--- lemma-4
-- Proof script for lemma-4 (CITP / proof-score style).  The goal states that the
-- conditions conLoc(S) = s4 and appResult(S) = grant are jointly unsatisfiable,
-- i.e. the invariant  not (conLoc(S) = s4 and appResult(S) = grant)  holds in
-- every reachable state of RAILCAB-NEW.
-- NOTE(review): this script *uses* lemma-6 and lemma-7 (and an "a non-empty
-- message sequence is not empty" fact) by introducing their instances with
-- `init`; it does not prove them.  lemma-4 is only sound once those are
-- discharged elsewhere, and none of them may in turn depend on lemma-4.
(goal RAILCAB-NEW |- ceq true = false if conLoc(S:Sys) = s4 /\ appResult(S:Sys) = grant ;)
-- Induction on the system state S:Sys.
(set ind on S:Sys .)
(apply SI .)
-- Close every subgoal the default tactic sequence can handle; the rest is
-- worked by hand below.
(auto .)
-- One CA CA IP RD application per remaining open subgoal (eight here).  The
-- count tracks the number of subgoals left open after `auto`, so if the
-- model's transition rules change, re-check this count rather than the tactic.
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- lemma-6 is needed here
-- lemma-6 (assumed): channel2 is empty whenever conLoc = s4.  Instantiated at
-- the fresh constant x#1 introduced by the induction.
(init ceq channel2(S:Sys) = empty if conLoc(S:Sys) = s4 . by (S:Sys <- x#1 ;) .)
-- Critical pair between the case hypothesis  channel2(x#1) = Q#3 gateMsg(z#2)
-- and the lemma-6 instance; `equation` adds the resulting pair
-- (Q#3 gateMsg(z#2) vs empty) to the current goal as an equation.
(cp eq channel2(x#1) = Q#3 gateMsg(z#2) . >< ceq channel2(x#1) = empty if conLoc(x#1)= s4 [label added-1]. )
(equation .)
-- A non-empty sequence ending in gateMsg(grant) is not `empty`; instantiated
-- at Q#3 so it fires on the equation just added.  Presumably a proved property
-- of the message-sequence module -- confirm.
(init ceq true = false if empty = Q:MsgSeq gateMsg(grant) . by Q:MsgSeq <- Q#3 ; .)
(auto .)
-- Five subgoals remain open after the lemma-6 instance; see the count caveat above.
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- lemma-7 is needed here
-- lemma-7 (assumed): channel1 is empty whenever conLoc = s1 and appResult = grant.
(init ceq channel1(S:Sys) = empty if conLoc(S:Sys) = s1 /\ appResult(S:Sys) = grant . by (S:Sys <- x#1 ;) .)
-- Same pattern as for lemma-6: critical pair with the case hypothesis
-- channel1(x#1) = Q#2 passed, then the non-emptiness fact instantiated at Q#2.
(cp eq channel1(x#1) = Q#2 passed . >< ceq channel1(x#1) = empty if conLoc(x#1)= s1 /\ appResult(x#1)= grant [label added-1]. )
(equation .)
(init ceq true = false if empty = Q:MsgSeq passed . by Q:MsgSeq <- Q#2 ; .)
(auto .)
-- Four subgoals remain open after the lemma-7 instance.
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
(apply CA CA IP RD .)
--- end of proof of lemma-4