An Axiomatic Approach to Existence and Liveness for Differential Equations

This article presents an axiomatic approach for deductive verification of existence and liveness for ordinary differential equations (ODEs) with differential dynamic logic (dL). The approach yields proofs that the solution of a given ODE exists long enough to reach a given target region without leaving a given evolution domain. Numerous subtleties complicate the generalization of discrete liveness verification techniques, such as loop variants, to the continuous setting. For example, ODE solutions may blow up in finite time or their progress towards the goal may converge to zero. These subtleties are handled in dL by successively refining ODE liveness properties using ODE invariance properties which have a complete axiomatization. This approach is widely applicable: several liveness arguments from the literature are surveyed and derived as special instances of axiomatic refinement in dL. These derivations also correct several soundness errors in the surveyed literature, which further highlights the subtlety of ODE liveness reasoning and the utility of an axiomatic approach. An important special case of this approach deduces (global) existence properties of ODEs, which are a fundamental part of every ODE liveness argument. Thus, all generalizations of existence properties and their proofs immediately lead to corresponding generalizations of ODE liveness arguments. Overall, the resulting library of common refinement steps enables both the sound development and justification of new ODE existence and of liveness proof rules from dL axioms. These insights are put into practice through an implementation of ODE liveness proofs in the KeYmaera X theorem prover for hybrid systems.


Introduction
Hybrid systems are mathematical models describing discrete and continuous dynamics, and interactions thereof. This flexibility makes them natural models of cyber-physical systems (CPSs) which feature interactions between discrete computational control and continuous real world physics [2,30]. Formal verification of hybrid systems is of significant practical interest because the CPSs they model frequently operate in safety-critical settings. Verifying properties of the differential equations describing the continuous dynamics present in hybrid system models is a key aspect of any such endeavor.
This article focuses on deductive verification of liveness properties for ordinary differential equations (ODEs), i.e., the question whether an ODE solution exists for long enough to reach a given region without leaving its domain of evolution. Such questions can be phrased naturally in differential dynamic logic (dL) [27,28,30], a logic for deductive verification of hybrid systems whose relatively complete axiomatization [26,28] lifts ODE verification results to hybrid systems, and whose theorem prover KeYmaera X [11] enables an implementation.
For discrete systems, methods for proving liveness are well-known: loop variants show that discrete loops eventually reach a desired goal [17], while temporal logic is used to specify and study liveness properties in concurrent and infinitary settings [22,23]. Deduction of (continuous) ODE liveness properties, however, is hampered by several difficulties: i) solutions of ODEs may converge towards a goal without ever reaching it, ii) solutions of nonlinear ODEs may blow up in finite time leaving insufficient time for the desired goal to be reached, and iii) the goal may be reachable but only by (illegally) leaving the evolution domain constraint. In contrast, invariance properties for ODEs are better understood [12,21] and have a complete dL axiomatization [31]. Motivated by the aforementioned difficulties, this article presents dL axioms enabling systematic, step-by-step refinement of ODE liveness properties with a sequence of ODE invariance properties. This refinement approach is a powerful framework for understanding ODE liveness arguments as it brings the full deductive power of dL's ODE invariance proof rules to bear on liveness proofs. It is used in this article to survey several arguments from the literature and derive them all as (corrected) dL proof rules, see Table 1. This logical presentation has two key benefits:
• The proof rules are syntactically derived from sound axioms of dL, which guarantees their correctness. Many of the surveyed arguments contain subtle soundness errors, see Table 1. These errors do not diminish the surveyed work. Rather, they emphasize the need for an axiomatic, uniform way of presenting and analyzing ODE liveness arguments instead of relying on ad hoc approaches.
• The approach identifies common refinement steps that form a basis for the surveyed liveness arguments. This library of building blocks enables sound development and justification of new ODE liveness proof rules, e.g., by generalizing individual refinement steps or by exploring different combinations of those steps. Corollaries 14,16,and 22 are examples of new ODE liveness proof rules that can be derived and justified from the uniform approach that this article follows.
This article extends the author's earlier conference version [42]. The key new insight is that all of the aforementioned liveness arguments (Table 1) are based on reducing liveness properties of ODEs to assumptions about sufficient existence duration for their solutions. In fact, many of those arguments become significantly simpler (and sound) when the ODEs of concern are assumed to have global solutions, i.e., they do not blow up in finite time. It is reasonable and commonplace to make such an assumption for the continuous dynamics in models of CPSs [2, Section 6]. After all, most real world systems do not simply cease to exist after a short time! Logically though, a priori assuming global existence for ODEs means that the correctness of any subsequent verification results for the ODEs and hybrid system models are conditional on an unproved existence duration hypothesis. While global existence is well-known to be true for linear systems, even the simplest nonlinear ODEs (see Section 4) fail to meet the hypothesis without further assumptions. This article therefore adopts the view that (global) existence should be proved rather than assumed for the continuous dynamics in hybrid system models. The new contributions of this article are:
• Section 4 presents deductive dL proofs of global existence for ODE solutions. Together with the liveness proofs of Sections 5 and 6, this enables unconditional proofs of ODE liveness properties entirely within the uniform dL refinement framework without existence presuppositions.
• Section 7 discusses an implementation of ODE existence and liveness proof rules in the KeYmaera X theorem prover for hybrid systems [11]. The section focuses on key practical insights, namely: i) the design of new proof rules that are practically useful and well-suited for implementation (Section 7.1), ii) the design of proof automation to aid users in existence and liveness proofs (Section 7.2).
The unconditional liveness proofs enabled by Section 4 fit particularly well to an implementation in KeYmaera X (Section 7) because the axiomatic refinement approach closely mirrors KeYmaera X's design principles. KeYmaera X implements dL's uniform substitution calculus [28] and it is designed to minimize the soundness-critical code that has to be trusted in order to trust its verification results. On top of the soundness-critical core, KeYmaera X's tactics framework [10] adds support and automation for proofs, but tactics are not soundness-critical. Liveness proofs are similarly based on a series of small refinement steps which are, in turn, implemented as (untrusted) tactics based only on a small number of derived refinement axioms. More complicated liveness arguments, such as those from Table 1 or from new user insights, are implemented by piecing those tactics together using tactic combinators [10]. The implementation only required minor changes to ≈155 lines of soundness-critical code in KeYmaera X, while the remaining ≈1500 lines consist of new ODE existence and liveness proof rules implemented as tactics. These additions suffice to prove all of the examples in this article and in ODE models elsewhere [39,4].
Throughout this article, core dL axioms underlying the refinement approach are presented in lemmas, which are summarized and proved in Appendix A. Existence and liveness proof rules that derive syntactically from those axioms (e.g., Table 1) are listed in corollaries. The derivations of these proof rules are given in Appendix B. Counterexamples explaining the soundness errors in Table 1 are given in Appendix C.

Background: Differential Dynamic Logic
This section reviews the syntax and semantics of dL, focusing on its continuous fragment, which has a complete axiomatization for ODE invariants [31]. Full presentations of dL, including its discrete fragment, are available elsewhere [27,28,30].

Syntax
The grammar of dL terms is as follows, where x ∈ V is a variable and c ∈ Q is a rational constant. These terms are polynomials over the set of variables V:

p, q ::= x | c | p + q | p · q

The grammar of dL formulas is as follows, where ∼ ∈ {=, ≠, ≥, >, ≤, <} is a comparison operator and α is a hybrid program:

φ, ψ ::= First-order formulas of real arithmetic P, Q

The notation p ≽ q (resp. p ≼ q) is used when the comparison operator can be either ≥ or > (resp. ≤ or <). Other standard logical connectives, e.g., →, ↔, are definable as in classical logic. Formulas not containing the modalities [·], ⟨·⟩ are formulas of first-order real arithmetic and are written as P, Q. The box ([α]φ) and diamond (⟨α⟩φ) modality formulas express dynamic properties of the hybrid program α. This article focuses on continuous programs, where α is given by a system of ODEs x' = f(x) & Q.
Here, x' = f(x) is an n-dimensional system of differential equations, x_1' = f_1(x), …, x_n' = f_n(x), over variables x = (x_1, …, x_n), where the LHS x_i' is the time derivative of x_i and the RHS f_i(x) is a polynomial over variables x. The domain constraint Q specifies the set of states in which the ODE is allowed to evolve continuously. When there is no domain constraint, i.e., Q is the formula true, the ODE is also written as x' = f(x). For n-dimensional vectors x, y, x · y ≝ Σ_{i=1}^n x_i y_i denotes the dot product and ‖x‖² ≝ Σ_{i=1}^n x_i² denotes the squared Euclidean norm. Other norms are explicitly defined in the article when used.
Two running example ODEs are visualized in Fig. 1 with directional arrows corresponding to their RHS evaluated at points on the plane. The first ODE, α_l ≡ u' = −v − u, v' = u − v, is linear because its RHS depends linearly on u, v. The second ODE, α_n, is nonlinear. The nonlinearity of α_n results in more complex behavior for its solutions, e.g., the difference in spiraling behavior inside or outside the red disk shown in Fig. 1. In fact, solutions of α_n blow up in finite time iff they start outside the disk characterized by u² + v² ≤ 1/4. The finite time blow up phenomenon is precisely defined and investigated in Section 4. Finite time blow up is impossible for linear ODEs like α_l [6,43].
When terms (or formulas) appear in contexts involving ODEs x' = f(x), it is sometimes necessary to restrict the set of free variables they are allowed to mention. These restrictions are always stated explicitly and are also indicated as arguments to terms (or formulas), e.g., p() means the term p does not mention any of x_1, …, x_n free, while P(x) means the formula P may mention all of them.

Semantics
States ω : V → R assign real values to each variable in V; the set of all states is written S. The semantics of polynomial term p in state ω ∈ S is the real value ω[[p]] of the corresponding polynomial function evaluated at ω. The semantics of dL formula φ is the set of states [[φ]] ⊆ S in which that formula is true and is defined compositionally [28,30]. The semantics of first-order logical connectives are defined as usual. For ODEs, the semantics of the modal operators is defined directly in terms of ODE solutions. Let ω ∈ S and ϕ : [0, T) → S (for some 0 < T ≤ ∞) be the unique solution maximally extended to the right [6,43] for the ODE x' = f(x) with initial value ϕ(0) = ω. Informally, the safety property [x' = f(x) & Q]φ is true in initial state ω if all states reached by following the ODE from ω while remaining in the domain constraint Q satisfy postcondition φ. Dually, the liveness property ⟨x' = f(x) & Q⟩φ is true in initial state ω if some state which satisfies the postcondition φ is eventually reached in finite time by following the ODE from ω while staying in domain constraint Q at all times. Figure 1 suggests that formulas ⟨α_l⟩ (1/4 ≤ ‖(u, v)‖_∞ ≤ 1/2) and ⟨α_n⟩ u² + v² ≥ 2 are true for initial states ω on the unit circle. These liveness properties are rigorously proved in Examples 2 and 3 respectively.
Variables y ∈ V \ {x} not occurring on the LHS of ODE x' = f(x) remain constant along solutions ϕ : [0, T) → S of the ODE, with ϕ(τ)(y) = ϕ(0)(y) for all τ ∈ [0, T). Since only the values of x = (x_1, …, x_n) change along the solution ϕ, it may also be viewed geometrically as a trajectory in R^n, dependent on the initial values of the constant parameters y. Similarly, the values of terms and formulas depend only on the values of their free variables [28]. Thus, terms (or formulas) whose free variables are all parameters for x' = f(x) also have provably constant (truth) values along solutions of the ODE. For formulas φ that only mention free variables x, [[φ]] can also be viewed geometrically as a subset of R^n. Such a formula is said to characterize a (topologically) open (resp. closed, bounded, compact) set with respect to variables x iff the set [[φ]] ⊆ R^n is topologically open (resp. closed, bounded, compact) with respect to the Euclidean topology. These topological conditions are used as side conditions for some of the axioms and proof rules in this article. In Appendix A.3, a more general definition of these side conditions is given for formulas φ that mention parameters y. These side conditions are decidable [3] when φ is a formula of first-order real arithmetic and there are simple syntactic criteria for checking if they hold (Appendix A.3).
Unfolding the semantics, this means that from any initial state ω satisfying I, all states reached by the solution of the ODE x' = f(x) from ω while staying in the domain constraint Q satisfy I. Similarly, if the liveness formula R → ⟨x' = f(x) & Q⟩ P is valid, then, for all initial states ω satisfying assumptions R, the target region P can be reached in finite time by following the ODE solution from ω while remaining in the domain constraint Q.

Here ‖·‖_∞ denotes the supremum norm, with ‖x‖_∞ ≡ max_{i=1}^n |x_i| for an n-dimensional vector x. The inequality ‖(u, v)‖_∞ ≤ 1/2 is expressible in first-order real arithmetic as

Proof Calculus
All derivations are presented in a classical sequent calculus with usual rules for manipulating logical connectives and sequents. The semantics of sequent Γ ⊢ φ is equivalent to the formula (⋀_{ψ∈Γ} ψ) → φ and a sequent is valid iff its corresponding formula is valid. Completed branches in a sequent proof are marked with ∗. First-order real arithmetic is decidable [3] so proof steps are labeled with R whenever they follow from real arithmetic. An axiom (schema) is sound iff all its instances are valid. Proof rules are sound iff validity of all premises (above the rule bar) entails validity of the conclusion (below the rule bar). Axioms and proof rules are derivable if they can be deduced from sound dL axioms and proof rules. Soundness of the base dL axiomatization ensures that derived axioms and proof rules are sound [28,30].
The dL proof calculus (briefly recalled below) is complete for ODE invariants [31], i.e., any true ODE invariant expressible in first-order real arithmetic can be proved in the calculus. The proof rule dI (below) uses the Lie derivative ṗ of polynomial p with respect to the ODE x' = f(x). Syntactically, Lie derivatives ṗ (and higher Lie derivatives p^(i)) are polynomials in the term language, and they are provably definable in dL using differentials [28]. Semantically, the value of the Lie derivative ṗ is equal to the time derivative of the value of p along solution ϕ of the ODE x' = f(x).
Lemma 1 (Axioms and proof rules of dL [28,30,31]). The following are sound axioms and proof rules of dL.
Axiom ⟨·⟩ expresses the duality between the box and diamond modalities. It is used to switch between the two in proofs and to dualize axioms between the box and diamond modalities. Axiom K is the modus ponens principle for the box modality. Differential invariants dI say that if the Lie derivatives obey the inequality ṗ ≥ q̇, then p ≽ q is an invariant of the ODE. Differential cuts dC say that if one can separately prove that formula C is always satisfied along the solution, then C may be assumed in the domain constraint when proving the same for formula P. In the box modality, solutions are restricted to stay in the domain constraint Q. Thus, differential weakening dW says that postcondition P is always satisfied along solutions if it is already implied by the domain constraint. Using dW, K, ⟨·⟩, the final two monotonicity proof rules M[·], M⟨·⟩ for differential equations are derivable. They strengthen the postcondition from P to R, assuming domain constraint Q, for the box and diamond modalities respectively.
Notice that the premises of some proof rules, e.g., dI, dW, discard all assumptions Γ on initial states when moving from conclusion to premises. This is necessary for soundness because the premises of these rules internalize reasoning that happens along solutions of the ODE x' = f(x) & Q rather than in the initial state. On the other hand, the truth values of constant assumptions P() do not change along solutions, so they can be soundly kept across rule applications [30]. These additional constant contexts are useful when working with assumptions on symbolic parameters, e.g., v() > 0 to model a (constant) positive velocity.
Besides rules dI, dC, dW shown above, the key to completeness for ODE invariants in dL is the differential ghosts [28,31] axiom shown below. The ∃ quantifier in the axiom can be replaced with a ∀ quantifier.
Axiom DG says that, in order to prove safety postcondition P(x) for the ODE x' = f(x), it suffices to prove it for a larger system with an added ODE y' = a(x)y + b(x) that is linear in the ghost variable y (because a(x), b(x) do not mention y). Intuitively, this addition is sound because the ODE x' = f(x) does not mention the added variables y, and so the evolution of x' = f(x) should be unaffected by the addition of an ODE for y. However, this intuition is only true if the additional ODEs do not unsoundly restrict the duration of the original solution by blowing up too early [28]. The linearity restriction prevents such a blow up. Using axiom DG in a proof seems counterintuitive though, because the axiom tries to prove a property for a seemingly easier (lower-dimensional) ODE by instead studying a more difficult (higher-dimensional) one! Yet, the DG axiom is crucially used for completeness because it enables mathematical (or geometric) transformations to be carried out syntactically in the dL proof calculus [31]. This completeness result only requires a scalar version of DG that adds one ghost variable at a time. More general vectorial versions of the axiom (where a(x) is a matrix and b(x) is a vector) have also been used elsewhere [31]. This article uses a new vectorial generalization, which allows differential ghosts with provably bounded ODEs to be added.
Lemma 2 (Bounded differential ghosts). The following bounded differential ghosts axiom BDG is sound, where y = (y_1, …, y_m) is an m-dimensional vector of fresh variables (not appearing in x), g(x, y) is a corresponding m-dimensional vector of terms, and ‖y‖² is the squared Euclidean norm of y. Term p(x) and formulas P(x), Q(x) are dependent only on free variables x (and not y).

BDG
Like DG, axiom BDG allows an arbitrary vector of ghost ODEs y' = g(x, y) to be added syntactically to the ODEs. However, it places no additional syntactic restriction on the RHS of the ODE (such as linearity in axiom DG). For soundness, BDG instead adds a new precondition requiring a provable bound ‖y‖² ≤ p(x) in terms of x on the squared norm of y along solutions of the augmented ODE. This syntactic precondition ensures that y cannot blow up before x so that solutions of x' = f(x), y' = g(x, y) exist as long as solutions of x' = f(x). Section 4 shows how to prove these preconditions so that axiom BDG enables ODE existence proofs through the refinement approach of Section 3.

ODE Liveness via Box Refinements
This section explains step-by-step refinement for proving ODE liveness properties in dL. Suppose that an initial liveness property ⟨x' = f(x) & Q_0⟩ P_0 is known for the ODE x' = f(x). How could this be used to prove a desired liveness property ⟨x' = f(x) & Q⟩ P for that ODE? Logically, this amounts to proving implication (1), from the initial liveness property to the desired one. Proving implication (1) refines the initial liveness property to the desired one. As a simple example, if the formula Q_0 → Q is provable (thus, valid), then implication (1) proves by monotonicity because any solution staying in the smaller domain Q_0 must also stay in the larger domain Q. Similarly, implication (1) would also be provable if P_0 → P were a provable formula. However, neither of these monotonicity-based arguments is sufficiently powerful for liveness proofs because they do not account for the specific ODE x' = f(x) under consideration at all. This article's approach is instead built on refinement axioms that conclude implications like (1) from box modality formulas involving the ODE x' = f(x). The following are four derived ODE refinement axioms of dL that are used for the approach.
Lemma 3 (Diamond ODE refinement axioms). The following ⟨·⟩ ODE refinement axioms derive in dL. In axioms BDG⟨·⟩, DDG⟨·⟩, y = (y_1, …, y_m) is an m-dimensional vector of fresh variables (not appearing in x) and g(x, y) is a corresponding m-dimensional vector of terms. Terms p(x), L(x), M(x) and formulas P(x), Q(x) are dependent only on free variables x (and not y).
In axiom K⟨&⟩, the box formula with postcondition ¬G says G never happens along the solution while ¬P holds. Thus, the solution cannot get to G unless it gets to P first. In axiom DR⟨·⟩, formula [x' = f(x) & R]Q says that the ODE solution never leaves Q while staying in R, so if the solution gets to P within R, then it also gets to P within Q.
The latter two refinement axioms BDG⟨·⟩, DDG⟨·⟩ are both derived from BDG. The (nested) refinement in both axioms says that, if the ODE x' = f(x) can reach P(x), then the ODE x' = f(x), y' = g(x, y), with the added variables y, can also reach P(x). Axiom BDG⟨·⟩ is the derived diamond version of BDG, obtained by directly dualizing BDG's inner equivalence with ⟨·⟩ and propositional simplification. The intuition behind BDG⟨·⟩ is identical to BDG: if the added ghost ODEs y never blow up in norm, then they do not affect whether the solution of the original ODEs. Axiom DDG⟨·⟩ is a derived, differential version of BDG⟨·⟩. Instead of bounding the squared norm ‖y‖² explicitly, DDG⟨·⟩ instead limits the rate of growth of the ghost ODEs by bounding the Lie derivative L_{x'=f(x), y'=g(x,y)}(‖y‖²) = 2y · g(x, y) of the squared norm. This derivative bound in turn implicitly bounds the squared norm of the ghost ODEs by the solution of the linear differential equation z' = L(x)z + M(x), with dependency on the value of x along solutions of the ODE x' = f(x). This ensures that premature blow-up of y before x itself blows up is impossible.
Axioms K⟨&⟩, DR⟨·⟩, BDG⟨·⟩, DDG⟨·⟩ all prove implication (1) in just one refinement step. Logical implication is transitive though, so a sequence of such steps can be chained together to prove implication (1). This is shown in (2), with neighboring implications informally chained together for illustration. With its side conditions, i.e., the box modality formulas, proven, the chain of refinements (2) proves the desired implication (1). However, a proof of the liveness property ⟨x' = f(x) & Q⟩ P on the right still needs a proof of the hypothesis ⟨x' = f(x) & Q_0⟩ P_0 at the beginning of the chain. Typically, this hypothesis is a (simple) existence assumption for the differential equation. Formalizing and proving such existence properties is the focus of Section 4. Those proofs are also based on refinements and make use of axioms BDG⟨·⟩, DDG⟨·⟩.
Refinement with axiom DR⟨·⟩ requires proving the formula [x' = f(x) & R]Q. Naïvely, one might expect that adding ¬P to the domain constraint should also work, i.e., the solution only needs to be in Q while it has not yet gotten to P. This conjectured axiom is unsound, as the solution could sneak out of Q exactly when it crosses from ¬P into P. In continuous settings, the language of topology makes precise what this means. The following topological refinement axioms soundly restrict what happens at the crossover point:

Lemma 4 (Topological ODE refinement axioms). The following topological ⟨·⟩ ODE refinement axioms are sound. In axiom COR, P, Q either both characterize topologically open or both characterize topologically closed sets over variables x.
Axiom COR is the more informative topological refinement axiom. Like the (unsound) conjectured variant of DR⟨·⟩ above, it allows formula ¬P to be assumed in the domain constraint when proving the box refinement. For soundness though, axiom COR has crucial topological side conditions on formulas P, Q so it can only be used when these conditions are met. Several variations of COR are possible (with similar soundness proofs), but they require alternative topological restrictions and additional topological notions. One useful variation involving the topological interior is given in Lemma 26. When these topological restrictions are enforced syntactically, axiom COR derives from dL's real induction axiom [31]. For the sake of generality, this article gives semantic topological side conditions with associated semantic soundness proofs in Appendix A.2.
Axiom SAR applies more generally than COR but only assumes the less informative formula ¬(P ∧ Q) in the domain constraint for the box modality. Its proof crucially relies on Q being a formula of real arithmetic so that the set it characterizes has tame topological behavior [3], see the proof in Appendix A.2 for more details. By topological considerations, axiom SAR is also sound if formula P (or resp. Q) characterizes a topologically closed (resp. open) set over the ODE variables x. These additional cases are also proved in Appendix A.2 without relying on the fact that Q is a formula of real arithmetic.

Finite Time Blow Up and Global Existence
This section explains how global existence properties can be proved for a given ODE x' = f(x), subject to assumptions Γ about the initial states for the ODE. The existence and uniqueness theorems for ODEs [6,43] guarantee that polynomial ODEs like x' = f(x) always have a unique, right-maximal solution from any initial state, ϕ : [0, T) → S for some 0 < T ≤ ∞. However, these theorems give no guarantees about the precise duration T. In particular, ODEs can exhibit a technical phenomenon known as finite time blow up of solutions [6], where ϕ is only defined on a bounded time interval [0, T) with T < ∞. Additionally, it is possible that such finite time blow up only happens for some initial conditions (and corresponding solutions) of the ODE. However, these initial conditions (with finite time blow up) may not be relevant to the model of concern, especially when the dynamics of real world systems are controlled to stay away from the blow up. For example, α_n from Fig. 1 exhibits finite time blow up of solutions only outside the red disk and, even then, the blow up occurs well after its solutions have reached the target region.
As an example for this section, consider the nonlinear ODE α_b ≡ v' = −v², with initial value v_0 for v. If v_0 < 0 initially, then its solution is only defined to the right for the finite time interval [0, −v_0), because the denominator v_0 + t of the solution is 0 at t = −v_0. On the other hand, for v_0 > 0 (and when v_0 = 0), the existence interval to the right is [0, ∞). Thus, α_b exhibits finite time blow up of solutions, but only for v_0 < 0.

Global Existence Proofs
The discussion above uses the mathematical solution v(t) of the ODE α_b. Syntactic proofs of existence for such solutions start by expressing existence properties in dL as a special form of ODE liveness property. The first step is to add a fresh variable t with t' = 1 that tracks the progress of time. Then, using a fresh variable τ not in x, t, the following formula expresses that the ODE has a global solution, because its solutions can reach any arbitrary time τ:

∀τ ⟨x' = f(x), t' = 1⟩ t > τ    (3)

The simplest instance of (3) is for the ODE t' = 1 by itself without any ODE x' = f(x). In this case, the formula (3) is valid because t' = 1 is an ODE with constant RHS and its solution exists for all time. The axiom TEx below expresses this fact and it derives directly from the solution axiom of dL [28]:

Lemma 5 (Time existence). The following axiom derives in dL.

TEx  ∀τ ⟨t' = 1⟩ t > τ

Other instances of (3) can be proved using axioms BDG⟨·⟩, DDG⟨·⟩ with appropriate assumptions about the initial conditions for the additional ODEs x' = f(x). This is exemplified for the ODE α_b next.
Example 1 (Velocity of particle with air resistance). The ODE α_b can be viewed as a model of the velocity of a particle that is slowing down due to air resistance. Of course, it does not make physical sense for the velocity of such a particle to "blow up". However, the solution of α_b only exists globally if the particle starts with positive initial velocity v > 0; otherwise, it only has short-lived solutions. The reason is that α_b only makes physical sense for positive velocities v > 0, so that the air resistance term −v² slows the particle down instead of speeding it up. Global existence (3) can be proved for α_b if its initial velocity is positive, i.e., the dL formula v > 0 → ∀τ ⟨v' = −v², t' = 1⟩ t > τ is valid. The derivation proceeds as follows. After basic propositional steps (→R, ∀R), axiom DDG⟨·⟩ is used with v' = −v² as the ghost equation with the trivial choice of bounds L ≡ 0, M ≡ 0. This yields two premises, the right of which proves using TEx. The resulting left premise requires proving the formula 2v · (−v²) ≤ 0 along the ODE. Mathematically, this says that the derivative of the squared norm v² is nonpositive along α_b, so that v² is non-increasing and cannot blow up. An M[·] step strengthens the postcondition to v > 0 since v > 0 implies 2v · (−v²) ≤ 0 in real arithmetic. The resulting premise is an invariance property for v > 0 which proves in dL (proof omitted [31]). The initial assumption v > 0 is crucially used in this step, as expected.
Section 3 offers another view of the derivation above as a single refinement step in the chain (2). Here, an initial existence property for the ODE t' = 1 is refined to an existence property for the ODE v' = −v², t' = 1. (The fact that v² is non-increasing can also be used in an alternative derivation with axiom BDG⟨·⟩ and the bound p ≡ v_0², where v_0 syntactically stores the initial value of v.) The refinement step is justified using DDG⟨·⟩ with the box modality formula from the left premise above, i.e., that 2v · (−v²) ≤ 0 holds along the ODE. This chain can be extended to prove global existence for more complicated ODEs x' = f(x) in a stepwise fashion, (possibly) alternating between uses of DDG⟨·⟩ or BDG⟨·⟩ for the refinement step. To do this, note that any ODE x' = f(x) can be written in dependency order (4), where each group y_i is a vector of variables and each g_i corresponds to the respective vectorial RHS of the ODE for y_i for i = 1, …, k. The RHS of each y_i' is only allowed to depend on the preceding variables (inclusive) y_1, …, y_i.

y_1' = g_1(y_1), y_2' = g_2(y_1, y_2), y_3' = g_3(y_1, y_2, y_3), …, y_k' = g_k(y_1, y_2, y_3, …, y_k)    (4)
(x' = f(x) written in dependency order)

Corollary 6 (Dependency order existence). Consider the ODE x' = f(x) in dependency order (4), and where τ is a fresh variable not in x, t. The following rule DEx with k stacked premises derives from BDG⟨·⟩, DDG⟨·⟩ and TEx, where the postcondition of each premise P_i for 1 ≤ i ≤ k can be chosen to be either of the form:

B: P_i ≡ ‖y_i‖² ≤ p_i(t, y_1, …, y_{i−1}) for some term p_i with the indicated dependencies, or,

D: P_i ≡ 2y_i · g_i(y_1, …, y_i) ≤ L_i(t, y_1, …, y_{i−1}) ‖y_i‖² + M_i(t, y_1, …, y_{i−1}) for some terms L_i, M_i with the indicated dependencies.
Proof Sketch (Appendix B.1). The derivation proceeds (backwards) by successively using either BDG⟨·⟩ for premises corresponding to the form (B) or DDG⟨·⟩ for those corresponding to (D), with the ghost equations for g_i and the respective bounds p_i or L_i, M_i at each step for i = k, …, 1.
Rule DEx corresponds to a refinement chain (2) of length k, with successive BDG⟨·⟩, DDG⟨·⟩ steps, e.g.:

⟨t' = 1⟩ t > τ −→ · · · −→ ⟨y_1' = g_1(y_1), …, y_k' = g_k(y_1, …, y_k), t' = 1⟩ t > τ

In rule DEx any choice of the shape of premises ((B) and (D)) is sound as these correspond to an underlying choice of axiom BDG⟨·⟩, DDG⟨·⟩ to apply at each step, respectively. Another source of flexibility arises when choosing the dependency ordering (4) for the ODE x' = f(x), as long as the requisite dependency requirements are met. For example, one can always choose the coarsest dependency order y_1 ≡ x, g_1 ≡ f(x), and directly prove global existence in one step using an appropriate choice of bounds L_1, M_1. The advantage of using finer dependency orders in DEx is that it allows the user to choose the bounds L_i, M_i step by step for i = 1, …, k. This flexibility is used in Corollaries 8 and 10.
The discussion thus far proves global existence for ODEs by encoding existence properties with an explicit time variable t. This is not a serious restriction for the liveness proofs in later sections of this article. Such a fresh time variable can always be added using the rule dGt below, which derives from DG. The rule also adds the assumption t = 0 initially without loss of generality for ease of proof.

Derived Existence Axioms
Rule DEx gives a general recipe for proving global existence of an ODE by refinement with BDG⟨·⟩, DDG⟨·⟩. However, it still requires the user to manually prove all k premises resulting from application of the rule. For certain classes of ODEs and initial conditions, there are well-known mathematical techniques to prove global existence. These techniques also have purely syntactic renderings in dL as special cases of BDG⟨·⟩, DDG⟨·⟩, DEx. In particular, this section shows how axioms GEx, BEx (shown below), which were proved semantically in the earlier conference version [42], can be derived syntactically. The refinement approach also yields natural generalizations of these axioms.

Globally Lipschitz ODEs
A function f : ℝ^m → ℝ^n is called globally Lipschitz continuous if there is a (positive) Lipschitz constant C ∈ ℝ such that the inequality ‖f(x) − f(y)‖ ≤ C ‖x − y‖ holds for all x, y ∈ ℝ^m, where ‖·‖ are appropriate norms. Since norms are equivalent on finite dimensional vector spaces [43, §5.V], without loss of generality, the Euclidean norm is used for the following discussion. An ODE x' = f(x) is globally Lipschitz if its RHS f is globally Lipschitz continuous. Solutions of such ODEs always exist globally for all time [43, §10.VII]. This global Lipschitz continuity condition is satisfied, e.g., by α_l, and more generally by linear ODEs of the form x' = Ax, where A is a matrix of (constant) parameters [43], because of the following (mathematical) inequality with Lipschitz constant ‖A‖, i.e., the (matrix-Euclidean) Frobenius norm of A:

‖Ax − Ay‖ = ‖A(x − y)‖ ≤ ‖A‖ ‖x − y‖

This calculation uses the Euclidean norm ‖·‖, which is not a term in dL (Section 2.1) because it is not a polynomial. This syntactic exclusion is not an oversight: it is crucial to the soundness of dL that such non-differentiable terms are excluded from its syntax. For example, ‖x‖ is not differentiable at x = 0. Thus, a subtle technical challenge in proofs is to appropriately rephrase mathematical inequalities, typically involving norms, into ones that can be reasoned about soundly also in the presence of differentiation. In this respect, the Euclidean norm is useful, because expanding the inequality 0 ≤ (1 − ‖x‖)² and rearranging yields:

2‖x‖ ≤ 1 + ‖x‖²    (5)

Notice that, unlike the Euclidean norm ‖x‖, the RHS of the square inequality (5) can be represented syntactically. Indeed, the squared Euclidean norm is already used in axioms BDG, BDG⟨·⟩, DDG⟨·⟩. To support intuition, the proof sketches below continue to use mathematical inequalities involving Euclidean norms, while the actual proofs in the appendix use rephrasings with (5) instead. The following corollary shows how global existence for globally Lipschitz ODEs is derived using a norm inequality as a special case of rule DEx.
Corollary 7 (Global existence). The following global existence axiom GEx derives from DDG⟨·⟩ in dL, where τ is a fresh variable not in x, t, and x' = f(x) is globally Lipschitz.

Proof Sketch (Appendix B.1). Let C be the Lipschitz constant for f. The proof uses DDG⟨·⟩ and two (mathematical) inequalities. The first inequality (6) bounds ‖f(x)‖ linearly in ‖x‖ by applying the Lipschitz condition to x and the constant 0; the constant 0 is chosen here to simplify the resulting arithmetic. The second inequality (7) uses bound (6) on ‖f(x)‖ to further bound 2x · f(x) linearly in ‖x‖² along the ODE with appropriate choices of L, M that only depend on the (positive) Lipschitz constant C and ‖f(0)‖.
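The two inequalities of the proof sketch, carried through with the article's symbols as an added worked derivation (the particular L, M chosen below are mine and need not coincide with those in the appendix). The first line applies the Lipschitz condition to the points x and 0; the second uses the Cauchy–Schwarz inequality and then the square inequality (5), 2‖x‖ ≤ 1 + ‖x‖², to absorb the linear term:

```latex
\begin{aligned}
\|f(x)\| &\le \|f(x) - f(0)\| + \|f(0)\| \;\le\; C\,\|x\| + \|f(0)\| && \text{(6)} \\[4pt]
2x \cdot f(x) &\le 2\|x\|\,\|f(x)\| \;\le\; 2C\,\|x\|^2 + 2\|f(0)\|\,\|x\| \\
 &\le 2C\,\|x\|^2 + \|f(0)\|\,(1 + \|x\|^2) \;=\; \bigl(2C + \|f(0)\|\bigr)\,\|x\|^2 + \|f(0)\| && \text{(7)}
\end{aligned}
```

Hence L ≡ 2C + ‖f(0)‖ and M ≡ ‖f(0)‖ satisfy the DDG⟨·⟩ premise 2x · f(x) ≤ L ‖x‖² + M, and both are constants as the axiom requires. Since ‖f(0)‖ is a square root rather than a polynomial, it can be replaced by the polynomial constant (1 + ‖f(0)‖²)/2 ≥ ‖f(0)‖, again by (5), so that L, M are dL terms.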
The derivation of axiom GEx uses DDG⟨·⟩, but global existence extends to more complicated ODEs with the aid of DEx as long as appropriate choices of L, M can be made. A useful example of such an extension is global existence for ODEs that have an affine dependency order (4), i.e., each g_i(y_1, …, y_i) has the form A_i y_i + b_i, where A_i, b_i are respectively matrix and vector terms with appropriate dimensions and the indicated variable dependencies (they may depend on y_1, …, y_{i−1} but not on y_i).

Corollary 8 (Affine dependency order global existence). Axiom GEx is derivable from DDG⟨·⟩ in dL for ODEs x' = f(x) with affine dependency order.

Proof Sketch (Appendix B.1). The proof is similar to Corollary 7 but uses DEx to prove global existence step by step for the dependency order. It uses a (mathematical) inequality and corresponding choices of L_i, M_i for i = 1, …, k at each step. This inequality is very similar to the one used for Corollary 7, where ‖A_i‖ corresponds to C, and ‖b_i‖ corresponds to ‖f(0)‖. The difference is that the terms L_i, M_i are allowed to depend on the preceding variables y_1, …, y_{i−1}. Importantly for soundness, both terms meet the appropriate variable dependency requirements of DDG⟨·⟩ because the terms A_i, b_i are not allowed to depend on y_i in the affine dependency order.

With the extended refinement chain underlying DEx, Corollary 8 enables more general proofs of global existence for certain multi-affine ODEs that are not necessarily globally Lipschitz. For example, the ODE u' = u, v' = uv meets the dependency requirements of Corollary 8, so it has provable global solutions, but its RHS is not a globally Lipschitz function of u, v.

Bounded Existence
Returning to the example ODEs α_b and α_n, observe that axiom GEx applies to neither of those ODEs because they do not have affine dependency order. As observed earlier in Example 1 and Fig. 1 respectively, neither α_b nor α_n has global solutions from all initial states. Although Example 1 shows how global existence for α_b can be proved from assumptions motivated by physics, it is also useful to have general axioms (similar to GEx) corresponding to well-known mathematical techniques for proving global existence of solutions for nonlinear ODEs under particular assumptions. One such mathematical technique is briefly recalled next.

Suppose that the solution of the ODE x' = f(x) is trapped within a bounded set (whose compact closure is contained in the domain of the ODE); then the ODE solution exists globally. For a proof, see [16, Corollary 2.5] and [19, Theorem 3.3]. In control theory, this principle is used to show the global existence of solutions near stable equilibria [16,19]. It also applies in case the model of interest has state variables that are a priori known to range within a bounded set [2, Section 6].

This discussion suggests that the following formula is valid for any ODE x' = f(x), where B(x) characterizes a bounded set over the variables x, so the assumption [x' = f(x)]B(x) says that the ODE solution is always trapped within the bounded set characterized by B(x):

[x' = f(x)] B(x) → ∀τ ⟨x' = f(x), t' = 1⟩ t > τ    (9)
Formula (9) is rewritten more succinctly in the following corollary by negating the box modality.
Corollary 9 (Bounded existence). The following bounded existence axiom BEx derives from BDG⟨·⟩ in dL, where τ is a fresh variable not in x, t, and formula B(x) characterizes a bounded set over variables x.

Proof Sketch (Appendix B.1). The squared norm ‖x‖² is continuous in x, so it is bounded above by a constant D on the compact closure of the set characterized by B(x). Axiom BDG⟨·⟩ is used with p(x) = D.

Axiom BEx removes the global Lipschitz (or affine dependency) requirement of GEx but weakens the postcondition to say that solutions must either exist for sufficient duration or blow up and leave the bounded set characterized by formula B(x). Like axiom GEx, axiom BEx is derived by refinement using axiom BDG⟨·⟩. This commonality again yields a more general version of BEx, which also incorporates ideas from GEx.

Corollary 10 (Dependency order bounded existence). Consider the ODE x' = f(x) in dependency order (4), and where τ is a fresh variable not in x, t. The following axiom GBEx derives from BDG⟨·⟩, DDG⟨·⟩ in dL, where the indices i = 1, …, k are partitioned into two disjoint index sets L, N such that:

Proof Sketch (Appendix B.1). The derivation is similar to rule DEx, with an internal DDG⟨·⟩ step (similar to GEx) for i ∈ L and an internal BDG⟨·⟩ step (similar to BEx) for i ∈ N.

The index set L in Corollary 10 indicates those variables of x' = f(x) whose global existence (with respect to the other variables) can be automatically proved. On the other hand, the index set N indicates the variables that may cause finite time blow up of solutions. The postcondition of axiom GBEx says that solutions either exist for sufficient duration or they blow up and leave one of the bounded sets indexed by N. Therefore, an immediate modeling application of Corollary 10 is to identify which of the state variables in a model must be proved (or assumed) to take on bounded values [2, Section 6]. This underlies the automated existence proof support discussed in Section 7.

Completeness for Global Existence
The derivations of the existence axioms GEx, BEx, GBEx and rule DEx illustrate the use of liveness refinement for proving existence properties. Moreover, BDG⟨·⟩ is the sole ODE diamond refinement axiom underlying these derivations (recall that DDG⟨·⟩ derives from BDG⟨·⟩). This yields a natural question: are there ODEs whose solutions exist globally, but whose global existence cannot be proved syntactically using BDG⟨·⟩? The next completeness result gives a conditional completeness answer: all global existence properties can be proved using BDG⟨·⟩, if the corresponding ODE solutions are represented syntactically.

Proposition 11 (Completeness for global existence). Suppose that the ODE x' = f(x) has a global solution syntactically represented in dL as a term X(t) dependent only on the free variable t. Then its global existence property (3) derives from BDG⟨·⟩.

Proof Sketch. The equality x = X(t) is provable along the ODE x' = f(x), t' = 1 because solutions are equational invariants [28,31]. The proof uses BDG⟨·⟩ with the bounding term p = ‖X(t)‖², so that the required hypothesis of BDG⟨·⟩, i.e., [x' = f(x), t' = 1] ‖x‖² ≤ ‖X(t)‖², proves trivially using the equality x = X(t).

The completeness result in Proposition 11 is somewhat unsatisfying at first glance, because one needs to have an explicit syntactic representation of the solution for the ODE. In the term language of this article (Section 2.1) only polynomial solutions would be representable in this way. However, dL also has term language extensions [31], which considerably extend the class of syntactically representable solutions to include, e.g., towers of exponentials.⁸ Additionally, the proof of Proposition 11 actually only requires a provable upper bound ‖x‖² ≤ ‖X(t)‖² rather than an equality. Thus, a dL representable (and provable) upper bound ‖X(t)‖² also suffices for proving global existence. This completeness result highlights the advantage of axioms BDG⟨·⟩, DDG⟨·⟩ and their use in the derived axioms of Corollaries 7–10, because they implicitly deduce global existence without needing an explicitly representable solution for the ODE.

Liveness Without Domain Constraints
This section presents proof rules for liveness properties of ODEs x' = f(x) without domain constraints, i.e., where Q is the formula true. Errors and omissions in the surveyed techniques are highlighted in blue.

Differential Variants
The fundamental technique for verifying liveness of discrete loops is loop variants, i.e., quantities that decrease strictly across each loop iteration. Differential variants [25] are their continuous analog:

Corollary 12 (Atomic differential variants [25]). The following proof rules dV_Γ, dV (where ⪰ is either ≥ or >) are derivable in dL.

Proof Sketch (Appendix B.2). Monotonicity M[·] strengthens the postcondition to p ≥ p_0() + ε()t with the domain constraint ¬(p ⪰ 0). A subsequent use of dI completes the derivation. Rule dV is derived in Appendix B.2 as a corollary of rule dV_Γ because the ODE x' = f(x) is assumed to have solutions which (provably) exist globally.

The premises of both rules dV_Γ, dV require a constant (positive) lower bound ε() on the Lie derivative ṗ. This bound ensures that the value of p strictly increases along solutions of the ODE, eventually becoming non-negative. Soundness of both rules therefore crucially requires that ODE solutions exist for sufficiently long for p to become non-negative. This is usually left as a soundness-critical side condition in liveness proof rules [25,39], but any such side condition is antithetical to approaches for minimizing the soundness-critical core in implementations [28] because it requires checking the (semantic) condition that solutions exist for sufficient duration. The conclusion of rule dV_Γ formalizes this side condition as an assumption. In contrast, rule dV discharges it using the (assumed) provable global existence for the ODE (see Section 4).

The rest of this article similarly develops ODE liveness proof rules that rely on the global existence proofs from Section 4. In all subsequent proof rules, the ODE x' = f(x) is assumed to have provable global solutions: if, for example, the ODE were globally Lipschitz (or, as a special case, linear), then its global existence can be proven using axiom GEx from Corollaries 7 and 8. For uniformity, all proof steps utilizing this assumption are marked with GEx, although proofs of global existence could use various other techniques described in Section 4. All subsequent proof rules can alternatively be presented with sufficient duration assumptions like dV_Γ, but those are omitted for brevity.

Example 2 (Linear liveness). The liveness property that Fig. 1 suggested for the linear ODE α_l is proved by rule dV. The proof is shown on the left below and visualized on the right. The first monotonicity step M strengthens the postcondition to the inner blue circle u² + v² = 1/4, which is contained within the green goal region. Next, since solutions satisfy u² + v² = 1 initially (black circle), the K⟨&⟩ step expresses an intermediate value property: to show that the continuous solution eventually reaches u² + v² = 1/4, it suffices to show that it eventually reaches u² + v² ≤ 1/4 (also see Corollary 13 below). The postcondition is rearranged before dV is used with ε() = 1/2. Its premise proves with R because the Lie derivative of 1/4 − (u² + v²) with respect to α_l is 2(u² + v²), which is bounded below by 1/2 under the assumption 1/4 ≤ u² + v². The Lie derivative calculation shows that the value of u² + v² decreases along solutions of α_l, as visualized by the shrinking (dashed) circles. However, the rate of shrinking converges to zero as solutions approach the origin, so solutions never reach the origin in finite time! This is why dV_Γ, dV crucially need a constant positive lower bound ṗ ≥ ε() on the Lie derivative for soundness [25] instead of merely requiring ṗ > 0. It is also instructive to examine the chain of refinements (2) underlying the proof above. Since α_l is a linear ODE, the first dV step refines the initial liveness property from GEx, i.e., that solutions exist globally (so, for at least time 3/4 / 1/2 = 3/2), to the liveness property ⟨α_l⟩ u² + v² ≤ 1/4. Subsequent refinement steps can be read off from the proof steps above. The latter two steps illustrate the idea behind the next two surveyed proof rules. In their original presentation [41], the ODE x' = f(x) is only assumed to be locally Lipschitz continuous, which is insufficient for global existence of solutions, making the original rules unsound. See Appendix C for counterexamples.
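The following Python example is added here to make two of the preceding checks concrete; it is not code from the article or from KeYmaera X. It implements a small polynomial representation, the Lie derivative ṗ = Σ_i (∂p/∂x_i) f_i(x) used by rule dV, a classifier that decides whether a grouping of the variables is a dependency order in the sense of (4) and whether it is affine (so that Corollary 8 applies), and an RK4 simulation that compares the time bound 3/4 / ε() = 3/2 from Example 2 with the time a solution actually takes to reach u² + v² ≤ 1/4. The concrete right-hand side used for α_l (u' = −v − u, v' = u − v) is an assumption: the article does not restate α_l on this page, and this choice was picked because its Lie derivative of 1/4 − (u² + v²) is 2(u² + v²), as Example 2 states. The multi-affine ODE u' = u, v' = uv and α_b are taken from the text.

```python
from fractions import Fraction

# Polynomials over Q with a fixed variable ordering, stored as {exponent tuple: coefficient}.
# This representation is constructed for the example; it is neither the article's nor KeYmaera X's.

def mono(coeff, *exps):
    """A single monomial, e.g. mono(-1, 0, 2) is -v^2 when the variable order is (u, v)."""
    return {tuple(exps): Fraction(coeff)}

def padd(a, b):
    r = dict(a)
    for m, c in b.items():
        r[m] = r.get(m, Fraction(0)) + c
    return {m: c for m, c in r.items() if c != 0}

def pmul(a, b):
    r = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(x + y for x, y in zip(ma, mb))
            r[m] = r.get(m, Fraction(0)) + ca * cb
    return {m: c for m, c in r.items() if c != 0}

def pdiff(a, i):
    """Partial derivative with respect to the i-th variable."""
    r = {}
    for m, c in a.items():
        if m[i] > 0:
            mm = list(m)
            mm[i] -= 1
            r[tuple(mm)] = r.get(tuple(mm), Fraction(0)) + c * m[i]
    return r

def peval(a, x):
    total = 0
    for m, c in a.items():
        term = c
        for e, xi in zip(m, x):
            term *= xi ** e
        total += term
    return total

def lie_derivative(p, rhs):
    """Lie derivative p' = sum_i (dp/dx_i) * f_i(x) of p along the ODE x' = f(x)."""
    acc = {}
    for i, f_i in enumerate(rhs):
        acc = padd(acc, pmul(pdiff(p, i), f_i))
    return acc

def dependency_order_kind(rhs, groups):
    """Classify a grouping y_1, ..., y_k of the variables of x' = f(x), cf. (4) in the text.
    None: not a dependency order (some g_i mentions a variable of a later group).
    'affine': every g_i is affine in its own group y_i (Corollary 8 applies).
    'nonlinear': a valid dependency order, but some g_i is nonlinear in y_i."""
    allowed, affine = set(), True
    for g in groups:
        allowed |= set(g)
        for j in g:
            for m in rhs[j]:
                if any(e > 0 and i not in allowed for i, e in enumerate(m)):
                    return None
                if sum(m[i] for i in g) > 1:
                    affine = False
    return "affine" if affine else "nonlinear"

def reach_time(rhs, x0, p, dt=1e-3, tmax=10.0):
    """Integrate x' = f(x) with RK4 (floating point) until p(x) >= 0.
    Returns the first sampled time at which the goal holds, or None if not within tmax."""
    f = lambda x: [float(peval(r, x)) for r in rhs]
    x, t = [float(v) for v in x0], 0.0
    while t < tmax:
        if peval(p, x) >= 0:
            return t
        k1 = f(x)
        k2 = f([xi + dt / 2 * ki for xi, ki in zip(x, k1)])
        k3 = f([xi + dt / 2 * ki for xi, ki in zip(x, k2)])
        k4 = f([xi + dt * ki for xi, ki in zip(x, k3)])
        x = [xi + dt / 6 * (a + 2 * b + 2 * c + d) for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]
        t += dt
    return None

# Variable order (u, v). ASSUMED concrete form of the linear ODE alpha_l, chosen so that the
# Lie derivative of 1/4 - (u^2 + v^2) equals 2(u^2 + v^2) as Example 2 states.
ALPHA_L = [padd(mono(-1, 0, 1), mono(-1, 1, 0)),   # u' = -v - u
           padd(mono(1, 1, 0), mono(-1, 0, 1))]    # v' = u - v
P_GOAL = padd(mono(Fraction(1, 4), 0, 0), padd(mono(-1, 2, 0), mono(-1, 0, 2)))  # 1/4 - (u^2 + v^2)
EPS = Fraction(1, 2)                                                             # epsilon() of Example 2

def example2_time_bound():
    """(dV time bound -p(0)/eps = 3/2, simulated time to reach u^2 + v^2 <= 1/4 from (1, 0))."""
    p0 = peval(P_GOAL, [1, 0])          # start on the unit circle, where p = -3/4
    return float(-p0 / EPS), reach_time(ALPHA_L, [1, 0], P_GOAL)

# ODEs from the text: the multi-affine u' = u, v' = u*v, and alpha_b: v' = -v^2, t' = 1.
MULTI_AFFINE = [mono(1, 1, 0), mono(1, 1, 1)]
ALPHA_B = [mono(-1, 2, 0), mono(1, 0, 0)]

if __name__ == "__main__":
    print("Lie derivative of p along alpha_l:", lie_derivative(P_GOAL, ALPHA_L))
    print("dV bound, simulated reach time:", example2_time_bound())
    print("u'=u, v'=uv grouped {u},{v}:", dependency_order_kind(MULTI_AFFINE, [[0], [1]]))
    print("u'=u, v'=uv grouped {u,v}:", dependency_order_kind(MULTI_AFFINE, [[0, 1]]))
    print("alpha_b grouped {v},{t}:", dependency_order_kind(ALPHA_B, [[0], [1]]))
```

Two points worth noting from running it: the simulated reach time (about ln 2 ≈ 0.693) is comfortably below the dV bound 3/2, as the rule only promises an upper bound, and the same multi-affine ODE is classified as affine under the fine grouping {u}, {v} but nonlinear under the coarse grouping {u, v}, which is exactly why the finer dependency order is needed to apply Corollary 8 to it.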
Corollary 13 (Equational differential variants [41]). The following proof rules dV_=, dV_{M=} are derivable in dL. Term ε() is constant for the ODE x' = f(x), and the ODE has provable global solutions for both rules.

The view of dV as a refinement of GEx in Example 2 also yields generalizations of dV to higher Lie derivatives. Indeed, it suffices that any higher Lie derivative p^(k) is bounded below by a positive constant ε() rather than just the first:

Corollary 14 (Atomic higher differential variants). The following proof rule dV_k (where ⪰ is either ≥ or >) is derivable in dL. Term ε() is constant for the ODE x' = f(x), and the ODE has provable global solutions.

Proof Sketch (Appendix B.2). Since the k-th Lie derivative p^(k) is strictly positive, all lower Lie derivatives p^(i) of p for i < k, including p itself, eventually become positive. This derives using a sequence of dC, dI steps.
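The sequence of dC, dI steps in the proof sketch can be made explicit as an added worked derivation (this is an illustration in the article's notation, not the appendix's proof). Write p^(i)(t) for the value of the i-th Lie derivative along the solution. The premise p^(k) ≥ ε() yields, by one integration (one dI step), p^(k−1)(t) ≥ p^(k−1)(0) + ε() t; adding this bound as a differential cut dC and integrating again, and so on k times in total, gives

```latex
\begin{aligned}
p^{(k-1)}(t) &\;\ge\; p^{(k-1)}(0) + \varepsilon()\, t, \\
p^{(k-2)}(t) &\;\ge\; p^{(k-2)}(0) + p^{(k-1)}(0)\, t + \frac{\varepsilon()}{2}\, t^{2}, \\
&\;\;\vdots \\
p(t) &\;\ge\; \sum_{i=0}^{k-1} \frac{p^{(i)}(0)}{i!}\, t^{i} \;+\; \frac{\varepsilon()}{k!}\, t^{k}.
\end{aligned}
```

Each right-hand side is a polynomial in t with positive leading coefficient ε()/j!, so it is eventually positive; hence every lower Lie derivative, and finally p itself, becomes positive after a finite time that depends only on ε() and the initial values p^(i)(0). The global existence assumption is what guarantees that the solution lasts until that time, which is the same point at which dV itself relies on it.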

Staging Sets
The idea behind staging sets [39] is to use an intermediary staging set formula S that can only be left by entering the goal region P. This staging property is expressed by the box modality formula in the left premise of rule SP below.

Corollary 15 (Staging sets [39]). The following proof rule SP is derivable in dL. Term ε() is constant for the ODE x' = f(x), and the ODE has provable global solutions.

Proof Sketch (Appendix B.2). The derivation goes through an intermediate rule SP_Γ; the rest of the derivation is similar to dV_Γ, dV.

In rule SP, the staging set formula S provides a choice of intermediary between the differential variant p and the desired postcondition P. Proof rules can be significantly simplified by choosing S with desirable topological properties. For example, all of the liveness proof rules derived so far either have an explicit sufficient duration assumption (like dV_Γ) or assume that the ODEs have provable global solutions (like dV using axiom GEx). An alternative is to use axiom BEx, by choosing the staging set formula S(x) to characterize a bounded or compact set over the variables x.

Corollary 16 (Bounded/compact staging sets). The following proof rules are derivable in dL. Term ε() is constant for x' = f(x). In rule SP_b, formula S characterizes a bounded set over variables x. In rule SP_c, it characterizes a compact, i.e., closed and bounded, set over those variables.

Proof Sketch (Appendix B.2). Rule SP_b derives using BEx and the differential variant p to establish a time bound. Rule SP_c is an arithmetical corollary of SP_b, using the fact that continuous functions on compact domains attain their extrema.

Example 3 (Nonlinear liveness). The liveness property that Fig. 1 suggested for the nonlinear ODE α_n is proved using rule SP_c by choosing the staging set formula S ≡ 1 ≤ u² + v² ≤ 2 (blue annulus) and a differential variant p whose Lie derivative is bounded below by 3/2 in S. Thus, the right premise of SP_c closes trivially. The left premise requires proving that S is an invariant within the domain constraint ¬(u² + v² ≥ 2). Intuitively, this is true because the blue annulus can only be left by entering the goal u² + v² ≥ 2. Its elided invariance proof is easy [31]. There are two subtleties to highlight in this proof. First, S characterizes a compact, hence bounded, set (as required by rule SP_c). Solutions of α_n can blow up in finite time, which necessitates the use of BEx for proving its liveness properties. Second, S cleverly excludes the red disk (dashed boundary) characterized by u² + v² ≤ 1/4. Solutions of α_n behave differently in this region, e.g., the Lie derivative ṗ is non-positive in this disk. The chain of refinements (2) behind this proof can be seen from the derivation of rules SP_b, SP_c in Appendix B.2. It starts from the initial liveness property BEx (with time bound 1/(3/2) = 2/3) and uses two K⟨&⟩ refinement steps. The first K⟨&⟩ step shows that the staging set is left (⟨α_n⟩¬S), while the latter shows the desired liveness property. The use of axiom BEx is subtle and is often overlooked in surveyed liveness arguments. This includes incorrect claims [35, Remark 3.6] that a liveness argument works without assuming that the relevant sets are bounded. Similarly, the following proof rule derives from SP_c by adapting ideas from the literature [36, Theorem 2.4, Corollary 2.5] that were claimed to hold for any closed set K, when, in fact, K needs to be compact, as assumed implicitly in the proof [36].
Corollary 17 (Set Lyapunov functions [36]). The following proof rule SLyap is derivable in dL. Formula K characterizes a compact set over variables x, while formula P characterizes an open set over those variables.

Proof Sketch. Rule SLyap derives from SP_c with S ≡ ¬P ∧ K, since ¬P characterizes a closed set, and the intersection of a closed set with a compact set is compact.

Liveness With Domain Constraints
This section presents proof rules for liveness properties of ODEs x' = f(x) with domain constraints Q. These properties are more subtle than liveness without domain constraints, because the limitation to a domain constraint Q may make it impossible for an ODE solution to reach a desired goal region without leaving Q. Axiom DR⟨·⟩ with R ≡ true provides one way of directly generalizing the proof rules from Section 5, and the proof rules from Section 5 can then be used on the resulting right premise. This derivation extends all chains of refinements (2) from Section 5 with one additional step. Liveness arguments become much more intricate when attempting to generalize beyond DR⟨·⟩, e.g., recall the unsound conjecture DR⟨·⟩. Indeed, unlike the technical glitches of Section 5, this article uncovers subtle soundness-critical errors in the literature. With dL's deductive approach, these intricacies are isolated to the topological axioms (Lemma 4), which have been proved sound once and for all. Errors and omissions in the surveyed techniques are again highlighted in blue.

Topological Proof Rules
The first proof rule generalizes differential variants to handle domain constraints:

Corollary 18 (Atomic differential variants with domains [25]). The following proof rule dV& (where ⪰ is either ≥ or >) is derivable in dL. Term ε() is constant for the ODE x' = f(x), and the ODE has provable global solutions. Formula Q characterizes a closed (resp. open) set when ⪰ is ≥ (resp. >).

Proof Sketch. The derivation uses axiom COR choosing R ≡ true, noting that p ≥ 0 (resp. p > 0) characterizes a topologically closed (resp. open) set, so the appropriate topological requirements of COR are satisfied. The derivation steps on the right premise are similar to the ones used for dV, although an intervening dC step is used to add Q to the antecedents.

The original presentation of rule dV_Γ [25] omits the highlighted assumption ¬(p ⪰ 0), which is needed for the COR step; the rule is unsound without it. In addition, it uses a form of syntactic weak negation [25], which is unsound for open postconditions, as pointed out earlier [39]. See Appendix C for counterexamples. Corollary 18 recovers soundness by adding topological restrictions on the domain constraint Q.
The next two corollaries similarly make use of COR to derive the proof rule dV_{M=}& [41] and the adapted rule SLyap& [36]. They respectively generalize dV_{M=} and SLyap from Section 5 to handle domain constraints. The technical glitches in their original presentations [36,41], which were identified in Section 5, remain highlighted here.

Corollary 19 (Equational differential variants with domains [41]). The following proof rules are derivable in dL. Term ε() is constant for the ODE x' = f(x), and the ODE has provable global solutions for both rules. Formula Q characterizes a closed set over variables x.

Proof Sketch. Similar to the derivation of dV_=, dV_{M=} from dV. In this case, rule dV& is used with ⪰ being ≥, since Q characterizes a closed set.

Corollary 20 (Set Lyapunov functions with domains [36]). The following proof rule SLyap& is derivable in dL. Formula K characterizes a compact set over variables x, while formula P characterizes an open set over those variables.

Proof Sketch. Similar to the derivation of SLyap, but with an additional COR step, since both formulas p > 0 and P characterize open sets.

The staging sets with domain constraints proof rule SP& [39] uses axiom SAR:

Corollary 21 (Staging sets with domains [39]). The following proof rule SP& is derivable in dL. Term ε() is constant for the ODE x' = f(x), and the ODE has provable global solutions.

Proof Sketch. The derivation starts with a SAR step, and then uses rule SP.
The rules derived in Corollaries 18–21 demonstrate the flexibility of dL's refinement approach for deriving the surveyed liveness arguments as proof rules. Indeed, their derivations are mostly straightforward adaptations of the corresponding rules presented in Section 5, with the appropriate addition of either a COR or SAR refinement step. This flexibility is not limited to the surveyed liveness arguments, because refinement steps can also be freely mixed and matched for specific liveness questions.

Example 4 (Strengthening). The liveness property u² + v² = 1 → ⟨α_n⟩ u² + v² ≥ 2 was proved in Example 3 using the staging set formula S ≡ 1 ≤ u² + v² ≤ 2. Since S and u² + v² ≥ 2 characterize closed sets, axiom COR extends the chain of refinements (2) from Example 3 to a stronger liveness property for α_n. Formula S ≡ 1 ≤ u² + v² < 2 also proves Example 3 but does not characterize a closed set. Thankfully, the careful topological restriction of COR prevents unsoundly concluding the corresponding strengthened property. The refinement approach also enables the discovery of new, general liveness proof rules by combining refinement steps in alternative ways. As an example, the following chimeric proof rule combines ideas from Corollaries 14, 16, and 21:

Corollary 22 (Combination proof rule). The following proof rule SP^k_c& is derivable in dL. Formula S characterizes a compact set over variables x.

Proof Sketch. The derivation combines ideas from the derivations of dV_k (generalizing dV to higher derivatives), SP_c (compact staging sets), and SP& (refining domain constraints).

The logical approach of dL derives even complicated proof rules like SP^k_c& from a small set of sound logical axioms, which ensures their correctness. The proof rule E_c& below derives from SP^k_c& (for k = 1) and is adapted from the literature [35, Theorem 3.5], where additional restrictions were imposed on the sets characterized by Γ, P, Q, and different conditions were given compared to the left premise of E_c& (highlighted below). These original conditions were overly permissive as they are checked on sets that are smaller than necessary for soundness. See Appendix C for counterexamples.

Corollary 23 (Compact eventuality [35]). The following proof rule E_c& is derivable in dL. Formula Q ∧ ¬P characterizes a compact set over variables x.

Implementation
This section discusses an implementation of ODE existence and liveness proof rules in KeYmaera X, drawing on the refinement approach and the common refinement steps identified in the preceding sections. These proof rules are implemented as tactics in KeYmaera X [10], which are not soundness-critical. This arrangement allows the implementation of useful ODE liveness proof rules (Section 7.1) and their associated proof automation (Section 7.2), but with KeYmaera X's sound kernel as a safeguard against any implementation errors or mistakes in their derivations or side conditions. Nevertheless, for the sake of completeness, syntactic derivations of all liveness proof rules presented in this section are also given in Appendix B.4. All of the concrete ODE liveness examples in this article and elsewhere [39] have been formally proved in KeYmaera X using this implementation. By leveraging existing infrastructure in KeYmaera X, the implementation can also be used as part of liveness proofs for hybrid systems. It has been used for the liveness proofs (among others) of a case study involving a robot model driving along circular arcs in the plane [4].

Liveness Proof Rules
Atomic differential variants dV is a useful primitive proof rule to implement in KeYmaera X because many ODE liveness arguments, e.g., dV_{M=}, SP, use it. From a practical perspective though, rule dV as presented in Corollary 12 still requires users to provide a choice of the constant ε(), e.g., the proof in Example 2 uses ε() = 1/2. The following slight rephrasing of dV enables a more automated implementation.

Corollary 24 (Existential atomic differential variants [25]). The following proof rule dV_∃ (where ⪰ is either ≥ or >) is derivable in dL, where ε is a fresh variable and the ODE x' = f(x) has provable global solutions.
Proof Sketch (Appendix B.4). Rule dV ∃ derives from dV as a corollary.
Just like rule dV , rule dV ∃ requires a positive lower bound ε > 0 on the derivative of p along solutions. The difference is that rule dV ∃ asks a purely arithmetical question about the existence of a suitable choice for ε. This can be decided automatically to save user effort in identifying ε, but such automation comes at added computational cost because the decision procedure must now find a suitable instance of ε for the ∃ quantifier (or decide that none exist) rather than simply checking a user-provided instance. Thus, both dV ,dV ∃ are implemented to give users flexible control over the desired degree of automation in their proofs.
Another variation of dV is its semialgebraic generalization, i.e., where the goal region is described by a formula P formed from conjunctions and disjunctions of (in)equalities. Rules dV M = ,SP provide examples of such a generalization, but they are indirect generalizations because users must still identify an underlying (atomic) differential variant p as input when applying either rule. In contrast, the new semialgebraic generalization of dV below directly examines the syntactic structure of the goal region described by formula P . Its implementation is enabled by KeYmaera X's ODE invariance proving capabilities which are, in turn, based on dL's complete axiomatization for ODE invariants [31].
Corollary 25 (Semialgebraic differential variants). Let b be a fresh variable, and let the term ε() be constant for the ODE x' = f(x), t' = 1. Let P be a semialgebraic formula in the following normal form ([31, Eq 5]), and let G_P be its corresponding ε-progress formula (also in normal form):

The following proof rule derives in dL, where the ODE x' = f(x) has provable global solutions, and

The intuition behind the rule of Corollary 25 is similar to rule dV. As long as the solution has not yet reached the goal P, it grows towards the goal at "rate" ε(). The technical challenge is how to formally phrase the "rate" of growth for a semialgebraic formula P, which does not have a well-defined notion of derivative. The rule uses the ε-progress formula G_P together with the semialgebraic progress formulas (footnote 9)

Example 5 (Non-differentiable progress functions [39]). Consider the following liveness formula with two inequalities in its postcondition:

Using the min function, formula (10) can be written equivalently with a single atomic inequality:

However, (11) is not a formula of real arithmetic (Section 2.1) and it does not have well-defined dL semantics. Indeed, rule dV does not work directly for proving (11) because the Lie derivative of its postcondition is not well-defined. One possible solution is to generalize dV by considering directional derivatives of continuous (but non-differentiable) functions such as min, max, as in [39, Section 5.2]. However, justifying the correctness of this option would require delicate changes to dL semantics. The rule of Corollary 25 instead proves (10) directly, without rephrasing and without the complications associated with directional derivatives. The proof is as follows, with ε() = 1 and

The proof starts by using the semialgebraic rule, where the assumption $\dot{(\neg P)}^{(*)}$ in its premise is weakened as it is unnecessary for the proof. Unfolding the definition of $\dot{(G_P)}^{(*)}$ and simplifying leaves an arithmetical question. The right conjunct is omitted for brevity since the argument is symmetric. The left conjunct of the succedent proves with real arithmetic R because the assumptions u

More generally, for a liveness postcondition comprising a conjunction of atomic inequalities p ⪰ 0 ∧ q ⪰ 0 (where ⪰ stands for either ≥ or > in either conjunct), the premise resulting from applying the semialgebraic rule simplifies in real arithmetic to the following arithmetical premise:

The arithmetical premise (12) is equivalent to the corresponding arithmetical conditions given in [39, Example 14], and both are decidable in real arithmetic. The intuition behind (12) is that whenever p is further from the goal than q, then p is required to make ε progress towards the goal (symmetrically when q is further than p from the goal). A similar simplification of the rule for a disjunction p ⪰ 0 ∨ q ⪰ 0 is shown in (13), which asks for the term closer to the goal to make ε progress towards the goal instead. Further simplifications for semialgebraic formulas P are obtained as nested combinations of (12) and (13).

9 The arithmetic formula $\dot{P}^{(*)}$ exactly characterizes that the ODE x' = f(x) makes local progress in P for some nonzero duration, see prior work [31, Thm. 6.6].
The two variations of dV shown in Corollaries 24 and 25 (and their implementation) allow users to focus on high-level liveness arguments in KeYmaera X rather than low-level derivation steps. Another key usability improvement afforded by the implementation is the sound and automatic enforcement of the appropriate side conditions for every proof rule. The common side conditions for ODE liveness proof rules presented in this article can be broadly classified as follows:
1. Freshness side conditions on variables, e.g., in rules dV, dV∃, and the semialgebraic variant of dV (Corollary 25). These are automatically enforced in the implementation because KeYmaera X's kernel insists on fresh names when required for soundness. Renaming with fresh variables is also automatically supported.
2. Global existence of ODE solutions. These are semi-automatically proved, as in Section 7.2.
3. Topological side conditions, e.g., in axiom COR and rules dV&, dV_M=&. These conditions are important to enforce correctly because they may otherwise lead to subtle soundness errors (e.g., Section 6). The implementation uses syntactic criteria for checking these side conditions (Appendix A.3).
An example topological ⟨·⟩ ODE refinement axiom (cf. Lemma 4) and its corresponding proof rule implemented in KeYmaera X with syntactic topological side conditions is given next.
Lemma 26 (Closed domain refinement axiom). The following topological ⟨·⟩ ODE refinement axiom CR is sound, where formula Q characterizes a topologically closed set over variables x, and formula $\mathring{Q}$ characterizes the topological interior of the set characterized by Q.

Corollary 27 (Closed domain refinement rule). The following proof rule cR is derivable in dL, where formula Q is formed from finite conjunctions and disjunctions of non-strict inequalities ≥, ≤, and formula $Q^{>}_{\geq}$ is identical to Q but with strict inequalities >, < in place of ≥, ≤ respectively.

Axiom CR is a variant of axiom COR with different topological conditions. Like COR, these conditions allow formula ¬P to be assumed in the domain constraint when proving the box refinement for CR. The corresponding proof rule cR gives syntactic side conditions for the formulas Q, $Q^{>}_{\geq}$, which are easily checked by the implementation; e.g., the formula $Q^{>}_{\geq}$ can be automatically generated from Q. The advantage of CR over COR, SAR manifests in the domain constraint of the middle premise of rule cR: here, the closed domain constraint Q can be additionally assumed when proving that solutions stay within $\mathring{Q}$. The implementation provides rule cR as a powerful primitive for refining domain constraints amongst other options, e.g., DR⟨·⟩.

Proof Support
Beyond enabling the sound implementation of complex ODE liveness proof rules such as those in Section 7.1, tactics can also provide substantial proof support for users.

Automatic Dependency Ordering
Recall derived axiom GBEx from Corollary 10, which proves (global) existence of solutions for an ODE x' = f(x). A user of the axiom must still identify precisely which dependency order (4) to use, and provide the sequence of bounded sets B_i for each group of variables y_i involving nonlinear ODEs. The canonical choice of such a dependency order can be automatically produced by a tactic using a topological sort of the strongly connected components (SCCs) of the dependency graph of the ODE.
[Figure 2: dependency graph over x_1, ..., x_8 with strongly connected components y_4 = {x_1, x_4, x_5}, y_3 = {x_2, x_6}, y_2 = {x_3}, y_1 = {x_7, x_8}.] Figure 2: A possible dependency graph corresponding to an ODE over the variables x_1, ..., x_8. There is a directed edge (drawn as an arrow) x_i → x_j if the ODE for x_i depends on free variable x_j. Each dashed rectangle is a strongly connected component. Reverse topologically sorting these components yields one possible grouping of the variables y_1, ..., y_4 in dependency order. The vertices in y_1 are not connected to those in y_2, y_3, y_4, so the order between these groups can be chosen arbitrarily.
More precisely, to prove global existence for an ODE x' = f(x), consider the dependency graph G where each variable x_i is a vertex, with a directed edge from x_i to x_j if the RHS f_i(x) for x_i depends on free variable x_j. First, compute the SCCs of G, and then topologically sort the SCCs. The groups of variables y_i can be chosen according to the vertices in each SCC in reverse topological order. An illustrative example with four SCCs is shown in Fig. 2.
After finding the appropriate SCC order (as in Fig. 2), the global existence tactic can now check if the ODEs corresponding to the variables in each SCC y_i are affine and, if that is the case, it proves global existence for those variables automatically. For example, if the SCC y_4 ≡ {x_1, x_4, x_5} had affine dependencies, then the ODE solution could be proved automatically to be global in the variables x_1, x_4, x_5 following the proof in Corollary 8. On the other hand, suppose the SCC y_3 ≡ {x_2, x_6} had nonlinear dependencies; then users are prompted to input a bounded set (or a bound on derivatives) over variables x_2, x_6 in order to prove global existence for those variables. This process continues similarly for the SCCs y_2 and y_1 until global existence is proved for the full ODE. This process minimizes the manual effort required of the user in proving global existence by focusing their attention only on the (automatically identified) nonlinear parts of the ODE.
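The dependency-ordering step described above, as an added worked example written for this article's exposition (it is illustrative code, not the KeYmaera X tactic). The sample ODE is constructed to have the same four-group structure as Fig. 2: the right-hand sides are stored as lists of monomials, the dependency graph is built from the free variables, the SCCs are computed with Tarjan's algorithm (whose emission order is a reverse topological order of the condensation, i.e., a dependency order), and each group is classified as affine in its own variables, which the tactic discharges automatically, or nonlinear, which is where the user is asked for a bounded set.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# A right-hand side is a sum of monomials: (coefficient, {variable: exponent}).
Monomial = Dict[str, int]
Rhs = List[Tuple[float, Monomial]]
Ode = Dict[str, Rhs]

# Constructed sample system (not from the article) with the grouping of Fig. 2.
SAMPLE_ODE: Ode = {
    "x1": [(1.0, {"x4": 1})],                             # x1' = x4
    "x4": [(1.0, {"x5": 1}), (-1.0, {"x1": 1})],          # x4' = x5 - x1
    "x5": [(1.0, {"x1": 1, "x2": 1}), (1.0, {"x1": 1})],  # x5' = x1*x2 + x1 (affine in x1,x4,x5)
    "x2": [(1.0, {"x2": 1, "x6": 1})],                    # x2' = x2*x6 (nonlinear in x2,x6)
    "x6": [(1.0, {"x2": 1}), (1.0, {"x3": 1})],           # x6' = x2 + x3
    "x3": [(1.0, {"x3": 2})],                             # x3' = x3^2 (univariate, nonlinear)
    "x7": [(2.0, {"x8": 1}), (1.0, {})],                  # x7' = 2*x8 + 1
    "x8": [(-1.0, {"x7": 1})],                            # x8' = -x7
}

def free_vars(rhs: Rhs) -> Set[str]:
    return {v for _, mono in rhs for v in mono}

def dependency_graph(ode: Ode) -> Dict[str, Set[str]]:
    """Edge x_i -> x_j iff the RHS of x_i mentions the ODE variable x_j."""
    return {x: free_vars(rhs) & set(ode) for x, rhs in ode.items()}

def strongly_connected_components(graph: Dict[str, Set[str]]) -> List[FrozenSet[str]]:
    """Tarjan's algorithm. A component is emitted only after every component
    reachable from it, so the result is already in dependency order
    (a reverse topological order of the condensation DAG)."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    stack: List[str] = []
    on_stack: Set[str] = set()
    comps: List[FrozenSet[str]] = []

    def visit(v: str) -> None:
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in sorted(graph[v]):           # sorted for deterministic output
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            comps.append(frozenset(comp))

    for v in sorted(graph):
        if v not in index:
            visit(v)
    return comps

def is_affine_in(rhs: Rhs, group: FrozenSet[str]) -> bool:
    """Affine in the group's own variables: every monomial has total degree <= 1
    in those variables; variables of earlier groups may appear with any degree."""
    return all(sum(e for v, e in mono.items() if v in group) <= 1 for _, mono in rhs)

def existence_plan(ode: Ode) -> List[Tuple[FrozenSet[str], str]]:
    """Groups y_1, ..., y_k in dependency order, each tagged 'affine' (global
    existence proved automatically, as in Corollary 8) or 'nonlinear' (the user
    must supply a bounded set or a derivative bound for that group)."""
    plan = []
    for group in strongly_connected_components(dependency_graph(ode)):
        kind = "affine" if all(is_affine_in(ode[x], group) for x in group) else "nonlinear"
        plan.append((group, kind))
    return plan

def in_dependency_order(ode: Ode, groups: List[FrozenSet[str]]) -> bool:
    """Dependency-order property (4): the RHS of group y_i only mentions
    variables of y_1, ..., y_i."""
    seen: Set[str] = set()
    for group in groups:
        seen |= group
        if any((free_vars(ode[x]) & set(ode)) - seen for x in group):
            return False
    return True

if __name__ == "__main__":
    for group, kind in existence_plan(SAMPLE_ODE):
        print(sorted(group), kind)
```

For the sample system the plan lists {x3} and {x2, x6} as nonlinear (user input needed) before the affine groups {x1, x4, x5} and {x7, x8}; the independent group {x7, x8} could equally be placed first, matching the remark about y_1 in Fig. 2.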
To drive global existence proof automation further, key special cases can be added to the method described above. One such special case for univariate ODEs is exemplified below.
Example 6 (Global existence for univariate ODEs). Consider the case where a variable group has just one variable and no further dependencies, e.g., y_2 ≡ {x_3} in Fig. 2 or α_b from Section 4. Global existence for such univariate ODEs is decidable, even if the RHS is highly nonlinear [14].
The idea is from dynamical systems theory: for univariate polynomial ODEs, all solutions either asymptotically approach a root of the polynomial RHS or diverge to infinity. Fig. 3 illustrates the dynamical systems view of a univariate ODE. For all initial conditions x between points r_1 and r_3 (inclusive), the ODE solution exists globally. Conversely, for all other initial conditions, the solution blows up in finite time because f(x) is nonlinear. Therefore, for a nonlinear univariate polynomial ODE x' = f(x) and initial assumptions Γ, it suffices to check validity of the following sequent to decide global existence:

The existentially quantified variable r corresponds to a fixed point (a root with f(r) = 0). Disjunct a checks whether the solution approaches r from the left, e.g., the points between r_1 and r_2 in Fig. 3 approach r_2 from the left. Alternatively, disjunct b checks whether the solution approaches r from the right. The implementation checks validity of this sequent for univariate nonlinear ODEs and then proves global existence using BDG⟨·⟩ because the solution is provably trapped between the initial value of x and the fixed point r.
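The decision procedure of Example 6, as an added worked example written for this exposition (it is not the KeYmaera X implementation, which discharges the sequent with a real-arithmetic decision procedure). It represents f as a polynomial with exact rational coefficients, uses Sturm's theorem to count the real roots of f on the side the solution moves towards, and reports which case proves global existence: a fixed point, disjunct a (a root r > x_0 approached from the left), disjunct b (a root r < x_0 approached from the right), or none, in which case a nonlinear polynomial ODE blows up in finite time. Function names and the polynomial encoding are this example's own.

```python
from fractions import Fraction
from typing import List, Optional

# f(x) = c[0] + c[1]*x + ... + c[d]*x^d with exact rational coefficients.
Poly = List[Fraction]

def trim(p: Poly) -> Poly:
    """Drop leading zero coefficients so that len(p) - 1 is the true degree."""
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def poly(*coeffs) -> Poly:
    return trim([Fraction(c) for c in coeffs])

def degree(p: Poly) -> int:
    return len(trim(p)) - 1          # -1 for the zero polynomial

def evaluate(p: Poly, x: Fraction) -> Fraction:
    acc = Fraction(0)
    for c in reversed(p):            # Horner's scheme
        acc = acc * x + c
    return acc

def derivative(p: Poly) -> Poly:
    return trim([i * c for i, c in enumerate(p)][1:])

def remainder(a: Poly, b: Poly) -> Poly:
    """Polynomial remainder of a modulo b over the rationals (b != 0)."""
    a, b = trim(a), trim(b)
    while a and len(a) >= len(b):
        coef = a[-1] / b[-1]
        shift = len(a) - len(b)
        for i, c in enumerate(b):
            a[i + shift] -= coef * c
        a = trim(a)
    return a

def sturm_sequence(p: Poly) -> List[Poly]:
    seq = [trim(p), derivative(p)]
    while seq[-1]:
        seq.append([-c for c in remainder(seq[-2], seq[-1])])
    return seq[:-1]

def sign_changes(seq: List[Poly], x: Fraction) -> int:
    vals = [v for v in (evaluate(q, x) for q in seq) if v != 0]
    return sum(1 for u, v in zip(vals, vals[1:]) if (u > 0) != (v > 0))

def roots_in(seq: List[Poly], a: Fraction, b: Fraction) -> int:
    """Sturm's theorem: number of distinct real roots in (a, b] for a < b, p(a) != 0."""
    return sign_changes(seq, a) - sign_changes(seq, b)

def root_bound(p: Poly) -> Fraction:
    """Cauchy bound: every real root r of p satisfies |r| < B."""
    p = trim(p)
    return 2 + max(abs(c) for c in p[:-1]) / abs(p[-1])

def trapping_case(f: Poly, x0: Fraction) -> Optional[str]:
    """Which case proves global existence for x' = f(x), x(0) = x0, or None
    if the solution blows up in finite time:
      'affine': deg f <= 1, all solutions are global
      'fixed' : f(x0) = 0, the solution is constant
      'a'     : f(x0) > 0 and some root r > x0, the solution increases towards r
      'b'     : f(x0) < 0 and some root r < x0, the solution decreases towards r
    In cases a and b the solution stays in the bounded interval between x0 and
    the nearest such root, which is what the BDG<.> step needs. With deg f >= 2
    and no root on that side, f keeps its sign, the solution is unbounded and
    1/f is integrable at infinity, so the escape happens in finite time."""
    f = trim(f)
    if degree(f) <= 1:
        return "affine"
    v = evaluate(f, x0)
    if v == 0:
        return "fixed"
    seq, bound = sturm_sequence(f), root_bound(f)
    if v > 0:
        return "a" if roots_in(seq, x0, bound) > 0 else None
    return "b" if roots_in(seq, -bound, x0) > 0 else None

def globally_exists(f: Poly, x0) -> bool:
    return trapping_case(f, Fraction(x0)) is not None
```

For x' = x² the example reports disjunct a from x_0 = −1 (the solution −1/(1 + t) approaches the root 0) and blow-up from x_0 = 1 (the solution 1/(1 − t) escapes at t = 1); for x' = x² + 1 it reports blow-up from every initial value, since f has no real root.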

Differential Cuts for Liveness Proofs
Differential cuts dC provide a convenient way to structure and stage safety proofs for ODEs in dL. An in-depth discussion is available elsewhere [30], but the idea is illustrated by the following derivation:

The derivation uses a sequence of differential cut steps to progressively add the cuts C_1, C_2, ..., C_n to the domain constraint. A final dW step completes the proof when the postcondition P is already implied by the (now strengthened) domain constraint. Intuitively, the differential cuts are akin to lemmas in this derivation. For example, by proving the premise Γ ⊢ [x' = f(x) & Q]C_1, the cut C_1 can now be assumed in the domain constraints of subsequent steps. Just like the cut rule from sequent calculus, differential cuts dC allow safety proofs for ODEs to be staged through a sequence of lemmas about those ODEs.
For proof modularity and maintainability, it is desirable to enable a similar staging for ODE liveness proofs. Concretely, suppose that the formula [x' = f(x) & Q]C has been proved as a cut:

The challenge is how to (soundly) use this lemma in subsequent derivation steps (shown as ···). Note that naïvely replacing Q with Q ∧ C in the domain constraint of the succedent does not work. This may even do more harm than good because the resulting ODE liveness question becomes more difficult (Section 6).
The refinement-based approach to ODE liveness provides a natural answer. Recall that each refinement step in the chain (2) requires the user to prove an additional box modality formula. The insight is that, for these box modality formulas, any relevant lemmas that have been proved can be soundly added to the domain constraint. For example, suppose that rule K& is used to continue the proof after the cut. The left premise of K& can now be strengthened to include C in its domain constraint:

Users could manually track and apply lemmas using dC as shown above, but this quickly becomes tedious in larger liveness proofs. The implementation instead provides users with tactics that automatically search the antecedents Γ for compatible assumptions that can be used to strengthen the domain constraints. These tactics also use a form of ODE unification when determining compatibility. More precisely, consider the box modality formula [x' = f(x) & Q]P, which may arise as a box refinement during a liveness proof. The antecedent formula [y' = g(y) & R]C is called a compatible assumption for [x' = f(x) & Q]P if:
1. The set of ODEs y' = g(y) is a subset of the set of ODEs x' = f(x). This is order-agnostic, e.g.,
2. The domain constraint Q implies domain constraint R, i.e., Q → R is valid.
Under these conditions, the ODE y' = g(y) & R permits more trajectories than the ODE of concern x' = f(x) & Q. Thus, if formula C is always true along solutions of the former ODE, then it also stays true along solutions of the latter. Combining compatible assumptions with implementations of liveness proof rules yields turbo-charged versions of those rules. For example, in rule dV∃, instead of simply assuming the negation of the postcondition (¬(p ⪰ 0) → ···) when determining the existence of a suitable ε, all postconditions of compatible assumptions can be assumed, e.g., with ¬(p ⪰ 0) ∧ C → ··· for postcondition C of a compatible assumption.

Related Work
Existence and Liveness Proof Rules. The ODE liveness arguments surveyed in this article were originally presented in various notations, ranging from proof rules [25,39,41] to other mathematical notation [34,35,36,39]. All of them were justified directly through semantical or mathematical means. This article unifies and corrects all of these arguments, and presents them as dL proof rules which are syntactically derived by refinement from dL axioms.
To the best of our knowledge, this article is also the first to present a deductive approach for syntactic proofs of existence properties for ODEs. In the surveyed liveness arguments [25,34,35,36,39,41], sufficient existence duration is either assumed explicitly or is implicitly used in the correctness proofs. Such a hypothesis is unsatisfactory, since the global existence of solutions for (nonlinear) ODEs is a non-trivial question; in fact, it is undecidable even for polynomial ODEs [14]. Formal proofs of any underlying existence assumptions thus yield stronger (unconditional) ODE liveness proofs. Of course, such existence properties are an additional proof burden, but Section 7 also shows that implementations can help by automating easy existence questions, e.g., for affine systems where global existence is well-known. A related problem arising in the study of hybrid systems is Zeno phenomena [18,44], where a trajectory of a hybrid model makes infinitely many (discrete) transitions in finite (continuous) time. Like finite time blow up, Zeno phenomena typically occur as abstraction artifacts of hybrid systems models, and they do not occur in real systems. Thus, analogous to the question of global existence, absence of Zeno phenomena must either be assumed (or Zeno trajectories explicitly excluded) [18,25], or proved when specifying and verifying properties of such systems [44].
Other Liveness Properties. The liveness property studied in this article is the continuous analog of eventually [22] or eventuality [35,39] from temporal logics. In discrete settings, temporal logic specifications give rise to a zoo of liveness properties [22]. In continuous settings, weak eventuality (requiring almost all initial states to reach the goal region) and eventuality-safety have been studied [34,35]. In adversarial settings, differential game variants [29] enable proofs of winning strategies for differential games. In dynamical systems and controls, the study of asymptotic stability requires both stability (an invariance property) with asymptotic attraction towards a fixed point or periodic orbit (an eventuality-like property) [6,36]. For hybrid systems, various authors have proposed generalizations of classical asymptotic stability, such as persistence [40], stability [32], and inevitability [8]. Controlled versions of these properties are also of interest, e.g., (controlled) reachability and attractivity [1,41]. Eventuality(-like) properties are fundamental to all of these advanced liveness properties. The formal understanding of eventuality in this article is therefore a key step towards enabling formal analysis of more advanced liveness properties.
Automated Liveness Proofs. Automated reachability analysis tools [5,9] can also be used for liveness verification. For an ODE and initial set X_0, computing an over-approximation O of the reachable set X_t ⊆ O at time t shows that all states in X_0 reach O at time t [40] (if solutions do not blow up). Similarly, an under-approximation U ⊆ X_t shows that some state in X_0 eventually reaches U [13] (if U is non-empty). Neither approach handles domain constraints directly [13,40] and, unlike deductive approaches, the use of reachability tools limits them to concrete time bounds t and bounded initial sets X_0. Deductive liveness approaches can also be (partially) automated, as shown in Section 7. Lyapunov functions guaranteeing (asymptotic) stability can be found by sum-of-squares (SOS) optimization [24]. Liveness arguments can be similarly combined with SOS optimization to find suitable differential variants [34,35]. Other approaches are possible, e.g., a constraint solving-based approach can be used for finding the so-called set Lyapunov functions [36] (e.g., the term p used in SLyap, SLyap&). Crucially, automated approaches must ultimately be based on sound underlying liveness arguments. The correct justification of these arguments is precisely what this article enables.

Conclusion
This article presents a refinement-based approach for proving liveness and, as a special case, global existence properties for ODEs in dL. The associated KeYmaera X implementation demonstrates the utility of this approach for formally proving concrete ODE liveness questions. Beyond the particular proof rules derived in the article, the exploration of new and more general ODE liveness proof rules is enabled by simply piecing together more refinement steps in dL, or in the KeYmaera X implementation of those steps. Given its wide applicability and correctness guarantees, this approach is a suitable framework for justifying ODE liveness arguments, even for readers less interested in the logical aspects. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity.

A Proof Calculus
This appendix presents the dL proof calculus that underlies the refinement approach of this article. For ease of reference, all of the core axioms and proof rules presented in the main article are summarized here, along with their proofs (where necessary).

A.1 Base Calculus
The following lemma summarizes the base dL axioms and proof rules used in this article. Lemma 28 subsumes Lemma 1 with the addition of the differential ghost axiom (DG from Section 2.3) and three axioms ([·]∧, DMP, DX). The latter three additions are used in derivations in Appendix B.
Lemma 28 (Axioms and proof rules of dL [28,30,31]). The following are sound axioms and proof rules of dL. In axiom DG, the ∃ quantifier can be replaced with a ∀ quantifier.
Axiom [·]∧ derives from axiom K [28,30]. It commutes box modalities and their conjunctive postconditions because the conjunction P ∧ R is true after all runs of hybrid program α iff the individual conjuncts P, R are themselves true after all runs of α. Axiom DMP is the modus ponens principle for domain constraints. The differential skip axiom DX is a reflexivity property of differential equation solutions. The "←" direction says that if domain constraint Q is initially false, then the formula [x' = f(x) & Q]P is trivially true in that initial state because no solution of the ODE stays in the domain constraint. Thus, this direction of DX allows domain constraint Q to be assumed true initially when proving [x' = f(x) & Q]P (shown below, on the left). The "→" direction has the following equivalent contrapositive reading using ⟨·⟩ and propositional simplification: if the domain constraint Q and postcondition P were both true initially, then ⟨x' = f(x) & Q⟩P is true because of the trivial solution of duration zero. When proving the liveness property ⟨x' = f(x) & Q⟩P, one can therefore always additionally assume ¬(Q ∧ P) because, by DX, there is nothing to prove otherwise (shown below, on the right).
Rule dGt from Section 4 is useful for adding a fresh time variable t in ODE existence and liveness proofs. It derives as shown below, using axiom ⟨·⟩ to switch between the box and diamond modalities, and using DG to introduce a universally quantified time variable t which is then instantiated using ∀L to t = 0.

Rule dGt and its derivation:

The bounded differential ghost axiom BDG from Lemma 2 (quoted and proved below) is a new vectorial generalization of DG which allows differential ghosts with provably bounded ODEs to be added.

Axiom BDG:

Proof of Lemma 2. The proof of BDG is similar to that for the differential ghosts axiom [28], but generalizes it to support vectorial, nonlinear ODEs by adding a precondition on boundedness of solutions. Let y be a vector of m fresh variables and y' = g(x, y) be its corresponding vector of ghost ODEs. Both directions of the (inner) equivalence of axiom BDG are proved separately.
"→" The (easier) "→" direction does not require the outer bounding assumption of BDG, i.e., the implication is valid for any ODE y' = g(x, y) meeting the freshness condition on y. The proof for this direction is identical to the proof of soundness for differential ghosts [28, Theorem 38].
"←" Let y(·) : [0, T_y) → R^m similarly denote the projection of ϕ_y onto its y coordinates and ‖y(·)‖² denote the squared norm evaluated along y(·). Since T_y ≤ τ < T, note that y(·) must be the unique right-maximal solution of the time-dependent differential equation y' = g(x(t), y). Otherwise, if there is a longer solution ψ : [0, ζ) → R^m for y' = g(x(t), y) which exists for time ζ with T_y < ζ ≤ T, then the combined solution given by (x(t), ψ(t)) : [0, ζ) → R^n × R^m extends ϕ_y beyond T_y (by keeping all variables other than x, y constant at their initial values in state ω). This contradicts right-maximality of ϕ_y. Moreover, since T_y ≤ τ, for all times 0 ≤ ζ < T_y, by assumption, ϕ(ζ) ∈ [[Q(x)]], so the solution ϕ_y satisfies ϕ_y(ζ) ∈ [[Q(x)]] by coincidence for formulas [28]. Thus, from (14), for all times 0 ≤ ζ < T_y, the squared norm is bounded by p_max:

i.e., T_y = T, which contradicts T_y ≤ τ < T.
The following lemma presents additional dL ODE invariance proof rules that are used in the derivations in Appendix B. These invariance proof rules are not the main focus of this article but they are nevertheless useful for simplifying or deriving the premises of this article's existence and liveness proof rules.
Lemma 29 (ODE invariance proof rules of dL [31]). The following are derived ODE invariance proof rules of dL. In rule dbx, g is any polynomial cofactor term. In rule sAI&, the progress formulas (e.g., $\dot{(\neg P)}^{-(*)}$) are semialgebraic progress formulas [31, Def. 6.4] with respect to x' = f(x). In rule Enc, formula P is formed from finite conjunctions and disjunctions of strict inequalities >, <, and formula $P^{\geq}_{>}$ is identical to P but with non-strict inequalities ≥, ≤ in place of >, < respectively.
Proof. These ODE invariance proof rules are all derived from the complete dL axiomatization for ODE invariants [31].
Rule dbx is the Darboux inequality proof rule for the invariance of p ⪰ 0 which derives using dI, dC, DG; see [31, Section 3.2] for an extensive explanation of the proof rule. Rule sAI& is dL's complete proof rule for ODE invariants, i.e., the formula P is invariant for ODE x' = f(x) & Q iff it proves by rule sAI&. For closed (resp. open) semialgebraic formulas P, the right (resp. left) premise of rule sAI& closes trivially [31]. This simplification is useful for obtaining more succinct proof rules, e.g., the semialgebraic variant of dV (Corollary 25) makes use of it. Rule Barr is a dL rendition of the strict barrier certificates proof rule [7,33] for invariance of p ⪰ 0. Intuitively, the premise says that p = 0 is a barrier along which the value of p is increasing along solutions (succedent $\dot{p} > 0$), so it is impossible for solutions starting from p ⪰ 0 to cross this barrier into ¬(p ⪰ 0). It derives as a special case of rule sAI&. Finally, rule Enc says that, in order to prove invariance for a formula P which characterizes an open set, it suffices to prove it assuming $P^{\geq}_{>}$ in the domain constraint, where $P^{\geq}_{>}$ relaxes all strict inequalities in P and thus provides an over-approximation of the topological closure of the set characterized by P.

A.2 Refinement Calculus
The following ODE liveness refinement axioms are quoted from Lemma 3, and their syntactic derivations in the dL proof calculus are given below.
Proof of Lemma 3. The four axioms are derived in order.
K& Axiom K& is derived as follows, starting with ⟨·⟩, ¬L, ¬R to dualize the diamond modalities in the antecedent and succedent to box modalities. A dC step using the right antecedent completes the proof.

BDG⟨·⟩ Axiom BDG⟨·⟩ derives from axiom BDG after using axiom ⟨·⟩ to dualize diamond modalities to box modalities. The leftmost antecedent is abbreviated:

DDG⟨·⟩ Axiom DDG⟨·⟩ derives as a differential version of axiom BDG⟨·⟩ with the aid of DG. The derivation starts with ⟨·⟩, ¬L, ¬R to turn the diamond modalities in the sequent into box modalities. Axiom DG then introduces the fresh ghost ODE z' = L(x)z + M(x), where the antecedents are universally quantified over the ghost variable z while the succedent is existentially quantified. The quantifiers are then instantiated using ∀L, ∃R, with z = ‖y‖², so that z stores the initial value of the squared norm of y. Axiom BDG is used with y' = g(x, y) as the ghost ODEs and with p(x, z) ≡ z. The antecedents are abbreviated:

From the resulting open premise, a dC step adds the postcondition of R_z to the domain constraint of the succedent, while M[·] rearranges the postcondition into the form expected by rule dbx. The proof is completed using dbx with cofactor g = L(x). The resulting arithmetic proves because the Lie derivative of z − ‖y‖² is bounded above by the following calculation, where the inequality from the domain constraint is used in the second step.
The ODEs x' = f(x), y' = g(x, y), z' = L(x)z + M(x) are abbreviated ··· in the derivation below.

The following topological ⟨·⟩ ODE refinement axioms are quoted from Lemmas 4 and 26. The topological side conditions for these axioms are listed in Lemmas 4 and 26 respectively. For semialgebraic postcondition P and domain constraints Q, R, these refinement axioms derive syntactically from dL's real induction axiom [31, Lemma A.2]. For the sake of generality, the proofs below directly use the topological conditions.

…, then t < τ and furthermore, by (17), … Since the interior is topologically open, by (16), there exists ε > 0 where t + ε < τ such that … for all 0 ≤ ζ ≤ ε. By definition of the supremum, for every such ε > 0, there exists ϕ(t + ζ) ∈ [[P]] for some ζ where 0 < ζ ≤ ε. This yields the desired conclusion.
SAR For axiom SAR, assume that … If … Since Q is a formula of first-order real arithmetic, solutions of polynomial ODEs either locally progress into the set characterized by Q or into the set characterized by ¬Q [31,39]. In particular, there exists ε > 0, where t + ε < τ, such that either (1) … for all 0 < ζ ≤ ε. By definition of the supremum, for every such ε there exists ϕ(t + ζ) ∈ [[P]] for some ζ where 0 < ζ ≤ ε.
If the formula Q is further assumed to characterize an open set, this sub-case (1) is the only possibility, even if Q is not a formula of first-order real arithmetic, because ϕ(t) ∈ [[Q]] implies that ϕ continues to satisfy Q for some time interval to the right of t by (16).
…, which yields a contradiction.
The refinement axioms are pieced together in refinement chains (2) to build ODE existence and liveness proof rules in a step-by-step manner. However, all such refinement chains (2) start from an initial hypothesis ⟨x' = f(x) & Q_0⟩P_0 from which the subsequent implications are proved. The time existence axiom TEx from Section 4.1 provides the sole initial hypothesis that is needed for the refinement approach of this article.

A.3 Topological Side Conditions
In Section 2.2, topological conditions are defined for formulas φ that only mention free variables x occurring in an ODE x' = f(x). For example, φ is said to characterize an open set with respect to x iff the set [[φ]] is open when considered as a subset of R^n (over variables x = (x_1, ..., x_n)). This section defines a more general notion, where φ is allowed to mention additional free parameters y that do not occur in the ODE. Adopting these (parametric) side conditions makes the topological refinement axioms that use them, like COR, CR, more general. Let x = (x_1, ..., x_n), let (y_1, ..., y_r) = V \ {x} be the parameters, and let ω ∈ S be a state. For brevity, write y = (y_1, ..., y_r) for the parameters and ω(y) = (ω(y_1), ..., ω(y_r)) ∈ R^r for the component-wise projection, and similarly for ω(x) ∈ R^n. Given the set [[φ]] ⊆ S and γ ∈ R^r, define:

The set [[φ]]_γ ⊆ R^n is the projection onto variables x of all states ω that satisfy φ and have values γ for the parameters y. Formula φ characterizes a (topologically) open (resp. closed, bounded, compact) set with respect to variables x iff for all γ ∈ R^r, the set [[φ]]_γ ⊆ R^n is topologically open (resp. closed, bounded, compact) with respect to the Euclidean topology.
These topological side conditions are decidable [3] for first-order formulas of real arithmetic P, Q because in Euclidean spaces they can be phrased as conditions in first-order real arithmetic. The following conditions are standard [3], although special care is taken to universally quantify over the parameters y. Let P(x, y) be a formula mentioning variables x and parameters y; then it is (with respect to variables x):
• open if the formula $\forall y\,\forall x\,\big(P(x,y) \to \exists \varepsilon{>}0\,\forall z\,(\|x - z\|^2 < \varepsilon^2 \to P(z,y))\big)$ is valid, where the variables z = (z_1, ..., z_n) are fresh for P(x, y),
• closed if its negation ¬P(x, y) is open in the above sense (a set is closed iff its complement is open),
• bounded if the formula $\forall y\,\exists r{>}0\,\forall x\,(P(x,y) \to \|x\|^2 < r^2)$ is valid, where variable r is fresh for P(x, y),
• compact if it is closed and bounded, by the Heine-Borel theorem [37, Theorem 2.4.1].
There are syntactic criteria that are sufficient (but not necessary) for checking whether a formula satisfies the semantic conditions. For example, the formula P(x, y) is (with respect to variables x):
• open if it is formed from finite conjunctions and disjunctions of strict inequalities (≠, >, <),
• closed if it is formed from finite conjunctions and disjunctions of non-strict inequalities (=, ≥, ≤),
• bounded if it is of the form ‖x‖² ⪯ p(y) ∧ R(x, y), where ⪯ is either ≤ or <, p(y) is a term depending only on the parameters y and R(x, y) is a formula. This syntactic criterion uses the fact that the intersection of a bounded set (characterized by ‖x‖² ⪯ p(y)) with any set (characterized by R(x, y)) is bounded. The formula P(x, y) is also compact if ⪯ is ≤ and R(x, y) is closed.
These syntactic criteria are easily checkable by an implementation that inspects the syntactic shape of input formulas P . In contrast, checking the semantic topological conditions for P requires invoking expensive real arithmetic decision procedures. An application is shown for axiom CR, where its corresponding proof rule cR uses syntactic side conditions to enable an effective implementation.
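The syntactic open/closed criteria above, together with the generation of $Q^{>}_{\geq}$ from Q for rule cR (Corollary 27) and of $P^{\geq}_{>}$ from P for rule Enc (Lemma 29), as an added worked example written for this exposition rather than taken from KeYmaera X. Formulas are a small AST of conjunctions, disjunctions and atomic comparisons between term strings; the checks implement only the sufficient syntactic criteria, so a formula they reject may still be open or closed semantically, and the two rewrites reject exactly the operators (= for cR, ≠ for Enc) that the rules' side conditions exclude.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, Union

@dataclass(frozen=True)
class Atom:
    lhs: str
    op: str          # one of <, <=, >, >=, =, !=
    rhs: str

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Or:
    left: "Formula"
    right: "Formula"

Formula = Union[Atom, And, Or]

STRICT = {"<", ">", "!="}
NONSTRICT = {"<=", ">=", "="}

def atoms(f: Formula) -> Iterator[Atom]:
    if isinstance(f, Atom):
        yield f
    else:
        yield from atoms(f.left)
        yield from atoms(f.right)

def syntactically_open(f: Formula) -> bool:
    """Sufficient criterion: only strict comparisons under conjunction/disjunction."""
    return all(a.op in STRICT for a in atoms(f))

def syntactically_closed(f: Formula) -> bool:
    """Sufficient criterion: only non-strict comparisons under conjunction/disjunction."""
    return all(a.op in NONSTRICT for a in atoms(f))

def map_ops(f: Formula, table: Dict[str, str]) -> Formula:
    """Rebuild f with every comparison operator replaced via table; an operator
    missing from table violates the side condition of the rule being applied."""
    if isinstance(f, Atom):
        if f.op not in table:
            raise ValueError(f"operator {f.op!r} is not allowed here")
        return Atom(f.lhs, table[f.op], f.rhs)
    return type(f)(map_ops(f.left, table), map_ops(f.right, table))

def strictify(q: Formula) -> Formula:
    """Q -> Q^>_>= for rule cR: Q may only use >=, <= (no '=')."""
    return map_ops(q, {">=": ">", "<=": "<"})

def relax(p: Formula) -> Formula:
    """P -> P^>=_> for rule Enc: P may only use >, < (no '!=')."""
    return map_ops(p, {">": ">=", "<": "<="})

def show(f: Formula) -> str:
    if isinstance(f, Atom):
        return f"{f.lhs} {f.op} {f.rhs}"
    sym = "&" if isinstance(f, And) else "|"
    return f"({show(f.left)} {sym} {show(f.right)})"

# Constructed example: a closed domain constraint Q over x, y with a parameter c.
Q_EXAMPLE: Formula = And(Atom("x", ">=", "0"),
                         Or(Atom("y", "<=", "c"), Atom("x^2 + y^2", "<=", "1")))
```

For Q_EXAMPLE the closed check succeeds, strictify produces (x > 0 & (y < c | x^2 + y^2 < 1)), which passes the open check, and relax maps that formula back to Q_EXAMPLE; an atom such as x = 0 makes strictify raise, which is the implementation's way of refusing to apply cR outside its side condition.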

B Derived Existence and Liveness Proof Rules
This appendix derives all of the existence and liveness proof rules of the main article. These derivations are based on the sound dL axioms presented in Appendix A. For ease of reference, this appendix is organized into four sections, corresponding to Sections 4-7 of the main article. The high-level intuition behind these proofs is available in the main article while motivation for important proof steps is given directly in the subsequent proofs. Further motivation for the surveyed liveness arguments can also be found in their original presentations [25,34,35,36,39,41].
2x · f(x)

The inequality (19) is a valid real arithmetic formula and thus provable by rule R. This enables the derivation below using axiom DDG⟨·⟩ because L, M satisfy the respective variable constraints of the axiom. The resulting left premise proves, after a dW step, by R. The resulting right premise, after the ODEs x' = f(x) have been removed, proves by axiom TEx.
Proof of Corollary 8. Assume that the ODE x' = f(x) has affine dependency order (4), i.e., where each ODE y_i' = g_i(y_1, ..., y_i) is of the affine form y_i' = A_i(y_1, ..., y_{i−1}) y_i + b_i(y_1, ..., y_{i−1}) for some matrix and vector terms A_i, b_i respectively with the indicated variable dependencies. From the proof sketch for Corollary 8, A_i, b_i satisfy inequality (8) for each i = 1, ..., k. Like the proof of inequality (19), inequality (8) is prolonged by inequality (5) to remove non-squared norm terms in its RHS, which yields corresponding choices of bounding dL terms L_i, M_i.
The inequality from (20) is a valid real arithmetic formula, and thus provable by R for each i = 1, ..., k. The derivation uses rule DEx, where each premise is chosen to be of form D so that they prove, after a dW step, with R using the above choice of L_i, M_i for each i = 1, ..., k.
Proof of Corollary 9. The derivation starts by Skolemizing with ∀R, then switching the diamond modality in the succedent to a box modality in the antecedent using ⟨·⟩,¬R. The postcondition of the box modality is simplified using the propositional tautologies $\neg(\phi \lor \psi) \leftrightarrow \neg\phi \land \neg\psi$ and $\neg\neg\phi \leftrightarrow \phi$. Axiom [·]∧,∧L splits the conjunction in the antecedent, before ⟨·⟩ is used again to flip the left antecedent to a diamond modality in the succedent. These (mostly) propositional steps recover the more verbose phrasing of BEx from (9).
The formula $B(x)$ is assumed to characterize a bounded set with respect to the variables $x$. The closure of this set is compact, and thus the continuous norm function $\|x\|^2$ attains its maximum value on that set. Hence, the formula $\exists D\, \forall x\, (B(x) \to \|x\|^2 \le D)$ is valid in first-order real arithmetic, and thus provable by R. The derivation continues with a cut of this formula and Skolemizing with ∃L. Axiom BDG⟨·⟩ is then used to remove the ODE $x' = f(x)$, with $p(x) = D$. The resulting right premise proves with TEx, while the resulting left premise is labeled ① and continued below.
From premise ①, a dC step adds the postcondition of the leftmost antecedent, $B(x)$, to the domain constraint. Since the remaining antecedent is universally quantified over the variables $x$, it is soundly kept across the subsequent dW step, and the proof is completed with ∀L,→L.

Proof of Corollary 10. Assume the ODE $x' = f(x)$ is in dependency order (4), and the indices $i = 1, \dots, k$ are partitioned into disjoint sets $L, N$ as in Corollary 10. The first step Skolemizes with ∀R.
The derivation uses ideas from Corollaries 6, 8, and 9 to remove the ODE $y_i' = g_i(y_1, \dots, y_i)$ at each step. The corresponding disjunct $\neg B_i(y_i)$ (if present) is also removed from the succedent when $i \in N$. At each step $i$, the derivation reduces the succedent in two cases, depending on whether $i \in L$ or $i \in N$.
• For each $i \in L$ (similarly to Corollary 8), the ODE $y_i' = A_i(y_1, \dots, y_{i-1})\, y_i + b_i(y_1, \dots, y_{i-1})$ is affine for some matrix and vector terms $A_i, b_i$, respectively, with the indicated variable dependencies. The RHS of this affine ODE satisfies inequality (20) with terms $L_i, M_i$ as given in (20). Axiom DDG⟨·⟩ is used with those choices of $L_i, M_i$, which removes the ODEs for $y_i$ in the resulting right premise. The resulting left premise is labeled ① and explained below. Note that the freshness conditions of axiom DDG⟨·⟩ are met because the postcondition of the succedent does not mention the variables $y_i$ for $i \in L$. Similarly, the indices $j \in N \cap \{1, \dots, i\}$ are the same as the indices $j \in N \cap \{1, \dots, i-1\}$ because $i \notin N$.
• For each $i \in N$ (similarly to Corollary 9), the boundedness assumption on $y_i$ is first extracted from the succedent, with the abbreviation $R \equiv \big(t > \tau \lor \bigvee_{j \in N \cap \{1, \dots, i-1\}} \neg B_j(y_j)\big)$. The bottommost succedent is similarly abbreviated using the propositional tautology $t > \tau \lor \bigvee_{j \in N \cap \{1, \dots, i\}} \neg B_j(y_j) \leftrightarrow R \lor \neg B_i(y_i)$. The formula $B_i(y_i)$ is assumed to characterize a bounded set with respect to the variables $y_i$. Thus, similarly to Corollary 9, the formula $\exists D_i\, \forall y_i\, (B_i(y_i) \to \|y_i\|^2 \le D_i)$ proves by R. The derivation continues with a cut of this formula and Skolemizing, abbreviating $S \equiv [y_1' = g_1(y_1), \dots, y_i' = g_i(y_1, \dots, y_i), t' = 1]\, B_i(y_i)$. Axiom BDG⟨·⟩ is then used with $p(y_i) = D_i$, which removes the ODEs for $y_i$ in the resulting right premise. The resulting left premise is labeled ② and explained below.
The derivation continues from premise ② identically to Corollary 9, with a dC step to add the postcondition of the antecedent $S$ to the domain constraint. The proof is completed with dW and ∀L,→L.
Validity of formula (23) further implies that (23) is provable because of the dL completeness theorem for equational invariants [28,31, Theorem 4.5]. The derivation of global existence for $x' = f(x)$ first Skolemizes with ∀R, then introduces fresh variables $x_0, t_0$ storing the initial values of $x, t$ with cut,R,∃L. Axiom BDG⟨·⟩ is used with $p(t) = \|X(t - t_0)\|^2$ to remove the ODEs $x' = f(x)$. The resulting right premise proves by TEx. The resulting left premise is abbreviated ① and proved below.
From ①, the derivation continues with a dC using the provable formula (23). The premise after dW proves by R by rewriting the succedent with the equality $x = X(t - t_0)$ and by reflexivity of ≤.
Note that, instead of assuming that $X(t)$ is an explicit solution of the ODE $x' = f(x)$, it suffices for this derivation that premise ① is provable, i.e., that $\|X(t - t_0)\|^2$ is a provable upper bound on the squared norm of $x$ along solutions of the ODE.

B.2 Proofs for Liveness Without Domain Constraints
Proof of Corollary 12. The complete derivation of rule dV_Γ using refinement axiom K⟨&⟩ is already given in the proof sketch for Corollary 12, so it is not repeated here.
The derivation of dV (as a corollary of dV_Γ) starts by introducing fresh variables $p_0, i$ representing the initial value of $p$ and the multiplicative inverse of $\varepsilon()$, respectively, using arithmetic cuts (cut,R) and Skolemizing (∃L). It then uses dGt to introduce a fresh time variable into the system of differential equations. Next, an initial liveness assumption $\langle x' = f(x), t' = 1 \rangle\, p_0 + \varepsilon() t > 0$ is cut into the antecedents, after which rule dV_Γ is used to obtain the premise of dV. Intuitively, this initial liveness assumption says that the solution exists for long enough that $p$, which is provably bounded below by $p_0 + \varepsilon() t$, becomes positive when starting from its initial value $p_0$. The proof of this cut is abbreviated ① and given below.
From premise ①, a monotonicity step M⟨·⟩ equivalently rephrases the postcondition of the cut in real arithmetic. The rephrasing uses the constant assumption $\varepsilon() > 0$ and the choice of $i$ as the multiplicative inverse of $\varepsilon()$. Since the ODE $x' = f(x)$ is assumed to have provable global solutions, axiom GEx finishes the derivation by instantiating $\tau = -i p_0$, which is constant for the ODE.

Proof of Corollary 13. Rule dV^M_= derives directly from dV_= with an M⟨·⟩ monotonicity step. The derivation of rule dV_= starts by using axiom K⟨&⟩ with $G \equiv p \ge 0$ and rule dV (with the relation being ≥) on the resulting right premise, which yields the sole premise of dV_= (on the right). From the left premise after using K⟨&⟩, axiom DX allows the domain constraint to be assumed true initially, which strengthens the antecedent $p \le 0$ to $p < 0$. Rule Barr completes the proof because the antecedents $p \ne 0$, $p = 0$ in its resulting premise are contradictory.

Proof of Corollary 14. Rule dV_k can be derived in several ways. For example, because $\dot{p}^{(k)}$ is strictly positive, one can prove that the solution successively reaches states where $\dot{p}^{(k-1)}$ is strictly positive, followed by $\dot{p}^{(k-2)}$, and so on. The following derivation shows how dC can be used elegantly for this argument. The idea is to extend the derivation of rule dV to higher Lie derivatives by (symbolically) integrating with respect to the time variable $t$ using the following sequence of inequalities. The next cut introduces an initial liveness assumption (cut premise abbreviated ①). Premise ① is proved identically to the correspondingly abbreviated premise from the derivation of dV, using axiom GEx, because the ODE $x' = f(x)$ is assumed to have provable global solutions.

From the remaining open premise, axiom K⟨&⟩ is used with $G \equiv p_0 + \varepsilon() t > 0$. Finally, a monotonicity step M[·] simplifies the postcondition using the domain constraint $S$, yielding the left conjunct of the right premise of rule SP. The right premise after monotonicity is abbreviated ② and continued below.
From ②, rule dI yields the right conjunct of the right premise of rule SP.

Proof of Corollary 16. Rule SP_b is derived first, since rule SP_c follows as a corollary. Both proof rules use the fact that continuous functions on compact domains attain their extrema [37, Theorem 4.16]. Polynomial functions are continuous, so this fact can be stated and proved as a formula of first-order real arithmetic [3]. The derivation of SP_b is essentially similar to SP except that the use of the global existence axiom GEx is replaced by the bounded existence axiom BEx. It starts by using axiom K⟨&⟩ with $G \equiv \neg S$, yielding the left premise of SP_b. Continuing on the resulting right premise from K⟨&⟩ (similarly to SP), the derivation introduces fresh variables $p_0, i$ representing the initial value of $p$ and the multiplicative inverse of $\varepsilon()$, respectively, using arithmetic cuts and Skolemizing (cut,R,∃L). Rule dGt introduces a fresh time variable. The set characterized by formula $S$ is bounded, so its closure is compact (with respect to the variables $x$). On this compact closure, the continuous polynomial function $p$ attains its maximum value, which implies that the value of $p$ is bounded above in $S$ and cannot increase without bound while staying in $S$. That is, the formula $\exists p_1\, R(p_1)$, where $R(p_1) \equiv \forall x\, (S(x) \to p \le p_1)$, is valid in first-order real arithmetic and thus provable by R. This formula is added to the assumptions next and the existential quantifier is Skolemized with ∃L. The resulting symbolic constant $p_1$ represents the upper bound of $p$ on $S$. Note that $R(p_1)$ is constant for the ODE $x' = f(x), t' = 1$ because it does not mention any of the variables $x$ (nor $t$) free. Next, a cut introduces an initial liveness assumption saying that sufficient time exists for $p$ to become greater than its upper bound $p_1$ on $S$, which implies that the solution must leave $S$. This assumption is abbreviated $T \equiv \langle x' = f(x), t' = 1 \rangle (\neg S \lor p_0 + \varepsilon() t > p_1)$.
The main difference from SP is that assumption $T$ also adds a disjunct for the possibility of leaving $S$ (which characterizes a bounded set). This cut premise is abbreviated ① and proved below.
Continuing from the open premise on the left, axiom K⟨&⟩ is used with $G \equiv \neg S \lor p_0 + \varepsilon() t > p_1$. The postcondition of the resulting box modality is simplified with an M[·] monotonicity step. This crucially uses the assumption $R(p_1)$, which is constant for the ODE. A dI step yields the remaining premise of SP_b on the right. From premise ①, a monotonicity step M⟨·⟩ equivalently rephrases the postcondition of the cut: the steps R,M⟨·⟩ reduce the sequent $\varepsilon() > 0,\ i\varepsilon() = 1 \vdash T$ to $\vdash \langle x' = f(x), t' = 1 \rangle (\neg S \lor t > i(p_1 - p_0))$, which axiom BEx closes because formula $S(x)$ is assumed to be bounded over the variables $x$.
Next, to derive rule SP_c from SP_b, the compactness of the set characterized by $S(x)$ implies that the (abbreviated) formula $\exists \varepsilon > 0\, A(\varepsilon)$, where $A(\varepsilon) \equiv \forall x\, (S(x) \to \dot{p} \ge \varepsilon)$, and the (abbreviated) formula $B \equiv \forall x\, (S(x) \to \dot{p} > 0)$ are provably equivalent in first-order real arithmetic. Briefly, this provable equivalence follows from the fact that the continuous polynomial function $\dot{p}$ is bounded below by its minimum on the compact set characterized by $S(x)$, and this minimum is strictly positive. The following derivation of SP_c threads these two formulas through the use of rule SP_b. After Skolemizing $\exists \varepsilon > 0\, A(\varepsilon)$ with ∃L, the resulting formula $A(\varepsilon)$ is constant for the ODE $x' = f(x)$, so it is kept as a constant assumption across the use of SP_b, leaving only the two premises of rule SP_c.

Proof of Corollary 17. Rule SLyap derives from SP_c with $S \equiv \neg P \land K$, since the intersection of a closed set with a compact set is compact. The resulting right premise from using SP_c is the right premise of SLyap. Continuing from the left premise, a monotonicity step with the premise $p \ge 0 \vdash K$ turns the postcondition into the inequality on $p$. Rule Barr is used, which, along with the premise $p \ge 0 \vdash K$, results in the premise of rule SLyap.

B.3 Proofs for Liveness With Domain Constraints
Proof of Corollary 18. The derivation uses axiom COR choosing $R \equiv \mathit{true}$, noting that $p \ge 0$ (resp. $p > 0$) characterizes a topologically closed (resp. open) set, so the appropriate topological requirements of COR are satisfied. The resulting left premise is the left premise of dV&. The proof continues from the resulting right premise identically to the derivation of dV until the step where dV_Γ is used. The steps are repeated briefly here.
Like the derivation of dV_Γ, axiom K⟨&⟩ is used with $G \equiv p_0() + \varepsilon() t > 0$. The key difference is an additional dC step, which adds $Q$ to the domain constraint.¹⁴ The proof of this differential cut uses the left premise of dV&; it is labeled ① and shown below.
The derivation from the resulting left premise (after the cut) continues similarly to dV_Γ, using a monotonicity step M[·] to rephrase the postcondition, followed by dI, which results in the right premise of dV&. The derivation from ① removes the time variable $t$ using the inverse direction of rule dGt [28,30,31]. Just as rule dGt allows introducing a fresh time variable $t$ for the sake of proof, its inverse direction simply removes the variable $t$, since it is irrelevant for the proof of the differential cut.
The derivation of rule dV_=& starts by using axiom K⟨&⟩ with $G \equiv p \ge 0$. The resulting box modality (right) premise is abbreviated ① and proved below. On the resulting left premise, a DX step adds the negated postcondition $p < 0$ as an assumption to the antecedents, since the domain constraint $Q$ is true initially. Following that, rule dV& is used (with the relation being ≥, since $Q$ characterizes a closed set). This yields the two premises of dV_=&. From premise ①, the derivation is closed similarly to dV_= using DX and Barr, whose resulting premise has the contradictory antecedents $p \ne 0$, $p = 0$ and closes by R.
¹⁴ Notably, the implemented differential cuts automation from Section 7.2 can add such a cut automatically.
Proof of Corollary 20. The derivation of rule SLyap& starts by using DX to add the assumption $\neg P$ to the antecedents, since the domain constraint $p > 0$ is in the antecedents. Next, axiom COR is used. Its topological restrictions are met since both formulas $P$ and $p > 0$ characterize open sets. From the resulting right premise, rule SLyap yields the corresponding two premises of SLyap& because formula $K$ (resp. $P$) characterizes a compact set (resp. open set). From the leftmost open premise after COR, rule Barr is used and the resulting $p = 0$ assumption is turned into $K$ using the left premise of SLyap&. The resulting open premises are the premises of SLyap&.

Proof of Corollary 21. The derivation starts by using axiom SAR, which results in two premises. From the left premise after SAR, a monotonicity step turns the postcondition into $S$, yielding the left premise and first conjunct of the right premise of SP&.
From the right premise after using axiom SAR, rule SP yields the remaining two premises of SP&. The dW,DMP step uses the propositional tautology $\neg P \to \neg(P \land Q)$ to weaken the domain constraint so that it matches the premise of rule SP&.

Proof of Corollary 22. The chimeric proof rule SP^k_c& amalgamates ideas behind the rules SP&, dV_k, and SP_c. It is therefore unsurprising that the derivation of SP^k_c& uses various steps from the derivations of those rules. The derivation of SP^k_c& starts similarly to SP& (following Corollary 21) using axiom SAR. From the left premise after SAR, a monotonicity step turns the postcondition into $S$, yielding the left premise and first conjunct of the right premise of SP^k_c&.
From the right premise after SAR, the derivation continues using K⟨&⟩ with $G \equiv \neg S$, followed by dW,DMP. The resulting left premise is (again) the left premise of SP^k_c&, while the resulting right premise is abbreviated ① and continued below. The derivation continues from ① by intertwining proof ideas from Corollary 14 and Corollary 16. First, compactness of the set characterized by $S(x)$ implies that the formula $\exists \varepsilon > 0\, A(\varepsilon)$, where $A(\varepsilon) \equiv \forall x\, (S(x) \to \dot{p}^{(k)} \ge \varepsilon)$, and the formula $B \equiv \forall x\, (S(x) \to \dot{p}^{(k)} > 0)$ are provably equivalent in first-order real arithmetic. These facts are added to the assumptions similarly to the derivation of SP_c. The resulting right open premise is the right conjunct of the right premise of SP^k_c&. From the left premise, recall the derivation from Corollary 14, which introduces fresh variables for the initial values of the Lie derivatives with cut,R,∃L. The derivation continues similarly here, with the resulting antecedents abbreviated $\Gamma_0 \equiv \Gamma, p = p_0, \dots$. Rule dGt is also used to add the time variable $t$ to the system of equations.
Recall from Corollary 16 that the formula $R(p_1) \equiv \forall x\, (S(x) \to p \le p_1)$ can be added to the assumptions using cut,R,∃L, for some fresh variable $p_1$ symbolically representing the maximum value of $p$ on the compact set characterized by $S$; this step turns the sequent $\Gamma_0, \varepsilon > 0, A(\varepsilon), t = 0 \vdash \langle x' = f(x), t' = 1 \rangle \neg S$ into $\Gamma_0, \varepsilon > 0, A(\varepsilon), t = 0, R(p_1) \vdash \langle x' = f(x), t' = 1 \rangle \neg S$. One last arithmetic cut is needed to set up the sequence of differential cuts (24). Recall that the polynomial $q(t)$ from (24) is eventually positive for sufficiently large values of $t$ because its leading coefficient is strictly positive. The same applies to the polynomial $q(t) - p_1$, so cut,R (and Skolemizing with ∃L) adds the formula $\forall t > t_1\, (q(t) - p_1 > 0)$ to the assumptions.

B.4 Proofs for Implementation
Proof of Corollary 24. The derivation starts with a cut of the sole premise of dV_∃ (the left premise below). The existentially bound variable $\varepsilon$ is renamed to $\delta$ throughout the derivation for clarity. After Skolemizing (with ∃L), rule dV is used with $\varepsilon() = \delta$. The universally quantified antecedent is constant for the ODE $x' = f(x)$, so it is soundly kept across the application of dV. The proof is completed propositionally with ∀L,→L.

Proof of Corollary 25. Assume that formulas $P, G_P$ are in normal form as in Corollary 25. The derivation of rule dV uses the variable $b$ as a lower bound on the initial values of all terms $p, q$ appearing in formula $P$. Formally, the formula $\exists b\, \bigwedge_{i=0}^{M} \big( \bigwedge_{j=0}^{m(i)} p_{ij} \ge b \land \bigwedge_{j=0}^{n(i)} q_{ij} \ge b \big)$ is a valid formula of real arithmetic and proves by R because $P$ is a finite formula.
The derivation starts similarly to dV by introducing fresh variables $b$ (for the bound above) and $i$ representing the multiplicative inverse of $\varepsilon()$ using arithmetic cuts cut,R. It then Skolemizes (∃L) and uses dGt to introduce a fresh time variable into the system of differential equations. Next, the refinement axiom K⟨&⟩ is used with $G \equiv (b + \varepsilon() t > 0)$. This yields two premises, the right of which proves by GEx (after monotonically rephrasing with R,M⟨·⟩) because the ODE $x' = f(x)$ is assumed to have provable global solutions. The left premise from K⟨&⟩ is abbreviated ① and continued below.
Continuing from premise ①, monotonicity strengthens the postcondition from $b + \varepsilon() t \le 0$ to $G_P$ under the domain constraint assumption $\neg P$. This strengthening works because, assuming that $\neg P$ and $G_P$ are true in a given state, then propositionally at least one of the following pairs (each pair listed horizontally) of sub-formulas of $\neg P$ and $G_P$, for some indices $i, j$, is true in that state. Either pair of formulas implies that the formula $b + \varepsilon() t \le 0$ is also true in that state, so the strengthening proves by M[·],R. Next, a cut,R step adds the formula $G_P$ to the antecedents, since $t = 0$ initially. Rule sAI& yields the sole premise of rule dV because $G_P$ characterizes a closed set (Lemma 29).

Proof of Corollary 27. The derivation of rule cR is seemingly straightforward using axiom CR followed by rule Enc on the resulting middle premise. There is a minor subtlety to address because the formula $Q^{>}_{\ge}$ (with strict inequalities replacing the non-strict ones in $Q$) is only a syntactic under-approximation of the interior of the set characterized by $Q$, so axiom CR does not immediately apply as stated. For example, the formula $x < x$ characterizes the empty set, while the formula $x \le x$ characterizes the set of all states, whose interior is also the set of all states. However, since $Q$ is a semialgebraic formula, there is a computable quantifier-free formula $\mathring{Q}$ that exactly characterizes its topological interior [3].
The derivation starts with a cut of the formula $Q$, which yields the leftmost premise of rule cR. This is followed by DX, which adds formula $\neg P$ to the antecedents because there is nothing to prove if both formulas $Q$ and $P$ are already true initially. The derivation then uses CR with the computable formula $\mathring{Q}$ characterizing the topological interior of formula $Q$. This yields two premises, the right of which corresponds to the rightmost premise of rule cR. From the resulting left premise (with postcondition $\mathring{Q}$), an M[·],R monotonicity step strengthens the postcondition because $Q^{>}_{\ge} \to \mathring{Q}$ is a valid formula of real arithmetic. Rule Enc completes the derivation.

C Counterexamples
This appendix gives explicit counterexamples to illustrate the soundness errors identified in Sections 5 and 6.

C.1 Finite Time Blow Up
The soundness errors identified in Section 5 all arise from incorrect handling of the fact that solutions may blow up in finite time. This phenomenon is studied in detail in Section 4, and it is illustrated by $\alpha_n$ (see Fig. 1) or $\alpha_b$ (see Example 1). The following is a counterexample for the original presentation of dV_= (and dV^M_=, dV_=&, dV^M_=&) [41]. Similar counterexamples can be constructed for [35, Remark 3.6] and for the original presentation of SLyap, SLyap& [36].
Counterexample 7. Consider rule dV_= without the restriction that the ODE has provable global solutions. This unrestricted rule is unsound, as shown by the following derivation using it with $\varepsilon() = 1$. The conclusion of this derivation is not valid. Consider an initial state $\omega$ satisfying the formula $u = 1 \land v = 0$. The explicit solution of the ODE from $\omega$ is given by $u(t) = \frac{1}{1-t}$, $v(t) = t$ for $t \in [0, 1)$. The solution does not exist beyond the time interval $[0, 1)$ because the $u$-coordinate asymptotically approaches $\infty$, i.e., blows up, as time approaches $t = 1$. It is impossible to reach a state satisfying $v - 2 = 0$ from $\omega$ along this solution, since at least 2 time units are required.
This counterexample further illustrates the difficulty of handling nonlinear ODEs. Neither the precondition ($v - 2 \le 0$) nor the postcondition ($v - 2 = 0$) mentions the variable $u$, and the ODEs $u' = u^2$, $v' = 1$ do not depend on the variables $v, u$, respectively. It is tempting to discard the variable $u$ entirely. Indeed, the liveness property $v - 2 \le 0 \to \langle v' = 1 \rangle\, v - 2 = 0$ is valid. Yet, for liveness questions about the (original) ODE $u' = u^2, v' = 1$, the two variables are inextricably linked through the time axis of solutions to the ODE.
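As an added numerical illustration (not code from the paper or its KeYmaera X implementation), the following Python integrates Counterexample 7: it steps $u' = u^2, v' = 1$ from $u = 1, v = 0$ with fixed-step RK4 and a blow-up guard, checks whether $v - 2 \ge 0$ is ever reached while the solution still exists, and contrasts this with the projected ODE $v' = 1$, where it is. Step size, horizon and the blow-up threshold are constructed choices.

```python
# Numerical check of Counterexample 7 (constructed illustration; not the paper's code).
# Full system: u' = u^2, v' = 1 from u = 1, v = 0. The exact solution u(t) = 1/(1 - t)
# exists only on [0, 1), so the goal v - 2 = 0 (which needs 2 time units) is unreachable.
# Projected system: v' = 1 alone, where the same goal is reached at t = 2.
from typing import Callable, Optional, Tuple

Vec = Tuple[float, ...]
Field = Callable[[Vec], Vec]


def rk4_step(f: Field, x: Vec, h: float) -> Vec:
    """One classical Runge-Kutta step of size h for x' = f(x)."""
    k1 = f(x)
    k2 = f(tuple(xi + h / 2 * ki for xi, ki in zip(x, k1)))
    k3 = f(tuple(xi + h / 2 * ki for xi, ki in zip(x, k2)))
    k4 = f(tuple(xi + h * ki for xi, ki in zip(x, k3)))
    return tuple(xi + h / 6 * (a + 2 * b + 2 * c + d)
                 for xi, a, b, c, d in zip(x, k1, k2, k3, k4))


def first_hit(f: Field, x0: Vec, goal: Callable[[Vec], bool], h: float = 1e-3,
              t_max: float = 5.0, blow_up: float = 1e6) -> Tuple[Optional[float], float]:
    """Integrate until the goal holds, the state exceeds the blow-up threshold (or turns
    NaN), or t_max is reached. Returns (time at which the goal first held, or None;
    time up to which a finite numerical solution existed)."""
    t, x = 0.0, x0
    while t < t_max:
        if goal(x):
            return t, t
        if any(abs(xi) > blow_up or xi != xi for xi in x):   # xi != xi detects NaN
            return None, t            # the solution ceased to exist numerically
        x = rk4_step(f, x, h)
        t += h
    return None, t


def counterexample_7() -> dict:
    goal = lambda x: x[-1] - 2 >= 0   # v - 2 = 0 is crossed; v is the last coordinate
    # u*u rather than u**2: float ** raises OverflowError, while * saturates to inf,
    # which the guard above catches.
    full = first_hit(lambda x: (x[0] * x[0], 1.0), (1.0, 0.0), goal)
    projected = first_hit(lambda x: (1.0,), (0.0,), goal)
    return {"full_hit": full[0],             # None: goal never reached
            "full_existence": full[1],       # about 1.0: blow-up time of u(t) = 1/(1 - t)
            "projected_hit": projected[0]}   # about 2.0: v' = 1 alone does reach v = 2
```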

C.2 Topological Considerations
The soundness errors identified in Section 6 arise from incorrect topological reasoning in subtle cases where the topological boundaries of the sets characterized by the domain constraint and the desired liveness postcondition intersect. The original presentation of dV& [25] gives the following proof rule for atomic inequalities $p \ge 0$ or $p > 0$. For simplicity, assume that the ODE $x' = f(x)$ is globally Lipschitz continuous so that solutions exist for all time.
Compared to dV&, this rule omits the assumption $\neg(p \ge 0)$ (resp. $\neg(p > 0)$) and makes no topological assumptions on the domain constraint $Q$. The following two counterexamples show that both assumptions are necessary.
Counterexample 8. Consider the following derivation using the unsound variant of dV& with $\varepsilon() = 1$. The conclusion of this derivation is not valid: in states where $u > 1$ is true initially, the domain constraint is violated immediately, so the diamond modality in the succedent is trivially false in these states.
Counterexample 9 ([38]). This counterexample is adapted from [38, Example 142], which has a minor typographical error (the sign of an inequality is flipped). Consider the following derivation using the unsound variant of dV& with $\varepsilon() = 1$. The conclusion of this derivation is not valid and, in fact, unsatisfiable. The domain constraint $u \le 1$ and the postcondition $u > 1$ are contradictory, so no solution can reach a state satisfying both simultaneously.
The next two counterexamples are for the liveness arguments from [34, Corollary 1] and [35, Theorem 3.5]. For clarity, the original notation from [35, Theorem 3.5] is used. The following conjecture is quoted from [35, Theorem 3.5]:
Conjecture 30. Consider the system $x' = f(x)$, with $f \in C(\mathbb{R}^n, \mathbb{R}^n)$. Let $X \subset \mathbb{R}^n$, $X_0 \subseteq X$, and $X_r \subseteq X$ be bounded sets. If there exists a function $B \in C^1(\mathbb{R}^n)$ satisfying
$$B(x) \le 0 \quad \forall x \in X_0 \tag{25}$$
$$B(x) > 0 \quad \forall x \in \partial X \setminus \partial X_r \tag{26}$$
$$\frac{\partial B}{\partial x} f(x) < 0 \quad \forall x \in \overline{X} \setminus X_r$$
then the eventuality property holds, i.e., for all initial conditions $x_0 \in X_0$, the trajectory $x(t)$ of the system starting at $x(0) = x_0$ satisfies $x(T) \in X_r$ and $x(t) \in X$ for all $t \in [0, T]$ for some $T \ge 0$. The notation $\overline{X}$ (resp. $\partial X$) denotes the topological closure (resp. boundary) of the set $X$.

Fig. 4. (Left) Visualization of Counterexample 10. The trajectory from the initial point ($X_0$, in black) leaves the domain unit disk ($X$, boundary in blue) immediately without ever reaching its interior ($X_r$, in green with dashed boundary). The interior is slightly shrunk for clarity in the visualization: the blue and green boundaries should actually overlap exactly. (Right) Visualization of Counterexample 11. Solutions from the initial set ($X_0$, in black with dashed boundary) eventually enter the goal region ($X_r$, in green with dashed boundary). However, the domain ($X$, in blue with dashed boundary) shares an (open) boundary with $X_r$ at $v = 0$, which solutions are not allowed to cross. As before, the sets are slightly shrunk for clarity in the visualization: the blue and green boundaries should actually overlap exactly. The level curve $B = 0$ is plotted in red. All points above the curve satisfy $B < 0$, while all points below it satisfy $B > 0$.

In [34, Corollary 1], stronger conditions are required. In particular, the sets $X_0, X_r, X$ are additionally required to be topologically open, and the inequality in (25) is strict, i.e., $B(x) < 0$ instead of $B(x) \le 0$.
The soundness errors in both of these liveness arguments stem from condition (26) being too permissive. For example, notice that if the sets $\partial X, \partial X_r$ are equal, then (26) is vacuously true. The first counterexample below applies to the requirements of [35, Theorem 3.5], while the second applies even to the more restrictive requirements of [34, Corollary 1].
Counterexample 10. Let the system $x' = f(x)$ be $u' = 0, v' = 1$. Let $X_r$ be the open unit disk characterized by $u^2 + v^2 < 1$, $X$ be the closed unit disk characterized by $u^2 + v^2 \le 1$, and $X_0$ be the single point characterized by $u = 0 \land v = 1$. All of these sets are bounded. Note that $\partial X \setminus \partial X_r = \emptyset$ since both topological boundaries are the unit circle $u^2 + v^2 = 1$. Let $B(u, v) = -v$, so that $\frac{\partial B}{\partial x} f(x) = \frac{\partial B}{\partial u} \cdot 0 + \frac{\partial B}{\partial v} \cdot 1 = -1 < 0$ and $B \le 0$ on $X_0$. All conditions of [35, Theorem 3.5] are met, but the eventuality property is false: the trajectory from $X_0$ leaves $X$ immediately and never enters $X_r$. This is visualized in Fig. 4 (Left).
Counterexample 11. Let the system $x' = f(x)$ be $u' = 0, v' = 1$. Let $X_r$ be the set characterized by the formula $u^2 + v^2 < 5 \land v > 0$, $X$ be the set characterized by the formula $u^2 + v^2 < 5 \land v \ne 0$, and $X_0$ be the set characterized by the formula $u^2 + (v+1)^2 < \frac{1}{2}$. All of these sets are bounded and topologically open. Let $B(u, v) = -v + u^2 - 2$, so that $\frac{\partial B}{\partial x} f(x) = \frac{\partial B}{\partial u} \cdot 0 + \frac{\partial B}{\partial v} \cdot 1 = -1 < 0$, and $B < 0$ on $X_0$. The set $\partial X \setminus \partial X_r$ is characterized by the formula $u^2 + v^2 = 5 \land v \le 0$, and $B$ is strictly positive on this set. These claims can be checked arithmetically; see Fig. 4 (Right) for a plot of the curve $B = 0$.
All conditions of [34, Corollary 1] are met, but the eventuality property is false. Solutions starting in $X_0$ eventually enter $X_r$, but can only do so by leaving the domain constraint $X$ at $v = 0$; see Fig. 4 (Right).
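As an added arithmetic check (not code from the paper or its KeYmaera X implementation), the following Python samples the hypotheses of Conjecture 30 for Counterexamples 10 and 11 and follows the exact flow of $u' = 0, v' = 1$ in rational arithmetic to confirm that no admissible time $T$ exists; it also shows that dropping $v \ne 0$ from $X$ in Counterexample 11 makes the goal reachable. Sample counts, the sampling step and the horizon are constructed choices.

```python
# Arithmetic check of Counterexamples 10 and 11 (constructed illustration; not code from
# the paper or KeYmaera X). Hypotheses (25), (26) and the Lie-derivative condition of
# Conjecture 30 are checked by sampling; the trajectory check uses the exact flow of
# u' = 0, v' = 1, namely u(t) = u0, v(t) = v0 + t, in rational arithmetic so that the
# boundary crossing at v = 0 cannot be missed by rounding. Sample counts are constructed.
from fractions import Fraction
from typing import Callable, Optional, Tuple
import math

Pt = Tuple[Fraction, Fraction]
Pred = Callable[[Pt], bool]


def flow(x0: Pt, t: Fraction) -> Pt:
    """Exact solution of u' = 0, v' = 1 from x0 at time t."""
    return (x0[0], x0[1] + t)


def sq_norm(x: Pt) -> Fraction:
    return x[0] * x[0] + x[1] * x[1]


def lie_derivative(B: Callable[[float, float], float], u: float, v: float,
                   h: float = 1e-6) -> float:
    """(dB/dx) f(x) for f = (0, 1) reduces to dB/dv; approximated by a central difference."""
    return (B(u, v + h) - B(u, v - h)) / (2 * h)


def eventuality_time(x0: Pt, in_X: Pred, in_Xr: Pred,
                     t_max: Fraction, dt: Fraction) -> Optional[Fraction]:
    """First sampled T with x(T) in X_r such that x(t) stayed in X for all sampled t <= T.
    None if the trajectory leaves X before reaching X_r, or never reaches X_r by t_max."""
    t = Fraction(0)
    while t <= t_max:
        x = flow(x0, t)
        if not in_X(x):
            return None
        if in_Xr(x):
            return t
        t += dt
    return None


def counterexample_10(n: int = 720) -> dict:
    # X_r: open unit disk, X: closed unit disk, X_0 = {(0, 1)}, B(u, v) = -v.
    B = lambda u, v: -v
    in_X = lambda x: sq_norm(x) <= 1
    in_Xr = lambda x: sq_norm(x) < 1
    circle = [(math.cos(2 * math.pi * k / n), math.sin(2 * math.pi * k / n)) for k in range(n)]
    # dX \ dX_r: points of the unit circle (dX) not on dX_r, which is the same circle.
    boundary_diff = [p for p in circle if abs(p[0] ** 2 + p[1] ** 2 - 1) > 1e-9]
    return {
        "B_le_0_on_X0": B(0.0, 1.0) <= 0,
        "boundary_diff_empty": boundary_diff == [],          # so (26) holds vacuously
        "lie_derivative_negative": lie_derivative(B, 0.3, -0.2) < 0,
        "T": eventuality_time((Fraction(0), Fraction(1)), in_X, in_Xr,
                              Fraction(3), Fraction(1, 100)),
    }


def counterexample_11(n: int = 200) -> dict:
    # X_r: u^2+v^2 < 5 and v > 0; X: u^2+v^2 < 5 and v != 0; X_0: u^2+(v+1)^2 < 1/2;
    # B(u, v) = -v + u^2 - 2.
    B = lambda u, v: -v + u * u - 2
    in_X = lambda x: sq_norm(x) < 5 and x[1] != 0
    in_Xr = lambda x: sq_norm(x) < 5 and x[1] > 0
    r5, r0 = math.sqrt(5), math.sqrt(0.5)
    # dX \ dX_r: the closed lower half of the circle u^2+v^2 = 5 (v <= 0), sampled by angle.
    lower_arc = [(r5 * math.cos(a), r5 * math.sin(a))
                 for a in (math.pi * (1 + k / n) for k in range(n + 1))]
    # X_0: open disk of radius sqrt(1/2) centred at (0, -1), sampled on a grid.
    x0_pts = [(u, v) for i in range(n + 1) for j in range(n + 1)
              for u, v in [(-r0 + 2 * r0 * i / n, -1 - r0 + 2 * r0 * j / n)]
              if u * u + (v + 1) ** 2 < 0.5]
    centre = (Fraction(0), Fraction(-1))
    return {
        "B_lt_0_on_X0": max(B(u, v) for u, v in x0_pts) < 0,
        "B_gt_0_on_boundary_diff": min(B(u, v) for u, v in lower_arc) > 0,
        "lie_derivative_negative": lie_derivative(B, 0.3, -0.2) < 0,
        "T": eventuality_time(centre, in_X, in_Xr, Fraction(3), Fraction(1, 100)),
        # Dropping v != 0 from X (so crossing v = 0 is allowed) makes the goal reachable
        # at the first sampled time after t = 1, i.e. t = 101/100.
        "T_if_crossing_allowed": eventuality_time(centre, lambda x: sq_norm(x) < 5, in_Xr,
                                                  Fraction(3), Fraction(1, 100)),
    }
```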