-- Module INV: candidate invariants for the system specified in module SCP.
-- These are *candidates* until the accompanying proof scores show that
-- (1) the initial state satisfies each of them and (2) every transition
-- preserves them (see module ISTEP below); nothing in this module alone
-- establishes either obligation.
-- NOTE(review): bit1, bit2, next, mk, pac, list, cell1, cell2, get, fst,
-- snd and empty are not declared here and are presumably exported by SCP;
-- confirm their sorts there, and that the juxtaposition in
-- `pac(next(S)) list(S)` is SCP's list constructor.
mod INV {
  pr(SCP)

  -- arbitrary values
  -- s stands for an arbitrary state; it is shared with ISTEP, which uses
  -- it as the pre-state of the inductive step.
  op s : -> Sys

  -- names of invariants
  -- Each invK is a predicate on states; "invK holds" means invK(x) = true.
  op inv1 : Sys -> Bool
  op inv2 : Sys -> Bool
  op inv3 : Sys -> Bool
  op inv4 : Sys -> Bool
  op inv5 : Sys -> Bool

  -- CafeOBJ variables
  var S : Sys

  -- invariants
  -- NOTE(review): inv2..inv5 are written as `A and B implies C` without
  -- parentheses and therefore rely on CafeOBJ's built-in BOOL precedence
  -- (`_implies_` binding more loosely than `_and_` / `_or_`) to read as
  -- `(A and B) implies C`. inv1 parenthesizes explicitly. A wrong parse here
  -- would make the proof score verify a different property than intended,
  -- so confirm the parse (e.g. with `parse`) before relying on these lemmas.

  -- inv1: when the two bits agree, mk(next(S)) is pac(next(S)) joined with
  -- list(S); when they differ, mk(next(S)) is list(S) itself.
  eq inv1(S) = (bit1(S) = bit2(S) implies mk(next(S)) = pac(next(S)) list(S))
               and (not(bit1(S) = bit2(S)) implies mk(next(S)) = list(S)) .

  -- inv2: a non-empty cell2 holds a value equal to bit1(S) or to bit2(S).
  eq inv2(S) = not(cell2(S) = empty)
               implies (bit1(S) = get(cell2(S)) or bit2(S) = get(cell2(S))) .

  -- inv3: if cell1 is non-empty and bit2(S) matches the first component of
  -- its content, then pac(next(S)) equals the second component.
  eq inv3(S) = not(cell1(S) = empty) and bit2(S) = fst(get(cell1(S)))
               implies pac(next(S)) = snd(get(cell1(S))) .

  -- inv4: under the same hypothesis as inv3, bit1(S) also matches that
  -- first component.
  eq inv4(S) = not(cell1(S) = empty) and bit2(S) = fst(get(cell1(S)))
               implies bit1(S) = fst(get(cell1(S))) .

  -- inv5: if both cells are non-empty, then either bit1(S) matches the
  -- content of cell2, or bit2(S) differs from the first component of the
  -- content of cell1.
  eq inv5(S) = not(cell1(S) = empty) and not(cell2(S) = empty)
               implies (bit1(S) = get(cell2(S))
                        or not(bit2(S) = fst(get(cell1(S))))) .
}

-- Module ISTEP: inductive-step obligations, one per invariant.
-- istepK states "if invK holds in s, it holds in s'".
-- NOTE(review): s' is declared as an arbitrary state and this module adds
-- no equation relating s' to s. Reducing istepK here proves nothing; each
-- proof score is expected to constrain s' to the result of one transition
-- applied to s and to add the case-splitting equations it needs. Also, each
-- istepK uses only invK(s) as hypothesis; if the step for one invariant
-- depends on another (e.g. inv2..inv5 supporting inv1), that lemma has to
-- be supplied in the reduce command — confirm against the proof scores.
mod ISTEP {
  pr(INV)

  -- arbitrary values
  -- s' is intended as the post-state; see the note above.
  op s' : -> Sys

  -- names of formulas to prove
  op istep1 : -> Bool
  op istep2 : -> Bool
  op istep3 : -> Bool
  op istep4 : -> Bool
  op istep5 : -> Bool

  -- formulas to prove
  eq istep1 = inv1(s) implies inv1(s') .
  eq istep2 = inv2(s) implies inv2(s') .
  eq istep3 = inv3(s) implies inv3(s') .
  eq istep4 = inv4(s) implies inv4(s') .
  eq istep5 = inv5(s) implies inv5(s') .
}