90. DOI : 10.1109/JPROC.2011.2165270

5.3 Dynamic Axioms for Dynamical Systems

5.3.4 Dynamic Axioms for Differential Equations

Some of the decompositions of the bouncing-ball safety property led to safety prop- erties of differential equations, for example (4.29) discussed again at the end of Sect.5.2.

HPs often involve differential equations. Recall their semantics from Sect.3.3.2.

Definition3.3(Transition semantics of ODEs).

[[x⁰=f(x)&Q]] =(ω,ν):ϕ(0) =ωexcept atx⁰andϕ(r) =νfor a solution ϕ:[0,r]→Sof any durationrsatisfyingϕ|=x⁰=f(x)∧Q whereϕ|=x⁰=f(x)∧Q, iff for all times 0≤z≤r: ϕ(z)∈[[x⁰= f(x)∧Q]]with ϕ(z)(x⁰)^def= ^dϕ(t)(x)_dt (z)andϕ(z) =ϕ(0)except atx,x⁰.

ω x⁰=f(x) ν x:=y(t) p(x)

5.3 Dynamic Axioms for Dynamical Systems 149 One possible approach to prove properties of differential equations is to work with a solution if one is available (and expressible indL). Indeed, probably the first thing you learned about what to do with differential equations was to solve them.

Lemma 5.3 ([⁰]solution axiom). Thesolution axiom schemais sound:

[⁰] [x⁰= f(x)]p(x)↔ ∀t≥0[x:=y(t)]p(x) (y⁰(t) =f(y)) where y(·)solves the symbolic initial value problem y⁰(t) =f(y),y(0) =x.

Solutiony(·)is unique sincef(x)is smooth (Theorem2.2). Given such a solution y(·), continuous evolution along differential equationx⁰= f(x)can be replaced by a discrete assignmentx:=y(t)with an additional quantifier for the evolution timet.

It goes without saying that variables such ast are fresh in axiom[⁰]and other ax- ioms. Conventional initial value problems (Definition2.1) are numerical with con- crete numbers as initial values, not symbolic variablesx. This is not enough for our purpose, because we need to consider all states in which the ODE can start, which may be uncountably many. That is why axiom[⁰]solves one symbolic initial value problem, instead, since we can hardly solve uncountably many numerical ini- tial value problems. Observe that axiom[⁰]refers toy(t)at all timest≥0, which implies that the global solutionyneeds to exist for all times for axiom[⁰].

Note 33 (Discrete vs. continuous dynamics)Notice something quite intrigu- ing and peculiar about axiom[⁰]. It relates a property of a continuous system to a property of a discrete system. The HP on the left-hand side describes a smoothly changing continuous process, while the right-hand side describes an abruptly, instantaneously changing discrete process. Still, their respective properties coincide, thanks to the time quantifier. This is the beginning of an astonishingly intimate relationship of discrete and continuous dynamics [9].

What we have seen so far about the dynamics of differential equations does not yet help us prove properties of differential equations with evolution domain con- straints (x⁰=f(x)&q(x)). It also does not yet tell us what to do if we cannot solve the differential equation or if the solution is too complicated to be expressed as a term. We will get to those matters in more detail in PartII. But the evolution domain constraintq(x)can be handled directly as well by adding a condition checking that the evolution domain was always true until the point in time of interest:

Lemma 5.4 ([⁰]solution with domain axiom). This axiom schema is sound:

[⁰] [x⁰=f(x)&q(x)]p(x)↔ ∀t≥0 (∀0≤s≤t q(y(s)))→[x:=y(t)]p(x) where y(·)solves the symbolic initial value problem y⁰(t) =f(y),y(0) =x.

The effect of the additional constraint onq(x)is to restrict the continuous evolu- tion such that its solutiony(s)remains in the evolution domainq(x)at all intermedi- ate timess≤t. This constraint simplifies totrueif the evolution domainq(x)istrue,

150 5 Dynamical Systems & Dynamic Axioms which makes sense, because there are no special constraints on the evolution (other than the differential equations) if the evolution domain is described bytrue; hence it is the full state space. In fact, because both axioms from Lemmas5.3and5.4give essentially the same result ifq(x)istrue, we gave both the same name[⁰]. For axiom schema[⁰], it is important, however, thatx⁰=f(x)&q(x)is an explicit differential equation, so nox⁰occurs in f(x)orq(x)(orp(x)), because otherwise the notions of solutions become more complicated.

Axiom[⁰]explains the rôle of evolution domain constraints quite directly. ThedL formula[x⁰=f(x)&q(x)]p(x)is true iff the postconditionp(x)is true in all states that can be reached by following the solution of the differential equationx⁰=f(x) if that solution has always been in the evolution domainq(x)at all times.

In order to build our way up to using axiom[⁰]on the formula (4.29) that was repeated in Sect.5.2, first consider a case with only one differential equation:

A→[x⁰=v]E

Axiom[⁰]swiftly uses the unique solutionx(t) =x+vt to reduce this formula to:

A→ ∀t≥0[x:=x+vt]E

Let’s add the second differential equation, the one for velocityv, back in:

A→[x⁰=v,v⁰=−g]p(x) (5.9) Axiom[⁰]simplifies this formula, too, but things become a bit more complicated:

A→ ∀t≥0[x:=x+vt−g

2t²]p(x) (5.10)

First of all, the solution forxbecame more complex, because the velocity vnow keeps changing over time in (5.9). That is perfectly in line with what we have learned about the solutions of differential equations in Chap.2. Thinking carefully, we notice that (5.10) is the correct reduction of (5.9) by axiom schema[⁰]only if its postconditionp(x)indeed only mentions the positionxand not the velocityv. In fact, this is the reason why the postcondition was somewhat suggestively phrased as p(x)in (5.9) to indicate that it is a condition onx. For a postcondition p(x,v)onx andvor a general postconditionEthat can mention any variable, axiom schema[⁰] for differential equation systems solves all such differential equations. Thus,

A→[x⁰=v,v⁰=−g]E (5.11)

simplifies by axiom schema[⁰]to:

A→ ∀t≥0[x:=x+vt−g

2t²;v:=v−gt]E (5.12) Now, the only remaining issue is that even this insight does not quite take care of handling the bouncing ball’s gravity property (4.29), since that is restricted to the

5.3 Dynamic Axioms for Dynamical Systems 151 evolution domain constraintx≥0. But adapting these thoughts to the presence of an evolution domain constraint has now become as easy as switching from using ax- iom schema[⁰]from Lemma5.3without evolution domains to, instead, using axiom schema[⁰]from Lemma5.4with evolution domains. Then

A→[x⁰=v,v⁰=−g&x≥0]E

simplifies by the evolution domain solution axiom schema[⁰]from Lemma5.4to A→ ∀t≥0

∀0≤s≤t(x+vs−g

2s²≥0)

→[x:=x+vt−g

2t²;v:=v−gt]E Significantly more advanced techniques for proving properties of more compli- cated differential equations, including differential equations without closed-form solutions, will be explored in PartII.