Apoth3osis
Home/Paper → Proof → Code/SafEDMD Koopman
>_SAFEDMD_KOOPMAN

Verified Data-Driven Controller Synthesis

Machine-checked Lean 4 formalization extending Strässer, Berberich & Allgöwer (arXiv 2402.03145) with nucleus-bottleneck Koopman autoencoder error bounds, Heyting algebra structure, and SDP Lyapunov controller synthesis.

VERIFIEDLean 4 + MathlibPLATINUM TIERGitHub
10
Modules
21
Theorems
0
Sorry Count
1092
Lines
4
Corrections
>_VERIFICATION.SEAL
FORMALLY VERIFIED • LEAN 4 • MACHINE-CHECKED • APOTH3OSIS¬QED21 theorems • 0 sorry10 modules0 SORRY

Formal Verification Certificate

Every theorem in this project has been machine-checked by the Lean 4 kernel. No axiom is assumed without proof. No gap exists in the verification chain.

21 THEOREMS VERIFIED10 MODULES1,092 LINES0 SORRY

SafEDMD Koopman • Lean 4 + Mathlib • Apoth3osis Labs

>PAPER_PROOF_CORRESPONDENCE
Paper SectionStatusLean Module
2.1 Koopman Operator TheoryPROVEDKoopmanAlgebra
2.2 EDMD DictionaryPROVEDNucleusReLU, NucleusThreshold
3.1 SafEDMD Error Bounds (Thm 3.1)EXTENDEDSafEDMD
3.2 Active Dictionary RestrictionPROVEDSafEDMD (projectedGramDiag_le)
4 Controller Synthesis (LMI)SIMPLIFIEDStableGenerator
— Heyting Lattice StructureORIGINALHeytingOps, ParametricHeyting
— Semantic ClosureORIGINALSemanticClosure/MR/*
>KEY_MATHEMATICS

SafEDMD Energy Bound

i=1nR(v)i2i=1nvi2\sum_{i=1}^n R(v)_i^2 \leq \sum_{i=1}^n v_i^2

The ReLU nucleus cannot increase the finite-dimensional energy. This is the key algebraic ingredient for SafEDMD error envelopes.

Heyting Adjunction

(acb)    (caHb)(a \sqcap c \leq b) \iff (c \leq a \Rightarrow_H b)

The defining law of Heyting algebras. Proved for both fixed bounds [0, top]ⁿ and learned parametric bounds [lo, hi]ⁿ.

Gram Diagonal Bound

GjR=s=1mR(xs)j2s=1m(xs)j2=GjG^R_j = \sum_{s=1}^m R(x_s)_j^2 \leq \sum_{s=1}^m (x_s)_j^2 = G_j

Projected Gram diagonal entries are bounded by unprojected ones. Critical for SafEDMD active dictionary restriction.

Non-Boolean Witness

i,  loi<ai<hii    ¬¬aa\exists i,\; lo_i < a_i < hi_i \implies \neg\neg a \neq a

Double negation does not recover the original for interior points. This witnesses that the latent lattice is genuinely Heyting, not Boolean.

>CORRECTIONS_AND_EXTENSIONS

Our formalization is SafEDMD-inspired, not a direct transcription. Key differences:

Bound formula

PAPER:

Scalar proportional bound (Theorem 3.1): ‖error‖ ≤ c̃ₓ ‖Φ(x) − Φ(0)‖ + c̃ᵤ ‖u‖

OURS:

Residual-covariance PSD envelope E = (G + λI)⁻¹ R (G + λI)⁻¹ — SafEDMD-inspired but not direct transcription

LMI controller synthesis

PAPER:

6×6 block LMI for bilinear control-affine systems (equation 17)

OURS:

Simplified 2×2 Schur complement for autonomous systems

Active dictionary restriction

PAPER:

Not discussed in the paper

OURS:

Original contribution — masking out latent dimensions killed by the ReLU nucleus for honest NBA-vs-baseline comparisons

Heyting algebra structure

PAPER:

No lattice-theoretic content in the paper

OURS:

Entirely original Apoth3osis work — bounded Heyting operations with adjunction proofs

>DEPENDENCY_GRAPH
Layer 1 (Mathlib):     Mathlib.Order.Nucleus    Mathlib.Data.Real.Basic
                             │                          │
Layer 2 (Nucleus):     NucleusReLU              NucleusThreshold
                             │                          │
Layer 3 (Lattice):     HeytingOps               ParametricHeyting
                             │
Layer 4 (Closure):     SC.Basic  →  SC.ClosureOp  →  SC.InverseEval
                             │
Layer 5 (SafEDMD):     SafEDMD (imports NucleusReLU)
                             │
Layer 6 (Dynamics):    StableGenerator           KoopmanAlgebra
>PROOF_BLUEPRINT

10 modules · 21 theorems · 12 definitions · 1092 lines · 0 sorry

>VERIFIED_C_ARTIFACTS

10 C files transpiled from Lean 4 via LambdaIR → MiniC → C. Each file carries provenance headers and theorem-preservation comments. Compile-verified with gcc -std=c11 -Wall -Wextra -Werror.

DOWNLOAD VERIFIED-C.TAR.GZ
>SAFE_RUST_ARTIFACTS

Rust crate verified-koopman-proofs with 8 modules and 17 tests. All tests pass, zero warnings. Memory-safe by construction.

DOWNLOAD SAFE-RUST.TAR.GZ
>PROVENANCE_CHAIN
Paper (arXiv 2402.03145)Lean 4 ProofsVerified CSafe Rust
>RELATED

Nucleus Bottleneck Autoencoder

The foundational NBA research project.

verified-koopman on GitHub

Full source: Lean proofs + Python package.

Strässer et al. on arXiv

The original SafEDMD paper.