procedure for checking positive invariance of semi-algebraic sets in polynomial vector fields) originally appeared in Liu et al. [2011]. While the relationship between the work of Liu et al. [2011] and the principle of real induction has been known informally to a number of researchers, this important link has not been adequately elaborated in existing literature. One of our aims in writing this article has been to make this relationship more widely appreciated and also to create an accessible account of the original LZZ decision procedure, along with our own improvements to this method (Section 3.1.1) and nuances in its practical implementation informed by our experience (Section 3.1.3).

The second part of the article contributes an alternative characterization of set positive invariance and is based on the notion of exit sets Conley [1978]. The topological origins of this notion afford certain computational vistas that suggest a very different approach to developing a decision procedure for checking positive invariance than that of LZZ. The ES procedure developed in Section 4.2 is, to the authors' knowledge, entirely novel. Its main advantage over LZZ lies in its efficient handling of formulas with non-trivial Boolean structure (a class of problems where the LZZ procedure generally performs poorly). The complexity analysis undertaken in Section 4.3 sheds some light on the computational advantages of using ES, which is empirically confirmed in a number of examples in Section 5.

Important topics not touched upon in this article include robustness of positively invariant sets under small perturbations of the system dynamics; indeed, in practical applications, the system of

The interested reader may find more details about discrete abstractions of continuous systems in Sogokon et al. [2016].
Acknowledgement
The authors are indebted to Dr Paul B. Jackson and Dr Kousha Etessami at the University of Edinburgh for their insights into the real induction principle underpinning the work of Liu, Zhan and Zhao, and extend special thanks to Yong Kiam Tan at Carnegie Mellon University for suggesting improvements to the writing in an early draft of this work (and for bringing the authors' attention to the article [Clark, 2019] of which they were previously unaware); his formal development of an invariant checking procedure in differential dynamic logic appeared in [Platzer and Tan, 2018] and [Platzer and Tan, 2020].
References
F. Blanchini, Set invariance in control, Automatica 35 (1999) 1747–1767.
C. C. Conley, Isolated Invariant Sets and the Morse Index, number 38 in Regional Conference Series in Mathematics, American Mathematical Society, 1978.
F. Blanchini, S. Miani, Set-Theoretic Methods in Control, Springer, 2008.
R. Redheffer, The theorems of Bony and Brezis on flow-invariant sets, The American Mathematical Monthly 79 (1972) 740–747.
M. Nagumo, Über die Lage der Integralkurven gewöhnlicher Differentialgleichungen, Proceedings of the Physico-Mathematical Society of Japan, 3rd Series 24 (1942) 551–559.
W. Walter, Ordinary Differential Equations, Springer, 1998.
A. Taly, A. Tiwari, Deductive verification of continuous dynamical systems, in: R. Kannan, K. N. Kumar (Eds.), IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2009, December 15-17, 2009, IIT Kanpur, India, volume 4 of LIPIcs, 2009, pp. 383–394.
J. Liu, N. Zhan, H. Zhao, Computing semi-algebraic invariants for polynomial dynamical systems, in: S. Chakraborty, A. Jerraya, S. K. Baruah, S. Fischmeister (Eds.), Proceedings of the 11th International Conference on Embedded Software, EMSOFT 2011, part of the Seventh Embedded Systems Week, ESWeek 2011, Taipei, Taiwan, October 9-14, 2011, ACM, 2011, pp. 97–106.
P. L. Clark, The instructor's guide to real induction, Mathematics Magazine 92 (2019) 136–150.
D. Hathaway, Using continuity induction, The College Mathematics Journal 42 (2011) 229–231.
C. Chicone, Ordinary Differential Equations with Applications, volume 34 of Texts in Applied Mathematics, second ed., Springer, 2006.
D. Cox, J. Little, D. O'Shea, Ideals, Varieties, and Algorithms, Undergraduate Texts in Mathematics, fourth ed., Springer, 2015.
J. F. Ritt, Differential Algebra, volume 33, American Mathematical Society, 1950.
D. Novikov, S. Yakovenko, Trajectories of polynomial vector fields and ascending chains of polynomial ideals, Annales de l'institut Fourier 49 (1999) 563–609.
A. Platzer, Y. K. Tan, Differential equation invariance axiomatization, J. ACM 67 (2020) 6:1–6:66.
G. E. Collins, H. Hong, Partial cylindrical algebraic decomposition for quantifier elimination, J. Symb. Comput. 12 (1991) 299–328.
K. Ghorbal, Implementation and examples (requires Wolfram Mathematica), http://khalilghorbal.info/assets/sources/PositiveInvariance.zip, 2020.
O. Cârjă, M. Necula, I. I. Vrabie, Viability, Invariance and Applications, volume 207 of North-Holland Mathematics Studies, North-Holland, 2007.
M. Safey El Din, RAGlib: A library for real solving polynomial systems of equations and inequalities, 2007–2017.
J. Renegar, On the computational complexity and geometry of the first-order theory of the reals, J. Symb. Comput. 13 (1992) 255–299.
H. Hong, Comparison of Several Decision Algorithms for the Existential Theory of the Reals, Technical Report, Research Institute for Symbolic Computation (RISC), Johannes Kepler University, 1991. URL: http://citeseerx.ist.psu.edu/viewdoc/versions?doi=10.1.1.30.8707
A. Platzer, E. M. Clarke, Computing differential invariants of hybrid systems as fixedpoints, in: A. Gupta, S. Malik (Eds.), Computer Aided Verification, 20th International Conference, CAV 2008, Princeton, NJ, USA, July 7-14, 2008, Proceedings, volume 5123 of Lecture Notes in Computer Science, Springer, 2008, pp. 176–189.
A. Sogokon, K. Ghorbal, P. B. Jackson, A. Platzer, A method for invariant generation for polynomial continuous systems, in: B. Jobstmann, K. R. M. Leino (Eds.), Verification, Model Checking, and Abstract Interpretation - 17th International Conference, VMCAI 2016, St. Petersburg, FL, USA, January 17-19, 2016. Proceedings, volume 9583 of Lecture Notes in Computer Science, Springer, 2016, pp. 268–288.
K. Ghorbal, A. Platzer, Characterizing algebraic invariants by differential radical invariants, in: E. Ábrahám, K. Havelund (Eds.), Tools and Algorithms for the Construction and Analysis of Systems - 20th International Conference, TACAS 2014, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2014, Grenoble, France, April 5-13, 2014. Proceedings, volume 8413 of Lecture Notes in Computer Science, Springer, 2014, pp. 279–294.
M. Harms, C. Schilli, E. Zerz, Polynomial control systems: invariant sets given by algebraic equations/inequations, IFAC-PapersOnLine 50 (2017) 677–680.
G. Dowek, Preliminary investigations on induction over real numbers (2003). URL: http://citeseerx.ist.psu.edu/viewdoc/versions?doi=10.1.1.123.9866
E. B. Castelan, J.-C. Hennet, On invariant polyhedra of continuous-time linear systems, IEEE Transactions on Automatic Control 38 (1993) 1680–1685.
A. Platzer, Y. K. Tan, Differential equation axiomatization: The impressive power of differential ghosts, in: A. Dawar, E. Grädel (Eds.), Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018, ACM, 2018, pp. 819–828. doi:10.1145/3209108.3209147