1 Introduction

Formal foundations are a re-emerging trend in modern physics. While philosophical, mathematical and empirical studies were inseparably entwined in antiquity, formal mathematics and physical science drifted apart in the eighteenth and nineteenth centuries [51].

The mathematical deduction employed for example in Ptolemy’s Harmonics is taken to be almost divine. Thus, he considers “arithmetic and geometry, as instruments of indisputable authority” [3,  p. 507]. In contrast, the main physical theories of the twentieth century were developed as physics first and retro-fitted with rigorous mathematical foundations later. An example particularly relevant to this work is that of special relativity (SR) [14]. The comprehensive mathematical treatment given by Minkowski [29] was at first dismissed as unnecessarily complicated [10]. Early work on axiomatising SR (e.g. by Robb [38]) went largely unnoticed by the physical research community, even though it responded to the famous call for axiomatisation of foundational physics in Hilbert’s sixth problem in 1900.

But the search for a formal foundation to modern physics gained wider support in the second half of the twentieth century. Philosophical essays [51], the successes of the new mathematical quantum and relativity theories [4, 41], and increasing interest from theoretical physicists and mathematicians alike, all contributed to works ranging from differential geometry and General Relativity (GR) to the Wightman axioms in particle physics [50].

We will present here a mechanisation of an axiom system for Minkowski spacetime, the main ingredient of the theory of SR, given by Schutz in 1997 [44]. This system is of particular interest for its geometrical nature: it captures the central idea of relativity, namely that there is no canonical observer, quite naturally. In fact, most of Schutz’ work revolves around deriving a geometry in fully abstract terms, without considering a model: the main addition necessary to recover the standard formulation of SR is indeed the (arbitrary) fixing of a coordinate frame. This means any intuition for the quantities involved in the axioms remains much closer to the most central concepts of SR, presenting a decisive pedagogical advantage. Clarifying a theory by properly axiomatising it can also simplify comparison with different theories (in this case, general relativity springs to mind, cf Sect. 2.2), and may be a starting point for philosophical discussion by identifying its most essential statements.

We use the proof assistant Isabelle/HOL, briefly introduced in Sect. 2, for our mechanisation. Short overviews of basic SR and related work are also provided in this background section. We then proceed to an exhibition of the axioms in Sect. 3 and describe the mechanisation of some of our lemmas and theorems in Sect. 4. We conclude and briefly discuss future work in Sect. 5.

2 Background

The following section provides a brief introduction to SR (Sect. 2.1), as well as a short overview of axiomatisations of SR and related work (Sect. 2.2). We then refer to well-known axiomatisations of geometry that influenced Schutz in his monograph (Sect. 2.3), and to work investigating these axioms using interactive theorem proving (Sect. 2.4). This background section concludes with an introduction to Isabelle/HOL (Sect. 2.5).

2.1 Special Relativity

Relativity studies the relationship between measurements made by observers that are moving with different velocities. Each observer defines their own reference frame, which can be likened to a spatial coordinate system equipped with a clock. Galilean Relativity is the most naive setting for this study, where velocities are simply additive and can take any value. Special Relativity studies this same relationship in the context of two additional postulates: that light moves at a fixed speed c (in a vacuum) for any observer and any light source, and that the laws of physics are identical for any observer that is not accelerating.

While in Galilean Relativity, two observers will always agree on the Euclidean distance between two points in space (i.e. the Euclidean metric is invariant), this does not hold in SR: instead, two observers do agree on a different invariant called the Minkowski metric. This metric depends not just on spatial coordinates, but on the time coordinate as well: therefore, a geometric approach to Special Relativity must treat 4-dimensional spacetime, rather than 3-dimensional space only. This spacetime equipped with the Minkowski metric is called Minkowski spacetime, or just Minkowski space. In modern physics, relativity is often treated as a study of the coordinate transformations that relate different observers. SR is then the theory of the Lorentz (and Poincaré) groups, and we refer the reader to other sources for more details [53,  chap. 1] and [14,  chap. 6].

One consequence of the postulates of SR is that all massive particles move slower than light, for any observer. Although different non-accelerated observers may, in SR, disagree on whether two events (in different locations) happen at the same time, they always agree on whether a massive particle can travel between two given points in spacetime (while respecting the slower-than-light restriction). In particular, different observers agree on lightcones: the region of spacetime bounded by lightrays emitted from any given point in spacetime.

We will be interested here in a set of geometric axioms published by Schutz in 1997 [44], which specify the speed limit as the non-existence of trajectories between certain points of spacetime. Schutz only derives a coordinate formulation including the Lorentz transformations much later (see Sect. 3.6).

2.2 Formalisation in Special Relativity

Several axiom systems have been proposed for Minkowski spacetime. Schutz himself developed several iterations, starting with a formulation based on primitive particles and the binary signal relation in 1973 [42]. The next iteration in 1981 replaces signals with a binary temporal order relation, and light signals then become an entirely derived notion, whose existence is proven, not assumed [43]. It is the final axiom system, published in a monograph in 1997 that is of primary interest to us: it contains many of the axioms of earlier systems as theorems, while also boasting the property of independence (see Sect. 3 for details). Systems formulated by Szekeres [52] and Walker [56] also rely on undefined bases and axioms inspired by physical intuition, and Schutz cites them as direct predecessors to his work. Another early approach is that of Robb [38], based on events and an ordering relation, and continued by Mundy [30, 31]. A first-order alternative to Schutz is given by Goldblatt [11, 12], who relies on a relation of orthogonality in addition to the betweenness Schutz employs in his system of 1997.

More recently, an extension of Tarski’s Euclidean ideas using Goldblatt’s approach to Minkowski spacetime was given by Cocco and Babic [6]. Their system is mostly formulated in first-order logic, but with a second-order continuity axiom in order to show the usual four-dimensional Minkowski spacetime is a model. A flexible first-order system of axioms describing several different theories of relativity was given by Andréka et al. [1, 2]. They provide related theories for SR, SR with accelerating observers and General Relativity. Notably, there exists a mechanisation of this approach in Isabelle/HOL by Stannett and Németi [49]. In contrast to what we propose here, Stannett and Németi assume an underlying coordinate formulation and use first-order axioms, while Schutz’ system is second-order, and his Isomorphism Theorem linking it to the usual coordinate model is one of his final results.

2.3 Axiomatic Geometries

Geometry is arguably the oldest discipline to have seen successful axiomatisation in the form of Euclid’s Elements [20]. Over two millennia later, Hilbert’s Grundlagen der Geometrie [21] built on Euclid to propose a new, self-contained system of axioms using modern language and standards of rigour. Many alternative Euclidean systems have been postulated and examined since then. Schutz acknowledges clear parallels between several of his theorems and those of Veblen [55], whose axioms for Euclidean geometry replace Hilbert’s primitives (points, lines, planes and several relations between them) to use only points and a single relation. Tarski’s system of elementary Euclidean geometry [54] is influential too: points as well as two undefined relations are his only primitive notions. His axioms can be formulated in primitive notions only, using first-order logic (with identity and using an axiom schema). Schutz [44] similarly strives for simplicity, though his continuity axiom is second-order, and while a line-like primitive exists, only a single undefined relation is required.

2.4 Mechanisation in Geometry

Several axiomatic approaches to geometry have been (at least partially) formalised in Isabelle/HOL. Hilbert’s Grundlagen has seen work in Isabelle by Meikle, Scott and Fleuriot [28, 46], and further investigation of both the axioms and tools for their study in HOL Light [47, 48]. Tarski’s axiom system was investigated by Narboux in Coq [32], and its independence verified in Isabelle by Makarios [27]. Geometric formalisations also exist e.g. for projective geometry in Coq [26] and again for Tarski’s geometry in Mizar [16]. We refer to a recent review for a more comprehensive picture [33].

Our formalisation bears some similitude to the above work on Hilbert’s Grundlagen in a number of respects since several of Schutz’ axioms originate in the Grundlagen (see Sect. 3). For example, our definition of chains (Sect. 3.2), one of the most fundamental constructs in this paper, relies on an adapted definition due to Scott’s work on the Grundlagen in HOL Light [47]. As another example, we employ the same weakening of Schutz’ Axiom O3 that can be found in Scott’s formalisation of Hilbert’s Axiom II.1. Scott also finds a result very similar to our

figure a

(see Sect. 4.7): while he obtains it from a remark of Hilbert’s [47,  Sect. 6.7.2], we derived it by necessity in an early version of our proof of Theorem 12, and found the correspondence only later. Notice the formalisations of Hilbert’s Grundlagen cited here focus on the first three groups of axioms, which exclude the parallel and continuity axioms.

2.5 Isabelle/HOL

Computer-based theorem proving, verification and proof exploration is the dominant area of automated reasoning today. A breakthrough development for the field was Scott’s work on LCF [45], a typed version of the \(\lambda \)-calculus, and the subsequent construction of an interactive theorem prover of the same acronym by Gordon et al. [13]. Isabelle is a generic proof assistant which continues the LCF style of automated reasoning [37, 59]. Its generic meta-logic (the simple type system responsible for validity checking) supports multiple instances of object logic: we will be using higher order logic (HOL), but instances for e.g. first-order logic (FOL) and ZFC set theory exist.

We review several salient aspects of Isabelle below, including our use of locales to organise our formalisation, and refer to the extensive Isabelle documentation for a detailed practical introduction [34, 58].

2.5.1 Automation and Readability

Considering the above quote, the advantage of computer assistance in logical and mathematical proof is clear. Using Isabelle (for example), we can write a proof of any (provable) theorem, and provided our readers are convinced of the soundness of Isabelle’s trusted kernel, they can take the theorem as fact without manually verifying the proof. A famous and well-popularised success of computer-verified mathematics was the Flyspeck project [18]. A computer-assisted proof of the Kepler conjecture was submitted for review in 1998, but only published (without the reviewers’ complete certification) in 2006 [17, 25]. The Flyspeck project was a 12-year effort to formalise this proof, accepted into a mathematical journal in 2017.

Even if a proof is certified and trusted, it is often still instructive to read through it. One may identify proof methods and patterns to be used in similar problems, or to be generalised to unrelated areas of inquiry. Intuition is built for the behaviour of the mathematical entities manipulated throughout the proof. Readability is, therefore, important, particularly for proofs as verbose as those often found in mechanisations. Isabelle provides us with the language Isar (Intelligible semi-automated reasoning) [57] that can be used for proofs that are both human readable and supported by automatic tools. Isar proofs merge the forward reasoning common in mathematical texts and natural for human readers to follow, and the backward reasoning often useful in exploring possible avenues for a proof to be completed (see the next section for a glimpse of Isar).

Several tools for proof discovery come with the Isabelle distribution. In particular, the umbrella tool sledgehammer [36] automatically chooses a range of (several hundred) facts to pass to different first-order solvers (both resolution and SMT provers), and, if successful, provides a reconstruction of the automatic proof in Isabelle/HOL. In practice, automatic proof discovery is useful, but sometimes struggles to justify steps that seem obvious to the reader, or returns proofs relying on highly unexpected facts. This may be due to the complexity of some of our definitions or to the difficulty in reductions to first-order logic.

2.5.2 Locales

One useful feature, particularly for sizeable axiom systems such as ours, is Isabelle’s locale mechanism. One can think of a locale as a parameterised context: it names one or more “arbitrary but fixed” parameters and assumes some initial properties. In our case, these are undefined notions and axioms, respectively. Since the formulation of axioms often changes as proofs are attempted because they are found wanting (e.g. Axiom O4, see Theorem 1 in Sect. 4.1), we try to limit the amount of logic that is affected and possibly invalidated by such a change. Containing small groups of related axioms in their own separate locales circumscribes the scope of their influence. For instance, this purpose is served by our locale

figure c

(see Sect. 4.7, and below), which contains an assumption (in this case an additional, hidden assumption needed for one of Schutz’ proofs) that we do not want to spill outside the locale.

Locales have additional practical benefits: they are augmented by each theorem proven inside them, they can extend other locales and they can be interpreted, i.e. one can show that a concrete structure is an instance of the abstract concept represented by the locale, and then one can use any results proven abstractly (in the locale) for this particular instance. For example, SO(3) (the set of rotations in 3D space) can interpret the group locale, and one can then use group-theoretic results (e.g. talk about subgroups).

An example locale from our formalisation is given below (see Sect. 4.5.2). The locale MinkowskiDense extends MinkowskiSpacetime with the additional assumption named path_dense. Theorems of MinkowskiSpacetime, such as seg_betw, are proved and available in MinkowskiDense as well.

figure d

Since proofs about models are outside the scope of this work, locales serve mostly an organisational purpose for our formalisation: axioms and definitions are gathered into conceptual groups and introduced as a hierarchy of locales.

3 Axioms

Schutz proves several properties of his axiomatic system in his monograph [44]: consistency (relative to the real numbers), categoricity and independence. He insists upon independence, i.e. that none of his axioms can be derived from any combination of the others: he considers that the search for independence has made his axioms more intuitive.

Some of the axioms as we encode them in Isabelle are subtly different from Schutz’ statements, which we quote throughout this section. For example, some axioms are shorter (for legibility), when the full axiom can be obviously restored using another axiom we introduce at the same time. In the case of Axiom O4, Schutz’ formulation overlooks an edge case required for the very first proof of his monograph. We also often collect quantifiers in a different way to Schutz’ prose, again for legibility and simplicity of the mechanised axioms (e.g. Axiom O6). Several axioms have additional variables in the formalisation: this is a result of our definition of chains using sequences with explicit functions \({\mathord {\mathbb N}}\rightarrow \mathcal {E}\) (Sect. 3.2). Where we differ from the prose axioms, Schutz’ formulation can be easily restored as a theorem, by using the entire system of axioms.

Schutz lays out his axioms in two main groups: order and incidence. The first relates betweenness to events and paths, and establishes a kind of plane geometry with axiom O6. The second deals with the relationships between events and paths, and also contains statements regarding unreachable subsets, which make a Euclidean/Galilean model impossible. In contrast to Schutz, we present axioms according to their specificity to Minkowski spacetime. In particular, our main comparison is with Hilbert’s Grundlagen der Geometrie [21], which introduced the separation of incidence and order axioms.

Since several definitions of derived objects are required for stating some axioms, we construct our system as a hierarchy of locales (Sect. 2.5.2), defining objects in the locale they make most sense in, and often just before they are needed. This section follows the same hierarchy: we introduce axioms for plane geometry first, then introduce additional order-theoretic structures, axiomatise the non-Euclidean parts of the theory and complete the system with the Axioms of Continuity and Symmetry. Sect. 3.6, finally, explores the correspondences between undefined primitives and axiomatic structures, and their equivalents in the \({\mathord {\mathbb R}}^4\) model of SR. Definitions, axioms, theorems and proofs in prose are cited from Schutz’ monograph [44], which serves as the source for our formalisation.

3.1 Primitives and Simple Axioms

The first axioms, introduced in the locale

figure e

together with the primitive notions of events and paths (which are introduced with the keyword

figure f

), are similar to examples found in many other geometric axiom systems, notably Hilbert’s [21]. Schutz names them I1, I2, I3 [44,  p. 13], and they assert basic properties of two primitives: a set of events, \(\mathcal {E}\), and a set of paths, \(\mathcal {P}\), where each path is a set of events.

Axiom I1

(Existence) \(\mathcal {E}\) is not empty.

Axiom I2

(Connectedness) For any two distinct events \(a,b \in \mathcal {E}\) there are paths R, S such that \(a \in R\), \(b\in S\) and \(R\cap S\ne \emptyset \).

Axiom I3

(Uniqueness) For any two distinct events, there is at most one path which contains both of them.

As an example for the verbosity of a full formalisation, contrast Axiom I3 with the many premises of its formalised version

figure g

below, and its customary translation of “there is at most one” as “if given two such objects, they must be equal”. Importantly, note that we also require one axiom Schutz does not have:

figure h

, which excludes the possibility of non-event objects of the appropriate type being in a path and guarantees \(\mathcal {P}\) is a subset of the powerset of \(\mathcal {E}\).

figure i

Nothing initially defines \(\mathcal {E}\) apart from the type of its elements, yet we do not take \(\mathcal {E}\) to be the universal set of type

figure j

. This choice is made since it may lead to easier model instantiations in the future: for example, it allows building a model where \(\mathcal {E}\) is a strict subset of the natural numbers while using the underlying type

figure k

(without defining an extra type). A universal set of events would also differ from Schutz’ language. For example, types are never empty in Isabelle/HOL, so a universal set of events already implies Axiom I1.

The set of paths \(\mathcal {P}\) is always envisaged as a strict subset of the powerset of \(\mathcal {E}\) – otherwise the axioms introduced later in Sect. 3.3 lose all relevance. The locale

figure l

allows us to define many of the objects we need to specify more complicated axioms, such as unreachable subsets (from an event; Sect. 3.3) kinematic triangles and s (Sect. 3.5).

Our final undefined notion, called betweenness, is a ternary relation on the set of events. Schutz denotes betweenness as \([\_\;\_\;\_]\). The first five axioms of order specify simple properties of betweenness; we reproduce Schutz’ formulation below.

The axioms of order in Schutz’ system are in close analogy with axioms of the same name in Hilbert’s Grundlagen (i.e. his group II). Hilbert’s Axiom II.1 combines Schutz’ Axioms O1, O2, O3; Hilbert’s II.2 becomes Schutz’ Theorem 6, II.3 becomes Theorem 1. Pasch’s axiom exists in both systems, respectively as II.4 and O6.

Axiom O1

For events \(a,b,c \in \mathcal {E}\),

$$\begin{aligned}{}[a\;b\;c] \implies \exists Q \in \mathcal {P}: a,b,c \in Q. \end{aligned}$$

Axiom O2

For events \(a,b,c \in \mathcal {E}\),

$$\begin{aligned}{}[a\;b\;c] \implies [c\;b\;a]. \end{aligned}$$

Axiom O3

For events \(a,b,c \in \mathcal {E}\),

$$\begin{aligned}{}[a\;b\;c] \implies a,b,c \text { are distinct.} \end{aligned}$$

Axiom O4

For distinct events \(a,b,c,d \in \mathcal {E}\),

$$\begin{aligned}{}[a\;b\;c] \text { and } [b\;c\;d] \implies [a\;b\;d]. \end{aligned}$$

Axiom O5

For any path \(Q \in \mathcal {P}\) and any three distinct events \(a,b,c \in Q\),

$$\begin{aligned}{}[a\;b\;c] \;\text { or }\; [b\;c\;a] \;\text { or }\; [c\;a\;b] \; \text { or } \\ [c\;b\;a] \;\text { or }\; [a\;c\;b] \;\text { or }\; [b\;a\;c]. \end{aligned}$$

Since Schutz’ notation \([\_\;\_\;\_]\) is used for lists in Isabelle, we write betweenness as

figure m

. This has two advantages: we do not need to interfere with list syntax at all, and the distinction between arguments is clarified by the semicolons, avoiding ambiguous grammar and allowing easy generalisations to different arities for betweenness. The first five axioms of order are formalised as follows:

figure n

Three of these have mild changes compared to Schutz: our O3 and O5 are slightly weaker (having weaker conclusions) since the original statements are actually derivable (in the same locale). In O4, Schutz’ condition that a, b, c, d be distinct has to be removed. This is because distinctness of a, c and b, d is already implied by O3, and the premise \(a\ne d\) makes Schutz’ proof of Theorem 1 impossible (see Sect. 4.1). We prove Schutz’ Axiom O3 from

figure o


figure p

, and

figure q

; and Schutz’ Axiom O5 from

figure r


figure s


3.2 Chains

The final axiom of order given by Schutz is analogous to the axiom of Pasch, which is common in axiomatic geometric systems. It is stated in terms of particular subsets of paths called chains, which Schutz defines as follows [44,  p. 11].

Definition 1

(Chain) A sequence of events \(Q_0, Q_1, Q_2, \dots \) (of a path Q) is called a chain if:

  (i) it has two distinct events, or

  (ii) it has more than two distinct events and for all \(i \ge 2\),


This is hard to reproduce exactly in Isabelle because of the notion of a sequence as an indexed set. The informal naming convention of using a label \(Q_i\) for an event encodes two pieces of information: that the event lies on path Q, and that several betweenness relations hold with other events indexed by adjacent natural numbers. Following Palmer and Fleuriot [35] and Scott [47,  p. 110], we explicitly give a function \(I \rightarrow Q\) (with \(I \subseteq {\mathord {\mathbb N}}\)) that is order preserving, and use this to define chains. The predicate

figure t

formalises what we mean by “order-preserving”, taking as arguments an indexing function

figure u

, a ternary relation

figure v

on the codomain of

figure w

and a set of events

figure x

.

figure z

Our chains differ from Schutz’ in that they use sets and an indexing function instead of his sequences, and that while he assumes (long) chains to lie on paths, we prove this as a theorem (chain_on_path). Notice in the following that we split the definition between chains of two events, short_ch and chains with at least three events, local_long_ch_by_ord, as Schutz does. The cardinality of a set X, denoted |X| in prose, is card X in Isabelle. It is a natural number, and infinite sets have cardinality 0, just like the empty set does. The conditions involving cardinality in local_ordering are used to ensure that a natural number is a valid index into the chain. We will explicitly give the types of only the most basic chains we define, and let type inference handle the rest.

figure aa

The definition of ch_by_ord takes advantage of the fact that we can trivially index a set of two events: the conditions involving betweenness are void. The predicate ch X \(\equiv \) \(\exists \) f. [f \(\leadsto \) X], using the syntax sugar introduced for ch_by_ord, formalises the statement “X is a chain”. We introduce separate definitions and notation for finite chains, since they will be the focus of most theorems formalised in our work. Events in positions of interest can be named in a similar fashion to betweenness, giving the combined notation \([f\,{\rightsquigarrow }\, X | a .. b]\) for a chain where a is at index 0, and b is at index . One can additionally assert that an event c lies on the chain and is different from a and b by writing .

figure ab

Axiom O6

If Q, R, S are distinct paths which meet at events \(a \in Q \cap R\), \(b \in Q\cap S\), \(c \in R \cap S\) and if:

  (i) there is an event \(d \in S\) such that \([b\;c\;d]\), and

  (ii) there is an event \(e \in R\) and a path T which passes through both d and e such that \([c\;e\;a]\),

then T meets Q in an event f which belongs to a finite chain .

Our formalised version of this axiom has a slightly different structure: we remove all quantifiers in the premise for a more symmetrical, straightforward statement:

figure ac

Although the statement is technical, the intention of O6 (or Pasch’s axiom) is simple. Using some intuition from Euclidean geometry, a rough translation is: if three paths meet in a triangle, then a fourth path which intersects one side of the triangle externally, and another internally, must meet the third side internally as well (see Fig. 1). Such an intuitive understanding can be justified by noting that similar axioms occur e.g. in Hilbert’s Grundlagen [21] and its mechanisation [28]; it is not O6 that makes our system non-Euclidean.

Fig. 1 Intuitive visualisation of axiom O6. A path T that meets S externally to the triangle QRS (in d) and meets R internally (in e), must meet the third side of the triangle internally (in f)

3.3 Unreachability

While the axioms of the previous sections establish a geometry, nothing in them excludes a Euclidean space with Galilean relativity, i.e. velocities that are additive across reference frames [44,  p. 12]. Crucially, no speed limit is implied so far, and thus, there is no trajectory through space and time that is forbidden. The next group of axioms (I5-I7) specifies existence and basic properties of unreachable sets, a concept tightly linked to the lightcones often used in relativistic physics [14,  sect. 1.4]. In fact, if we pre-empt significantly and hypothesise our undefined paths to relate to observer worldlines, one can glean the notion of an ultimate speed limit hidden in the condition that certain regions of spacetime should not be connected by paths. Ultimately, saying that nothing can move faster than some speed c is merely the statement that certain histories or trajectories through space and time should not occur. We begin by formalising Schutz’ various notions of unreachable sets.

Definition 2

(Unreachable subset from an event) Given a path Q and an event \(b \notin Q\), we define the unreachable subset of Q from b to be

$$\begin{aligned} Q(b,\emptyset ) := \left\{ x : \text {there is no path which contains } b \hbox { and } x, x \in Q \right\} . \end{aligned}$$

The pen-and-paper definition is simple enough: it collects all the events x of a path Q that cannot be connected (by a path) to another event \(b \notin Q\). In prose, we continue using Schutz’ notation \(Q(b,\emptyset )\). To avoid the symbol \(\emptyset \), which is conventionally read as the empty set, the more verbose mixfix notation

figure ad

is used in Isabelle.

figure ae

The second definition is more complex: if Q meets R at x, Schutz defines the set \(Q(Q_a,R,x,\emptyset )\) to collect all events \(Q_y \in Q\) that are on the side of the intersection x given by \(Q_a\), and where some event on R is connected neither to \(Q_a\) nor \(Q_y\) (see Fig. 2).

Definition 3

(Unreachable subset via a path) For any two distinct paths Q, R which meet at an event x, we define the unreachable subset of Q from \(Q_a\) via R to be

$$\begin{aligned} Q(Q_a,R,x,\emptyset ) := \left\{ Q_y : [x\;Q_y\;Q_a] \text { and } \exists R_w \text { such that } Q_a, Q_y \in Q(R_w,\emptyset ) \right\} . \end{aligned}$$

In Isabelle, we use verbose mixfix notation again, as above:

figure af

Fig. 2 The event \(Q_y\) belongs to the unreachable subset of Q from \(Q_a\) via R. Thus, there is an event \(R_w\), such that there are no paths connecting \((Q_a, R_w)\) or \((Q_y, R_w)\) (dashed lines). In this case, \(R_w\) also belongs to the unreachable subset of R from \(Q_a\)

Since we will be able to prove that distinct paths intersect at most once, we define the mixfix notation unreach-via P on Q from Qa for the unreachable subset of Q via R from \(Q_a\), where the path intersection x is omitted. This is equivalent to the definition above in the setting Schutz considers (i.e. distinct paths that meet at x). Next, we give the formalised Axioms I5-I7, introduced in the locale

figure ag

, together with their prose formulation and some comment. Axiom I5 is simple once unreachable sets from events are understood. It has important implications for many proofs, since it is necessary to guarantee that the empty set is not a path. It is the only axiom that mentions the existence of events on a path.

Axiom I5

For any path Q and any event \(b \notin Q\), the unreachable set \(Q(b,\emptyset )\) contains (at least) two events.

Axiom I5 is the first of three locale assumptions of

figure ah


figure ai
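
The effect of Axiom I5 can be seen on small finite structures. The following Python code is an added illustration, not part of the paper or its Isabelle formalisation: it checks the prose Axioms I1-I3, O1-O5 and I5 quoted in this section (plus the extra requirement that every path is a set of events), using Definition 2 for the unreachable subset. The class, the function names and both toy models are constructed here; O4 is checked without Schutz' distinctness premise, as described for the formalised variant, and no other axiom (O6, I6, I7, symmetry, continuity) is checked.

```python
from itertools import combinations, permutations, product


class Model:
    """Finite candidate structure: events E, paths P (sets of events),
    and betweenness B as a set of ordered triples. Constructed helper."""

    def __init__(self, events, paths, betw):
        self.E = frozenset(events)
        self.P = {frozenset(p) for p in paths}
        self.B = set(betw)

    def connected(self, a, b):
        """True if some path contains both a and b."""
        return any(a in p and b in p for p in self.P)

    def unreach(self, Q, b):
        """Definition 2: events of Q that share no path with b."""
        return {x for x in Q if not self.connected(b, x)}


def line_betweenness(*ordered_paths):
    """Betweenness induced by a linear order along each listed path."""
    B = set()
    for seq in ordered_paths:
        for i, j, k in combinations(range(len(seq)), 3):
            B |= {(seq[i], seq[j], seq[k]), (seq[k], seq[j], seq[i])}
    return B


def check_axioms(m):
    """Return {axiom name: bool} for the prose axioms quoted in this section."""
    E, P, B = m.E, m.P, m.B
    res = {}
    # Extra axiom of the formalisation: paths contain only events.
    res["in_path_event"] = all(p <= E for p in P)
    res["I1"] = len(E) > 0
    res["I2"] = all(
        any(a in R and b in S and R & S for R, S in product(P, P))
        for a, b in combinations(E, 2))
    # "At most one path": count the paths through each pair of events.
    res["I3"] = all(
        sum(1 for p in P if a in p and b in p) <= 1
        for a, b in combinations(E, 2))
    res["O1"] = all(any({a, b, c} <= Q for Q in P) for a, b, c in B)
    res["O2"] = all((c, b, a) in B for a, b, c in B)
    res["O3"] = all(len({a, b, c}) == 3 for a, b, c in B)
    # O4 without the distinctness premise on a, b, c, d.
    res["O4"] = all((a, b, d) in B
                    for (a, b, c) in B for (b2, c2, d) in B
                    if (b2, c2) == (b, c))
    res["O5"] = all(any(t in B for t in permutations(trio))
                    for Q in P for trio in combinations(Q, 3))
    # I5: every unreachable subset Q(b, emptyset) has at least two events.
    res["I5"] = all(len(m.unreach(Q, b)) >= 2
                    for Q in P for b in E - Q)
    return res


def crossing_model():
    """Two paths meeting in one event x (constructed toy model)."""
    Q = ("q0", "q1", "x", "q2")
    R = ("r0", "r1", "x", "r2")
    return Model(set(Q) | set(R), [Q, R], line_betweenness(Q, R))


def all_connected_model():
    """Three events, every pair joined by a path (constructed toy model)."""
    return Model("abc", [("a", "b"), ("b", "c"), ("a", "c")], set())


if __name__ == "__main__":
    for name, model in [("crossing", crossing_model()),
                        ("all connected", all_connected_model())]:
        failed = [ax for ax, ok in check_axioms(model).items() if not ok]
        print(f"{name}: failed axioms = {failed}")
```

In the second model every pair of events lies on a common path, so every unreachable subset is empty and I5 is the only check that fails.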

Schutz calls Axiom I6 “Connectedness of the Unreachable Set”. Indeed, given two unreachable (from b) events \(Q_x, Q_z\) on a path Q, it essentially states that any points between \(Q_x, Q_z\) must be unreachable too. This is phrased in terms of a finite chain with endpoints \(Q_x,Q_z\).

Axiom I6

Given any path Q, any event \(b \notin Q\) and distinct events \(Q_x, Q_z \in Q(b,\emptyset )\), there is a finite chain \([Q_0 \;\dots \; Q_n]\) with \(Q_0 = Q_x\) and \(Q_n = Q_z\) such that for all \(i \in \left\{ 1,2,\dots ,n\right\} \),

  (i) \(Q_i \in Q(b,\emptyset )\)

  (ii) \([Q_{i-1}\;Q_y\;Q_i] \implies Q_y \in Q(b,\emptyset )\).

In the case of short chains (containing only two events), the indexing function f has no meaning in terms of ordering (see Sect. 3.2), but having a unified definition for the chain \([f \rightsquigarrow X]\) makes statements like Axiom I6 much easier to formalise.

figure aj

Axiom I7 about the “Boundedness of the Unreachable Set” is reminiscent of the Archimedean property, namely that one can “leave” the unreachable set in finitely many “steps”. A simplified illustration is given in Fig. 5.

Axiom I7

Given any path Q, any event \(b \notin Q\) and events \(Q_x \in Q \setminus Q(b,\emptyset )\) and \(Q_y \in Q(b,\emptyset )\), there is a finite chain

with \(Q_0 = Q_x\), \(Q_m = Q_y\) and \(Q_n \in Q \setminus Q(b,\emptyset )\).

We drop the double naming of the events \(Q_x=Q_0\) and \(Q_y=Q_m\), noting the index of \(Q_x\) is implied once the chain is defined. The complement of the unreachable set, \(Q \setminus Q(b,\emptyset )\), is best thought of as all the events of path Q that can be reached by a path passing through b. Axiom I7 is then formalised as:

figure ak

3.4 Symmetry and Continuity

The final two axioms, symmetry and continuity, both receive their own locale. Although neither is used in proofs in this paper, we still present them for completeness. The axiom of symmetry is a hefty statement that, according to Schutz [44], serves as a replacement of an entire axiom group in geometries such as Hilbert’s Grundlagen.


S (Symmetry) If Q, R, S are distinct paths which meet at some event x and if \(Q_a \in Q\) is an event distinct from x such that

$$\begin{aligned} Q(Q_a,R,x,\emptyset ) = Q(Q_a,S,x,\emptyset ) \end{aligned}$$

  (i) there is a mapping \(\theta :\mathcal {E}\longrightarrow \mathcal {E}\)

  (ii) which induces a bijection \(\Theta :\mathcal {P}\longrightarrow \mathcal {P}\), such that

  (iii) the events of Q are invariant and

  (iv) \(\Theta : R \longrightarrow S\).

Fig. 3. Visualisation of Axiom 3.4. The unreachable subsets of Q from \(Q_a\) via R and S (indicated by dashed lines) are equal, so the induced symmetry mapping \(\Theta \) takes R to S

Continuity is simple to state, but relies on mechanised definitions of bounds and closest bounds. We break up the presentation of the formalised axiom of symmetry, explaining the conclusion as we go along. See also Fig. 3.

figure al

The first line of the axiom above essentially says that Q, R, S are distinct paths in

figure am

(see Sect. 3.5) and obtains an event \(Q_a \ne x\) on Q. The second states that the unreachable sets of Q via R and S are the same. We split up the conclusion of the axiom below, reproducing Schutz’ prose [44,  p. 16] for each of the parts (i)–(iv); notice the first line below quantifies the entire conclusion.

  (i) there is a mapping \(\theta :\mathcal {E}\longrightarrow \mathcal {E}\)

    figure an

  (ii) which induces[Footnote 4] a bijection \(\Theta :\mathcal {P}\longrightarrow \mathcal {P}\)

    figure ao

  (iii) the events of Q are invariant and

    figure ap

  (iv) \(\Theta : R \longrightarrow S\)

    figure aq

We take the events of Q to be \(\theta \)-invariant, so in particular, \(\theta \) preserves the ordering of events on Q.

The axiom of continuity compares to the property of least upper bounds on the real numbers (also called Dedekind completeness). Indeed, Schutz’ Theorem of Continuity, the first to use this axiom, deals with sets that look very similar to Dedekind cuts [8]. Bounds are defined by Schutz only for infinite chains.

Definition 4

((Closest) Bound) Given a path \(Q \in \mathcal {P}\) and an infinite chain \([Q_0, Q_1 \;\dots \; ]\) of events in Q, the set

$$\begin{aligned} \mathcal {B} = \left\{ Q_b : i < j \implies [Q_i\;Q_j\;Q_b]; Q_i, Q_j, Q_b \in Q\right\} , \end{aligned}$$

is called the set of bounds of the chain: if \(\mathcal {B}\) is non-empty we say that the chain is bounded. If there is a bound \(Q_b \in \mathcal {B}\) such that for all \(Q_{b'} \in \mathcal {B} \setminus \left\{ Q_b \right\} \),

$$\begin{aligned}{}[Q_0\;Q_b\;Q_{b'}] \end{aligned}$$

we say that \(Q_b\) is a closest bound.


C (Continuity) Any bounded infinite chain has a closest bound.

The formalisation in this case is straightforward. We formally define bounds first.

figure ar

Since the premise

figure as

below already implies that Q is a chain, the axiom of continuity is short and simple and the locale below is easily readable.

figure at

3.5 Path Dependence and Dimension

The final axiom we introduce is that of dimension. It comes last in our hierarchy of locales because spacetimes in different numbers of dimensions can then be constructed. Thus, we found it sensible to have an easily replaceable top layer that specifies only the axiom least critical to the general Minkowski spacetime structure, in case one wants to explore other dimensions.

However, this axiom has a hidden purpose much more fundamental than we first realised: it is the only one that excludes a singleton set of events with an empty set of paths from being a model. As a result, the axiom of dimension turns out to be crucial to several fairly basic proofs involving geometric construction of several paths (that without it could not be guaranteed to exist), and we end up working inside the full

figure au

locale for many more proofs than originally expected (notably, any proof requiring the overlapping ordering lemmas presented in Sect. 4.5). A minor restructuring could isolate an axiom for existence of at least one path: if applications in higher or lower dimensions are deemed important in future work, this is easily done.[Footnote 5] We keep Schutz’ formulation.

Defining dimensionality in linear algebra requires the idea of linear dependence and independence. Since vector spaces are not included in our axioms, we need a more basic notion, namely an idea of paths depending on other paths. This relation is defined only for a set of paths that all cross in one point and is called a \(\text {SPRAY}\) [44,  p. 13].

Definition 5

(SPRAY) Given any event x,

$$\begin{aligned} \text {SPRAY}[x] := \left\{ R: R \ni x, R \in \mathcal {P}\right\} . \end{aligned}$$
figure av

Path dependence in a \(\text {SPRAY}\) is defined first for a set of three paths [44,  p. 13]:

Definition 6

(Path dependence (3 paths)) A subset of three paths of a \(\text {SPRAY}\) is dependent if there is a path which does not belong to the \(\text {SPRAY}\) and which contains one event from each of the three paths: we also say any one of the three paths is dependent on the other two. Otherwise the subset is independent.

We have two corresponding definitions in Isabelle: one that keeps track of the (source of the) SPRAY, and one that only asserts there is some SPRAY containing the three paths.

figure aw

To obtain path dependence for an arbitrary number of paths, we extend the base case above by induction, quoting Schutz [44,  p. 14]:

Definition 7

(Path dependence) A path T is dependent on the set of n paths (where \(n \ge 3\))

$$\begin{aligned} S = \left\{ Q^{(i)} : i = 1, 2, \dots , n;\; Q^{(i)} \in \text {SPRAY}[x]\right\} \end{aligned}$$

if it is dependent on two paths \(S^{(1)}\) and \(S^{(2)}\), where each of these two paths is dependent on some subset of \(n - 1\) paths from the set S. We also say that the set of \(n+1\) paths \(S\cup \left\{ T\right\} \) is a dependent set. If a set of paths has no dependent subset, we say that the set of paths is an independent set.

The corresponding Isabelle definition uses the keyword

figure ax

, which allows us to give a non-recursive base case and induction rules, to create the minimal set of pairs T, S such that

figure ay


figure az

We point out two consequences of this definition. It is not necessary that the paths \(S_1, S_2\) belong to the set S (there only has to be some SPRAY containing \(S_1, S_2, T\)), and thus, in general \(S' \cup \{S_1\} \ne S\). This can be compared to Fig. 4b in Sect. 3.6, with the point P approaching the boundary of the circle.[Footnote 6] Also notice that the relation between

figure bb

and dep_set (insert T S) is meaningless if the path T is a member of the set S, since then \(\{T\} \cup S = S\).

This leaves us with only the job of transforming this inductive definition into an analytical one, such that a set of paths can be examined and found dependent or not, rather than being able only to construct such sets to measure.

figure bc

Now the axiom of dimension can be given as follows, with a final definition:

Definition 8

(3-SPRAY) A \(\text {SPRAY}\) is a 3-\(\text {SPRAY}\) if:

  (i) it contains four independent paths and

  (ii) all paths of the \(\text {SPRAY}\) are dependent on these four paths.

Axiom I4

(Dimension) If \(\mathcal {E}\) is non-empty, then there is at least one 3-\(\text {SPRAY}\).

We point out that Schutz introduces Axiom I1 into the antecedent of Axiom I4. This serves the purpose of conserving independence: the empty event set is an obvious model for proving independence of I1, and in this formulation, the empty event set trivially satisfies Axiom I4.

We formalise the 3-SPRAY as a special case of its obvious generalisation, the n-\(\text {SPRAY}\), which is not given by Schutz. This is useful for the discussion in Sect. 3.6, since lower dimensions are easier to visualise. It also hints at a possibility for keeping the number of dimensions flexible. The axiom of dimension is stated in

figure bd

to complete our hierarchy of locales.

figure be

3.6 Correspondence Between Schutz’ Axiomatics and the Coordinate Formulation

One of the ultimate results of Schutz’ monograph is the Isomorphism Theorem, which shows that the usual coordinate formulation of SR (i.e. \({\mathord {\mathbb R}}^4\) equipped with the Minkowski metric) is not just a model of his axioms, but possesses the same derived geometric structures too. We give an overview of the correspondences between the main objects defined in the axiomatic theory that appear in this paper, and their analogues in the \({\mathord {\mathbb R}}^4\) model of SR. The relevant sections of Schutz’ monograph are mainly [44,  Theorems 80 and 86, Sects. 9.2 and 9.5, Chapter 10].

In the \({\mathord {\mathbb R}}^4\) model, events are points in the 4-dimensional spacetime, and paths are timelike lines, i.e. paths correspond to trajectories that are (strictly) slower than light. For example, Axiom I3 translates to the statement that there is at most one fixed-velocity (subluminal) trajectory that intercepts two points in space at given times. Since all points in \({\mathord {\mathbb R}}^4\) can be connected by lines, unreachable events are those connected by spacelike (faster than light) or lightlike trajectories: the unreachable set \(Q(x,\emptyset )\) on path Q is a closed interval (i.e. bounded and connected, see Theorems 5 and 12) with boundaries given by the photon trajectories through x. Schutz’ relation of betweenness is then betweenness in the sense of the usual ordering of the real numbers, on any timelike line; similarly a chain is a countable ordered set on a timelike line, with a least or greatest element (or both).
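The coordinate picture of the unreachable set described above can be computed directly. The following Python sketch is an added illustration, not part of the paper or of its Isabelle theories; it works in \({\mathord {\mathbb R}}^{1+k}\) with c = 1, and the names mink, Path, unreachable_interval and leave_unreachable_set are assumptions of this example.

```python
import math
from dataclasses import dataclass


def mink(u, w):
    """Minkowski product of (t, x1, ..., xk) vectors, signature (+, -, ..., -), c = 1."""
    return u[0] * w[0] - sum(a * b for a, b in zip(u[1:], w[1:]))


@dataclass(frozen=True)
class Path:
    """A timelike line: the events origin + s * (1, velocity) for real s."""
    origin: tuple
    velocity: tuple

    def __post_init__(self):
        if sum(v * v for v in self.velocity) >= 1.0:
            raise ValueError("paths are strictly slower than light")

    @property
    def direction(self):
        return (1.0, *self.velocity)

    def event(self, s):
        return tuple(p + s * d for p, d in zip(self.origin, self.direction))


def reachable(path, b, s):
    """True if a timelike line joins b and the event of `path` at parameter s."""
    d = tuple(e - q for e, q in zip(path.event(s), b))
    return mink(d, d) > 0.0


def unreachable_interval(path, b):
    """Parameters (lo, hi) of the unreachable set Q(b, {}) on `path`.

    With d = origin - b and u = direction, the event at s is unreachable
    iff mink(d + s*u, d + s*u) <= 0, a quadratic in s with positive leading
    coefficient mink(u, u).  Its two roots are the photon trajectories
    through b, so the unreachable set is the closed interval between them.
    """
    u = path.direction
    d = tuple(p - q for p, q in zip(path.origin, b))
    a, half_b, c = mink(u, u), mink(d, u), mink(d, d)
    disc = half_b * half_b - a * c
    # disc = 0 exactly when d is parallel to u, i.e. when b lies on the path
    if disc <= 1e-12 * (1.0 + half_b * half_b):
        raise ValueError("b lies on the path; the axioms require b not in Q")
    root = math.sqrt(disc)
    return ((-half_b - root) / a, (-half_b + root) / a)


def between(s1, s2, s3):
    """Betweenness of three events on one path, read off the line parameter."""
    return s1 < s2 < s3 or s3 < s2 < s1


def leave_unreachable_set(path, b, s_x, s_y):
    """Theorem 5 in the model: from reachable Q_x and unreachable Q_y,
    return a reachable Q_z with [Q_x Q_y Q_z]."""
    lo, hi = unreachable_interval(path, b)
    if lo <= s_x <= hi or not lo <= s_y <= hi:
        raise ValueError("need Q_x reachable and Q_y unreachable from b")
    return hi + 1.0 if s_x < lo else lo - 1.0
```

Because the interval always has lo < hi when b is off the path, it contains at least two events (Axiom I5), and any parameter between two unreachable ones is again unreachable (Axiom I6).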

3-SPRAYs are lightcones,[Footnote 7] i.e. bundles of timelike lines through the source of the 3-SPRAY. Paths in a 3-SPRAY can also be interpreted as points on the intersection of the future lightcone and a 3-sphere of fixed radius. One of Schutz’ later results is indeed that each 3-SPRAY is a convex subset of three-dimensional projective space [55].

Fig. 4. A 2-SPRAY with paths \(S = \{S_1, S_2, S_3\}\), depicted as a subset of projective 2-space in the context of a \({\mathord {\mathbb R}}^3\) spacetime model. In this two-dimensional example, three paths in the 2-SPRAY are dependent if they are coplanar

A set S of three distinct paths in a SPRAY are dependent if there is a path (i.e. a timelike line) that crosses all three (but not the source of the SPRAY). In the setting of \({\mathord {\mathbb R}}^4\), this translates to the three lines of S being coplanar. Thus, dependence of a fourth path P on S means the following: there are two paths \(S_1\) and \(S_2\), each of which is coplanar with two paths of S, such that \(S_1\), \(S_2\) and P are coplanar (and distinct). Then the two parts of the definition of the 3-SPRAY translate to the dimension (as a real projective space) of the lightcone being (i) at least and (ii) at most three. Thus, once we identify paths as lines, we conclude they must live in a 4-dimensional vector space, so that the projective space they form has the correct number of dimensions.

The 2-SPRAY analogue of this is depicted in Fig. 4 (Schutz does not define 2-SPRAYs, but his concept easily generalises to n-SPRAY, \(n>1\)). The same figure clarifies path dependence and the axiom of dimension: one needs three points to define lines spanning all dimensions of a slice of a lightcone in \({\mathord {\mathbb R}}^3\), which is a disc.

We should point out that path dependence applies only to sets of distinct paths, while linear dependence in \({\mathord {\mathbb R}}^4\) can apply to 4-vectors that are scalar multiples of each other (and therefore, define the same line in a lightcone). This difference is due to the inductive nature of path dependence: if we want to reason by incrementing the cardinality of the dependent set, then the path added has to be different to any path in the set.

The Axiom of Symmetry introduces Lorentz transforms, which are the induced symmetry mappings (\(\Theta \) in Axiom 3.4) that also leave the coordinate origin unchanged. This is somewhat harder to see from the axioms alone: while it can be guessed that the symmetry transform is somehow related to lightcones (by identifying paths with equivalent unreachable sets), showing that the mapping induced on all other paths correspond to the Lorentz transform takes some work [44,  Chap. 10].

4 Formalisation: Temporal Order on a Path

We have formalised all of Schutz’ results from Chapter 3 (Temporal Order on a Path) of his monograph, except for the Theorem of Continuity (see Sect. 5 for a short discussion). In many cases, his statements had to be extended or amended to pass Isabelle’s unforgiving scrutiny. In what follows, rather than giving formal proofs for all of these results, we sketch the proofs given by Schutz and highlight interesting features of their formalisation. We refer to the Isabelle proof document[Footnote 8] for the complete proof script, and the original monograph [44] for sometimes more extensive prose, when we do not reproduce it.

We endeavour to present proof procedures at a comfortable level of detail. Fairly often, extra steps required in Isabelle are obvious to the inspecting reader and their omission does not obscure the flow of the overall argument. We, therefore, employ “snipping” rather freely. We denote by

figure bf

a proof that was excised from the paper, but exists in the associated proof script. The notation

figure bg

is used for cutting away multiple not necessarily related lines, or even just a part of a line. This relaxation is possible because we trust the Isabelle verification of our proof: if one wanted to verify all the statements in this paper, one could simply make sure they exist in the Isabelle theory, identify the introduced axioms, and let Isabelle check the entire file. Regardless of these cuts, all results presented are fully formalised in Isabelle.

The following section is ordered as in Schutz’ monograph, and this structure is reflected in the formal proof document as well. The only exception is Sect. 4.2, which includes both collinearity theorems, not just the first. We repeat that prose theorems, definitions and proofs are quoted from Schutz’ monograph for comparison [44], but the numbering of theorems differs slightly.

4.1 Order on a Finite Chain

Theorem 1

If \([a\;b\;c]\) then \([c\;b\;a]\) and no other order.

The point of this theorem is really to exclude other orders, as \([c\;b\;a]\) is explicitly established by Axiom O2. Schutz proceeds by contradiction, and following him forced us to change Axiom O4. For example, Schutz claims that \([b\;c\;a]\) implies (with \([a\;b\;c]\)) the order \([a\;b\;a]\) via Axiom O4. This works only if Axiom O4 is changed to allow, in the notation of its definition in Sect. 3, the case \(a=d\). We obtain a contradiction from \([a\;b\;a]\) and Axiom O3, which applies here to give \(a \ne a\).

figure bh

Our formalisation is concerned only with two of the four impossible orderings, the rest being trivial via Axiom O2. In addition to

figure bi

, we prove a similar result called

figure bj

. This concludes only the impossible orderings from \([a\;b\;c]\) and is used frequently in the rest of the formalisation. It follows from O2, O3 and O4 like Theorem 1.

The second theorem, “Order on a Finite Chain”, extends the local order defined on a chain to a total order. Notice Schutz proves the first part of this theorem by induction (on decreasing j for \(j<l\) and increasing j for \(i<j\)), and thus, it holds only for finite chains.[Footnote 9] The induction step propagates ordering relations along increasing/decreasing indices using Axioms O2 and O4.

Theorem 2

(Order on a finite chain) On any finite chain

figure bl

, there is a betweenness relation for each ordered triple; that is

$$\begin{aligned} 0 \le i< j < l \le n \implies [Q_i\;Q_j\;Q_l]\;. \end{aligned}$$

Furthermore all events of a chain are distinct.

The proof is interesting only for the case of chains with more than two elements. Therefore, the theorem we prove is only concerned with long chains, and the exact analogue of Schutz’ formulation of Theorem 2 emerges as a corollary in Isabelle:

figure bm

Distinctness of chain events is an obvious conclusion of the first part of the theorem and Axiom O3. Our explicit handling of indices allows for a clearer statement of this property, namely that distinct indices label distinct events (i.e. the indexing function is injective). Several such statements are included in the formalisation, and we give an example below. The proof relies notably on Axiom O3 only, but involves a few case splits according to how we can find a third element for the betweenness relation (e.g. whether a natural number exists between i and j or not). We also present a converse to Theorem 2, which is not given in Schutz’ monograph.

figure bn

Schutz follows the statement of Theorem 2 with the remark that Theorem 10 extends it to any finite subset of a path. Indeed, there is a tight relationship between these two results. An early version of this formalisation used chains that were totally ordered by definition: Theorem 2 then becomes obvious, while Theorem 10 requires an additional proof step that is equivalent to proving Theorem 2 with local ordering as above. This variant avoids repeated uses of variants of Theorem 2 by encapsulating it in the definition; however, it is only equivalent to Schutz’ monograph in the case of finite chains.

4.2 First and Second Collinearity Theorems

We begin by defining a fundamental structure for the geometric proofs to come, the kinematic triangle [44,  p. 20]. Indeed, this can be reasoned about intuitively, much like a triangle in plane geometry.

Definition 9

(Kinematic triangle) A set of three distinct events \(\left\{ a,b,c \right\} \) is called a kinematic triangle if each pair of events belongs to one of three distinct paths: we will refer to the kinematic triangle \(\triangle abc\), or simply \(\triangle abc\).

Furthermore, since each path is uniquely defined by any two distinct points that lie on it (thanks to Axiom  I3), we shall denote a path that contains two distinct events a and b as ab. In Isabelle, this shorthand is not possible, but we approximate it using the following Isabelle abbreviations.

figure bo

Theorem  3 is a straightforward application of the Axiom of Collinearity (O6, see also Fig. 1), and named after it. Schutz provides three results of this name, of increasing complexity, with Theorem 4 being the other one included in our formalisation. The Third Collinearity Theorem, numbered 15, is fundamental to Schutz’ treatment of optical lines and causality [44,  chap. 4]. Its proof relies heavily on the preceding Collinearity Theorems.

Theorem 3

(Collinearity) Given a kinematic triangle \(\triangle abc\) and events d, e such that

  (i) there is a path de and

  (ii) \([b\;c\;d]\) and \([c\;e\;a]\)

then de meets ab in an event f such that \([a\;f\;b]\).

The proof in Isabelle again follows Schutz closely. His proof, a single sentence quoting Axiom O6 and Theorem 2, is expanded upon merely by finding the precise paths to use in the Axiom of Collinearity (O6), namely ac and bc.

The Second Collinearity Theorem extends the First (Theorem 3) by adding the ordering \([d\;e\;f]\) to the conclusion. Schutz only proves this theorem later (as his Theorem 7), but we include it here: the proof (whether in prose or in Isabelle) does not rely on Theorems 5 to 7.

Theorem 4

(Second collinearity theorem) In the notation of Theorem 3,

$$\begin{aligned}{}[a\;f\;b] \text { and } [d\;e\;f] \;. \end{aligned}$$

The Isabelle proof follows Schutz’ proof by contradiction overall, using Theorem 3 to construct impossible triangles, but with some additional intermediate steps required. Since the two Collinearity Theorems are so similar, we include only a listing of the second one. The assumption

figure bp

below already includes the requirement for events d and e to be distinct.

figure bq

4.3 Boundedness of the Unreachable Set

In the spirit of Theorem 3, Schutz continues to strengthen the statements made by his axioms. Theorem 5 (Boundedness of the Unreachable Set, see also Fig. 5) is concerned with restating the Axiom I7, which shares its name, in the context of the chain order established in Theorem 2. Schutz’ proof is a one-liner referencing these two results.

Theorem 5

(Boundedness of the unreachable set) Let Q be any path and let b be any event such that \(b \notin Q\). Given events \(Q_x \in Q \setminus Q(b, \emptyset )\) and \(Q_y \in Q(b, \emptyset )\), there is an event \(Q_z \in Q \setminus Q(b, \emptyset )\) such that

  (i) \([Q_x\;Q_y\;Q_z]\) and

  (ii) \(Q_x \ne Q_z\).

Fig. 5. Boundedness of the unreachable set. Given \(Q_x\) (reachable from b) and \(Q_y\) (unreachable from b), Theorem 5 obtains \(Q_z\) (reachable from b). Axiom I7 furthermore states that all three events must be part of a finite chain

The formalisation is very simple: in fact, Theorem 5 can be proven in a single step by Isabelle’s

figure br


figure bs

Theorem 6 allows one to generate additional events and paths, given an event and a path: a second event on the same path and a reachable event outside the path. After Theorem 3, this is the next more involved proof of the monograph. The events provided by Theorem 6 form a triangle of paths, thus, enabling geometric proofs of several lemmas leading up to Theorem 9. These lemmas are, in practice, amongst the most important results for this work, both practically and conceptually, allowing us to conclude new betweenness relations from existing ones (similarly to Axiom O4).

Theorem 6

(First existence theorem) Given a path Q and an event \(a \in Q\), there is

  (i) an event \(b \in Q\) with b distinct from a and

  (ii) an event \(c \notin Q\) and a path ac (distinct from Q).

Again, the formalisation follows Schutz’ contradiction, up to one additional (and needed) application of Axiom I5 to exclude the possibility of singleton paths. Axiom I5 is already used in a different part of Schutz’ proof, so this is a minor change.

figure bt

4.4 Prolongation

Theorem 7 goes a little further in justifying our intuition of paths as line-like objects by showing they are infinite. This also gives us the means to always find more events on a path.

Theorem 7


  (i) If a, b are distinct events of a path Q, then there is an event \(c \in Q\) such that \([a\;b\;c]\).

  (ii) Each path contains an infinite set of distinct events.

Schutz’ proof [44,  p. 21] of the first part is straightforward and remains so in Isabelle: the formal proof reads almost exactly like Schutz’ prose. Theorem 6(ii) provides an event \(e \notin Q\) and a path ae. Axiom I5 then guarantees the existence of an event \(f \in ae\) that is unreachable from b; thus, \(b \in Q(f, \emptyset )\). Theorem 5 delivers the desired event c.

figure bu

While the second part of Theorem 7 can be proven almost by inspection by the reader, it is slightly longer to formalise. Schutz says that “By the preceding theorem [...,] part (i), Theorem 1, and induction, the path Q contains an infinite set of distinct events”. Our mechanisation is in fact a proof by contradiction, where the contradiction is obtained from part (i) and a lemma, which is proved by induction as above and provides bounds to any finite set of events on a path.

figure bv

We can now prove that the cardinality of a path must be 0. The cases for less than three events on a path are dispensed with separately, using Theorem 6 (as is hinted in the prose we gave above), while for three or more (but finitely many) events, part (i) of Theorem 7 contradicts

figure bw

.[Footnote 10]

However, we also know that the empty set is not a path (from Axioms I1 and I5); thus, all paths must be infinite. The formalised result is slightly more simply stated than Schutz’ “Each path contains an infinite set of distinct events”, since any path that contains an infinite subset must be infinite (and conversely, since paths contain only events, an infinite path must have infinite subsets of events).

figure bx

4.5 Order on a Path

This section gives the chapter its name and will allow us to work much more freely with the betweenness relation, bringing it closer to the intuition we have from Euclidean geometry. Theorem 8 is a preliminary result, but provides an intuitive piece of information about kinematic triangles. Theorems 9 and 10 establish finite subsets of paths as totally ordered sets.[Footnote 11] The proof of Theorem 9 hinges on three lemmas that are, to any practical purpose, as important as any result of this chapter and allow us to work with orderings of overlapping sets of events.

Theorem 8 presupposes the easy result (not explicitly mentioned by Schutz) that \(\triangle abc\) implies no betweenness ordering of a, b, c exists and extends it to events on the paths defining the triangle (rather than its vertices). Using some geometric intuition, Theorem 8 might be likened to the statement that no path can cross all three sides of a kinematic triangle internally.[Footnote 12]

Theorem 8

Given a kinematic triangle \(\triangle abc\) with events \(a', b', c'\) such that \([a\;b'\;c]\), \([b\;c'\;a]\) and \([c\;a'\;b]\), then there is no path which contains \(a'\), \(b'\) and \(c'\).

The proof of Theorem 8 is by contradiction. We assume that there is some ordering of \(a',b',c'\) (i.e. a path containing them exists) and derive a contradiction. Schutz does this for the ordering \([a'\;b'\;c']\) and dismisses the remaining cases by “cyclic interchange of the symbols a, b, c (and \(a'\), \(b'\), \(c'\)) throughout the proof” [44,  p. 23]. This is an instance of reasoning “without loss of generality” (WLOG), which we will discuss in more depth later. In this case, we prove the theorem for \([a'\;b'\;c']\) as a lemma, and let Isabelle provide the remaining cases using this lemma. We do note that “cyclic interchange” is not sufficient: Axiom O2 is required as well. Later WLOG reasoning (such as for Theorem 13) requires significant supporting machinery. The mechanised Theorem 8 is given below.

figure by

Theorem 9 is the base case for the inductive Theorem 10. One might compare these two results to parts (i) and (ii) of Theorem 7, but the induction is more complicated in the case of Theorem 10 and hides a few more surprises when attempting a formalisation.

Theorem 9

Any four distinct events on a path form a chain, so they may be represented by the symbols a, b, c, d in such a way that .

This result extends the Axiom O5, with a chain being the appropriate generalisation of betweenness via Theorem 2. Thus, the main point of Theorem 9 is to do with overlapping betweenness relations between subsets of three out of four events. The proof is split into three lemmas that, together, allow us to propagate betweenness relations along a chain. The first one is the hardest to prove: the other two (and several similar results not printed in Schutz’ monograph) follow from it easily.

Lemma 1

If \([a\;b\;c]\) and \([a\;b\;d]\) and \(c \ne d\) then either \([b\;c\;d]\) or \([b\;d\;c]\).

In Isabelle, Lemma 1 reads:

figure bz

To prove

figure ca

, we note that b, c, d all lie on the same path (by path uniqueness (Axiom I3) and

figure cb

(Axiom O1)), so some ordering of them must exist. Multiple triangles are constructed using Theorem 5 and their interaction shows the ordering \([d\;b\;c]\) would contradict Theorem 8. The two main cases are shown in Fig. 6. We had to clarify Schutz’ proof, where multiple possible triangle constructions are considered at the same time, into two lemmas obtaining events with only those properties we are interested in, considering all possible triangles only inside the proof of these existential results. The rest of the mechanised proof follows Schutz’s prose and does not warrant any further remark.

Fig. 6. Visualisation of an intermediate state (some events and orderings have been obtained) in the proof of Lemma 1 [44,  pp. 23–24]. Since the proof is by contradiction, and plane geometry obeys the axioms of order and incidence, it is impossible to draw a correct figure. Thus, each of these diagrams must ignore one of the assumptions in order to be drawable on paper, and visualises a different instance of the contradiction appearing. (a) Triangle \(\triangle ace\), ignoring the assumption \([a\;b\;d]\). (b) Triangle \(\triangle dec\), ignoring the assumption \([a\;b\;c]\)

Lemma 2

If \([a\;b\;c]\) and \([a\;b\;d]\) and \(c \ne d\) then either \([a\;c\;d]\) or \([a\;d\;c]\).

Lemma 3

If \([a\;b\;c]\) and \([a\;c\;d]\) then \([b\;c\;d]\).

The two remaining lemmas follow quickly from Theorem 1, Axiom O4 and Lemma 1. In addition, we prove several further, similar results that follow readily too, such as

$$\begin{aligned}{}[a\;b\;d] \wedge [b\;c\;d] \implies [a\;b\;c]\;, \text { and}\\ [a\;b\;e] \wedge [a\;d\;e] \wedge [b\;c\;d] \implies [a\;c\;e]. \end{aligned}$$

Theorem 9 is now rather easy to prove, since the main requirement for a chain is order, and this follows from the lemmas above. We are able to follow Schutz’ prose closely. However, we state the result in a different way: the prosaic “...may be represented by the symbols a, b, c, d in such a way that ...” from Theorem 9 above is more easily expressed in Isabelle as a property of the set of all four events.

figure cc

Theorem 10

Any finite set of distinct events of a path forms a chain. That is, any set of n distinct events can be represented by the notation \(a_1,a_2,\dots ,a_n\) such that \([a_1 \; a_2 \dots a_n]\).

There is, of course, nothing special about a set of four elements on a path: one would expect the result of Theorem 9 to extend to larger sets too. Theorem 10 proves that this is so. Mechanising it was a major undertaking.

Like for Theorem 9, we ignore the second sentence of Schutz’ formulation, which essentially restates the first, but is harder to express in Isabelle. Schutz’ somewhat implicit assumption that \(n\ge 2\) (a one-element set cannot be a chain) becomes a condition on |X| in Isabelle.

figure cd

The proof is by induction, as in Schutz [44], and largely follows the prose. We examine here the way in which we use a symmetry result about chains. Schutz uses a four-element chain as his base case, so we have to provide two (simple) extra cases: two- and three-element sets, which are discharged by definition and by Axiom O5, respectively. The case of \(|X|=4\) follows directly from Theorem 9.

The remaining proof is structured into the same three cases Schutz considers: we induct on the number of elements in X and must consider a new element b being added at the left edge, the right edge, or in the middle of the existing chain \([f \rightsquigarrow X | a_1 \ldots a_n]\). We obtain the three possible betweenness relations that \(a_1, a_n, b\) can be in and consider each in turn:

figure ce

The main proof steps needed for the first case, with \([b\;a_1\;a_n]\), are in figure cf. Schutz’ prose for this case is given below [44, p. 25]; his final sentence implies an ordering function g we can use to define a chain on the set \(X \cup \{b\}\).


(Case (i)) By the inductive hypothesis and Theorem 2 we have \([a_1\;a_2\;a_n]\), so the previous theorem (Theorem 9) implies that \([b \; a_1 \; a_2 \; a_n]\) which implies that \([b\;a_1\;a_2]\). Thus, b is an element of a chain \([a^{*}_{1} \; a^{*}_{2} \; \dots \; a^{*}_{n+1}]\) where \(a^{*}_{1} = b\) and (for \(j\in \left\{ 2,\dots ,n+1\right\} \)) \(a^{*}_{j} := a_{j-1}\). \(\square \)

The final sentence of the above proof implies the indexing function we want and is formalised as follows:

figure cg

We now go back to Theorem 10’s induction. Two cases remain: b being the middle element (ii) and b being on the right (iii). Case (iii) is symmetric with case (i), and Schutz leaves the proof to the reader. Instead of copy-pasting the entire proof for figure ch, we, therefore, choose to use a general result, figure ci, to give a more interesting, shorter proof using symmetry.

figure cj

This relationship between a finite chain and its reversal is not explicitly mentioned in Schutz, an omission which leads to some complication also in our proof of Theorem 12 (Sect. 4.7). The lemma figure ck allows for a proof of Case (iii) that makes use of Case (i).

figure cl

By applying figure cm to f and g, we obtain reversed functions \(f_2\) and \(g_2\): if f indexes a chain “left-to-right”, \(f_2\) counts “right-to-left”. We can show \(g_2\) orders X into a chain using figure cn, and then reverse it again using figure co to get \(g_1\), which, thus, orders X. Finally, we show \(g_1=g\):

$$\begin{aligned} g_1(n) = g_2(|X|-1-n)&= {\left\{ \begin{array}{ll} f_2(|X|-2-n) \;\; &{}\text { if} \; |X|-1-n\ge 1\\ b \; &{}\text { otherwise} \end{array}\right. }\\ {}&= {\left\{ \begin{array}{ll} f(|Y|+1-|X|+n) \;\; &{}\text { if} \; |X|-2\ge n\\ b \; &{}\text { otherwise} \end{array}\right. } \\ {}&= g(n) \end{aligned}$$

This concludes the cases of appending events at the end of a chain. Schutz’ prose proof for the case of adding an event inside a chain is longer, and the Isabelle proof is even longer. This is due to having to verify existence of special indices and events necessary for the proof, as well as splitting it into more separate parts than Schutz does. The overall reasoning, however, remains much the same: we identify a suitable indexing function and show a chain can be defined on the set \(X \cup \{b\}\). This final case proves Theorem 10: any finite set of at least two events on a path forms a chain (i.e. can be totally ordered).

Theorem 11

Any finite set of N distinct events of a path separates it into \(N-1\) segments and two prolongations of segments.


As in the proof of the previous Theorem 10, any event distinct from the \(a_i\) (\(i=1,\dots ,N\)) belongs to a segment (Case (ii)) or a prolongation (Cases (i) and (iii)). Theorem 1 implies that the \(N-1\) segments and two prolongations are disjoint. \(\square \)

The final result of Schutz’ section 3.6 (Order on a path), Theorem 11 allows us to use any finite subset of a path in order to split it into disjoint regions. Schutz provides a three-line argument by analogy with the proof of Theorem 10, arguing this result is a direct consequence of Theorems 10 and 1, employing the same case split as in the proof of the preceding Theorem 10. However, we found that Schutz’ statement is unprovable at the point where he states it. A weaker version can be proven immediately, but Schutz’ full theorem only holds once Theorem 17 can be established. We discuss this issue after defining segments and intervals.

Schutz defines the segment between distinct events a, b of a path ab as the set \((ab) = \left\{ x : [a\;x\;b],\; x \in ab \right\} \). Similarly, he defines the interval |ab| as \((ab) \cup \left\{ a,b \right\} \) and the prolongation of (ab) beyond b as \(\left\{ x : [a\;b\;x],\; x \in ab \right\} \). In Isabelle, we denote these sets as figure cp, figure cq, figure cr, respectively.

Theorem 11 and its proof sound natural enough to the geometric intuition, taking a path to be somehow line-like. However, the part of the statement regarding the number of segments is impossible to prove at this point. Given two events a and b on a path P, Theorem 7 (on prolongation, Sect. 4.4) guarantees the existence of \(c \in P\) such that \([a\;b\;c]\) (or alternatively, such that \([c\;a\;b]\)), but we can guarantee the existence of an element c such that \([a\;c\;b]\) only after Theorem 17 (in Schutz’ Chapter 4, not considered here). Since no such element can be guaranteed to exist, segments can be empty. Then since they are defined as sets, all empty segments are equal (to the empty set), and this degeneracy can reduce the number of segments that exist in the segmentation. The problem is that formally, Theorem 17 relies on Theorem 12, which in turn requires Theorem 11, so we cannot just postpone proving this result.

One could fix this problem by taking intervals instead of segments. By definition, no interval is empty, so all intervals with different endpoints are distinct sets. However, the intervals would in this case overlap at their endpoints, losing disjointness. We surmise that one could also prove that there are at most \(N-1\) segments. We prove two versions of Theorem 11. In one we omit the conclusion about the number of segments (Sect. 4.5.1); in the other we include it, but have to assume path density (Sect. 4.5.2).

Ultimately, the problem is not fatal: we do not need to know how many segments there are for the proof of Theorem 12, only that a segmentation exists given a chain of events. The disjointness of the segmentation is also added as a conclusion, while Schutz only mentions it in his proof.

4.5.1 Without Additional Assumptions

One could formalise Schutz’ Theorem 11 faithfully, as a purely existential statement:

figure cs

However, in order to show the set of segments S and the two prolongations \(P_1\) and \(P_2\) have the desired properties, we have to construct them explicitly. This leads to the more practical theorem figure ct. In fact, this is the statement we prove and figure cu can then be derived from it quite easily by using Theorem 10 to obtain an indexing function f for the set of events Q (and this makes the assumption

figure cv


figure cw

The assumption figure cx turns out to be required in order to follow Schutz’ proof of Theorem 12, as well as allowing us to give an explicit definition of S. Strictly adhering to Schutz’ formulation for Theorem 11 (like in figure cy) would lead to additional complexity when proving Theorem 12 (see Sect. 4.7).

The main lemma is that the set S of segments covers the “inside” of a long chain:

figure cz

Similar lemmas exist for the remaining conclusions of Theorem 11. The main result is the segmentation of the interval: the prolongations just act as a two-sided catch-all for any other element. Furthermore, disjointness of the segments (in the set S) follows from the ordering of finite chains, and obtaining a chain from a finite subset of a path is easy using Theorem 10.

4.5.2 Assuming Path Density

Since Schutz omitted so many of the conclusions of our own show_segmentation from his Theorem 11, but did insist on the number of segments, we created an additional locale, called MinkowskiDense, to contain an assumed version of Schutz’ Theorem 17 (the locale is listed in Sect. 2.5.2). Once Theorem 17 is proven, one can show that MinkowskiSpacetime is an interpretation of MinkowskiDense and inherit its theorems. We prove that the cardinality of the set S of segments in the theorem show_segmentation is indeed \(N-1\) if path density is assumed.

The number-of-segments statement is most interesting if \(N\ge 3\). The remaining conditions are those of the helper lemmas for Theorem 11. Schutz’ “\(N-1\) segments” turns into a proposition on the cardinality of the set of segments S.

figure da

We prove this lemma by showing that the map \(i \mapsto (Q_i Q_{i+1})\) is a bijection between the sets \(\{0\;\dots \;|Q|-2\}\) and S.
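The degeneracy described in Sect. 4.5 and the count obtained in Sect. 4.5.2 can be checked on a small finite model. The following Python sketch is an added example, not part of the Isabelle formalisation: the ten-event path, the order-based betweenness and all function names are assumptions made for illustration, and the toy path models only order on a single non-dense path, not the full axiom system.

```python
from itertools import combinations

# Constructed toy path: ten events ordered like the integers 0..9.
# Assumption: [a x b] is modelled by strict integer order. This captures only
# order on a single, non-dense path; it is not a model of the full axiom system.
PATH = frozenset(range(10))


def between(a, x, b):
    """[a x b]: x lies strictly between a and b (in either direction)."""
    return a < x < b or b < x < a


def segment(a, b):
    """(ab) = {x on the path : [a x b]}."""
    return frozenset(x for x in PATH if between(a, x, b))


def prolongation(a, b):
    """Prolongation of (ab) beyond b = {x on the path : [a b x]}."""
    return frozenset(x for x in PATH if between(a, b, x))


def is_chain(q):
    """True if q lists distinct events and every index triple i<j<k is ordered."""
    return (len(q) >= 2 and len(set(q)) == len(q)
            and all(between(a, x, b) for a, x, b in combinations(q, 3)))


def segmentation(q):
    """Return (segs, P1, P2): adjacent segments in index order, both prolongations."""
    if not is_chain(q):
        raise ValueError("events must be indexed as a chain")
    segs = [segment(q[i], q[i + 1]) for i in range(len(q) - 1)]
    return segs, prolongation(q[1], q[0]), prolongation(q[-2], q[-1])


def report(q):
    """Check the conclusions of the segmentation theorem for the chain q."""
    segs, p1, p2 = segmentation(q)
    S = set(segs)                      # segments as a *set*: equal ones collapse
    regions = list(S) + [p1, p2]
    return {
        "distinct_segments": len(S),
        "N_minus_1": len(q) - 1,
        "empty_gaps": sum(1 for s in segs if not s),
        "covers_path": set(q).union(*regions) == PATH,
        "disjoint": all(not (r & t) for r, t in combinations(regions, 2))
                    and not any(r & set(q) for r in regions),
    }


def check_all_chains():
    """Exhaustively test every chain (increasing list of >= 2 events) on PATH."""
    for n in range(2, len(PATH) + 1):
        for q in combinations(sorted(PATH), n):
            r = report(list(q))
            assert r["covers_path"] and r["disjoint"]
            assert r["distinct_segments"] <= r["N_minus_1"]
            if r["empty_gaps"] == 0:   # what path density would guarantee
                assert r["distinct_segments"] == r["N_minus_1"]
    return True


if __name__ == "__main__":
    print(report([0, 1, 2, 5, 9]))   # two empty gaps collapse into one set
    print(report([2, 4, 7]))         # every gap inhabited
    print(check_all_chains())
```

In this toy model, covering and disjointness hold for every chain, while the number of distinct segments falls below \(N-1\) as soon as two adjacent pairs have nothing between them; when every gap is inhabited, the map \(i \mapsto (Q_i Q_{i+1})\) is injective and the count is exactly \(N-1\).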

4.6 Continuity and the Monotonic Sequence Property

As mentioned in the introduction to Sect. 4, the Theorem of Continuity is not included in this formalisation. See Sect. 5 for a brief discussion.

4.7 Connectedness of the Unreachable Set

Since it was impossible to prove the full version of Schutz’ Theorem 11, one may wonder if Schutz’ results relying on this theorem remain valid. As laid out in Sect. 4.5, the part of Theorem 11 formalised in figure db relies indirectly on Theorem 12. Thus, mechanising Theorem 12 while using only the weaker, verified version of Theorem 11, serves to dispel any doubts. We give the prose statement and proof below and follow them with the formalised theorem. Schutz here introduces a new notation for “non-strict ordering” [44, p. 27]:

$$\begin{aligned} {[}a \; b \; c ]\!] \equiv [a\;b\;c] \text { or } b = c\;. \end{aligned}$$

Theorem 12

(Connectedness of the unreachable set) Given any path Q, any event \(b\notin Q\) and distinct events \(Q_x, Q_z \in Q(b,\emptyset )\), then

$$\begin{aligned}{}[Q_x\;Q_y\;Q_z] \Longrightarrow Q_y \in Q(b, \emptyset )\;. \end{aligned}$$


By axiom I6 there is a finite chain \([Q_0 \; Q_1 \; \dots \; Q_{n-1} \; Q_n]\) (where \(Q_0 = Q_x\) and \(Q_n = Q_z\)) so Theorem 11 implies that for some \(i \in \left\{ 1, \dots , n \right\} \), \([Q_{i-1} \; Q_y \; Q_i ]\!]\) whence axiom I6 implies that \(Q_y \in Q(b, \emptyset )\).

Theorem 12 is mechanised as

figure dc


figure dd

We follow Schutz’ proof at the start, obtaining a chain on Q from Axiom I6. We call this chain X, with indexing function f, while Schutz distinguishes the chain \(\{Q_i\}_{i=0\dots n}\) from the path Q only by the subscripts.

Next, we use Theorem 11, or more specifically only the result relating to the segmentation of an interval on a path, i.e. figure de (see Sect. 4.5). To keep the proof as simple as possible, it is vital that the set of events X is already indexed as a chain. To see why, assume we have no indexing function, but only a set of events. Then figure df (see Sect. 4.5) does provide a set of segments, but we have no handle on their endpoints: in particular, there is no proof that the segments are made up of events that are adjacent according to the ordering f. An early version of the proof of Theorem 12 did go this route, using the interesting uniqueness result figure dg to relate a chain obtained from the segment endpoints to the chain X (obtained from Axiom I6). With the more explicit formulation of Theorem 11, figure dh, this extra complexity disappears, because we can directly use the chain X to segment the interval between \(Q_x\) and \(Q_z\).

figure di

If \(Q_y\) is an event of the chain X, I6 immediately implies \(Q_y \in Q(b,\emptyset )\). If not, i.e. \(Q_y \notin X\), we obtain the relevant segment from Theorem 11 much like Schutz does in prose: we find the index i such that \([f(i-1)\;Q_y\;f(i)]\) and prove our goal \(Q_y \in Q(b,\emptyset )\) using Axiom I6.

The completion of this proof demonstrates several benefits of mechanisation of formal mathematics. First, resolution of a minor lapse in the prose led to a proof of a result not found in the original text, figure dj. This is interesting in its own right, as it generalises Theorem 1 to chains much like figure dk generalises Axiom O2. Secondly, we were able to reconcile a follow-on result with a necessarily weaker version of the required Theorem 11 (

figure dl


Theorem 13

(Second existence theorem)

(i) Given a path Q and a pair of events \(a,b \notin Q\), each of which can be joined to Q by some path, there are events \(y,z \in Q\) such that

$$\begin{aligned}{}[y\;Q(a,\emptyset )\;z] \text { and } [y\;Q(b,\emptyset )\;z]\;. \end{aligned}$$

(ii) Given a path Q and a pair of events \(a,b \notin Q\) each of which can be joined to Q by some path and a pair of events \(c,d \in Q\), there is an event \(e \in Q\) and paths ae, be such that \([c\;d\;e]\).

(iii) Given two paths Q and R which meet at x, an event \(a \in R \setminus \lbrace x \rbrace \) and an event \(b \notin Q\) which can be joined to Q by some path, there is an event e and paths ae, be such that \([x\;Q(a,\emptyset )\;e]\).

The betweenness relation is here extended to sets of events: for a set S,

$$\begin{aligned}{}[a\;S\;b] \iff \forall x \in S: [a\;x\;b]\;. \end{aligned}$$

The First Existence Theorem (Theorem 6) provides the basic geometric setup for the proofs of Theorem 7 and the important Lemma 1 (leading to Theorems 9 and 10). Using several results of Chapter 3, which it concludes, Theorem 13 provides similar constructions for use in the geometric proofs of subsequent chapters. A visualisation of parts (i) and (iii) is provided in Fig. 7 (part (ii) is similar to (i)).

Fig. 7 Visualisation of Theorem 13. (a) Theorem 13(i). Both events a and b must be reachable from the path Q in order to obtain bounding events y, z. (b) Theorem 13(iii). By construction, \(x\notin Q(a,\emptyset )\) and given an event b reachable from Q, we find e (and paths ae, be) which bounds the unreachable set \(Q(a,\emptyset )\) together with x

Schutz’ proofs for each of the three statements are short [44,  p. 30]. We were able to follow his prose closely for parts (ii) and (iii) of the theorems and omit details of their mechanisation here. The first part of the theorem required a lemma to represent reasoning “without loss of generality” (WLOG), which we examine after stating Theorem 13(i) in Isabelle.

figure dm


(Theorem 13(i)) Theorem 5 implies that both sets \(Q(a,\emptyset )\) and \(Q(b,\emptyset )\) are bounded in both directions by events which do not belong to the unreachable sets themselves, so the union \(Q(a,\emptyset ) \cup Q(b,\emptyset )\) is bounded by distinct events y, z which do not belong to the union of the unreachable sets. \(\square \)

In the proof above, Schutz implicitly extends his notion of boundedness to sets. We assume that he means a similar property as he did for chains, i.e. using strict betweenness. We take a set of events S to be bounded by a, b if \([a\;S\;b]\), or equivalently \(\forall x \in S: [a\;x\;b]\), and we will keep this explicit in our formalisation.

We note immediately that Theorem 5 provides separate bounds y(x), z(x) for each event \(x \in Q(b,\emptyset )\). Showing there are fixed events y, z that bound the entire set \(Q(b,\emptyset )\) requires Theorem 12, a minor lapse in the prose proof.

It remains to prove that a union of bounded sets is bounded. Thinking about this proof as a mathematician, it is clear what happens: there are two bounds for each set, one on each side, and no matter what the relationship of the sets to one another is, there are always two bounds that qualify as bounds of the union. However, this reasoning breaks down into many case splits in Isabelle, because once we obtain bounds explicitly, we need to consider any possible ordering of all four of them, as well as the possibility of any subset of them being equal. Notice this is not just a problem of the naming of events—the problem arises because we recognise that event orderings only matter:

  1. insofar that they influence the relationship between the bounded sets: disjointness, overlap, or inclusion (see Fig. 8);

  2. up to the symmetries of the betweenness relation.

Our lemma figure dn allows us to prove a statement about a generic predicate P over sets of events I, J related to events a, b and c, d respectively, by considering only certain essentially distinct orderings of these four events. This can be compared to standard results, e.g. figure do, figure dp in the figure dq theory of Isabelle/HOL; interactive reasoning “without loss of generality” was also examined by Harrison [19].

Figure 8 visualises the lemma for the case where I, J are intervals between events a, b and c, d, respectively. We refer the reader to [39, pp. 124–126] for more details. Note that the relation \(I = |ab|\) is only one example of relating a set to two events—the same WLOG lemma can also be used e.g. for the relation \([a\;I\;b]\), as is done in proving Theorem 12.

Fig. 8 The three essentially distinct cases for intervals \(I = |a,b|\) (blue) and \(J = |c,d|\) (red) required by the WLOG lemma for distinct (end)points. This lemma identifies, for example, the orderings \([a \; b \; c \; d]\), \([b \; a \; c \; d]\) and \([c \; d \; a \; b]\) as equivalent (to the left-most case) when interested in specific proofs

After the hard work of part (i), the remainder of Theorem 13 is easier to prove, as we do not need WLOG results and can rely on the first part of the theorem to provide the general setup. In fact, we follow Schutz’ proofs of parts (ii) and (iii) with little trouble.

5 Conclusion and Future Work

Our formalisation of temporal order on paths in Schutz’ axiomatic Minkowski space is over nine thousand lines long. Schutz’ admirably detailed account (for prose) covers 22 pages. Estimating thirty lines on each page, this leaves us with a de Bruijn factor [7, 60] of roughly 12. This is not exceptional: while many formalisations only report de Bruijn factors as low as 3 to 6, values above 20 can be found [9]. We also note that our formalisation has undergone several rewritings and includes results that seem to be present in Schutz’ thinking, but not his monograph, so this estimated factor may be further reducible.

One should note that the axiomatisation by itself (with some simple lemmas) would have a factor of only around 5. The thirteen formalised theorems and their proofs, together with most added intermediate lemmas, have a de Bruijn factor of roughly 17. This, we estimate, is largely due to the later proofs of the chapter relying more strongly on Schutz’ geometric intuition, the validation of which in the context of his axioms is the main goal of Chapter 3. Thus, our formal constructions had to become more and more elaborate (the prime example is our collection of WLOG lemmas) and supported by lengthy existence proofs omitted in the original prose. This trend indicates that formalisation of the remainder of Schutz’ monograph is possible, but likely to be a significant undertaking, which holds interesting challenges for automated reasoning and may provide a proving ground for automation tools.

Several required lemmas were not stated in the original text, most notably, in the proof of Theorem 10. Our formalisation effort has also led to minor corrections to Axiom O4 and clarification in several definitions, such as boundedness for sets. We identified a minor, but necessary, correction to Theorem 11, while Theorem 13 required WLOG style lemmas to avoid a large number of case splits. Refinement of these WLOG lemmas is one avenue to pursue in future work, as it could prove useful in a large number of formalisations beyond ours and captures a kind of mathematical reasoning device employed frequently, and to great effect, in prose. A similar investigation could try to link results of symmetry, such as a chain being reversible (figure dr), and the “essentially distinct” cases relevant to a proof involving symmetric predicates. Ideally, such cases might be generated automatically and employed to split the proof, based on the symmetry considered.

Our formalisation covers the second and third chapters of Schutz’ monograph, with the exception of the Continuity Theorem. This is the only result of Chapter 3 that intensely relies on working with infinite chains, and thus, falls outside the scope of this paper. Avoiding continuity in a first effort to formalise a geometry has precedent, for example in the work of Meikle and Fleuriot, which largely focuses on the first three groups of axioms of Hilbert’s Grundlagen (continuity appears in the fifth), or the investigation of the first four groups in Coq by Braun and Narboux [5, 28]. We do note here that we have made some progress towards mechanising the Continuity Theorem. In particular, we have formalised its first part, which partitions any path into two rays. The second part attempts to show continuity formulated in a manner analogous to the construction of \({\mathord {\mathbb R}}\) as Dedekind cuts of \({\mathord {\mathbb Q}}\). This is not yet formalised, though we have made promising progress in investigating the Axiom of Continuity.

While Schutz insists upon the independence of his axiomatic system, even mentioning it in the title of his monograph, future work on this formalisation may emphasise this property less, in favour of easier, more modular organisation, as well as more succinct definitions and axioms. If the great reward of the quest for independence was, as Schutz claims, a set of intuitive and clear axioms, then it seems justified to step away from strict independence towards a clearer organisation in Isabelle’s locales. Another potential aspect of further work lies in trying to apply automation tools from similar formalisations, such as automated tactics to translate from problems of ordering on events to natural numbers and proof discovery tools [47, 48].

Once a candidate system of axioms is constructed, its formalisation in a proof assistant such as Isabelle is a natural continuation, both for the certainty of correctness it offers and for the analysis (and maybe even automation) of the employed reasoning. Although we have not formalised a model of the theory, enough theorems were verified here that we are confident in the formulation of our axioms of order and incidence. A geometrically inspired system such as the one of Schutz can be a valuable link between geometric intuition and physical theorems. The standard approach to SR in \({\mathord {\mathbb R}}^4\) reduces most problems to calculations in linear algebra and is, thus, very practical for applications. But translating a physical problem into a matrix calculation is often tricky and prone to error: a geometric approach such as Schutz’ may simplify the phrasing of problems in terms of theoretical entities.

In our case, intuitive axioms similar to those of Hilbert’s Grundlagen der Geometrie meet an order-theoretic approach that may be compared to ideas for the foundations of physics drawing on measure and information theory [15, 23]. The flexibility of changing axioms independently of each other makes a system such as Schutz’ a promising starting point for investigating the links between SR and GR, and maybe even quantum theories [1, 22].

Thus, this formalisation contributes not only a study of the foundations of Special Relativity, but may provide a link between approaches from synthetic geometry and foundational physics. We hope that future work will not only extend our mechanisation to include and clarify more of Schutz’ results, but will also investigate more general aspects of automated reasoning in axiomatic physics.