--- the main property
--- the property says that whenever the railcab is at the noReturn location,
--- the gate must be closed
--- proof rules used below (CITP): SI = simultaneous induction,
--- CA = case analysis, IP = implication (moves the condition of the
--- goal into the hypotheses), RD = reduction; init instantiates a lemma
--- that is assumed to have been proved separately
(goal RAILCAB-NEW |- ceq gate(S:Sys) = true if loc(S:Sys) = noReturn ;)
(set ind on S:Sys .)
(apply SI .)
--- 18 subgoals generated
(auto .)
(apply CA CA IP RD .)
--- apply 14 times
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- use lemma 1 to prove the case 1-1-7-1
--- lemma 1: the gate is closed whenever the application result is grant
(init ceq gate(S:Sys) = true if appResult(S:Sys) = grant . by S:Sys <- x#1 ; .)
(auto .)
(apply CA CA IP RD .)
--- use lemma 2 to prove the case 1-1-8-1
--- lemma 2: the controller location s4 and the railcab location noReturn
--- never hold at the same time, so this case is unreachable
(init ceq true = false if conLoc(S:Sys) = s4 /\ loc(S:Sys) = noReturn . by S:Sys <- x#1 ; .)
(auto .)
(apply CA CA IP RD .)
--- the end of proof