Reasoning Method between Polynomial Error Assertions

Abstract: Error coefficients are ubiquitous in systems. In particular, errors in reasoning verification must be taken into account for safety-critical systems. We present a reasoning method that can be applied to systems described by polynomial error assertions (PEAs). The implication relationship between PEAs is converted to an inclusion relationship between the zero sets of the PEAs; the PEAs are then transformed into first-order polynomial logic. Combined with the quantifier elimination method based on cylindrical algebraic decomposition, deciding the inclusion relationship between the zero sets of PEAs is reduced to deciding a constraint on the error parameters, a specific error-coefficient constraint that the quantifier elimination method produces. The proposed reasoning method is validated by proving the related theorems. An example of intercepting target objects is provided, and the correctness of our method is tested through large-scale random cases. Compared with reasoning methods without error semantics, our reasoning method has the advantage of being able to deal with error parameters.


Introduction
Formal verification includes two main approaches: model-checking and theorem-proving. Model-checking, proposed by Clarke and Emerson, verifies safety properties by searching the state space [1,2]. In contrast, theorem-proving uses logic and mathematical reasoning to verify the safety properties of a piece of software [3]. These two approaches have complementary advantages [4,5] and are widely used in industry [6][7][8]. Reasoning methods in theorem-proving belong to the field of deductive reasoning and comprise syntax, semantics, and reasoning rules; numerous research studies have been conducted in this area. Labeled transition systems and similar structures are widely used in formal verification as a common technique for describing the transition behavior of systems [9]. In particular, the states and transition conditions of a system are defined by two-valued logic propositions. However, two-valued or multi-valued logic is inadequate to describe the state of complex systems [10]. The real polynomial algebraic transition system extends the domain of multi-valued logic to the real numbers, which describes complex systems more effectively and allows their safety properties to be verified [11]. In the field of hybrid system verification in particular [12], numerous theories based on differential invariants have been proposed [13][14][15].
Semantics, grammar, and reasoning rules have been extensively studied in the field of reasoning methods [16]. However, the parameters of complex systems are sometimes not precisely determined; in most cases, only the value ranges of these parameters are known [17,18], which makes the reasoning and verification of these systems more complex. Few reports on the semantic description of errors have been published. For example, the Gröbner basis is widely used in polynomial-based theorem-proving methods, but because the Gröbner basis of a polynomial system does not vary continuously with the parameters, it significantly increases the difficulty of handling error parameters in reasoning methods. In engineering, absolute accuracy is neither possible nor necessary. For example, when the temperature reaches 80 °C, the system stops heating; this is called a guard condition. However, precise measurement is not possible because measurements contain errors. Owing to the accumulation of multiple error variables, the system may undergo wrong transitions, which is unacceptable for safety-critical systems. For example, let a guard condition be $f(x_1, x_2, \dots, x_n) < 100$, where $x_1, x_2, \dots, x_n$ are values measured by instruments and $f$ is a function of $x_1, x_2, \dots, x_n$. Because $x_1, x_2, \dots, x_n$ are all measured values, the calculation cannot be completely accurate, and the errors accumulate further in the computation of $f(x_1, x_2, \dots, x_n)$. In other words, the calculation may conclude that the guard condition $f(x_1, x_2, \dots, x_n) < 100$ is satisfied when in fact it is not. Especially for functions that are sensitive to perturbations, minor parameter changes can lead to completely different results. Nevertheless, only a few studies on reasoning methods account for error parameters.
The authors previously proposed a reasoning method for linear error assertions (LEAs) [19]. In that method, using the convexity of LEAs, the fact that the vertices of the precursor assertion are contained in the zero set of the successor assertion determines whether there is an implication relationship between the precursor and successor assertions. However, the zero set of a nonlinear assertion need not be convex, so the method of [19] cannot deal with nonlinear error assertions.
Error semantics based on interval numbers can be transformed into inequality relationships: for example, $a = [a^-, a^+]$ can be rewritten as $a^- \le a \le a^+$. This suggests that some theorems of inequality-proving may be promising for nonlinear error assertions. This study introduces quantifier elimination into the reasoning method between polynomial error assertions (PEAs): the inclusion relationship between the zero sets of the PEAs is transformed into a quantifier elimination problem in semi-algebraic first-order logic. Our reasoning method can be used to verify systems described by PEAs.

Error Intervals
Errors are common and inevitable. This section presents the error semantics represented by intervals and their operation rules. Errors are quantitatively characterized using interval numbers. Interval numbers generalize real numbers and have been successfully applied in numerous areas [20,21]. The definition and operation rules of interval numbers are introduced below.
The operation rules are given for addition, subtraction, and multiplication (in particular, for the case $a \ge 0$, $b \ge 0$, and for multiplication by a real number $c$ with $c > 0$ and with $c = 0$), and for division by a real number $c$ with $c > 0$ and with $c < 0$. The error intervals generalize the real numbers: a real number $a$ is the degenerate interval with $a^- = a^+$. However, the four arithmetic operations on interval numbers defined above are not reversible, as the following example shows.
If $a$ is a real number, then the equation $a + b - b = a$ must hold. However, if $a$ and $b$ are interval numbers, this equation does not necessarily hold. Let $a$ and $b$ be interval numbers; from the operation rules above, Formula (10) is obtained. Formula (10) implies that the reasoning process is irreversible (that is, the conclusion of the reasoning is only a necessary condition, not a necessary and sufficient condition, for the premise); it does not imply that the four operation rules for interval numbers are incorrect in reasoning methods. As the number of interval operations in a reasoning process grows, the intervals widen and the results may become meaningless. Therefore, other methods must be tried in the reasoning process, and this study provides one possible approach.
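As an added illustration (not code from the paper), the following Python implements the interval operation rules of this section as they are standardly defined (the page does not reproduce Formulas (1) to (10), so the usual rules are assumed), exhibits the non-reversibility of Formula (10), and applies the same arithmetic to the guard condition discussed in the Introduction. The polynomial $f = x_1 + x_2 x_3$, the measured intervals and the bound 100 are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """Closed interval [lo, hi]: a quantity known only up to a bounded error."""
    lo: float
    hi: float

    def __post_init__(self):
        if self.lo > self.hi:
            raise ValueError(f"empty interval [{self.lo}, {self.hi}]")

    @staticmethod
    def exact(v):
        # A real number is the degenerate interval with lo == hi.
        return Interval(v, v)

    def __add__(self, o):
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __sub__(self, o):
        # [a-, a+] - [b-, b+] = [a- - b+, a+ - b-]: the widths add, they never cancel.
        return Interval(self.lo - o.hi, self.hi - o.lo)

    def __mul__(self, o):
        # General rule: extreme products of the endpoints.
        # For a >= 0 and b >= 0 this collapses to [a- b-, a+ b+].
        p = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(p), max(p))

    def scale(self, c):
        # Multiplication by a real c: order-preserving for c > 0,
        # collapses to [0, 0] for c == 0, and flips the endpoints for c < 0.
        if c > 0:
            return Interval(c * self.lo, c * self.hi)
        if c == 0:
            return Interval(0.0, 0.0)
        return Interval(c * self.hi, c * self.lo)

    def divide(self, c):
        # Division by a real c != 0: [a-/c, a+/c] for c > 0, [a+/c, a-/c] for c < 0.
        if c == 0:
            raise ZeroDivisionError("an interval cannot be divided by 0")
        if c > 0:
            return Interval(self.lo / c, self.hi / c)
        return Interval(self.hi / c, self.lo / c)

    def width(self):
        return self.hi - self.lo

    def contains(self, o):
        return self.lo <= o.lo and o.hi <= self.hi


def add_then_subtract(a, b):
    """(a + b) - b: for intervals this is a superset of a, not a itself (Formula (10))."""
    return (a + b) - b


def guard_status(value, bound):
    """Verdict for the guard `value < bound` when `value` is only known as an interval."""
    if value.hi < bound:
        return "satisfied"      # every admissible value passes the guard
    if value.lo >= bound:
        return "violated"       # no admissible value passes the guard
    return "undetermined"       # the error band straddles the threshold


def heating_guard(x1, x2, x3, bound=100.0):
    """Guard f(x1, x2, x3) < bound with f = x1 + x2 * x3 on measured intervals
    (f and the bound are constructed for this example)."""
    f = x1 + x2 * x3
    return f, guard_status(f, bound)


if __name__ == "__main__":
    a, b = Interval(1, 2), Interval(3, 4)
    print("a + b - b =", add_then_subtract(a, b), "but a =", a)
    print(heating_guard(Interval(30, 40), Interval(2, 3), Interval(20, 25)))
```

With $a = [1, 2]$ and $b = [3, 4]$, `add_then_subtract` returns $[0, 3]$, a strict superset of $a$: every operation can only widen the interval, which is why a long chain of interval operations degenerates into a useless bound. The three-valued `guard_status` is the practical consequence for a safety-critical controller: a guard whose verdict is "undetermined" under the measurement error must be treated as failed, not as satisfied.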

Polynomial Error Assertion
In this section, we introduce some of the mathematical concepts that have been established and are involved in our method (Definitions 1, 2, and 3). We also introduce the definitions of PEA and the zero set of PEAs (Definitions 4 and 5) that are contributed by this study.

Definition 1.
A real polynomial is an expression comprising finitely many terms, each of which is a real coefficient multiplied by one or more variables raised to nonnegative integer powers. The general form of a polynomial with $m$ terms is given by Formula (11). Let $\mathbb{R}[x_1, \dots, x_n]$ denote the set of all real polynomials in $x_1, \dots, x_n$. An example of a real polynomial follows. Definition 3 (Real zero set of a polynomial group). Let $\varphi$ be a polynomial group comprising $f_1, f_2, \dots, f_n$, expressed as Formula (14). The real zero set of $\varphi$, denoted by $\mathrm{Zero}(\varphi)$, is the set of real points at which every $f_i$ vanishes; it satisfies Formula (15).
The definition of the polynomial error assertion is provided below.
Definition 5 (Real zero set of a PEA, zero set of a PEA). Let $\varphi$ be a PEA. The real zero set of $\varphi$, denoted by $\mathrm{Zero}(\varphi)$, satisfies Formula (18).
By Definition 5, $\mathrm{Zero}(\varphi)$ contains every solution of Formula (19) that some assignment of the error coefficients admits; hence all system states that the error parameters can produce are captured by $\mathrm{Zero}(\varphi)$. In engineering, an observed system state that lies outside $\mathrm{Zero}(\varphi)$ cannot be explained by measurement error alone: some non-error factor is acting on the system, and it is then necessary to check whether the system has suffered a mechanical failure.

Implication Relationships
The implication relationship between assertions is the fundamental rule of reasoning methods based on theorem-proving. Theorems 1 and 2 give the equivalent expression of the implication relationship in terms of polynomials and zero sets, respectively. Theorem 1. $\varphi_1$ implies $\varphi_2$ (denoted $\varphi_1 \models \varphi_2$) iff $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$, where $\varphi_1$ and $\varphi_2$ are the two polynomial assertions.
The significance of $\mathrm{Zero}(\varphi)$ is that it contains all possible system states produced by the error coefficients. Conversely, if the safe state region of the system is defined by $\mathrm{Zero}(\varphi_2)$ and, at some moment, the system state $x = (x_1, x_2, \dots, x_n)$ satisfies $x \notin \mathrm{Zero}(\varphi_2)$, then state $x$ is unsafe for the system. If the safe state region is $\mathrm{Zero}(\varphi_2)$ and $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ holds, then every state in $\mathrm{Zero}(\varphi_1)$ is safe.

Problem Descriptions
Let $\varphi_1$ and $\varphi_2$ be two PEAs; we must determine whether $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ holds. This question has safety significance in safety-critical systems. For example, suppose the safe states of a system are designed as $\mathrm{Zero}(\varphi_2)$ for the given error coefficients, so that the mechanical or electrical capability of the system meets the design requirements and error tolerances. This does not mean that every possible assignment of the error coefficients is covered by the design: under extreme weather conditions, for instance, one of the error coefficients may leave its given range, and it must then be determined whether the system still stays within the design requirements under the new parameter assignment. When $\varphi_1$ and $\varphi_2$ are both nonlinear PEAs, the vertex judgment method (VJM) of [19] is invalid. VJM assumes that $\varphi_1$ and $\varphi_2$ are linear algebraic assertions, and it relies on the convexity of $\mathrm{Zero}(\varphi_2)$. A convex polytope is the convex hull of its finitely many vertices, i.e., every point of it (boundary included) is a convex combination of its vertices. Hence, if all the vertices of $\mathrm{Zero}(\varphi_1)$ lie within the convex set $\mathrm{Zero}(\varphi_2)$ (boundary included), then $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ must hold. Unfortunately, $\mathrm{Zero}(\varphi_2)$ need not be convex when $\varphi_2$ is a nonlinear PEA. For example, for Formula (45) in Section 5, $\mathrm{Zero}(\varphi_2)$ is not convex; it is shown as the red region in Figure 1. Both A and B lie inside $\mathrm{Zero}(\varphi_2)$, yet some points on the line segment AB do not.
Therefore, VJM is invalid for PEAs. Figure 2a shows that the rectangle ABCD is a convex set whose vertices are A, B, C, and D. When A, B, C, and D all lie inside the diamond EFGH, which is convex, every point of the rectangle ABCD lies inside EFGH. However, the closed region bounded by the segments EF, FG, GH, and HE in Figure 2b (abbreviated EFGH) is not convex, just like the red region in Figure 1. Although the vertices A, B, C, and D of the rectangle ABCD all lie inside this non-convex EFGH (boundary included), the red part of the rectangle ABCD remains outside EFGH. The following section introduces a method for deciding the relationship between nonlinear PEAs, together with the mathematical definitions involved.
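To make the failure of VJM on a non-convex zero set concrete, here is an added Python example (not code from [19] or from this paper). The rectangle ABCD, the convex diamond standing in for EFGH of Figure 2a, and the non-convex "notched square" standing in for EFGH of Figure 2b are all constructed; the membership predicates play the role of $\mathrm{Zero}(\varphi_2)$, and the rectangle plays the role of the polytope $\mathrm{Zero}(\varphi_1)$.

```python
from itertools import product


def inside_diamond(p, r=3.0):
    """Convex target region |x| + |y| <= r (stands in for the diamond EFGH of Figure 2a)."""
    x, y = p
    return abs(x) + abs(y) <= r


def inside_notched_square(p, half=2.0, hole=1.0):
    """Non-convex target: the square [-half, half]^2 with the open disk of radius `hole`
    removed from its centre (stands in for the non-convex EFGH of Figure 2b)."""
    x, y = p
    return max(abs(x), abs(y)) <= half and x * x + y * y >= hole * hole


def box_vertices(x0, x1, y0, y1):
    """Vertices A, B, C, D of the axis-aligned rectangle [x0, x1] x [y0, y1]."""
    return [(x0, y0), (x1, y0), (x1, y1), (x0, y1)]


def vertex_judgment(vertices, member):
    """VJM: accept Zero(phi1) ⊆ Zero(phi2) as soon as every vertex of the polytope
    Zero(phi1) is a member of Zero(phi2).  Sound only when Zero(phi2) is convex."""
    return all(member(v) for v in vertices)


def box_points(x0, x1, y0, y1, n):
    """A grid of convex combinations of the vertices, i.e. points of the rectangle."""
    for i, j in product(range(n), repeat=2):
        yield (x0 + (x1 - x0) * i / (n - 1), y0 + (y1 - y0) * j / (n - 1))


def find_escape(box, member, n=41):
    """Grid check: return a point of the rectangle that lies outside the target
    region, or None if the grid finds none (a refutation, never a proof)."""
    for p in box_points(*box, n):
        if not member(p):
            return p
    return None


def vjm_report(box, member):
    """Compare VJM's verdict with the grid check on the same rectangle and target."""
    return {
        "vjm_accepts": vertex_judgment(box_vertices(*box), member),
        "escape_point": find_escape(box, member),
    }


# Rectangle ABCD used in both cases (constructed): corners at (+-1.5, +-0.5).
BOX = (-1.5, 1.5, -0.5, 0.5)

if __name__ == "__main__":
    print("convex target:    ", vjm_report(BOX, inside_diamond))
    print("non-convex target:", vjm_report(BOX, inside_notched_square))
```

Against the convex diamond, VJM accepts and the grid finds no escaping point, as the convex-hull argument guarantees. Against the notched square all four corners are inside (each is at distance about 1.58 from the centre, outside the hole), so VJM accepts again, but the centre (0, 0) of the rectangle lies in the hole: the acceptance is wrong. The grid check can expose such a violation but cannot certify inclusion, which is why the following sections replace VJM by quantifier elimination.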

Two Mathematical Definitions
The constant-coefficient semi-algebraic system (CSS) [22] and first-order polynomial logic formulas [14] are introduced in Definitions 6 and 7, respectively. After Definition 6, the method for transforming a PEA into a CSS is given. Formula (20) represents the general form of a CSS:
A given PEA can be transformed into a CSS; the general conversion is as follows.
A PEA comprises several error polynomials. Let $f(x_1, \dots, x_n)$ be an error polynomial in the general form of Formula (17). Each interval coefficient $[c^-, c^+]$ is replaced by a new variable $c$ subject to the inequalities $c^- \le c \le c^+$ (the rewriting noted in the Introduction), which gives the equivalent CSS of Formula (21). Thus, a PEA can be transformed into an equivalent CSS.
For example, Formula (22) is a first-order polynomial logic formula. Accordingly, a CSS can be equivalently transformed into a first-order polynomial logic formula, as shown in Formula (23):

Quantifier Elimination
This section briefly introduces the quantifier elimination method based on cylindrical algebraic decomposition (CAD). Tarski showed that first-order formulas over the reals admit quantifier elimination, which allows inclusion relationships between specific sets to be decided by first-order reasoning; however, Tarski's algorithm has an impractically high time complexity for quantifier elimination [23]. The CAD algorithm was first proposed by Collins [24] and has since been improved by many researchers; it is now widely used for quantifier elimination. Xia et al. first implemented the CAD algorithm in Maple [25]. The CAD algorithm equivalently converts a first-order polynomial logic formula with quantifiers into a formula without quantifiers. It first selects an appropriate projection operator (Proj), which maps the polynomials of a formula in $r$ variables to polynomials in $r - 1$ variables, and applies Proj iteratively to obtain polynomial sets in $r - 1, r - 2, \dots, 1$ variables. Real root isolation is then applied to these polynomials, from the univariate level upwards, so that $\mathbb{R}^r$ is decomposed into finitely many cells on each of which every polynomial of the formula has a constant sign. Hence an arbitrary sample point of each cell suffices to evaluate the formula on the whole cell, which yields an equivalent quantifier-free formula. The quantifier elimination method has been applied in many contexts [26][27][28], and some progress has been made on lower-complexity quantifier elimination in symbolic computation [29]. The number of cells, and hence the running time, grows doubly exponentially with the number of variables, which is the practical limit of the method. In this study, $\mathrm{QE}(\cdot)$ denotes the quantifier elimination method.
For example, let $f$ be the first-order polynomial logic formula of Formula (24). After eliminating its quantifiers (denoted $\mathrm{QE}(f)$), the equivalent quantifier-free formula is Formula (25):

Reasoning Method between PEAs
This section introduces the results proposed in this study (Lemma 1, Theorem 3, and Definitions 8 and 9) and the steps of the reasoning method between PEAs.
The symbols used in Theorem 3 and in the reasoning method of this article are given in Definitions 8 and 9.

Definition 8.
Let $\bar{\varphi}$ be the CSS equivalent to $\varphi$, where $\varphi$ is a PEA.
Definition 9. $\varphi_s$ is the real polynomial equation system obtained from $\varphi$ by replacing every error coefficient with a symbol.
Based on Theorem 3, we obtain the reasoning method for PEAs. Steps 1 to 4 determine whether $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ is true. The symbols used in the steps are as follows: $\varphi_1$ and $\varphi_2$ are two PEAs, each with its own set of error coefficients. The steps to verify whether $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ holds are as follows (Steps 1 to 4):
A simple example is presented below to introduce the reasoning method between PEAs.

Simple Example
$\varphi_1$ and $\varphi_2$ are the two PEAs of Formula (39). We must judge whether $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ holds. Following the steps described in Section 4.3, the specific steps for the example are as follows:
3. Calling the quantifier elimination algorithm yields Formula (42). Finally, $[1, 4] \subseteq \{a \mid a \le 5\}$, i.e., $1 \le a \le 4 \Rightarrow a \le 5$, is found to be true. Therefore, $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ holds.
Does $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ hold? We can superimpose Figures 3 and 4 to observe this; Figure 5 is the result. As shown in Figure 5, the red region ($\mathrm{Zero}(\varphi_1)$) lies entirely inside $\mathrm{Zero}(\varphi_2)$. We are also interested in the boundary situation $a = 5$ (the variable $a$ comes from Formula (40)). According to the result of the Maple code in Section 4.4, $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ holds whenever $a \le 5$. Figure 6 shows the situation when $a = 5$.
In Figure 6, $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ only just holds at the boundary condition $a = 5$. This shows that, in this case, the condition $a \le 5$ obtained by our method is complete: the bound is tight, not merely sufficient.

Interception Verification
This section provides an industrial example of the reasoning method between PEAs, together with the Maple code.
A self-powered flying target descends from a height of 10 km. Assuming that the expected landing point is the origin of the coordinates, the flight path of the target always lies in a plane. The target starts to land at a horizontal distance ($s$) of 80 km from the origin and a height ($h$) of 10 km in the vertical direction. After radar monitoring and system simulation, the landing trajectory of the target conforms to a PEA, $\varphi_1$, represented by Formula (43). From Formula (43), $\mathrm{Zero}(\varphi_1)$ is obtained as shown in Formula (44). It is necessary to attempt to intercept the target 45 km from the origin in the horizontal direction. This distance ensures safety: an interception too close to the ground or to the origin may be meaningless even if it succeeds, and if the target is a missile with a lethal payload, a sufficient safe distance is necessary. Therefore, a group of interceptors is launched from the ground, designed to satisfy $\varphi_2$ (a PEA of degree three), as shown in Formula (45). From Formula (45), $\mathrm{Zero}(\varphi_2)$ is obtained as Formula (46). We must then determine whether the target can be intercepted under sufficiently dense launching of interceptors: when the set of interceptor trajectories includes every possible trajectory of the target, the target can be intercepted.
The specific steps and their results are provided below, according to the method discussed in Section 4.3.
In Formula (48), the universal quantifier $\forall$ ranges over $x$ and $y$, and the existential quantifier $\exists$ over $b$. We then call the quantifier elimination algorithm to obtain Formula (49):

Simulation and Testing
The interval number in $\varphi_2$ is $b = [0.95, 1.05]$. $n$ numbers are selected at random from $[0.95, 1.05]$ to form $n$ test cases ($\mathrm{case}_1, \mathrm{case}_2, \dots, \mathrm{case}_n$); substituting these random parameters into Formula (45) yields $n$ polynomial equation systems, whose curves are drawn in red in Figures 7 and 8. The procedure is repeated for $\varphi_1$: $n$ numbers are selected at random from $a = [0.99, 1.01]$, substituted into Formula (43), and the resulting $n$ curves are drawn in black in Figures 7 and 8. Figure 7 shows that, for $45 \le x \le 80$, the black region ($\mathrm{Zero}(\varphi_1)$) lies inside the red region ($\mathrm{Zero}(\varphi_2)$). Hence these interceptors can hit the target between 45 km and 80 km from the origin in the horizontal direction, provided that interceptors satisfying $\varphi_2$ are launched densely enough.
Furthermore, from the Maple result of Step 4 in Section 5.1, $\mathrm{Zero}(\varphi_1) \subseteq \mathrm{Zero}(\varphi_2)$ holds whenever $0.9883 \le a \le 1.0112$. The black part of Figure 8 shows $\mathrm{Zero}(\varphi_1)$ for $a = [0.999, 1.001]$, and Figure 9 shows the situation for $0.9883 \le a \le 1.0112$. In Figure 9, within 45 to 80 km in the horizontal direction, the black region just reaches the edge of the red region. This suggests that the condition $0.9883 \le a \le 1.0112$ obtained by our method is also complete, i.e., tight, as in the example of Section 4.4.
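The following added Python example (not the paper's Maple code) runs the reasoning steps of Section 4.3 and the random-case check of this section end to end on a pair of PEAs constructed for the purpose; the paper's Formulas (43) to (49) are not reproduced on this page, so the trajectory polynomials $p$, $r$, the perturbation size and the resulting bound on $a$ are assumptions, while the interception window 45 to 80 km and the intervals $a = [0.99, 1.01]$, $b = [0.95, 1.05]$ are taken from the text. Both constructed assertions are linear in their error coefficient, which is what lets the $\exists b$ and $\forall x$ quantifiers be eliminated exactly by elementary means here; for general PEAs this is the step the CAD-based $\mathrm{QE}$ of Section 4.2 performs, and that general algorithm is not implemented below.

```python
import random

# Constructed setting.  Coordinates: x = horizontal distance from the expected landing
# point (km), y = height (km); the target is released at (80, 10).
X_WINDOW = (45.0, 80.0)     # interception window from the text
A_RANGE = (0.99, 1.01)      # error coefficient a of phi1 (interval from the text)
B_RANGE = (0.95, 1.05)      # error coefficient b of phi2 (interval from the text)
EPS = 0.1                   # size of the constructed perturbation in phi1


def p(x):
    """Shape polynomial shared by both assertions (constructed); p(80) = 10."""
    return x * x / 640.0


def r(x):
    """Perturbation polynomial of phi1 (constructed); it vanishes at x = 80."""
    return (x - 80.0) * x / 3200.0


def f1(x, y, a):
    """phi1: y - a*p(x) - EPS*r(x) = 0, the target trajectory with error coefficient a."""
    return y - a * p(x) - EPS * r(x)


def f2(x, y, b):
    """phi2: y - b*p(x) = 0, the interceptor family with error coefficient b."""
    return y - b * p(x)


def in_zero_phi2(x, y):
    """Decide  exists b in B_RANGE : f2(x, y, b) = 0.
    f2 is linear in b with coefficient -p(x) != 0 on the window, so the existential
    quantifier is eliminated exactly by solving for b and testing the interval bounds."""
    b = y / p(x)
    return B_RANGE[0] <= b <= B_RANGE[1]


def rho(x):
    return r(x) / p(x)


def admissible_a(n=3501):
    """Eliminate  forall x in X_WINDOW  with a kept symbolic (Definition 9).
    A point of Zero(phi1_s) at abscissa x has y/p(x) = a + EPS*rho(x), so the
    condition is  B.lo <= a + EPS*rho(x) <= B.hi  for every x: an interval in a
    for each x, and the universal quantifier becomes the intersection of those
    intervals.  rho is monotone on the window, so a grid containing both endpoints
    gives the exact bounds.  Returns the quantifier-free constraint (lo, hi) on a."""
    x0, x1 = X_WINDOW
    xs = [x0 + (x1 - x0) * i / (n - 1) for i in range(n)]
    lo = max(B_RANGE[0] - EPS * rho(x) for x in xs)
    hi = min(B_RANGE[1] - EPS * rho(x) for x in xs)
    return lo, hi


def inclusion_holds(a_range=A_RANGE):
    """Final step: Zero(phi1) ⊆ Zero(phi2) iff the given interval of a lies inside
    the quantifier-free constraint on a."""
    lo, hi = admissible_a()
    return lo <= a_range[0] and a_range[1] <= hi


def random_cases(n=2000, a_range=A_RANGE, seed=1):
    """Random-case check in the style of Section 5.2: sample a and x, build the point
    of Zero(phi1) and test its membership in Zero(phi2).  Returns (x, y, a) of the
    first counterexample found, or None."""
    rng = random.Random(seed)
    x0, x1 = X_WINDOW
    for _ in range(n):
        a = rng.uniform(*a_range)
        x = rng.uniform(x0, x1)
        y = a * p(x) + EPS * r(x)          # solves f1(x, y, a) = 0 for y
        if not in_zero_phi2(x, y):
            return (x, y, a)
    return None


if __name__ == "__main__":
    print("quantifier-free constraint on a:", admissible_a())
    print("A_RANGE inside it:", inclusion_holds(), "counterexample:", random_cases())
    wider = (0.95, 1.01)
    print("wider a:", inclusion_holds(wider), "counterexample:", random_cases(a_range=wider))
```

For the constructed pair, `admissible_a` returns approximately $0.9656 \le a \le 1.05$; the text's interval $[0.99, 1.01]$ lies inside it, so the inclusion holds, and two thousand random cases find no violation. Widening the error interval of $a$ to $[0.95, 1.01]$, as the Problem Descriptions section envisages for an error coefficient that leaves its design range, makes the symbolic check fail and the random check produce a concrete trajectory point no interceptor reaches. The random cases can only refute; the quantifier-free constraint is what establishes the inclusion, and its endpoints show how much of the design margin is actually consumed.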

Comparison
Most reasoning methods based on theorem-proving do not contain error semantics. For polynomial systems with error coefficients, reasoning methods with error semantics have advantages over most methods without them. The method of [19] is valuable for linear error assertions but is invalid for nonlinear PEAs. The method of [14] is effective for polynomial systems with a single error variable; however, there are few reports on reasoning methods for PEAs with multiple error variables. Some scholars have instead studied fuzzy reasoning to deal with errors [30]. Such methods provide a fuzzy degree of correctness or a similar conclusion, which differs from the reasoning method proposed in this article: our method gives a deterministic answer (without a fuzzy degree) as to whether the conclusion is correct or incorrect.

Conclusions
This study proposes a reasoning method between PEAs, together with the two theorems involved and their proofs. For nonlinear assertions that are not polynomial, Taylor expansion can be used to approximate them by polynomials. Our reasoning method relies on the quantifier elimination algorithm based on cylindrical algebraic decomposition from symbolic computation, whose time complexity increases sharply (doubly exponentially) with the number of variables. Nevertheless, it provides a reliable and exact answer, without a fuzzy degree, for reasoning between PEAs, which is necessary in safety-critical systems. Approximating the reasoning problem for error polynomials with many variables by combining numerical calculation methods is the direction of our future work.