--- lemma 2
--- Purpose: establish that the configuration conLoc(S) = s4 together with loc(S) = noReturn
--- is unreachable in RAILCAB-NEW (the goal derives the absurdity true = false from the
--- conjunction of both conditions, i.e. it is a safety invariant of the system).
(goal RAILCAB-NEW |- ceq true = false if conLoc(S:Sys) = s4 /\ loc(S:Sys) = noReturn ;)
--- Induct on the system variable and split the goal by structural induction.
(set ind on S:Sys .)
(apply SI .)
(auto .)
--- proof of lemma 2 needs lemma 5 and 6
--- NOTE(review): the helper lemmas instantiated further down are labelled lemma-5 and
--- lemma-4, not 5 and 6 -- confirm which numbering is intended.
--- Each of the thirteen (apply CA CA IP RD .) steps below discharges one remaining
--- subgoal; the abbreviations are ITP tactic names (presumably case analysis,
--- implication and reduction -- TODO confirm against the ITP command table).
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- lemma-5
--- Instantiate the auxiliary fact "channel1 is empty whenever loc = noReturn" at the
--- induction witness x#1 (presumably a previously proved lemma; the init command is
--- what introduces it here -- confirm that it is proved elsewhere).
(init ceq channel1(S:Sys) = empty if loc(S:Sys) = noReturn . by (S:Sys <- x#1 ;) .)
--- Critical pair between the hypothesis channel1(x#1) = Q#2 passed and the instantiated
--- lemma; the result is added under the label added-1 and then registered as an equation.
(cp eq channel1(x#1) = Q#2 passed . >< ceq channel1(x#1) = empty if loc(x#1)= noReturn [label added-1].)
(equation .)
--- "empty" cannot equal a non-empty sequence Q passed: instantiate that contradiction at Q#2.
(init ceq true = false if empty = Q:MsgSeq passed . by Q:MsgSeq <- Q#2 ; .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- lemma-4
--- Instantiate the auxiliary fact that conLoc = s4 together with appResult = grant is
--- unreachable, again at the witness x#1.
--- NOTE(review): this lemma is stated as "false = true" whereas lemma 2 and lemma-5 use
--- "true = false"; the orientation is presumably irrelevant to ITP but worth confirming.
(init ceq false = true if conLoc(S:Sys) = s4 /\ appResult(S:Sys) = grant . by S:Sys <- x#1 ; .)
(auto .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- end of proof of lemma 2