--- lemma 1: in module RAILCAB-NEW, the gate is open whenever the approval
--- result is grant.  Stated as a conditional equation so CITP can prove it
--- by structural induction on the system state S:Sys.
--- NOTE(review): the proof below instantiates lemma-3 and lemma-4 with
--- `init`; it is only as sound as those two lemmas, which must be proved
--- separately (this script does not prove them).
(goal RAILCAB-NEW |- ceq gate(S:Sys) = true if appResult(S:Sys) = grant ;)
--- proof of lemma 1 needs lemma-3 and lemma-4
--- Induct on S:Sys (SI), then let auto discharge what it can; each
--- `apply CA CA IP RD` then handles one remaining subgoal by case
--- analysis, implication, and reduction -- presumably one per generated
--- induction/case subgoal, so the count must match what `auto` leaves open.
(set ind on S:Sys .)
(apply SI .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- lemma-3 (instantiated, not proved here): if a gateMsg(grant) is the
--- last message on channel2, the gate is open.  Substitutes the induction
--- constant x#1 for S and the fresh queue constant Q#3 for Q -- these
--- names come from the preceding `set ind`/`apply SI` step, so the
--- substitution breaks if that step changes.
(init ceq gate(S:Sys) = true if channel2(S:Sys) = Q:MsgSeq gateMsg(grant) . by (S:Sys <- x#1 ;) (Q:MsgSeq <- Q#3 ;) .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- lemma-4 (instantiated, not proved here): the controller can never be
--- in location s4 while the approval result is grant.  Stated as
--- `true = false if ...` so that the contradictory case is closed outright
--- rather than having to show gate = true there.  Same x#1 dependency as
--- lemma-3 above.
(init ceq true = false if conLoc(S:Sys) = s4 /\ appResult(S:Sys) = grant . by S:Sys <- x#1 ; .)
(auto .)
(apply CA CA IP RD .)
--- end of proof of lemma 1