reserve A for preIfWhileAlgebra,
  C,I,J for Element of A;
reserve S for non empty set,
  T for Subset of S,
  s for Element of S;
reserve f for ExecutionFunction of A,S,T;

theorem
  for P being set for C,I being Element of A
  st C is_terminating_wrt f,P & I is_terminating_wrt f,P &
  P is_invariant_wrt C,f & P is_invariant_wrt I,f &
  f iteration_terminates_for I\;C, f.(s,C) & s in P holds [s, while(C,I)] in
  TerminatingPrograms(A, S, T, f)
proof
  let P be set;
  let C,I be Element of A such that
A1: C is_terminating_wrt f,P and
A2: I is_terminating_wrt f,P and
A3: P is_invariant_wrt C,f and
A4: P is_invariant_wrt I,f;
  given r being non empty FinSequence of S such that
A5: r.1 = f.(s,C) and
A6: r.len r nin T and
A7: for i being Nat st 1 <= i & i < len r
  holds r.i in T & r.(i+1) = f.(r.i, I\;C);
  assume
A8: s in P;
  defpred P[Nat] means $1 < len r implies r.($1+1) in P;
A9: P[0] by A3,A5,A8;
A10: for i being Nat st P[i] holds P[i+1]
  proof
    let i be Nat such that
A11: P[i] and
A12: i+1 < len r;
A13: i+1 >= 1 by NAT_1:11;
    then
A14: r.(i+1) in T by A7,A12;
A15: r.(i+1+1) = f.(r.(i+1), I\;C) by A7,A12,A13;
    reconsider s = r.(i+1) as Element of S by A14;
    f.(s,I) in P by A4,A11,A12,NAT_1:13;
    then f.(f.(s,I),C) in P by A3;
    hence r.(i+1+1) in P by A15,Def29;
  end;
A16: for i being Nat holds P[i] from NAT_1:sch 2(A9,A10);
A17: now
    let i be Nat;
    assume that
A18: 1 <= i and
A19: i < len r;
    thus r.i in T by A7,A18,A19;
    then reconsider s = r.i as Element of S;
A20: i-'1 <= i by NAT_D:35;
A21: i = (i-'1)+1 by A18,XREAL_1:235;
    i-'1 < len r by A19,A20,XXREAL_0:2;
    then
A22: s in P by A16,A21;
    then
A23: [s, I] in TerminatingPrograms(A,S,T,f) by A2;
    f.(s, I) in P by A4,A22;
    then [f.(s, I), C] in TerminatingPrograms(A,S,T,f) by A1;
    hence [r.i, I\;C] in TerminatingPrograms(A,S,T,f) &
    r.(i+1) = f.(r.i, I\;C) by A7,A18,A19,A23,Def35;
  end;
  [s,C] in TerminatingPrograms(A,S,T,f) by A1,A8;
  hence thesis by A5,A6,A17,Def35;
end;
