# A Thesis Submitted for the Degree of PhD at the University of Warwick

**Permanent WRAP URL:** http://wrap.warwick.ac.uk/110541/

## A Formal Theory of Railway Track Networks in Higher-order Logic and its Applications in Interlocking Design

Wai Wong B.Sc. M.Sc.

A dissertation submitted for the degree of Doctor of Philosophy in Engineering to the University of Warwick

Department of Engineering, University of Warwick, Coventry, England

February 1992

Shu Fong and Anton

# Contents

- Acknowledgement
- Declaration
- Summary
- Part I Preliminary
  - 1 Introduction
    - 1.1 Safety-critical systems
    - 1.2 Formal methods
    - 1.3 An overview of the research
  - 2 The HOL Logic and the HOL system
    - 2.1 ML — The meta-language
    - 2.2 Overview of the HOL Logic
      - 2.2.1 HOL types
      - 2.2.2 HOL terms
      - 2.2.3 Theories
      - 2.2.4 Theorems
    - 2.3 Theorem proving in HOL
      - 2.3.1 Forward proof
      - 2.3.2 Goal directed proof
  - 3 Principles of Railway Signalling
    - 3.1 Railway track and signalling equipment
      - 3.1.1 Track components
      - 3.1.2 Signals
    - 3.2 Signalling principles
    - 3.3 Solid-state interlocking
      - 3.3.1 Features of the SSI
      - 3.3.2 The design procedures
      - 3.3.3 The benefit and the future
- Part II Theories
  - 4 The mathematical foundation
    - 4.1 The theory graph
      - 4.1.1 The representation of graphs
      - 4.1.2 Some basic definitions of graph
      - 4.1.3 Relationship between vertices and edges
      - 4.1.4 Operations on graphs
      - 4.1.5 Subgraphs and graph isomorphism
    - 4.2 The theory path
      - 4.2.1 Walks in a graph
      - 4.2.2 Some operations and facts on sequences of edges
      - 4.2.3 Trails and paths
      - 4.2.4 Some properties of paths
  - 5 Modelling of Railway Components
    - 5.1 The theory TRACK
      - 5.1.1 Joins
      - 5.1.2 Track circuits
      - 5.1.3 Points
    - 5.2 The theory SIGNAL
      - 5.2.1 Simple signals
      - 5.2.2 Compound signals
    - 5.3 The theory PART
      - 5.3.1 Parts
      - 5.3.2 Edge labels
  - 6 The network model
    - 6.1 Specification of railway track networks
    - 6.2 Examples of networks
    - 6.3 Induct
    - 6.4 Some properties of networks
- Part III Applications
  - 7 Verification of track layout
    - 7.1 Layout compiler
    - 7.2 The network verifier
    - 7.3 Formal specification of track layout
      - 7.3.1 Syntax
      - 7.3.2 Semantics
    - 7.4 The implementation of the verifier
      - 7.4.1 The parser
      - 7.4.2 The prover
  - 8 Generation of control tables
    - 8.1 Definition of routes
    - 8.2 Finding routes
    - 8.3 Automatic control table generation
  - 9 Interlockings and state machines
    - 9.1 States of a network
    - 9.2 Proving routes
    - 9.3 Interlockings
      - 9.3.1 State machine theories
      - 9.3.2 Interlocking as state machine
  - 10 Conclusions and future research
    - 10.1 A generic abstract model
    - 10.2 Applications of the model
    - 10.3 The HOL system
    - 10.4 Methodology issues
- A HOL theories
  - A.1 The theory func
  - A.2 The theory graph
  - A.3 The theory elist
  - A.4 The theory path
  - A.5 The theory SIGNAL
  - A.6 The theory TRACK
  - A.7 The theory PART
  - A.8 The theory NETWORK
- B ML source listings
  - B.1 The file mk_func.ml
  - B.2 The file mk_graph.ml
  - B.3 The file mk_subgraph.ml
  - B.4 The file mk_elist.ml
  - B.5 The file mk_math.ml
  - B.6 The file mk_signal.ml
  - B.7 The file mk_track.ml
  - B.8 The file mk_part.ml
  - B.9 The file mk_network.ml
- C Listings of the verifier
  - C.2 The file rail_help.ml
  - C.3 The file rail_load.ml
  - C.4 The file ver_network.ml
  - C.5 The file mk_verifier.ml
  - C.6 The file Makefile
- D Routes and control tables
- E Level crossing—a case study
- F Dynamic networks and state machines
  - F.1 The file dnetwork.ml
  - F.2 The file setlist.ml
- Index

# List of Figures

- 1.1 System specification and verification
- 3.1 A slip crossing and its equivalent atomic parts
- 3.2 The principle of track circuit
- 3.3 An overlap
- 3.4 An example of track layout: a double left-hand junction
- 11 The hierarchy of theories
- 4.1 Examples of simple graph
- 6.1 A simple network
- 6.2 Another simple network
- 6.3 A network formed using NJOIN
- 6.4 A track layout containing a passing loop
- 6.5 A network model representing the track layout in Figure 3.4
- 6.6 Location of vertices: case 2
- 7.1 Generation and verification of track layout
- 7.2 Isomorphism between engineering design and theorem proving
- 7.3 Syntax of Railway Layout Specification language
- 7.4 Listing of prove_network_njoin
- 7.5 A HOL session of verifying network specification
- 9.1 A graph representing the passing loop at t
- 9.2 An interlocking state machine
- 9.3 A state transition diagram of generic interlocking machine

# List of Tables

- 2.1 HOL primitive terms
- 2.2 HOL infix terms and special constants
- 2.3 HOL binders
- 3.1 Track components
- 3.2 An example of control table
- 5.1 Projection operators and predicates for :Part
- 9.1 Abbreviated types for states and state functions

# Acknowledgement

I sincerely thank Professor W. J. Cullyer for his guidance and invaluable help and advice throughout the entire period of my study. He introduced me to the fields of formal methods and safety-critical systems, and encouraged me to further the research. Without his help and encouragement, I would never have been able to complete the study.

I would like to express my thanks to Dr. M. Gordon of the University of Cambridge Computer Laboratory, who kindly provided me with a two-week study visit to the laboratory, where I learnt a considerable amount about the HOL system, and to Dr. T. Melham of the same laboratory, who gave me many valuable suggestions and helped me to solve some difficult technical problems in the development of the formal theories.

I am also indebted to Dr. A. Cribbens and Mr. I. Mitchell of British Rail Research, who gave many suggestions and comments on the direction of the research and technical points about signalling systems. Dr. J. F. Crain and Dr. N. Storey reviewed a draft of this dissertation and suggested many improvements.

# Declaration

The author declares that the research described in this dissertation has been carried out by him except where explicitly stated otherwise.

The theories described in Part II have been presented to the 1991 International Workshop on HOL Theorem Proving System and its Application, and a paper was published in the workshop's proceedings [68]. An outline of the research also appears in a joint paper with Prof. W. J. Cullyer submitted to the IEE Computing & Control Engineering Journal.
## Summary

The research described in this dissertation centres on the application of a discipline of formal methods in railway signalling system design. A generic abstract model of railway track networks and signals has been developed in Higher-Order Logic (HOL). It consists of several theories arranged in a hierarchy. Railway track networks are modelled by a class of constrained labelled directed graphs. HOL theories of graphs and paths have been developed for representing track networks. HOL theories modelling individual track components and signals have also been developed. These theories are then combined to create a theory of track networks.

Three applications of this model are described. The first is a network verifier which verifies a formal specification of a track layout against its abstract model by proving theorems automatically. The second application extracts information from the specifications to create control tables automatically. Lastly, a method of modelling the interlocking processor using finite state machines is described.

Although this research has centred on railway signalling, it can be viewed as a case study of how to apply formal methods in the analysis and design of safety-critical systems. The approach and methods used can be generalized in order to be useful in other industries.

#### Part I

### Preliminary

The main text of this thesis, which consists of ten chapters, is divided into three parts. The first part, Preliminary, contains introductory material. There are three chapters in this part. The first chapter begins with a brief discussion of safety-critical systems and formal methods and continues with an overview of the research. The major tool used in the research is Higher-Order Logic (HOL). The second chapter provides a brief introduction to the HOL logic and the HOL system for the benefit of readers who are not familiar with them.
This chapter also explains the notation for presenting HOL text and examples used in subsequent chapters. Chapter 3 describes the basic principles of railway signalling and the state-of-the-art technology for the automation and integration of signalling systems.

The second part of the thesis, Theories, presents the HOL theories resulting from the research. These theories form a generic abstract model of railway track networks. The last part, Applications, describes several possible applications of the theories in the specification and design of interlockings. The dissertation concludes with a discussion of the findings of this research and suggestions for further work.

This dissertation also includes several appendices. These list the HOL theories, the ML sources of these theories and listings of various programs described in the main text.

#### Chapter 1

### Introduction

This chapter gives a brief introduction to safety-critical systems and formal methods and an overview of the research presented in this dissertation.

During the last decade, advances in microelectronics and microcomputer technology have changed the way we work and live. Programmable devices have replaced much old, hard-wired equipment to offer improved flexibility and cost effectiveness. This provides the designer with many opportunities for developing new products and new manufacturing processes, and control systems containing programmable devices are now very common. Applications include the generation of electricity, flying large passenger aircraft and safeguarding the running of trains. As these systems become more powerful and perform more difficult tasks, they also become extremely complex. The complexities of some of these computer control systems have grown to a point where even their designers are barely able to comprehend them. This raises some serious questions: how can we be sure that the systems function correctly, and what will happen if they fail?
The research to be described in this dissertation is a small contribution towards an answer to these questions. Like designers in other well-established branches of engineering, computer control system engineers resort to mathematics. In this case, the helping hand comes from mathematical logic. Research in applying formal logic in the analysis and design of computer systems has been carried out for several decades, but it is only recently that the technology has matured to a point where it is feasible to use it in practical systems. Nevertheless, there are still many unsolved problems, especially when dealing with large complex systems. The research presented in this dissertation is a first attempt to apply a particular discipline of formal methods, namely Higher-Order Logic, to a specific problem—railway signalling systems. However, it is possible to generalize the methods used in this research so that they can be used in other types of system. An overview of the research will be presented in the last section of this chapter, but before that, a brief discussion of safety-critical control systems and formal methods will be given.

#### 1.1 Safety-critical systems

If, when a system fails, it causes human injury, or even fatality, or causes serious environmental damage, then such a system is a safety-critical system. Examples of such systems include shut-down systems for nuclear generation plants, flight control systems for passenger aircraft, railway signalling interlocking systems and radiotherapy equipment. Safety-critical systems can be classified into different risk classes according to two orthogonal dimensions: the severity of potential accidents and the frequency of their occurrence. The risk of a system is higher if the consequence is more severe or the frequency is higher. Preliminary hazard analysis should be carried out to assess the risk of a system before any extensive design and development work is commenced.
There are international and national standards governing hazard analysis, classification of critical systems, and specification and design of safety-critical systems [41] [40] [52] [51] [37] [57]. Preventative measures should be taken in the design of such systems to minimize the risk. After the risk associated with the failure of a system is identified, subsystems and components have to be classified according to their function criticality, i.e., the importance of each subsystem or component in ensuring the system safety. One method of categorising safety systems uses four classes: class I to class IV. The higher the class, the more critical it is. When analyzing railway signalling systems [24], Cullyer found that point and signal actuators are of class II, and the point position sensors and signal proving circuits are of class III. The sensors and proving circuits are more critical because, if they malfunction, the system loses correct information about its state and hence may perform a hazardous function without knowing it. For example, a broken RED bulb (actuator) can be detected by the proving circuit, but a faulty proving circuit may make the system think that the RED aspect is alight when, in fact, it is not.

#### 1.2 Formal methods

Formal methods are the application of applied mathematics — formal logic — to the design and analysis of computer systems [58]. Every formal method is based on a formal system (L, C) where L is a language and C a consequence relation. A language is defined by a set of symbols S and a grammar which specifies the rules for forming sentences using symbols in S. A consequence relation is a set of inference rules which transform sentences in L while maintaining their validity. For example, modus ponens is an inference rule in classical predicate logic. A structure (U, I), where U is a universe containing a set of values and I is an interpretation mapping sentences of L into U, is used to assign meanings to sentences of L.
A structure M is a model of a sentence A if A is true in M. A sentence A is valid if it is true in every model of L. This concise description of the theoretical bases of formal methods is due to Wing [18].

Formal methods are usually applied in three phases: formal specification; design and documentation; and verification. The requirements of a control system are usually first written in a natural language. In the formal specification phase, functional requirements are translated into a formal language. This is necessary because a formal language eliminates ambiguity. An implementation of the formal specification is developed in the design and documentation phase. In this phase, formal methods can be used to transform a specification into an implementation. This process is known as synthesis. The whole system is often divided into subsystems, and different technologies are used to implement various subsystems. For example, hardware can be used to implement a subsystem which requires a rapid response, while software is used for other parts of the system. Different methods are often used with different implementation technologies. After the design has been developed, it has to be verified against the specification to see whether it really implements the specification correctly. This is the third phase. The verification is often carried out by proving theorems asserting the equivalence of the specification and the implementation.

Figure 1.1: System specification and verification.

In developing large complex systems, the entire system is divided into subsystems and they in turn are divided into subsubsystems. The processes of specification, design and verification are often applied at several levels, as illustrated in Figure 1.1. The implementation of a level is often the specification of the next lower level, except for the lowest level, where physical VLSI circuits and actual program code become the implementation.
Verifications are carried out to show that each level is correctly implemented by its next lower level, e.g., a theorem asserting the functional equivalence of the system specification and the subsystem specifications.

The benefits of using formal methods are many, but the most important ones are:

- it helps designers to understand their problems more thoroughly, to gain greater insight, and thus to achieve better designs;
- it helps to uncover more errors at earlier stages, and thus reduces development costs; and
- it helps to give higher confidence in the correct functioning of the system.

All these help to reduce the risk of accident and save time and money, resulting in a better system.

Many formal methods have been developed during the last two decades. Now, some of them are becoming mature, are widely available and are being used in practical systems. Methods in this category include Z, VDM, OBJ, HOL, and the Boyer-Moore theorem prover. All these have supporting computer tools.

Z is a notation based on elementary set theory and first-order logic, and was developed at Oxford University's Programming Research Group in the late seventies and early eighties. A definitive description of Z can be found in [62], and examples of using Z can be found in [63] [27] and [28].

VDM stands for Vienna Development Method. It is a model-based specification language developed at the IBM Vienna Research Laboratories during the 1970s. In VDM the descriptions of systems, both specifications and designs, are given as models. The major references on VDM include [42] [6], [59] and [7].

OBJ is a specification language with both executable and non-executable parts based on order-sorted equational logic. It integrates specification, design, prototyping and verification in a single system. The algebraic approach to specification on which OBJ is based is described by Goguen et al. in [32]. The current version of OBJ is described in [30], and its use as a theorem prover in [31].
The Boyer-Moore theorem prover was developed by Boyer and Moore at the University of Texas at Austin, starting in 1972. It supports first-order logic using LISP as the meta-language. The logic and the theorem prover are described in [8] and [9], and the future of this ongoing project is discussed in a recent paper [10]. This prover has been used to verify a microprocessor design [39]. A collection of system components known as the CLI 'verified stack', in which a lower level component implements its next higher level component, has been verified and described in the Journal of Automated Reasoning 5(4) by five related papers [5] [4] [38] [45] and [66].

HOL is a theorem prover supporting higher-order logic which has been used in the research to be described in this dissertation. A brief description of the logic and the system will be given in Chapter 2. Meanwhile, its application areas are reviewed briefly. The first application area of HOL was the specification and verification of hardware design. This was first advocated by Hanna [36]. The VIPER microprocessor was a processor whose functional requirements were formally specified [23], and this specification has been partially verified in HOL [15] [16]. Although the processor is very simple compared to most commercially available microprocessors, the methodology used for the specification and verification of the processor is an excellent case study of the application of formal methods in real hardware, and this should be further developed and exploited. Other areas of HOL application include software verification [33] and communication protocols [43]. The idea of producing a totally verified system by linking verified software to verified hardware has been explored by Joyce [44].

#### 1.3 An overview of the research

Railway signalling systems are certainly safety-critical systems.
The safety record of railway signalling systems has been very good due to the stringent requirements imposed on the design and manufacturing of such systems. From the early mechanical semaphore signals to modern power signals based on electromechanical technology, signalling engineers have had a great helping hand from nature, namely the gravitational force, in ensuring their systems are fail-safe. In semaphore signals, the weight of the arm forces it to return to the danger position in the event that the interlocking frame is broken. However, when computers and solid state components are introduced, this fail-safe feature, guaranteed by a natural force, is lost. Therefore, more rigorous methods of design and verification of signalling systems are necessary. The research to be presented in this dissertation is thought to be the first attempt to apply formal methods to the design and verification of railway signalling systems.

The approach of the research is first to create a formal model of a railway track network and signals. This model is then used in the formal specification of railway track layouts and in other phases of interlocking system design. After studying the basic principles of interlocking in signalling systems, the author developed a formal model to represent railway track networks and signals. The model consists of several HOL theories which form a hierarchy. The top level theory is the NETWORK theory which models the topological relation of the track network. Some generic properties of the model have been derived. Networks are represented by a class of constrained labelled directed graphs. A theory of labelled directed graphs has been developed for the purpose of representing track networks.

The first application of this formal model of track networks was to generate formal specifications of track layouts and to verify them. A verifier has been implemented to automate the process of verifying track layout specifications.
The verification is performed by proving theorems stating that the given specification represents a well-formed track network. Next, a method of generating control tables is developed. This method extracts information from the formal specification to compile the control tables. The specification of the core of a table generation program will be described.

The dynamic aspects of the track network and the problems of ensuring that the interlocking operates safely are investigated. The most important properties of a working network are safety and liveness. Safety is guaranteed by the correct implementation of the interlocking regulations. In essence, no conflicting movement of trains should be allowed. The liveness of a network can be expressed as the ability to run trains according to the prescribed timetable. A network with all signals constantly displaying the red aspect is certainly safe but not live. A method of modelling interlocking systems by finite state machines, and how to deduce important properties of such machines, will be described.

#### Chapter 2

### The HOL Logic and the HOL system

This chapter gives a brief introduction to Higher-Order Logic and the HOL system. The notation for presenting HOL text in this dissertation is also described.

HOL stands for Higher Order Logic. The HOL logic is a version of typed predicate calculus based on the simple theory of types founded by the logician Alonzo Church [14]. A more modern description of simple type theory can be found in [3]. The HOL logic is supported by the HOL system developed by a team headed by Gordon in the University of Cambridge Computer Laboratory [34]. For the sake of completeness, and for the benefit of readers who are not familiar with HOL, this chapter provides an informal description of both the logic and the HOL system.
A formal, set theoretic based description of the HOL logic and the soundness of the HOL proof system can be found in [17], and tutorial examples of using HOL are given in [18].

[1] The acronym HOL is used for both the logic and the computer system supporting the logic. Usually, the context makes clear what is referred to when the acronym is used on its own. In cases where this is not clear, the term 'HOL logic' or 'HOL system' will be used instead.

The HOL system provides an interactive environment for the user to carry out formal reasoning in the HOL logic. The interface to the logic is the meta-language ML, which is a functional programming language. The HOL system used in the research described by this thesis is HOL88 version 2.0.[2] A brief introduction to the meta-language ML is given in Section 2.1. The object language, the HOL logic, is described in Section 2.2. Methods of carrying out formal proofs in HOL are described in Section 2.3. At the same time as describing HOL, the notations for presenting HOL text and theorems in the subsequent chapters are introduced.

[2] In fact, the theories and proofs described in this dissertation were developed using Version 1.11. Small modifications were made to bring them up-to-date with Version 2.0 when it was released.

#### 2.1 ML - The meta-language

ML is a strongly typed functional programming language. It was first designed and implemented by Milner, Morris and Wadsworth at the University of Edinburgh in the early 1970's. It was designed originally to be the meta-language of the Edinburgh LCF system [35]. Since then, the language has evolved to become a large family of related languages. The most notable one is Standard ML, defined by Milner et al. [49], and it has several very good implementations.[3] The ML of the Cambridge
HOL88 is between the original ML and Standard ML.

[3] Two new implementations of HOL based on Standard ML are being developed at the University of Calgary, Canada and by International Computers Limited (ICL), England. The Calgary version is in the public domain and has been beta-released since November 1991.

The user of HOL interacts with the system by typing in expressions in ML. The system evaluates each input expression and prints out its value and type. Some expressions may also have side effects, for example, creating a theory file. This read-evaluate-print loop is known as the top-level. Throughout this thesis, segments of ML programs and ML expressions are displayed typeset in typewriter font. In this section, meta-variables typeset in *italic* are used to stand for parts of an ML expression.

**ML types.** Every expression in ML possesses a type. An expression may possess many types, in which case it is said to be polymorphic. Polymorphic types contain type variables whose names are strings of one or more `*` characters optionally followed by a number or an identifier. For example, `*`, `**`, `*2` and `***foo` are all legal type variables. The type of an expression is printed after the expression, separated by a colon (`:`). There are four basic types in ML: `void`, which contains a single object denoted by `()`; `int`, which stands for integers, such as 1, 2, 3 and so on; `bool`, which stands for the boolean values `true` and `false`; and `string`, which stands for ASCII character strings enclosed by a pair of single quotes (`'`) like this: `'This is a string'`. There are three special infix type constructors: `#` constructs a cartesian product, also known as a pair; `+` constructs a disjoint sum; and `->` indicates a function type. All these type constructors associate to the right, i.e., `(int # int # bool)` is equivalent to `(int # (int # bool))`. There is a pre-defined type constructor `list` which takes a single argument.
For example, (int)list is the type for integer lists and (\*)list is a polymorphic type standing for a list whose elements may be of any type. The ML type checker uses a set of rules to check the type of every input expression before evaluating it. This strict type checking has its roots in the original ML language. It is important, among other reasons, because abstract types are used to represent terms and theorems of the logic, and values of the latter cannot be created arbitrarily. An incorrectly typed expression will cause an error message to be printed and no evaluation will be performed.

**Expressions.** ML expressions consist of constants, variables, function applications, lambda expressions, conditionals, local declarations and exceptions. Constants of the basic types have already been described above. Constants of compound types can be expressed using constructors and basic constants. Since lists and pairs are used very often, a special syntax is provided for inputting expressions of these types. Elements of a list are enclosed in a pair of brackets and separated by semicolons. For example, [1;2;3;4] is a list containing four integers. A pair is enclosed in parentheses and the elements are separated by a comma. The parentheses of nested pairs can be omitted, leaving the commas to act as right-associative operators. For example, (1,2,true) is a pair of the type (int # int # bool). Names of variables, or identifiers, can be either a sequence of alphanumeric characters starting with a letter or a special symbol chosen from a list which can be programmed by the user. Identifiers of the second form will not be used in this thesis. An identifier can be bound to any value, for example, a HOL definition or a theorem. All ML identifiers mentioned in the subsequent chapters will be typeset in typewriter font.
Function applications have the form $e_1\ e_2$ where $e_1$ is an expression which must evaluate to a value possessing a function type and $e_2$ must be an expression possessing a type which is an instance of the domain of $e_1$. For example, the predefined function hd has the type (\*)list -> \*. The expression hd[1;2;3;4] is a well-typed function application. The type of this expression will be int, which is obtained by substituting the type of the argument, namely (int)list, into the function type; the type variable \* is then instantiated to int. A lambda expression has the form \x. e where the ASCII character \ is used to approximate the lambda symbol ($\lambda$) used in conventional mathematics. The evaluation of any lambda expression always yields a function value whose type is $ty_1 \rightarrow ty_2$ where $ty_1$ is the type of x and $ty_2$ is the type of e. Conditionals in ML have the form if e then e' else e''. When a conditional is evaluated, the expression e, which must possess type bool, is evaluated first. If the result is true, e' is evaluated, otherwise e'' is evaluated. The value of either e' or e'' becomes the value of the conditional. The else e'' part is optional. If this part is omitted and e evaluates to false, the unique value of type void is returned. Local declarations have the form d in e where d is a declaration as described below. The scope of this declaration is the expression e. Exceptions are a special class of expression. Their purpose is to trap errors. They take the form failwith e. When an exception is encountered, the expression e, whose result must be of type string, is evaluated, then a failure is generated.

**Declarations.** ML declarations take one of the following forms:

- let $x = e$
- let $f\ x_1 \dots x_n = e$
- letrec $f\ x_1 \dots x_n = e$

The first declares a variable x: e is evaluated and the resulting value is bound to x. The second declares a function with name f and formal arguments $x_1 \dots x_n$.
The last form is the same as the second except that the declared function is recursive.

#### 2.2 Overview of the HOL Logic

In classical propositional logic, each proposition can be either true or false, but not both. There are a number of logical connectives to combine simple propositions to form more complex ones, such as negation (¬), conjunction (∧), disjunction (∨), implication (⊃), and so on. This can be regarded as zero-order logic. In predicate logic, there is an infinite set of variables and, for each $n \ge 0$, a set of n-place predicates. There are quantifiers, such as for all (∀) and there exists (∃), to quantify variables. This can be regarded as first-order logic. In the HOL logic, variables can range over functions and predicates; a function can take another function as its argument and can deliver a function as the result of applying it. Such a function is called a higher-order function or functional. One can talk about 'for all functions f' and so on. Hence, it is a higher-order logic. Expressions of the HOL logic are terms, and they are represented in ML by values of type term. They are usually input using the mechanism known as quotation, in which a logical expression is enclosed by a pair of double quotes, like "A /\ B". To the HOL system, "A /\ B" is an ML expression of type term, and it denotes a logical term meaning 'the conjunction of A and B'. Every expression in the HOL logic belongs to a type which can be thought of as a set of objects having certain common properties. This type is known as a logical type in contrast to the ML types of ML expressions. For example, the logical expression "A /\ B" has logical type :bool which stands for boolean. All logical types are typeset in typewriter font prefixed by a colon (:) as in the above example. Logical types are represented in ML by an abstract type type. The ML function type\_of takes a term and returns its logical type. This may seem confusing.
The HOL session below may help to clarify the difference between logical types and ML types.

```
#let t = "A /\ B";;
t = "A /\ B" : term
#type_of t;;
":bool" : type
```

In the above example, the hash sign (#) is the HOL system prompt and the double semi-colon (;;) terminates each input expression. The line between them is the input typed by the user. The next line is the system response. In the first line, the user declares an ML variable t and binds the logical expression "A /\ B" to it. HOL responds with the value of this variable and its type. In the second input line, the user applies the function type\_of to t. HOL responds with the logical type of the term.

#### 2.2.1 HOL types

Logical types can be one of the following:

- a type variable, which stands for an arbitrary set of objects. This is also known as a polymorphic type. Names of logical type variables are constructed following the same rules as ML type variables.
- an atomic type or constant type, which stands for a fixed set of objects. Some of the pre-defined atomic types are :bool for booleans, :num for natural numbers, :one for a set containing only a single element and :ind for an infinite set.
- a function type, which is written as :ty1 -> ty2. This stands for a set of functions whose domain is the set ty1 and whose range is the set ty2.
- a compound type of the form (ty1,...,tyn)op where ty1,...,tyn are types, known as argument types, and op is a type operator. op is said to be of arity n since it takes n types as its arguments. A compound type stands for the set resulting from applying the type operator op to the sets denoted by ty1,...,tyn. list is a pre-defined type operator of arity 1, and prod is a pre-defined type operator of arity 2 which stands for cartesian products, also known as pairs. For example, :(num)list is the type for lists of natural numbers, and :(num,bool)prod is the type for pairs whose first elements are natural numbers and whose second elements are booleans.
Since pairs are used frequently, a special syntax is provided for the type operator prod: an infix # can be used, for example, the type :(num,bool)prod is usually written as :num # bool. Function types and constant types can be considered as special cases of general compound types. A function type :$ty_1 \rightarrow ty_2$ is equivalent to :$(ty_1, ty_2)$fun. Constant types are type operators of arity 0. A polymorphic type ty containing type variables $tyvar_1, \dots, tyvar_n$ can be subjected to a simultaneous substitution by the types $ty_1, \dots, ty_n$. The resulting type ty' is called an instance of ty. For example, :(bool,num)prod is an instance of the type :$(tyvar_1, tyvar_2)$prod.

| Kind of term | HOL notation | Standard notation | Description |
|--------------|--------------|-------------------|-------------|
| Variable | v:ty | $v_\sigma$ | variable of type σ |
| Constant | c:ty | $c_\sigma$ | constant of type σ |
| Combination | t1 t2 | $t_1\ t_2$ | apply the function $t_1$ to the argument $t_2$ |
| Abstraction | \x. t | $\lambda x.t$ | λ-abstraction |

Table 2.1: HOL primitive terms.

#### 2.2.2 HOL Terms

Well-formed expressions in HOL are called terms. Unlike predicate logic, there is no separate syntactic class for formulae; their role is played by terms of type :bool. Every term belongs to a type and denotes an element of the set denoted by that type. The HOL system quotation parser attempts to deduce the type of a term when it is input in a quotation. Sometimes there is not enough information for the parser to work out the type; in such a case, explicit type information can be attached to the term or any part of it. For example, in "x:bool", the variable x is specified to be of type :bool.
| Kind of term | HOL notation | Standard notation | Description |
|--------------|--------------|-------------------|-------------|
| Truth | T | T | true |
| Falsity | F | F | false |
| Negation | ~t | ¬t | not t |
| Disjunction | t1\/t2 | $t_1 \lor t_2$ | t1 or t2 |
| Conjunction | t1/\t2 | $t_1 \land t_2$ | t1 and t2 |
| Implication | t1==>t2 | $t_1 \supset t_2$ | t1 implies t2 |
| Equality | t1=t2 | $t_1 = t_2$ | t1 equals t2 |
| Conditional | (t=>t1\|t2) | $(t \rightarrow t_1, t_2)$ | if t then t1 else t2 |

Table 2.2: HOL infix terms and special constants.

| Kind of term | HOL notation | Standard notation | Description |
|--------------|--------------|-------------------|-------------|
| ∀-quantification | !x.t | ∀x. t | for all x: t |
| ∃-quantification | ?x.t | ∃x. t | for some x: t |
| ε-term | @x.t | εx. t | an x such that t |

Table 2.3: HOL binders.

Table 2.1 lists all kinds of primitive terms in HOL. All terms can be constructed from these primitives. Some constants are given the special syntactic status of infix or binder. The pre-defined infix constants are listed in Table 2.2 and binders are listed in Table 2.3. Within a quotation, an expression of the form ^(f) is called an anti-quotation, where f must be an ML expression of type term or type. Such an expression evaluates to the value of f. In subsequent chapters, HOL terms will be displayed and typeset in typewriter font using the quotation mechanism, i.e., always enclosed by a pair of double quotes ("), such as "A /\ B = B /\ A". When a term is referred to in running text, the logical constants are typeset in Sans Serif font while the standard notations listed in the tables above will be used for variables and special constants.

#### 2.2.3 Theories

The result of a session with the HOL system is an object called a theory.
A HOL theory is very similar to a logician's theory. Like a logician's theory, a HOL theory contains types, constants, definitions and axioms. The most important difference is that a HOL theory also contains an explicit list of theorems which have been proved from the axioms and definitions using the theorem prover, while a logician's theory implies all theorems (often infinitely many) that could be proved. Therefore, all HOL theorems mentioned in subsequent chapters have actually been proved. A HOL theory is stored in a number of files called the theory files. Each theory file contains some types, constants, axioms and theorems, together with pointers to other theory files called its parents. The collection of reachable files is called the ancestry of the theory. When the HOL system starts, the initial theory is the theory HOL. The ancestry of the theory HOL contains all types, axioms, constants and theorems of the HOL logic. All new theories created during a HOL session are extensions of the theory HOL, either directly or via some other theories such as those provided as libraries. The names of theories and libraries are typeset in typewriter font. A theory can be extended in the following ways:

- by constant definition, which introduces new constants by specifying formulae that determine them uniquely;
- by type definition, which introduces new types or new type operators by specifying a non-empty subset of an existing type and proving that the new type is isomorphic to this subset;
- by constant specification, which introduces new constants that satisfy arbitrary given consistent properties. The constants need not be uniquely determined. There is an ML function for this purpose.

All these extensions to a theory are known as definitional extension. Theories created solely by definitional extensions are called definitional theories.
Since the new constants and types are defined in terms of properties of existing ones, the extended theory is consistent if the original theory is. All the theories described in the subsequent chapters are definitional theories, and since they are extensions of the HOL theory, they are consistent. Only the first two methods of theory extension have been used in developing these theories. There are several pre-defined ML functions in HOL for defining constants. The result of calling these functions is an equational theorem characterizing the newly defined constant. The session below defines a new constant GRAPH using the function new\_definition. The resulting theorem is stored in the current theory with the name GRAPH\_DEF. By convention, all definitional theorems are named with the suffix \_DEF. In this dissertation, new constant definitions are presented in the following form:

#### HOL Definition 1 (GRAPH\_DEF)

The string following the definition number is the name of the definition. The term characterizing the new constant is printed in the HOL input notation in typewriter font. A type definition package is provided to allow concrete recursive types to be defined automatically [48]. It provides an ML function define\_type which accepts a simple type specification language of the form

$$type = C_1\ ty_1^1 \dots ty_1^{k_1} \mid \dots \mid C_m\ ty_m^1 \dots ty_m^{k_m}$$

where type is the name of the new type and the $C_i$ are the type constructors. The results of defining a new type are:

- to formally define type as a type in the current theory;
- to make appropriate constant definitions for the constructors $C_i$;
- to automatically prove a theorem which characterizes the newly-defined type.

The type definition package also provides a set of functions to automatically prove theorems about the basic properties of the type.
These functions are:

- prove\_constructors\_one\_one, which proves a theorem stating that the constructors are one-one functions;
- prove\_constructors\_distinct, which proves a theorem stating that, if more than one constructor has been defined, different constructors produce different objects in the type;
- prove\_cases\_thm, which proves a theorem stating that any object of the type is produced by one of the constructors;
- prove\_induction\_thm, which proves a theorem stating the structural induction principle of the type.

The session below defines a new type :Tcir with a constructor TCIR. The type characterization theorem is stored with the name Tcir\_Axiom; by convention, all type characterization theorems are named with the suffix \_Axiom.

```
#let Tcir_Axiom = define_type 'Tcir_Axiom' 'Tcir = TCIR num (num->Tstate)';;
Tcir_Axiom = |- !f. ?! fn. !n f'. fn(TCIR n f') = f n f'
```

In this dissertation, new type definitions are presented in a format similar to that of constant definitions. The string specifying the new type is enclosed in a pair of single quotes ('), which resembles the input syntax required by the type definition package. Below is the definition of :Tcir shown in such a format.

#### HOL Definition 2 (Tcir\_Axiom)

'Tcir = TCIR num (num->Tstate)'

#### 2.2.4 Theorems

A theorem is the result of a proof. In a more formal sense, a proof is a list of pairs $[(\Gamma_1, t_1), \dots, (\Gamma_n, t_n)]$ known as sequents in a deductive system, and a theorem is the last element of this list. The first component $\Gamma_i$ of a sequent is a set of formulae called the hypotheses or the assumptions, and the second component $t_i$ is a single formula called the conclusion. Each sequent in a proof is either a theorem that has been proved earlier or is derived from other theorems following some rules known as the inference rules. Theorems in the HOL system are represented by values of the ML abstract type thm.
There is no way to construct a value of type thm except by carrying out a proof. In this way, the ML type system protects the HOL logic from the arbitrary construction of a theorem, so that every computed value of the type representing theorems is a theorem. The HOL system prints values of type thm in a special way: it prefixes the conclusion with |- which resembles the turnstile (⊢) in the conventional mathematical notation for theorems. For example, the theorem asserting the symmetry of addition is printed as:

```
|- !m n. (m + n) = (n + m)
```

There are five axioms in the HOL logic, which are the only pre-defined values of type thm. All other theorems follow from them. Once a theorem has been proved, it can be saved in the current theory. Every theorem is identified by two strings: the name of the theory file in which it is stored and the unique name of the theorem. Theorems stored in any file reachable from the current theory can be loaded into the current HOL session and bound to an ML identifier. Theorems can be loaded automatically if autoloading has been set up. In this case, a theorem is loaded whenever its name is first mentioned in the input, and it is bound to an ML identifier of the same name. For example, the 'symmetry of addition' theorem is stored in the theory arithmetic and has the name ADD\_SYM. When this name first appears in an expression, the theorem will be loaded and bound to the ML identifier ADD\_SYM. In this dissertation, all theorems are printed in conventional mathematical notation rather than the raw output from the HOL system as shown above, to improve readability. The format is similar to that used for definitions. An example is shown below:

#### HOL Theorem 1 (GUNION\_SYM)

$$\vdash \forall G_1\, G_2.\ G_1\ \mathsf{GUNION}\ G_2 = G_2\ \mathsf{GUNION}\ G_1$$

The string after the theorem number is the name under which the theorem is stored. The same ML identifier will be bound to the theorem if it is automatically loaded.
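The protection that Section 2.2.4 describes, an abstract type thm whose values can only come out of inference rules, is the whole security argument of an LCF-style prover: the trusted base is the small set of rule functions, and everything else (conversions, tactics, the subgoal package) is untrusted code that can only ever hand back genuine theorems. The miniature kernel below is an added illustration in Python, not HOL88 code. Terms are plain Python data (a string for a constant or variable, a tuple headed by its operator for a compound term); the rules ASSUME, DISCH, MP and TRANS are the entire kernel, sealed by a private token that stands in for ML's abstract type; on top of them a bool\_EQ\_CONV-style conversion, a THENC combinator and a two-tactic goal-directed proof are written in the shape Section 2.3 describes. All names, the token mechanism and the choice of rules are this example's own assumptions.

```python
# Miniature LCF-style proof kernel (added illustration, not HOL88 code).
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Tuple, Union

Term = Union[str, tuple]   # "A" / "T" / "F" or ("==>", a, b) / ("=", a, b)
def imp(a: Term, b: Term) -> Term: return ("==>", a, b)
def eq(a: Term, b: Term) -> Term: return ("=", a, b)
def _is(op: str, t: Term) -> bool: return isinstance(t, tuple) and t[0] == op

_KERNEL = object()  # capability held only by the inference rules below

@dataclass(frozen=True)
class Thm:
    """A sequent hyps |- concl; the token plays the role of HOL's abstract type thm."""
    hyps: FrozenSet[Term]
    concl: Term
    token: object = field(repr=False, compare=False)
    def __post_init__(self):
        if self.token is not _KERNEL:
            raise TypeError("a Thm can only be produced by an inference rule")

# --- inference rules: the only producers of Thm ---------------------------
def ASSUME(t: Term) -> Thm:                   # {t} |- t
    return Thm(frozenset([t]), t, _KERNEL)
def DISCH(t: Term, th: Thm) -> Thm:           # G |- u  gives  G - {t} |- t ==> u
    return Thm(th.hyps - {t}, imp(t, th.concl), _KERNEL)
def MP(th_imp: Thm, th_ant: Thm) -> Thm:      # Modus Ponens
    if not _is("==>", th_imp.concl) or th_ant.concl != th_imp.concl[1]:
        raise ValueError("MP: need |- a ==> b and |- a")
    return Thm(th_imp.hyps | th_ant.hyps, th_imp.concl[2], _KERNEL)
def TRANS(th1: Thm, th2: Thm) -> Thm:         # |- a = b and |- b = c give |- a = c
    if not (_is("=", th1.concl) and _is("=", th2.concl) and th1.concl[2] == th2.concl[1]):
        raise ValueError("TRANS: theorems are not of the form a = b and b = c")
    return Thm(th1.hyps | th2.hyps, eq(th1.concl[1], th2.concl[2]), _KERNEL)

def forged_theorem_is_rejected() -> bool:
    """Bypassing the rules fails, so every Thm value really is a theorem."""
    try:
        Thm(frozenset(), "F", object())
    except TypeError:
        return True
    return False

# --- conversions: a term to a theorem stating an equality -------------------
Conv = Callable[[Term], Thm]
def bool_EQ_CONV(t: Term) -> Thm:
    """Simplify "b1 = b2" for boolean terms, in the four cases of Section 2.3.1."""
    if not _is("=", t):
        raise ValueError("bool_EQ_CONV: not an equality")
    _, b1, b2 = t
    if b1 == b2:                 rhs = "T"
    elif {b1, b2} == {"T", "F"}: rhs = "F"
    elif b1 == "T":              rhs = b2
    elif b2 == "T":              rhs = b1
    else:
        raise ValueError("bool_EQ_CONV: no simplification applies")
    return Thm(frozenset(), eq(t, rhs), _KERNEL)
def ALL_CONV(t: Term) -> Thm:                 # identity conversion, |- t = t
    return Thm(frozenset(), eq(t, t), _KERNEL)
def THENC(c1: Conv, c2: Conv) -> Conv:        # c1 first, then c2 on its right-hand side
    def conv(t: Term) -> Thm:
        th1 = c1(t)
        return TRANS(th1, c2(th1.concl[2]))
    return conv

# --- tactics: goal -> (subgoals, justification) -----------------------------
Goal = Tuple[FrozenSet[Term], Term]
def DISCH_TAC(goal: Goal):
    hyps, concl = goal
    if not _is("==>", concl):
        raise ValueError("DISCH_TAC: goal is not an implication")
    _, a, b = concl
    return [(hyps | {a}, b)], lambda ths: DISCH(a, ths[0])
def ACCEPT_ASM_TAC(goal: Goal):
    hyps, concl = goal
    if concl not in hyps:
        raise ValueError("ACCEPT_ASM_TAC: conclusion is not an assumption")
    return [], lambda ths: ASSUME(concl)
def THEN(t1, t2):                             # tactical: t2 on every subgoal of t1
    def tac(goal: Goal):
        subgoals, just1 = t1(goal)
        results = [t2(g) for g in subgoals]
        def just(ths: List[Thm]) -> Thm:
            proved, i = [], 0
            for gs, j in results:
                proved.append(j(ths[i:i + len(gs)])); i += len(gs)
            return just1(proved)
        return [g for gs, _ in results for g in gs], just
    return tac
def prove(goal: Goal, tactic) -> Thm:
    """The subgoal package in one step: no subgoal may remain and the result must achieve the goal."""
    subgoals, just = tactic(goal)
    if subgoals:
        raise ValueError(f"{len(subgoals)} subgoal(s) remain unsolved")
    th = just([])
    if th.concl != goal[1] or not th.hyps <= goal[0]:
        raise ValueError("justification did not achieve the goal")
    return th
```

Running prove((frozenset(), imp("A", "A")), THEN(DISCH_TAC, ACCEPT_ASM_TAC)) walks the tree of Section 2.3.2 in both directions: DISCH\_TAC generates the subgoal {A} ⊢ A on the way down, ACCEPT\_ASM\_TAC closes it, and the justification functions are composed on the way back up to yield ⊢ A ==> A. A buggy tactic cannot compromise soundness; the worst it can do is raise, because the only way for its justification to return a Thm is through the four rules, which is exactly the point of making thm abstract.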
The conversion from the system output format to the format given above is performed by a formatter developed by the author. The formatter is organized as a library named latex-hol. It consists of a set of ML functions which take a theorem or a whole theory and generate text in LaTeX format. The text can then be typeset using the LaTeX typesetting system. The implementation of the formatter is based on the HOL pretty printer library prettyp. Details of how to use the formatter and its implementation can be found in [67].

### 2.3 Theorem proving in HOL

Proofs can be carried out in two different ways: forward proof and goal-directed proof. A forward proof starts with an existing theorem, and inference rules are applied successively to transform this theorem into a sequence of new theorems until the desired one is reached. A goal-directed proof sets up a goal which has exactly the same form as the desired theorem, then tactics are applied to decompose it into a list of subgoals, and this process continues until all subgoals can be solved.

#### 2.3.1 Forward proof

Inference rules are used to transform a theorem when carrying out forward proofs. They are implemented in HOL as ML functions which deliver a theorem. These functions take one or more theorems and possibly other arguments depending on the meaning of the inference rules. There are eight primitive inference rules in HOL. Since there is no primitive constructor for values of type thm in ML, calling these functions is the only way to create a theorem. The primitive inference rule Modus Ponens, for example, is represented by the ML function MP. It takes two theorems as its arguments: the first should be an implication and the second should be a theorem matching the antecedent of the implication. It returns a theorem in the same form as the conclusion of the implication. There is a comprehensive set of pre-defined ML functions implementing derived inference rules.
These functions are defined in terms of the eight primitive rule functions. Each of them combines a number of steps of applying the primitive rules, thus providing a set of more useful tools. Users of HOL can also define their own functions implementing derived inference rules for their special needs. A conversion in HOL is a rule which maps a term to a theorem stating the equality of that term to some other term. The theorem produced by a conversion is often used to convert the whole or part of a formula — i.e., rewriting or substitution. Conversions are also represented by ML functions returning a theorem. For example, the conversion bool\_EQ\_CONV takes a term of the form "b1 = b2" and returns one of the following theorems:

$$\vdash (b_1 = b_2) = \mathsf{T}$$

if $b_1$ and $b_2$ are identical boolean terms, or

$$\vdash (b_1 = b_2) = \mathsf{F}$$

if each of $b_1$ and $b_2$ is $\mathsf{T}$ or $\mathsf{F}$ but they differ, or

$$\vdash (b_1 = b_2) = b_2$$

if $b_1$ is $\mathsf{T}$, or

$$\vdash (b_1 = b_2) = b_1$$

if $b_2$ is $\mathsf{T}$. There are a number of higher-order functions for combining conversions to form more complex ones. For example, conv<sub>1</sub> THENC conv<sub>2</sub> is a conversion formed by the function THENC. When this expression is evaluated, the conversion conv<sub>1</sub> is performed first, then the conversion conv<sub>2</sub> is carried out.

### 2.3.2 Goal directed proof

The forward proof style is rather unnatural, and is too 'low level' for many applications. The goal-directed proof style constructs a proof by organizing it into a tree in which each node is a subgoal and each edge is a tactic. The tree is traversed twice: the first pass is from the root, representing the original goal, to the leaves, representing the final (trivial) subgoals; the second is from the leaves back to the root.
In the first pass, tactics are applied and subgoals are generated, and in the second pass, a proof is computed from the theorems achieving the subgoals to yield the theorem achieving the original goal. This is only a conceptual view of the goal-directed proof style. No tree is actually created in HOL, but there is a subgoal package which manages all the proof searching efforts. It provides functions for the user to set up a goal and then to apply tactics. The idea of using tactics in goal-directed proofs originated from Milner and was first implemented in Edinburgh LCF [35]. A tactic is an ML function. When applied to a goal, a tactic reduces it to

1. a list of subgoals, and
2. a justification function mapping a list of theorems to a theorem.

The subgoal package keeps track of the justification functions and combines them in the correct order to compute the final theorem that achieves the goal. There is a comprehensive set of tactics provided by the HOL system. Tactics can be combined to form more complex ones using tacticals. The user can define special tactics for his application using the existing ones. In Chapter 6, the proof of a theorem asserting a property of networks will be described in detail to illustrate the process of proof searching in the goal-directed proof style.

# Chapter 3

# Principles of Railway Signalling

This chapter gives an introduction to the principles of railway signalling and the state-of-the-art technology in automatic interlocking systems so that readers not familiar with the subject can understand the following chapters. The primary function of a railway signalling system is to maintain the safe operation of trains over the track network and to protect human beings from injury and equipment from damage. In addition to this, the system should allow efficient operation of trains so that the maximum capacity can be obtained.
This chapter describes the signalling equipment, the principles of railway signalling and the state-of-the-art in automatic signalling systems based on the current practice of British Rail [54]. The description is rather general and provides a view-point for the research described in later chapters. Many important issues of railway signalling which are not within the scope of this research are ignored. Most of the concepts described here are also applicable to other railway authorities. Section 3.1 describes the basic functions of individual components of signalling equipment. The central concept of signalling systems — interlocking — and the operation of the complete system are explained in Section 3.2. The last section of this chapter presents the current technology of signalling systems in British Rail.

# 3.1 Railway track and signalling equipment

A signalling system consists of many kinds of component. These components can be grouped into two classes: track components and signals. The first class forms the railway track network, the permanent way, and the second is the means of controlling the train movements over the track network.

#### 3.1.1 Track components

For the purposes of this research, the property of the track components which is of interest is their topology, that is, how they are interconnected to form a track network. Based on this consideration, the track components have been divided into the following four classes: buffers, tracks, points and diamond crossings. They are called parts. Table 3.1 below shows a schematic drawing of these parts together with a brief description.

Table 3.1: Track components.

Figure 3.1: A slip crossing and its equivalent atomic parts.

There are other, more complex track components in real networks, such as the single slip crossing. It can be considered as a compound of a simple diamond crossing with a pair of simple points connected to either end of it. This is illustrated in
Figure 3.1 with the single slip crossing shown on the left-hand side and the decomposition into atomic parts on the right. The four simple components listed above are atomic. All complex track components can be built up by combining appropriate atomic parts. A complete track network can be formed by connecting the required track components together and placing signals at the appropriate locations.

The primary means of detecting the presence of a train is by the use of track circuits. A conceptual view of the operation of the circuits is illustrated in Figure 3.2. A voltage is applied to the two rails of the track. This can be detected by a sensor to indicate that the track section is 'CLEAR'. When a train is present, its wheels bridge the circuit, reducing the voltage between the rails, so that the output is changed to 'OCCUPIED'. The design of a track circuit is fail-safe, in that it will always give an 'OCCUPIED' output when it is faulty.

Figure 3.2: The principle of track circuit.

In a fixed block system, the track network is divided into sections. Each section is controlled by a signal and may be occupied by at most one train except in certain special operations, such as the coupling of an engine. Track sections are electrically insulated from each other. In a simple layout, each section usually has its own associated track circuit, and consists of only a single part, for example, a plain track. In a complex layout, such as a busy terminal station, a section may contain several track circuits, each circuit spanning several parts. The point where adjacent sections meet is called a join. Since the track is characterized by different kinds of part, the term join is also used to mean the meeting point of two adjacent parts.

Figure 3.3: An overlap.

In practice, there are several types of join:

- conducting join, which is the join between two parts that share the same track circuit;
- insulated join, which is the join between two track circuits;
- overlap join, which is also formed between two track circuits, but in addition, one of the circuits is a special section of track, known as an overlap. An overlap is a short section ahead of a stop signal, whose function is to protect a train against overrunning the signal in adverse conditions. As illustrated in Figure 3.3, the section between join j2 and j3 is an overlap which protects a train from overrunning signal S11, and thus j3 is an overlap join.

#### 3.1.2 Signals

Like track components, there are several kinds of signals. Their names and functions are listed below:

- main signal — gives instructions to the normal running traffic;
- junction indicator — provides information at the entry to a branch so that a diverted train may slow down;
- subsidiary signal — (always associated with a main signal) authorizes the driver to pass the main red aspect and draw ahead to stop short of any obstructions;
- shunting signal — gives instructions for slow movements into or out of sidings etc.

Sometimes, a combination of several types of signal is installed on a single signal post; for example, a main signal and a junction indicator are often combined at the entry to a branch line. According to the number of different aspects they can display, main signals can be of 2, 3 or 4-aspect. For 2 and 3-aspect types, there are stop signals and repeaters. The repeaters are used where earlier warning is required of the aspect of a stop signal. A 2-aspect stop signal can display RED and GREEN while a 2-aspect repeater can display YELLOW and GREEN. A 3-aspect signal can display RED, YELLOW and GREEN. A 4-aspect signal can display a 'DOUBLE YELLOW' aspect in addition to all aspects of the 3-aspect signal. The use of different numbers of aspects depends on the traffic density, the headway and the length of the track sections. For example, in Figure 3.3, S11 is a 2-aspect stop signal with an overlap protection and S10 is a 2-aspect repeater.
At any time, a signal is in one of two states: 'ON' or 'OFF'. A train must not pass a signal which is in the 'ON' state; this is shown as the RED aspect. All other aspects are said to be 'OFF'. All aspects of main signals employ double filament bulbs. The auxiliary filament is switched into use automatically as soon as the main filament is broken. When this happens, an indicator on the control panel is illuminated to warn the signalman. A signal will not be taken as showing a particular aspect simply because it is selected. There is a proving circuit built into the signal which checks whether the selected aspect is drawing current, that is, whether the bulb for the selected aspect has at least one filament illuminated. In the case in which both filaments of the selected aspect are broken, the signal is said to be faulty.

# 3.2 Signalling principles

Signalling systems provide two types of control to the traffic: the first is route control, which is achieved by setting the appropriate points; and the second is speed control, which is achieved by setting the aspects of the appropriate signals. All these controls are operated from a central location — the signal control centre. Each control centre may supervise an area of up to hundreds of kilometres of track, which consists of many points and signals. The track network is organized into a number of routes. Each route starts from a signal, the entry signal, and usually ends at another signal, the exit signal. If two routes share at least one part, they are said to be conflicting. To allow a train to pass through a route, the route has to be set up and proved. This means that the conditions which provide a safe passage through the route have to be satisfied.

Figure 3.4: An example of track layout: a double left-hand junction.

For example, Figure 3.4 shows a layout in the vicinity of a left-hand double junction. Suppose that the route from signal S10 to S12 is to be set up.
This requires:

- all the track circuits along the route, namely tc11, tc12, tc13 and tc14, to be 'CLEAR';
- the point P200 to be set to NORMAL and detected in the correct position;
- the exit signal S12 not to be faulty;
- the entry signal S11 of the conflicting route from that signal to S15 to be turned 'ON' and proved to be alight;
- the track circuit along the conflicting route up to the point of conflict, namely tc26, to be 'CLEAR'.

After all of these conditions are satisfied, the entry signal of the route can be turned 'OFF', and the route is said to be 'set'.

Central to the operation of the signalling system is the concept of interlocking. For example, route locking is in operation after the above route is set. This means that the satisfied conditions must not be destroyed by subsequent operation of points or by the setting up of a conflicting route. This is important because the incoming train has been given permission to proceed, and if the entry signal were changed to 'ON' unexpectedly, the driver might not be able to stop short of it and a dangerous situation could arise.

Traditionally, these operating conditions are expressed in tabular form, in the control tables. The control tables have a well-defined syntax and semantics for the interlocking functions, and are very well understood by signalling engineers. A control table for the example route above is shown in Table 3.2.

| ROUTE | TRACK CIRCUITS CLEAR | TRACK CIRCUITS OCCUPIED | POINTS NORMAL | POINTS REVERSE | SIGNALS ALIGHT | SIGNALS ON |
|---|---|---|---|---|---|---|
| S10 S12 | tc11, tc12, tc13, tc14 | | P200 | | S12 | |
| (protect from conflicting traffic) | tc26 | | | | | S11 |

Table 3.2: An example of a control table.

# 3.3 Solid-state interlocking

In the early days of railway signalling, interlocking was achieved by the mechanical interlocking frame.
When electromechanical technology was adopted, relay circuits implemented the interlocking function, and these are still in widespread use. Since its advent in the late 1970s, microprocessor technology has influenced every branch of engineering, and railway signalling is no exception. However, the application of microcomputer control technology in signalling systems has been rather conservative, because of the strict safety assurance required in such systems. Owing to the unpredictable failure modes of a complex microcomputer control system, microprocessors were used only in non-vital functions in the early attempts at applying computers to signalling control.

The first use of microprocessors to control vital safety functions in the U.K. was the Solid State Interlocking project of British Rail Research [20][21], which started as soon as the first 16-bit microprocessors became available. The aim of the project was the 'eventual replacement of present day electromechanical signalling interlocks' [22]. At the same time, the new system was not to alter any signalling principles, nor the appearance and behaviour of the system so far as the operator is concerned. The result is the now highly acclaimed SSI system, which has been adopted for all new signalling installations on British Rail.

#### 3.3.1 Features of the SSI

The SSI system can be divided into three parts:

- one or more microcomputer interlockings;
- a control panel;
- a maintenance terminal.

The heart of the computer interlocking is the interlocking processors. There are three processors which operate as a triple modular redundancy (TMR) system to achieve the strict requirements of reliability and fault tolerance. These perform all the safety-critical logical operations of the signalling controls. The commands to the equipment, such as point machines and signals, are transmitted to specialized interface units at the trackside via a duplex data highway.
The data on this highway are encoded at two levels, to withstand the severe electromagnetic interference encountered with electric traction and to maintain the high overall integrity required. Two panel processors perform the non-safety tasks of servicing the control panel, which can be either the conventional mosaic push-button type or the new-style Visual Display Unit (VDU) type. A diagnostic processor provides information to the maintenance terminal, which is used by the technician to monitor the performance of the system.

The software controlling the interlocking processors is designed to be data driven. Since every signalling scheme has a different configuration, it would be very inefficient, if not impossible, to design, implement and verify a special version of the control program for each installation. Instead, the arrangement of the signals, the track layout and the rules for controlling them are encoded in a database. The standard software is based on the concept of the control cycle: in each cycle, the system processes one incoming message and generates one control command. During the cycle, it updates a set of variables representing the current state of the network, consults the database for the applicable rules, and derives the correct control commands.

Since the software is safety-critical, it is subjected to rigorous testing and validation processes to ensure that it is logically correct and faithfully implements the specification. The software development and validation processes are described in [60]. The basic principles are to be disciplined in the development stage and rigorous in the validation stage. Very strict rules are applied to the design and development of the software. The programs are highly modular and well structured. The use of interrupts is excluded in favour of simple looping and polling. Data flow between modules is made explicit.
High-quality documentation has been produced, which contributes to the correctness of the software and simplifies the validation process. Several well-established techniques are used to validate the software: functional analysis checks the correspondence between the requirement specification and the software; structural analysis checks the programming logic; information flow analysis ensures correct data passing between modules; modular analysis confirms the correctness of each module; and semantic analysis proves the software correct by logical deduction.

The whole software development process, from specification through design to validation, makes certain assumptions about the environment within which the final program will execute. These include the behaviour of the hardware and of the equipment under the program's control. Only system testing will uncover any misconception about that reality. Therefore, extensive system testing has to be carried out, both in an environment simulated in a laboratory and in the real field environment.

#### 3.3.2 The design procedures

Briefly, the procedure for designing and implementing a signalling scheme using SSI [50] is as follows:

1. specify the required track and signalling layout;
2. produce the control tables;
3. generate the geographic data;
4. test the geographic data on a simulator;
5. install the SSI with EPROMs containing the geographic data.

One of the major tasks of the railway signalling engineer is to produce the control tables required for a particular track and signalling layout. The geographic data are then extracted from these tables and written in a special-purpose high-level programming language. This program is subsequently compiled into data object code and installed in the SSI. The production of control tables and geographic data is carried out manually because it requires skill and experience. The research described in later chapters shows a possible way of automating these operations.
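The following is an added example, not SSI software and not code from the thesis: it holds the control-table row of Table 3.2 as data and evaluates it in a miniature control cycle, in the data-driven style of Section 3.3.1, so that steps 2 to 4 of the procedure above (table, data, simulator) can be seen together on one route. It also models the lamp proving of Section 3.1.2, so that a signal with a broken main filament is still proved alight while one with both filaments broken is faulty. The track circuit, point and signal names are those of Figure 3.4 and Table 3.2; the field states are constructed for the demonstration.

```python
"""Added example (not SSI software and not the thesis's own code): the
route-setting conditions of Section 3.2 and the control-table row of
Table 3.2 held as data and evaluated by a small control cycle, in the
data-driven style of Section 3.3.1. Track circuit, point and signal names
come from Figure 3.4 / Table 3.2; the field states are constructed."""
from dataclasses import dataclass, field


@dataclass
class Signal:
    on: bool = True            # ON shows RED: a train must not pass
    main_filament: bool = True
    aux_filament: bool = True  # switched in automatically when the main breaks

    def alight(self) -> bool:
        """Proving circuit: the selected aspect draws current if at least
        one filament of its bulb is intact (Section 3.1.2)."""
        return self.main_filament or self.aux_filament

    def faulty(self) -> bool:
        return not self.alight()


@dataclass
class Point:
    lie: str = "NORMAL"        # commanded position
    detected: str = "NORMAL"   # position detected at the point machine


@dataclass
class Field:
    """State variables the control cycle keeps for the network."""
    tracks: dict               # track circuit -> "CLEAR" | "OCCUPIED"
    points: dict
    signals: dict
    locked: set = field(default_factory=set)   # routes currently set


# Table 3.2 as data; tc26 and S11 are the 'protect from conflicting
# traffic' entries of the second row.
CONTROL_TABLE = {
    "S10 S12": {
        "entry": "S10", "exit": "S12",
        "clear": ["tc11", "tc12", "tc13", "tc14", "tc26"],
        "normal": ["P200"], "reverse": [],
        "alight": ["S12"],     # exit signal proved not faulty
        "on": ["S11"],         # conflicting entry signal held at RED and proved
    },
}


def unsatisfied(route: str, f: Field) -> list:
    """Prove a route: list every control-table condition that fails."""
    row, bad = CONTROL_TABLE[route], []
    for tc in row["clear"]:
        if f.tracks.get(tc) != "CLEAR":
            bad.append(f"{tc} not CLEAR")
    for pos in ("normal", "reverse"):
        for p in row[pos]:
            pt = f.points[p]
            if not (pt.lie == pos.upper() == pt.detected):
                bad.append(f"{p} not {pos.upper()} and detected")
    for s in row["alight"]:
        if f.signals[s].faulty():
            bad.append(f"{s} faulty")
    for s in row["on"]:
        if not (f.signals[s].on and f.signals[s].alight()):
            bad.append(f"{s} not proved ON")
    return bad


def set_route(route: str, f: Field):
    """One control cycle for a 'set route' request: if all conditions are
    proved, clear the entry signal (OFF) and record the route as locked."""
    bad = unsatisfied(route, f)
    if bad:
        return False, bad
    f.signals[CONTROL_TABLE[route]["entry"]].on = False
    f.locked.add(route)
    return True, []


def move_point(p: str, to: str, f: Field) -> bool:
    """Route locking: a point required by a set route may not be moved."""
    if any(p in CONTROL_TABLE[r]["normal"] + CONTROL_TABLE[r]["reverse"]
           for r in f.locked):
        return False
    f.points[p].lie = f.points[p].detected = to
    return True


def make_field() -> Field:
    """Constructed field state around the junction of Figure 3.4."""
    return Field(
        tracks={tc: "CLEAR" for tc in ("tc11", "tc12", "tc13", "tc14", "tc26")},
        points={"P200": Point()},
        signals={"S10": Signal(), "S11": Signal(), "S12": Signal()},
    )
```

With tc26 OCCUPIED, `set_route("S10 S12", f)` returns `(False, ['tc26 not CLEAR'])`; once tc26 is CLEAR the route sets even if the main filament of S12 has failed, because the auxiliary filament keeps it proved alight, and `move_point("P200", "REVERSE", f)` is then refused by route locking until the route is released.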
#### 3.3.3 The benefits and the future

The major benefits of the SSI system are its flexibility, good maintainability and cost-effectiveness. The flexibility is due to the modular organization of the system, which provides an easy path to future evolution both for the interlocking itself and for the other systems it interfaces with. For example, the Integrated Electronic Control Centre (IECC) [61] is the new human interface built on top of the interlocking. It replaces the conventional mosaic push-button control panel by tracker balls, keyboards and VDUs. The modular organization also contributes other benefits, the bulk of the cost saving being achieved by the dramatic shrinkage of the physical dimensions of the new equipment.

The flexibility of the SSI system also opens up the possibility of higher-order control systems. Automatic Route Setting (ARS) is one such system. It is interlinked with the Signalling and Information Networks. It is informed of the preplanned schedule and the location of the trains, and it learns from the SSI the real-time state of the signalling and track occupation. From this information it can deduce the required routes and whether there are any conflicts. It can then calculate the optimal routing strategy and translate it into commands to the SSI.

Besides the SSI system in the U.K., railway authorities in other countries have also developed computer-controlled signalling systems, such as the ERILOCK system of the Swedish Railway Administration [13], the SMILE system of Japanese National Railways [2], and so on.

Since the SSI is the key element in providing interlocking, a rigorous formal approach to its design and implementation is necessary and desirable. The research described in the later chapters was carried out with the aim of helping railway signalling engineers and designers to improve the integrity and correctness of interlocking systems based on the use of microprocessors and real-time software.
# Part II

# **Theories**

In order to apply formal methods to signalling systems, a formal model of the railway track network and signalling equipment must first be established. This model is an abstract view of the railway track network, upon which specifications of interlocking systems can be developed. This part presents such a formal model expressed in Higher-Order Logic. It is organized into several theories which form the hierarchy shown in Figure II.

In the hierarchy, the theory sets is one of the HOL system libraries. The theories below the dashed line were developed by the author. On the left-hand side are the theories describing the mathematical structures, namely graphs and paths, which are used to model the network. The main theories graph and path contain definitions and theorems about these mathematical structures, while the auxiliary theories func and elist contain some lower-level definitions and theorems about functions and lists which support the main theories. These theories are described in Chapter 4.

Figure II: The hierarchy of theories.

On the right-hand side of the hierarchy are the theories modelling the railway equipment. The theory TRACK models track components, and the theory SIGNAL models signals. The PART theory combines the individual components to provide a uniform interface to the network model. These theories are described in Chapter 5. The top level of the model is the theory NETWORK, which characterizes track networks. Some basic properties of such networks have been proved. This is described in Chapter 6.

The complete listings of each theory can be found in Appendix A, and the ML sources for creating these theories are listed in Appendix B.

# Chapter 4

# The mathematical foundation

This chapter describes the HOL theories graph and path and two auxiliary theories func and elist. These theories contain the abstract mathematical structures for modelling the network.
Graph theory is a very large branch of mathematics, and it has found applications in many diverse fields. The theory described in this chapter is only a first attempt at expressing a small portion of conventional graph theory in Higher-Order Logic. The main criterion for deciding what to include in the theory is the requirements of modelling the track network.

The definitions and theorems about graphs and paths are organized into two main HOL theories, graph and path, and two auxiliary theories, func and elist. The graph theory contains definitions of labelled directed graphs, several basic relations between vertices and edges, and basic operations on graphs. Some properties of graphs and of the related operations have been proved, and the theorems are stored in this theory. The path theory contains definitions of walks, trails and paths, and basic operations on them. Similarly, some basic properties in the form of theorems are stored in this theory. The func theory contains definitions and theorems about functions, some of which are used in reasoning about graph isomorphism; the features used are described when graph isomorphism is discussed. The elist theory contains some operations and facts about lists which are needed for reasoning about paths; it is described in Section 4.2.2.

The theories have been developed in a very general way so that they will be suitable for use in other applications. The terminology and definitions adopted in these theories follow the conventions found in many textbooks, such as [64] [65] [29]. Since there is no library of graphs in the HOL system up to version 2.0, the theories described below provide a starting point for building a comprehensive graph library. Thus, when applications requiring the use of graphs arise, the library can be called upon without repeating the work of defining a graph.

# 4.1 The theory graph

#### 4.1.1 The representation of graphs

First of all, graphs have to be represented by some structure in HOL.
This representation should reflect the abstract properties of graphs, and should be general and flexible so as to be suitable for use in different applications. Based on these considerations, a type and a predicate have been chosen to represent graphs. The type is a pair of sets. The first element of the pair is the set of vertices, which can be of any type, that is, `:*`. The second is the set of edges. Each edge is a triple containing the source vertex, the destination vertex and its own label. The vertex fields are of the same type as the elements of the vertex set. The label field is of a distinct polymorphic type `:**`. For convenience, these types are abbreviated in ML as<sup>1</sup>:

```
let Vertex = ":*"
and Edge   = ":(* # * # **)"
and Graph  = ":(*)set # (* # * # **)set";;
```

Thus, antiquotation can be used to make the subsequent HOL text much more readable. `:^Graph` is the polymorphic type for a general graph. Any particular instance of a graph can be created by instantiating the types `:*` and `:**` with the required types for the vertices and for the labels of the edges.

The choice of this concrete representation follows most conventional definitions of graphs. However, not every object of the type `:^Graph` is a proper graph. A predicate is required to distinguish those which are graphs from the other objects of the type. The definition of this predicate reads:

HOL Definition 1 (GRAPH_DEF)

```
"GRAPH ((V:(^Vertex)set),(E:(^Edge)set)) =
   !e. e IN E ==> (((e_src e) IN V) /\ ((e_des e) IN V))"
```

where e_src and e_des return the first and second fields of the triple representing an edge, respectively. This specifies that, to be a graph, the source and destination vertices of every edge in the edge set must be elements of the vertex set. This is the dominant abstract property of a graph. Having this definition of a graph, we need to assert that there exists at least one graph, i.e., the theorem GRAPH_EXISTS.
HOL Theorem 1 (GRAPH_EXISTS)

$\vdash \exists G.\ \mathsf{GRAPH}\ G$

<sup>1</sup> type_abbrev cannot be used since these are polymorphic types.

Figure 4.1: Examples of simple graphs.

A trivial example of a graph is the null graph ({}, {}) (a logical constant NULL_GRAPH is defined to be the null graph), and a more interesting graph, shown in Figure 4.1(a), can be written in HOL as

$$(\{1,2,3,4,5,6,7,8\},\ \{(1,2,a),(2,3,b),(3,4,c),(4,1,d),(5,6,e),(6,7,f),(7,8,g),(8,5,h),(1,5,i),(2,6,j),(3,7,k),(4,8,l)\})$$

As a consequence of this representation, all graphs are directed. This is because $(v_1, v_2, x) \neq (v_2, v_1, x)$ whenever $v_1 \neq v_2$, for any label x. However, it is still possible to represent an undirected graph using the same representation: each edge of an undirected graph can be replaced by a pair of anti-parallel edges. Also, all graphs are labelled. To represent an unlabelled graph, the label field of the edges can be instantiated with the type :one. Since there is only one object of this type, all labels will be identical; hence $(v_1, v_2, x) = (v_1, v_2, y)$ for all x and y.

#### 4.1.2 Some basic definitions of graphs

Two constants, VS and ES, are defined to access the vertex set and the edge set. They are characterized by the theorems VERTICES and EDGES.

HOL Theorem 2 (VERTICES)

$\vdash \forall V\, E.\ \mathsf{VS}(V, E) = V$

HOL Theorem 3 (EDGES)

$\vdash \forall V\, E.\ \mathsf{ES}(V, E) = E$

A loop is defined to be an edge whose source vertex and destination vertex are identical. Applying the predicate HAS_LOOP to a graph G yields true if and only if G contains a loop. The graph shown in Figure 4.1(b) has a loop, the edge labelled l.

HOL Definition 2 (LOOP_DEF)

HOL Definition 3 (HAS_LOOP_DEF)

A graph is said to have multiple edges if and only if there is more than one edge with the same vertex as its source and the same vertex as its destination. This property is expressed by the predicate MULTI_EDGE.
The graph shown in Figure 4.1(c) has multiple edges, (1, 2, a) and (1, 2, b).

HOL Definition 4 (MULTI_EDGE_DEF)

```
"MULTI_EDGE G = ?(e1:^Edge) e2.
   (e1 IN (ES G)) /\ (e2 IN (ES G)) /\ ~(e1 = e2) /\
   (e_src e1 = e_src e2) /\ (e_des e1 = e_des e2)"
```

A simple graph is defined to be a graph containing neither loops nor multiple edges. A finite graph is a graph whose vertex set and edge set are both finite.

HOL Definition 5 (SIMPLE_GRAPH_DEF)

```
"SIMPLE_GRAPH (G:^Graph) = (GRAPH G) /\ ~(HAS_LOOP G) /\ ~(MULTI_EDGE G)"
```

HOL Definition 6 (FINITE_GRAPH_DEF)

```
"FINITE_GRAPH (G:^Graph) = (GRAPH G) /\ FINITE (VS G) /\ FINITE (ES G)"
```

Other abstract properties of graphs can be defined in a similar way.

#### 4.1.3 Relationships between vertices and edges

**Incidence.** An edge is said to be incident with the vertices which are its source or its destination. It is said to be incident from the source vertex and incident to the destination vertex. The function INCIDENT_WITH, applied to a graph G and a vertex v, returns the set of edges incident with v.

HOL Definition 7 (INCIDENT_WITH_DEF)

```
"INCIDENT_WITH (G:^Graph) v =
   {e | (e IS_EDGE G) /\ ((e_src e = v) \/ (e_des e = v))}"
```

Let us name the graph in Figure 4.1(a) $G'$; then INCIDENT_WITH $G'$ 1 is equal to $\{(1,2,a),(4,1,d),(1,5,i)\}$. Similarly, INCIDENT_FROM and INCIDENT_TO are defined in HOL as below:

HOL Definition 8 (INCIDENT_FROM_DEF)

```
"INCIDENT_FROM (G:^Graph) v = {e | (e IS_EDGE G) /\ (e_src e = v)}"
```

HOL Definition 9 (INCIDENT_TO_DEF)

```
"INCIDENT_TO (G:^Graph) v = {e | (e IS_EDGE G) /\ (e_des e = v)}"
```

**Degree.** The degree of a vertex is the total number of edges incident with it. The out-degree of a vertex is the number of edges incident from it, and the in-degree is the number of edges incident to it. The HOL definitions of degree make use of the definitions of incidence and of the cardinality of sets.
They are listed below:

HOL Definition 10 (OUT_DEGREE_DEF)

```
"OUT_DEGREE (G:^Graph) v = CARD (INCIDENT_FROM G v)"
```

HOL Definition 11 (IN_DEGREE_DEF)

```
"IN_DEGREE (G:^Graph) v = CARD (INCIDENT_TO G v)"
```

HOL Definition 12 (DEGREE_DEF)

```
"DEGREE (G:^Graph) v = (IN_DEGREE G v) + (OUT_DEGREE G v)"
```

Thus DEGREE $G'$ 1 is 3, OUT_DEGREE $G'$ 1 is 2 and IN_DEGREE $G'$ 1 is 1.

**Adjacency.** Two vertices are said to be *adjacent* if and only if there exists an edge between them. The predicate VER_ADJA $G\, v_1\, v_2$ is true if there is an edge $(v_1, v_2, x)$ or $(v_2, v_1, y)$ for some x and y. The HOL definition of VER_ADJA is:

HOL Definition 13 (VER_ADJA_DEF)

```
"VER_ADJA G v1 (v2:^Vertex) =
   (GRAPH G) /\ (v1 IS_VERTEX G) /\ (v2 IS_VERTEX G) /\
   (?(e:^Edge). (e IS_EDGE G) /\
      (((e_src e = v1) /\ (e_des e = v2)) \/ ((e_src e = v2) /\ (e_des e = v1))))"
```

In Figure 4.1(a), VER_ADJA $G'$ 1 2 is T while VER_ADJA $G'$ 1 3 is F. Similarly, two edges are adjacent if there is a vertex which is the destination of one and the source of the other.

HOL Definition 14 (E_ADJA_DEF)

```
"E_ADJA G e1 (e2:^Edge) =
   (GRAPH G) /\ (e1 IS_EDGE G) /\ (e2 IS_EDGE G) /\
   ((e_des e1 = e_src e2) \/ (e_des e2 = e_src e1))"
```

**Successor and predecessor.** A vertex $v_2$ is a successor of another vertex $v_1$ if and only if there exists an edge from $v_1$ to $v_2$. The predicate IS_SUC_VER defined below indicates this relationship.

HOL Definition 15 (IS_SUC_VER_DEF)

```
"IS_SUC_VER (G:^Graph) v1 v2 =
   ?e. (e IS_EDGE G) /\ (e_src e = v1) /\ (e_des e = v2)"
```

The vertex 2 in $G'$ is a successor of vertex 1. The converse of successor is predecessor. The corresponding predicate is IS_PRE_VER:

HOL Definition 16 (IS_PRE_VER_DEF)

```
"IS_PRE_VER (G:^Graph) v1 v2 =
   ?e. (e IS_EDGE G) /\ (e_des e = v1) /\ (e_src e = v2)"
```

The functions SUC_VERS and PRE_VERS return the sets of vertices which are successors and predecessors of a vertex, respectively.

HOL Definition 17 (SUC_VERS_DEF)

```
"SUC_VERS (G:^Graph) v = {v' | (v' IS_VERTEX G) /\ (IS_SUC_VER G v v')}"
```

HOL Definition 18 (PRE_VERS_DEF)

```
"PRE_VERS (G:^Graph) v = {v' | (v' IS_VERTEX G) /\ (IS_PRE_VER G v v')}"
```

Referring to Figure 4.1(a), SUC_VERS $G'$ 1 = {2, 5} and PRE_VERS $G'$ 1 = {4}.

#### 4.1.4 Operations on graphs

**Insertion and deletion.** The primitive operations on graphs are the insertion and deletion of a vertex or an edge. The definition of inserting a vertex is:

HOL Definition 19 (INSERT_VERTEX_DEF)

```
"INSERT_VERTEX v (G:^Graph) = (v INSERT (VS G), (ES G))"
```

and the definition of inserting an edge is:

HOL Definition 20 (INSERT_EDGE_DEF)

```
"INSERT_EDGE e (G:^Graph) =
   ((VS G),
    ((((e_src e) IS_VERTEX G) /\ ((e_des e) IS_VERTEX G))
       => (e INSERT (ES G)) | (ES G)))"
```

Note that, to maintain the integrity of a graph, the only edges which can be inserted are those incident with vertices already in the graph; an edge whose source or destination is not a vertex of G is discarded and the edge set is left unchanged. The reverse operations of insertion are DELETE_VERTEX and DELETE_EDGE. Their definitions are listed below:

HOL Definition 21 (DELETE_VERTEX_DEF)

```
"DELETE_VERTEX (G:^Graph) v =
   (((VS G) DELETE v), ((ES G) DIFF (INCIDENT_WITH G v)))"
```

HOL Definition 22 (DELETE_EDGE_DEF)

```
"DELETE_EDGE (G:^Graph) e = ((VS G), ((ES G) DELETE e))"
```

Note also that deleting a vertex also deletes all the edges incident with it. The following four theorems assert that the abstract property of a graph is maintained by these operations.

HOL Theorem 4 (GRAPH_INSERT_VERTEX)

$\vdash \forall G\, v.\ \mathsf{GRAPH}\ G \supset \mathsf{GRAPH}\ (v\ \mathsf{INSERT\_VERTEX}\ G)$

HOL Theorem 5 (GRAPH_INSERT_EDGE)

$\vdash \forall G\, e.\ \mathsf{GRAPH}\ G \supset \mathsf{GRAPH}\ (e\ \mathsf{INSERT\_EDGE}\ G)$

HOL Theorem 6 (GRAPH_DELETE_VERTEX)

$\vdash \forall G\, v.\ \mathsf{GRAPH}\ G \supset \mathsf{GRAPH}\ (G\ \mathsf{DELETE\_VERTEX}\ v)$

HOL Theorem 7 (GRAPH_DELETE_EDGE)

$\vdash \forall G\, e.\ \mathsf{GRAPH}\ G \supset \mathsf{GRAPH}\ (G\ \mathsf{DELETE\_EDGE}\ e)$

All of these operations are commutative. These facts are asserted by the following theorems:

HOL Theorem 8 (INSERT_VERTEX_COMM)

$\vdash \forall G\, v_1\, v_2.\ v_1\ \mathsf{INSERT\_VERTEX}\ (v_2\ \mathsf{INSERT\_VERTEX}\ G) = v_2\ \mathsf{INSERT\_VERTEX}\ (v_1\ \mathsf{INSERT\_VERTEX}\ G)$

HOL Theorem 9 (INSERT_EDGE_COMM)

$\vdash \forall G\, e_1\, e_2.\ e_1\ \mathsf{INSERT\_EDGE}\ (e_2\ \mathsf{INSERT\_EDGE}\ G) = e_2\ \mathsf{INSERT\_EDGE}\ (e_1\ \mathsf{INSERT\_EDGE}\ G)$

HOL Theorem 10 (DELETE_VERTEX_COM)

$\vdash \forall G\, v_1\, v_2.\ (G\ \mathsf{DELETE\_VERTEX}\ v_1)\ \mathsf{DELETE\_VERTEX}\ v_2 = (G\ \mathsf{DELETE\_VERTEX}\ v_2)\ \mathsf{DELETE\_VERTEX}\ v_1$

HOL Theorem 11 (DELETE_EDGE_COM)

$\vdash \forall G\, e_1\, e_2.\ (G\ \mathsf{DELETE\_EDGE}\ e_1)\ \mathsf{DELETE\_EDGE}\ e_2 = (G\ \mathsf{DELETE\_EDGE}\ e_2)\ \mathsf{DELETE\_EDGE}\ e_1$

**Graph union and intersection.** Two important operations on graphs are the union and intersection of two graphs. The union of two graphs $G_1$ and $G_2$ is defined to be the pair of the union of their vertex sets and the union of their edge sets. The HOL definition reads:

HOL Definition 23 (G_UNION_DEF)

```
"G_UNION (G1:^Graph) G2 = ((VS G1) UNION (VS G2), (ES G1) UNION (ES G2))"
```

The operation G_UNION is closed within the set of all graphs, i.e., the union of any two graphs is a graph.

HOL Theorem 12 (GRAPH_UNION)

$\vdash \forall G_1\, G_2.\ \mathsf{GRAPH}\ G_1 \wedge \mathsf{GRAPH}\ G_2 \supset \mathsf{GRAPH}\ (G_1\ \mathsf{G\_UNION}\ G_2)$

This operation is symmetric and associative, and the union of a graph with itself is the graph itself. These properties are asserted by the following three theorems.

HOL Theorem 13 (G_UNION_SYM)

HOL Theorem 14 (G_UNION_ASSOC)

$\vdash \forall G_1\, G_2\, G_3.\ (G_1\ \mathsf{G\_UNION}\ G_2)\ \mathsf{G\_UNION}\ G_3 = G_1\ \mathsf{G\_UNION}\ (G_2\ \mathsf{G\_UNION}\ G_3)$

HOL Theorem 15 (G_UNION_IDENT)

$\vdash \forall G.\ G\ \mathsf{G\_UNION}\ G = G$

It is obvious that if v is a vertex of the union of $G_1$ and $G_2$, then it is either a vertex of $G_1$ or a vertex of $G_2$.
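Before continuing with the remaining union and intersection theorems, the following is an added example, not part of the thesis and not the HOL theory itself: the representation of Section 4.1.1 and the definitions of Sections 4.1.2 to 4.1.4 rendered as executable Python, so that the values quoted above for $G'$ (the graph of Figure 4.1(a), called `G1` below) can be reproduced, and so that Theorems 4 to 12 can be checked on a concrete instance. A graph is a pair of frozensets and an edge is a triple (source, destination, label), mirroring the HOL type `:(*)set # (* # * # **)set`; function names follow the HOL constants. The vertices 9 and 10 and the edges labelled y and z used by `check_theorems` are constructed inputs.

```python
"""Added example, not from the thesis: the graph representation and
definitions of Sections 4.1.1 to 4.1.4 as executable Python. A graph is a
pair (V, E) of frozensets; an edge is (source, destination, label). G1 is
the graph of Figure 4.1(a). Names follow the HOL constants."""


def e_src(e): return e[0]
def e_des(e): return e[1]
def VS(G): return G[0]
def ES(G): return G[1]


def GRAPH(G):
    """GRAPH_DEF: every edge's source and destination lie in the vertex set."""
    return all(e_src(e) in VS(G) and e_des(e) in VS(G) for e in ES(G))


def HAS_LOOP(G):
    return any(e_src(e) == e_des(e) for e in ES(G))


def MULTI_EDGE(G):
    return any(e1 != e2 and e_src(e1) == e_src(e2) and e_des(e1) == e_des(e2)
               for e1 in ES(G) for e2 in ES(G))


def SIMPLE_GRAPH(G):
    return GRAPH(G) and not HAS_LOOP(G) and not MULTI_EDGE(G)


def INCIDENT_WITH(G, v): return frozenset(e for e in ES(G) if v in (e_src(e), e_des(e)))
def INCIDENT_FROM(G, v): return frozenset(e for e in ES(G) if e_src(e) == v)
def INCIDENT_TO(G, v):   return frozenset(e for e in ES(G) if e_des(e) == v)
def OUT_DEGREE(G, v):    return len(INCIDENT_FROM(G, v))
def IN_DEGREE(G, v):     return len(INCIDENT_TO(G, v))
def DEGREE(G, v):        return IN_DEGREE(G, v) + OUT_DEGREE(G, v)


def VER_ADJA(G, v1, v2):
    """True if some edge (v1, v2, x) or (v2, v1, y) exists in G."""
    return (GRAPH(G) and v1 in VS(G) and v2 in VS(G) and
            any((e_src(e), e_des(e)) in ((v1, v2), (v2, v1)) for e in ES(G)))


def SUC_VERS(G, v): return frozenset(e_des(e) for e in INCIDENT_FROM(G, v))
def PRE_VERS(G, v): return frozenset(e_src(e) for e in INCIDENT_TO(G, v))


def INSERT_VERTEX(v, G): return (VS(G) | {v}, ES(G))


def INSERT_EDGE(e, G):
    """INSERT_EDGE_DEF: an edge touching a vertex not in G is discarded,
    which is what keeps GRAPH_INSERT_EDGE true."""
    if e_src(e) in VS(G) and e_des(e) in VS(G):
        return (VS(G), ES(G) | {e})
    return G


def DELETE_VERTEX(G, v): return (VS(G) - {v}, ES(G) - INCIDENT_WITH(G, v))
def DELETE_EDGE(G, e):   return (VS(G), ES(G) - {e})
def G_UNION(G1, G2):     return (VS(G1) | VS(G2), ES(G1) | ES(G2))


# The graph of Figure 4.1(a).
G1 = (frozenset(range(1, 9)),
      frozenset({(1, 2, 'a'), (2, 3, 'b'), (3, 4, 'c'), (4, 1, 'd'),
                 (5, 6, 'e'), (6, 7, 'f'), (7, 8, 'g'), (8, 5, 'h'),
                 (1, 5, 'i'), (2, 6, 'j'), (3, 7, 'k'), (4, 8, 'l')}))


def check_theorems(G, v1=9, v2=10, e1=(1, 2, 'z'), e2=(2, 1, 'y')):
    """Instances of Theorems 4 to 12 on G: closure of GRAPH under the four
    operations, commutativity of each, and closure and idempotence of
    G_UNION. Returns True when every instance holds."""
    if not GRAPH(G):
        raise ValueError("G is not a graph")
    closed = all(GRAPH(H) for H in (INSERT_VERTEX(v1, G), INSERT_EDGE(e1, G),
                                    DELETE_VERTEX(G, 1), DELETE_EDGE(G, e1)))
    comm = (INSERT_VERTEX(v1, INSERT_VERTEX(v2, G)) == INSERT_VERTEX(v2, INSERT_VERTEX(v1, G))
            and INSERT_EDGE(e1, INSERT_EDGE(e2, G)) == INSERT_EDGE(e2, INSERT_EDGE(e1, G))
            and DELETE_VERTEX(DELETE_VERTEX(G, 1), 2) == DELETE_VERTEX(DELETE_VERTEX(G, 2), 1)
            and DELETE_EDGE(DELETE_EDGE(G, e1), e2) == DELETE_EDGE(DELETE_EDGE(G, e2), e1))
    union = GRAPH(G_UNION(G, INSERT_EDGE(e1, G))) and G_UNION(G, G) == G
    return closed and comm and union
```

Running `INCIDENT_WITH(G1, 1)`, `DEGREE(G1, 1)`, `SUC_VERS(G1, 1)` and `PRE_VERS(G1, 1)` reproduces the values given in the text for $G'$, and `INSERT_EDGE((1, 42, 'z'), G1)` returns `G1` unchanged because 42 is not a vertex. Such instance checks are not proofs; they are a cheap way to catch a mis-stated theorem before attempting it in HOL.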
Similarly, if e is an edge of the union of $G_1$ and $G_2$, then it is either an edge of $G_1$ or an edge of $G_2$. Hence the following two theorems:

HOL Theorem 16 (VERTEX_IN_UNION)

$\vdash \forall G_1\, G_2\, v.\ v\ \mathsf{IS\_VERTEX}\ (G_1\ \mathsf{G\_UNION}\ G_2) = v\ \mathsf{IS\_VERTEX}\ G_1 \vee v\ \mathsf{IS\_VERTEX}\ G_2$

HOL Theorem 17 (EDGE_IN_UNION)

$\vdash \forall G_1\, G_2\, e.\ e\ \mathsf{IS\_EDGE}\ (G_1\ \mathsf{G\_UNION}\ G_2) = e\ \mathsf{IS\_EDGE}\ G_1 \vee e\ \mathsf{IS\_EDGE}\ G_2$

The intersection of two graphs is defined as the pair of the intersection of their vertex sets and the intersection of their edge sets:

HOL Definition 24 (G_INTER_DEF)

```
"G_INTER (G1:^Graph) G2 = (((VS G1) INTER (VS G2)), ((ES G1) INTER (ES G2)))"
```

This operation is closed within the set of all graphs, as expressed by the following theorem:

HOL Theorem 18 (GRAPH_INTER)

$\vdash \forall G_1\, G_2.\ \mathsf{GRAPH}\ G_1 \wedge \mathsf{GRAPH}\ G_2 \supset \mathsf{GRAPH}\ (G_1\ \mathsf{G\_INTER}\ G_2)$

This operation is also symmetric and associative, and the intersection of a graph with itself is the graph itself; hence the following three theorems:

HOL Theorem 19 (G_INTER_SYM)

$\vdash \forall G_1\, G_2.\ G_1\ \mathsf{G\_INTER}\ G_2 = G_2\ \mathsf{G\_INTER}\ G_1$

HOL Theorem 20 (G_INTER_ASSOC)

$\vdash \forall G_1\, G_2\, G_3.\ (G_1\ \mathsf{G\_INTER}\ G_2)\ \mathsf{G\_INTER}\ G_3 = G_1\ \mathsf{G\_INTER}\ (G_2\ \mathsf{G\_INTER}\ G_3)$

HOL Theorem 21 (G_INTER_IDENT)

$\vdash \forall G.\ G\ \mathsf{G\_INTER}\ G = G$

All vertices of the intersection of two graphs must be vertices of both graphs. Similarly, all edges of the intersection must be edges of both graphs. The following two theorems assert these facts:

HOL Theorem 22 (VERTEX_IN_INTER)

$\vdash \forall G_1\, G_2\, v.\ v\ \mathsf{IS\_VERTEX}\ (G_1\ \mathsf{G\_INTER}\ G_2) = v\ \mathsf{IS\_VERTEX}\ G_1 \wedge v\ \mathsf{IS\_VERTEX}\ G_2$

HOL Theorem 23 (EDGE_IN_INTER)

$\vdash \forall G_1\, G_2\, e.\ e\ \mathsf{IS\_EDGE}\ (G_1\ \mathsf{G\_INTER}\ G_2) = e\ \mathsf{IS\_EDGE}\ G_1 \wedge e\ \mathsf{IS\_EDGE}\ G_2$

#### 4.1.5 Subgraphs and graph isomorphism

**Subgraph.** A subgraph of a graph G is a graph whose vertex set and edge set are subsets of the vertex set and edge set of G, respectively. A predicate SUBGRAPH is defined for this relation.

HOL Definition 25 (SUBGRAPH_DEF)

```
"SUBGRAPH (H:^Graph) (G:^Graph) =
   (GRAPH H) /\ (GRAPH G) /\ ((VS H) SUBSET (VS G)) /\ ((ES H) SUBSET (ES G))"
```

SUBGRAPH H G is true if H is a subgraph of G. As the definition implies, a subgraph is itself a graph. This is asserted by the theorem SUBGRAPH_GRAPH.

HOL Theorem 24 (SUBGRAPH_GRAPH)

$\vdash \forall G\, H.\ \mathsf{SUBGRAPH}\ H\ G \supset \mathsf{GRAPH}\ G \wedge \mathsf{GRAPH}\ H$

The subgraph relation is reflexive, transitive and antisymmetric. These properties are asserted by the following three theorems.

HOL Theorem 25 (SUBGRAPH_REFL)

$\vdash \forall G.\ \mathsf{GRAPH}\ G \supset \mathsf{SUBGRAPH}\ G\ G$

HOL Theorem 26 (SUBGRAPH_TRANS)

$\vdash \forall G_1\, G_2\, G_3.\ \mathsf{SUBGRAPH}\ G_1\ G_2 \wedge \mathsf{SUBGRAPH}\ G_2\ G_3 \supset \mathsf{SUBGRAPH}\ G_1\ G_3$

HOL Theorem 27 (SUBGRAPH_ANTISYM)

$\vdash \forall G_1\, G_2.\ \mathsf{SUBGRAPH}\ G_1\ G_2 \wedge \mathsf{SUBGRAPH}\ G_2\ G_1 \supset (G_1 = G_2)$

From the definition, a subgraph can be obtained by deleting an edge and/or a vertex from a graph. This is expressed in the following two theorems:

HOL Theorem 28 (SUBGRAPH_DELETE_EDGE)

$\vdash \forall G\, e.\ \mathsf{GRAPH}\ G \supset \mathsf{SUBGRAPH}\ (G\ \mathsf{DELETE\_EDGE}\ e)\ G$

HOL Theorem 29 (SUBGRAPH_DELETE_VERTEX)

$\vdash \forall G\, v.\ \mathsf{GRAPH}\ G \supset \mathsf{SUBGRAPH}\ (G\ \mathsf{DELETE\_VERTEX}\ v)\ G$

A subgraph can also be obtained by applying selection functions to the vertex set and the edge set of a graph.
This operation is defined in HOL as:

HOL Definition 26 (MK_SUBGRAPH_DEF)

```
"MK_SUBGRAPH (G:^Graph) fv fe =
   ({v | v IS_VERTEX G /\ fv v},
    {e | e IS_EDGE G /\ fe e /\ fv (e_src e) /\ fv (e_des e)})"
```

Note that an edge survives the selection only if the edge predicate fe accepts it and the vertex predicate fv accepts both of its end vertices; this is what keeps the result a graph. The theorem MK_SUBGRAPH_GRAPH asserts that the result of this operation maintains the integrity of a graph, and the theorem MK_SUBGRAPH_SUBGRAPH asserts that the result is indeed a subgraph of the original graph.

HOL Theorem 30 (MK_SUBGRAPH_GRAPH)

$\vdash \forall G\, fv\, fe.\ \mathsf{GRAPH}\ G \supset \mathsf{GRAPH}\ (\mathsf{MK\_SUBGRAPH}\ G\ fv\ fe)$

HOL Theorem 31 (MK_SUBGRAPH_SUBGRAPH)

$\vdash \forall G\, fv\, fe.\ \mathsf{GRAPH}\ G \supset \mathsf{SUBGRAPH}\ (\mathsf{MK\_SUBGRAPH}\ G\ fv\ fe)\ G$

**Graph isomorphism.** Two graphs $G_1$ and $G_2$ are isomorphic if there exists a one-one correspondence between the vertices and edges of $G_1$ and the vertices and edges of $G_2$, respectively. The predicate GRAPH_ISO is defined for this relation:

HOL Definition 27 (GRAPH_ISO_DEF)

```
"GRAPH_ISO (G:^Graph) (H:^Graph) (f,g) =
   (GRAPH G) /\ (GRAPH H) /\ ((VS G) <--> (VS H)) f /\ ((ES G) <--> (ES H)) g"
```

where the infix constant <--> means one-one correspondence. In the above definition, ((VS G) <--> (VS H)) f means that f is a one-one correspondence between the elements of the vertex set of G and the elements of the vertex set of H. Note that, as stated, the definition constrains f and g only to be bijections between the respective sets; it does not require g to carry an edge between u and v to an edge between f u and f v, so it is weaker than the textbook notion of isomorphism, and two finite graphs with equally many vertices and equally many edges satisfy it. Four theorems about graph isomorphism have been proved. They assert the properties of this relation, namely that it is reflexive (automorphism), transitive and symmetric.

HOL Theorem 32 (GRAPH_ISO_AUTO)

$\vdash \forall G.\ \mathsf{GRAPH}\ G \supset \mathsf{GRAPH\_ISO}\ G\ G\ (I, I)$

HOL Theorem 33 (GRAPH_ISO_TRANS)

$\vdash \forall G_1\, G_2\, G_3\, f_1\, g_1\, f_2\, g_2.\ \mathsf{GRAPH\_ISO}\ G_1\ G_2\ (f_1, g_1) \wedge \mathsf{GRAPH\_ISO}\ G_2\ G_3\ (f_2, g_2) \supset \mathsf{GRAPH\_ISO}\ G_1\ G_3\ ((f_2 \circ f_1), (g_2 \circ g_1))$

HOL Theorem 34 (GRAPH_ISO_SYM)

$\vdash \forall G\, H\, f\, g.\ \mathsf{GRAPH\_ISO}\ G\ H\ (f, g) \supset (\exists f'\, g'.\ \mathsf{GRAPH\_ISO}\ H\ G\ (f', g'))$

HOL Theorem 35 (GRAPH_ISO_SYM_INV)

$\vdash \forall G\, H\, f\, g.\ \mathsf{GRAPH\_ISO}\ G\ H\ (f, g) \supset \mathsf{GRAPH\_ISO}\ H\ G\ (\mathsf{FUN\_INV}\ (\mathsf{VS}\ G)\ (\mathsf{VS}\ H)\ f,\ \mathsf{FUN\_INV}\ (\mathsf{ES}\ G)\ (\mathsf{ES}\ H)\ g)$

The theorem GRAPH_ISO_SYM_INV makes a stronger assertion about the symmetry of graph isomorphism by explicitly providing an inverse function FUN_INV, where the expression FUN_INV $S_1\, S_2\, f$ is an inverse function of f whose domain is the set $S_2$ and whose range is the set $S_1$.

# 4.2 The theory path

One of the most important uses of graphs, with respect to applications in railway signalling systems, is the derivation of paths. The path theory contains the definition of a path and related constants. Some basic properties of paths have been proved.

Consider any two vertices $v_1$ and $v_2$ in a graph: $v_2$ is reachable from $v_1$ if there is a sequence of edges through which one can arrive at $v_2$ from $v_1$. There are usually many different ways to arrive at $v_2$. According to whether all the edges in the sequence are distinct, such sequences can be classified into several classes: walks, trails and paths.

#### 4.2.1 Walks in a graph

A walk in a graph G is a sequence of edges $e_1, e_2, \dots, e_n$ which satisfies the following:

1. $n > 0$;
2. $e_i$ is an edge of G, for all $i = 1, \dots, n$;
3. the destination of $e_i$ is equal to the source of $e_{i+1}$ for $1 \le i < n$.

This means that the edges of a walk are not necessarily distinct, i.e., a walk may pass through the same edge more than once. In HOL, a sequence of edges is represented by a list of edges, of type :(^Edge)list. A list of edges satisfies the predicate WALK if and only if it is a walk.

HOL Definition 28 (WALK_DEF)

```
"WALK G (w:(^Edge)list) = ~(NULL w) /\ (WALK_TAIL w G)"
```

HOL Definition 29 (WALK_TAIL_DEF)

Here, the recursive predicate WALK_TAIL guarantees that the list of edges forms a walk by checking whether conditions 2 and 3 listed above are met. The degenerate case, the null list, is not considered to be a walk.
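The following is an added example, not part of the thesis: the three walk conditions above as an executable check over edge lists, together with the entry and exit of a walk, a distinct-edges test (the property that separates trails from general walks), and a breadth-first search that derives a walk between two vertices of the graph of Figure 4.1(a), which is the use of the theory the section opens with. The search itself is an addition of this example, not a HOL constant of the path theory; edges are (source, destination, label) triples as in Section 4.1.1, and `G1` is the graph of Figure 4.1(a).

```python
"""Added example, not from the thesis: the walk conditions of Section 4.2.1
as Python over lists of (source, destination, label) edges, plus a
breadth-first search for a walk between two vertices. G1 is the graph of
Figure 4.1(a). find_walk is this example's addition, not a HOL constant."""
from collections import deque


def e_src(e): return e[0]
def e_des(e): return e[1]
def ES(G): return G[1]


G1 = (frozenset(range(1, 9)),
      frozenset({(1, 2, 'a'), (2, 3, 'b'), (3, 4, 'c'), (4, 1, 'd'),
                 (5, 6, 'e'), (6, 7, 'f'), (7, 8, 'g'), (8, 5, 'h'),
                 (1, 5, 'i'), (2, 6, 'j'), (3, 7, 'k'), (4, 8, 'l')}))


def WALK_TAIL(w, G):
    """Conditions 2 and 3: every edge is in G and consecutive edges chain,
    the destination of each edge being the source of the next."""
    for i, e in enumerate(w):
        if e not in ES(G):
            return False
        if i + 1 < len(w) and e_des(e) != e_src(w[i + 1]):
            return False
    return True


def WALK(G, w):
    """WALK_DEF: condition 1 (a non-empty list) plus WALK_TAIL."""
    return len(w) > 0 and WALK_TAIL(w, G)


def WALK_ENTRY(w): return e_src(w[0])      # source of the first edge
def WALK_EXIT(w): return e_des(w[-1])      # destination of the last edge


def is_trail(G, w):
    """A walk in which no edge is used twice (all edges distinct)."""
    return WALK(G, w) and len(set(w)) == len(w)


def find_walk(G, v1, v2):
    """Breadth-first search from v1: return a shortest walk (list of edges)
    ending at v2, or None if v2 is not reachable from v1 along the edge
    directions. With v1 == v2 the result is a closed walk through v1."""
    queue = deque([(v1, [])])
    seen = {v1}
    while queue:
        v, walk = queue.popleft()
        for e in sorted(ES(G), key=lambda e: e[2]):   # fixed order by label
            if e_src(e) != v:
                continue
            w = walk + [e]
            if e_des(e) == v2:
                return w
            if e_des(e) not in seen:
                seen.add(e_des(e))
                queue.append((e_des(e), w))
    return None
```

In `G1`, `find_walk(G1, 1, 7)` returns the walk a, b, k from vertex 1 to vertex 7, whereas `find_walk(G1, 7, 1)` returns `None`: every edge leaving the square 5, 6, 7, 8 stays inside it, so vertex 1 is not reachable from 7 even though 7 is reachable from 1. This is the directedness of the representation noted in Section 4.1.1. Concatenating the closed walk a, b, c, d with itself still satisfies `WALK` but fails `is_trail`.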
The entry of a walk is the source of the first edge in the list, and the exit of a walk is the destination of the last edge.

HOL Definition 30 (WALK\_ENTRY\_DEF)

```
"WALK_ENTRY (l:(*Edge)list) = e_src (HD l)"
```

HOL Definition 31 (WALK\_EXIT\_DEF)

```
"WALK_EXIT (CONS (hd:*Edge) tl) = (NULL tl) => (e_des hd) | (WALK_EXIT tl)"
```

## 4.2.2 Some operations and facts on sequences of edges

Since the lists representing walks and other classes of edge sequences are special cases of general lists, the operations, functions and theorems in the HOL system theory list are not sufficient. Several predicates are defined to deal with these edge sequences; they are described in this subsection, together with some theorems about them.

**Membership of a list** The concept of membership is borrowed from set theory. An object $x$ is a member of a list $[x_0, \dots, x_n]$ if $x = x_i$ for some $i$ where $0 \le i \le n$. The predicate ELEM is defined to have this list membership property.

HOL Definition 32 (ELEM\_DEF)

```
"(ELEM [] (x:*) = F) /\
 (ELEM (CONS h t) (x:*) = (x = h) \/ (ELEM t x))"
```

It is obvious that there is no element in a null list. If $x$ is in a list $l$, it is also in the list obtained by adding an element to $l$. If $x$ is an element of the list obtained by appending a list $l_2$ to a list $l_1$, it is an element of $l_1$ or of $l_2$. These facts are asserted by the theorems NULL\_NOT\_ELEM, ELEM\_CONS and ELEM\_APPEND.

HOL Theorem 36 (NULL\_NOT\_ELEM)

HOL Theorem 37 (ELEM\_CONS)

HOL Theorem 38 (ELEM\_APPEND)

$\vdash \forall l_1\ l_2\ x.\ \mathsf{ELEM}\ (\mathsf{APPEND}\ l_1\ l_2)\ x = \mathsf{ELEM}\ l_1\ x \lor \mathsf{ELEM}\ l_2\ x$

The theorem IN\_ELEM relates set membership to list membership. It asserts that there exists a list $l$ such that all members of a finite set $s$ are elements of $l$.

HOL Theorem 39 (IN\_ELEM)

$\vdash \forall s.\ \mathsf{FINITE}\ s \supset (\exists l.\ (\forall x.\ x\ \mathsf{IN}\ s = \mathsf{ELEM}\ l\ x))$

**Unique elements** In a list $[x_0, \dots, x_n]$, the elements are called unique elements if all $x_i$ are distinct. The recursive function UNIQUE\_EL is defined to check the uniqueness of the elements of a list, and is used in the definitions of trail and path.

HOL Definition 33 (UNIQUE\_EL\_DEF)

```
"(UNIQUE_EL [] = T) /\
 (UNIQUE_EL (CONS (hd:*) tl) = (EVERY (\x. ~(x = hd)) tl) /\ (UNIQUE_EL tl))"
```

**Element set** A set can be constructed to contain all elements of a list. Obviously, such a set will contain all distinct elements of the list. This provides a means of collecting all distinct elements of a list and applying set operations on them; for example, checking whether two lists have common elements can be performed by using the set disjoint predicate on the element sets (a definition corresponding to this is shown in HOL Definition 35). The function EL\_SET returns a set containing all elements of its argument list.

HOL Definition 34 (EL\_SET\_DEF)

```
"(EL_SET [] = {}) /\
 (EL_SET (CONS hd tl:(*)list) = hd INSERT (EL_SET tl))"
```

The element set of the list (APPEND $l_1\ l_2$) is the union of the element sets of $l_1$ and $l_2$.

HOL Theorem 40 (EL\_SET\_APPEND)

$\vdash \forall l_1\ l_2.\ \mathsf{EL\_SET}\ (\mathsf{APPEND}\ l_1\ l_2) = \mathsf{EL\_SET}\ l_1\ \mathsf{UNION}\ \mathsf{EL\_SET}\ l_2$

The theorem ELEM\_IN\_EL\_SET asserts that the list membership relation is equivalent to set membership of the element set.

HOL Theorem 41 (ELEM\_IN\_EL\_SET)

$\vdash \forall l\ x.\ \mathsf{ELEM}\ l\ x = x\ \mathsf{IN}\ \mathsf{EL\_SET}\ l$

**Disjoint lists** Two lists are said to be disjoint if they have no common elements. The predicate DISJ\_LIST is defined for testing this condition. It is defined in the way suggested above.

HOL Definition 35 (DISJ\_LIST\_DEF)

```
"DISJ_LIST (l1:(*)list) l2 = DISJOINT (EL_SET l1) (EL_SET l2)"
```

The basic properties of DISJ\_LIST follow those of the set operator DISJOINT, i.e., it is symmetric.

HOL Theorem 42 (DISJ\_LIST\_COM)

$\vdash \forall l_1\ l_2.\ \mathsf{DISJ\_LIST}\ l_1\ l_2 = \mathsf{DISJ\_LIST}\ l_2\ l_1$

The following two theorems state the facts about DISJ\_LIST over the list operators CONS and APPEND.

HOL Theorem 43 (DISJ\_LIST\_CONS)

$\vdash \forall l_1\ l_2\ h.\ \mathsf{DISJ\_LIST}\ (\mathsf{CONS}\ h\ l_1)\ l_2 = \mathsf{DISJ\_LIST}\ l_1\ l_2 \land \neg\mathsf{ELEM}\ l_2\ h$

HOL Theorem 44 (DISJ\_LIST\_APPEND)

$\vdash \forall l_1\ l_2\ l_3.\ \mathsf{DISJ\_LIST}\ (\mathsf{APPEND}\ l_1\ l_2)\ l_3 = \mathsf{DISJ\_LIST}\ l_1\ l_3 \land \mathsf{DISJ\_LIST}\ l_2\ l_3$

**Vertex lists** The functions described in the remainder of this subsection are used in reasoning about paths. They are meaningful only when applied to edge sequences which are walks in a graph. Consider a walk $w = [e_0; \dots; e_n]$ in a graph: the vertices passed through by $w$ are the source of $e_0$ and the destinations of $e_i$ for $0 \le i \le n$. The function VER\_LIST returns the list of vertices a walk passes through. It is defined in terms of V\_L, which returns the same list except for the entry vertex.

HOL Definition 36 (VER\_LIST\_DEF)

```
"(VER_LIST [] = []) /\
 (VER_LIST (CONS (hd:*Edge) tl) = CONS (e_src hd) (V_L (CONS hd tl)))"
```

HOL Definition 37 (V\_L\_DEF)

```
"(V_L [] = []) /\
 (V_L (CONS (hd:*Edge) tl) = CONS (e_des hd) (V_L tl))"
```

The following three theorems state the properties of the function VER\_LIST over the list operators CONS and APPEND.

HOL Theorem 45 (V\_APPEND)

$\vdash \forall p_1\ p_2.\ \mathsf{V\_L}\ (\mathsf{APPEND}\ p_1\ p_2) = \mathsf{APPEND}\ (\mathsf{V\_L}\ p_1)\ (\mathsf{V\_L}\ p_2)$

HOL Theorem 46 (VER\_LIST\_CONS)

$\vdash \forall p\ h.\ \mathsf{VER\_LIST}\ (\mathsf{CONS}\ h\ p) = \mathsf{CONS}\ (\mathsf{e\_src}\ h)\ (\mathsf{CONS}\ (\mathsf{e\_des}\ h)\ (\mathsf{V\_L}\ p))$

HOL Theorem 47 (VER\_LIST\_APPEND)

$\vdash \forall p_1\ p_2.\ \neg\mathsf{NULL}\ p_1 \land \neg\mathsf{NULL}\ p_2 \supset (\mathsf{VER\_LIST}\ (\mathsf{APPEND}\ p_1\ p_2) = \mathsf{APPEND}\ (\mathsf{VER\_LIST}\ p_1)\ (\mathsf{TL}\ (\mathsf{VER\_LIST}\ p_2)))$

### 4.2.3 Trails and paths

A trail is a walk which contains no repeated edges, i.e., all edges in the sequence are distinct.
However, it may pass through the same vertex more than once, thus containing a cycle.

HOL Definition 38 (TRAIL\_DEF)

```
"TRAIL (G:*Graph) (l:(*Edge)list) = (WALK G l) /\ (UNIQUE_EL l)"
```

The clause UNIQUE\_EL l makes sure that all elements in the list l are distinct, i.e., no edge in a trail is repeated.

A path is a trail which passes through any vertex at most once, i.e., there is no cycle in a path. PATH G l holds if and only if l is a path in the graph G.

HOL Definition 39 (PATH\_DEF)

```
"PATH (G:*Graph) (l:(*Edge)list) = (TRAIL G l) /\ (UNIQUE_EL (VER_LIST l))"
```

The clause UNIQUE\_EL (VER\_LIST l) guarantees that all vertices passed through by l are distinct.

In the application to railway signalling, paths are the most important class of lists; therefore, some theorems about paths will be described in the next subsection.

The entry of a path is defined to be the source vertex of the first edge in the sequence:

HOL Definition 40 (PATH\_ENTRY\_DEF)

```
"PATH_ENTRY (l:(*Edge)list) = e_src (HD l)"
```

and the exit of a path is the destination vertex of the last edge in the sequence. It is defined in terms of the exit of a walk (WALK\_EXIT).

HOL Definition 41 (PATH\_EXIT\_DEF)

```
"PATH_EXIT (p:(*Edge)list) = WALK_EXIT p"
```

## 4.2.4 Some properties of paths

**Disjoint paths** Two paths $p_1$ and $p_2$ are said to be disjoint if they do not overlap, i.e., they neither share any edges nor have identical vertices. A HOL definition for this might be

```
DISJ_LIST p1 p2 /\ DISJ_LIST (VER_LIST p1) (VER_LIST p2)
```

The actual definition in the theory is DISJ\_PATH\_DEF, which replaces the constant VER\_LIST by V\_L; thus, it excludes the entry vertices from the disjointness test. This is needed to overcome a difficulty when DISJ\_PATH is used to test two paths which are to be connected to form a longer path. In such a case, the exit of one path should be equal to the entry of the other.
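To make the classification of edge sequences and the disjointness question concrete, the following Python model is added here (it is not code from the thesis or from the HOL theory). Edges are triples (source, destination, label) and a graph is a pair (vertex set, edge set), mirroring the Edge and Graph types; the sample ring graph, its vertex names and the labels are constructed for this example. The block implements WALK, TRAIL, PATH, VER\_LIST and V\_L directly from the definitions, contrasts the rejected VER\_LIST formulation of disjointness with the V\_L one actually used in DISJ\_PATH\_DEF, and, going one step beyond this subsection, shows why concatenating two DISJ\_PATH-disjoint paths still needs the extra check on the entry of the first path that the theory's PATH\_APPEND theorem carries.

```python
# Edges are triples (e_src, e_des, label); a graph is a pair (vertex set, edge set).
# All names below and the sample graph are constructed for this example.


def e_src(e):
    return e[0]


def e_des(e):
    return e[1]


def is_graph(G):
    """GRAPH G: every edge's source and destination are vertices of G."""
    vs, es = G
    return all(e_src(e) in vs and e_des(e) in vs for e in es)


def walk(G, w):
    """WALK G w: non-empty, every edge in G, destination of each edge = source of the next."""
    _vs, es = G
    if not w:                       # the null list is not a walk
        return False
    if any(e not in es for e in w):
        return False
    return all(e_des(w[i]) == e_src(w[i + 1]) for i in range(len(w) - 1))


def unique_el(l):
    """UNIQUE_EL l: all elements of the list are distinct."""
    return len(set(l)) == len(l)


def v_l(l):
    """V_L l: destinations of the edges, i.e. the vertices visited except the entry."""
    return [e_des(e) for e in l]


def ver_list(l):
    """VER_LIST l: the entry vertex followed by V_L l."""
    return [e_src(l[0])] + v_l(l) if l else []


def trail(G, l):
    return walk(G, l) and unique_el(l)


def path(G, l):
    return trail(G, l) and unique_el(ver_list(l))


def path_entry(l):
    return e_src(l[0])


def path_exit(l):
    return e_des(l[-1])


def disj_list(l1, l2):
    return set(l1).isdisjoint(l2)


def disj_path_naive(G, p1, p2):
    """The first, rejected formulation: the full vertex lists (entries included) must be disjoint."""
    return path(G, p1) and path(G, p2) and disj_list(p1, p2) and disj_list(ver_list(p1), ver_list(p2))


def disj_path(G, p1, p2):
    """DISJ_PATH G p1 p2 as in DISJ_PATH_DEF: entry vertices are excluded from the test via V_L."""
    return path(G, p1) and path(G, p2) and disj_list(p1, p2) and disj_list(v_l(p1), v_l(p2))


def path_append_ok(G, p1, p2):
    """Side conditions under which APPEND p1 p2 is again a path (the PATH_APPEND theorem).
    The last conjunct is needed because V_L p1 omits the entry of p1, so a p2 that
    returns to that entry would otherwise pass DISJ_PATH and close a cycle."""
    return (is_graph(G) and disj_path(G, p1, p2)
            and path_exit(p1) == path_entry(p2)
            and path_entry(p1) not in ver_list(p2))


# Constructed sample graph: a ring A -> B -> C -> D -> A plus a return edge B -> A.
AB, BC, CD, DA, BA = ("A", "B", "j1"), ("B", "C", "j2"), ("C", "D", "j3"), ("D", "A", "j4"), ("B", "A", "j5")
G = (frozenset("ABCD"), frozenset({AB, BC, CD, DA, BA}))


def classify(l):
    """Which of walk / trail / path the edge list l is in the sample graph G."""
    return {"walk": walk(G, l), "trail": trail(G, l), "path": path(G, l)}


if __name__ == "__main__":
    print(classify([AB, BA, AB]))          # walk only: edge AB repeated
    print(classify([AB, BC, CD, DA]))      # trail only: vertex A visited twice
    print(disj_path_naive(G, [AB, BC], [CD]), disj_path(G, [AB, BC], [CD]))
    print(path_append_ok(G, [AB, BC], [CD]), path_append_ok(G, [AB, BC], [CD, DA]))
```

Running the block shows that `[AB, BC]` and `[CD]` are rejected by the VER\_LIST formulation (they share the vertex C at which they join) but accepted by DISJ\_PATH, and that `[AB, BC]` and `[CD, DA]` are also DISJ\_PATH-disjoint even though their concatenation revisits A; only the entry check in `path_append_ok` separates the two cases.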
HOL Definition 42 (DISJ\_PATH\_DEF)

```
"DISJ_PATH G p1 p2 =
   PATH G p1 /\ PATH G p2 /\ DISJ_LIST p1 p2 /\ DISJ_LIST (V_L p1) (V_L p2)"
```

**Extending a path** An existing path $p$ can be extended by adding an edge $h$ to the front of it. The theorem PATH\_CONS expresses the conditions under which a path can be extended in this way. The conditions are:

1. $h$ must be an edge in the same graph;
2. the entry of $p$ is equal to the destination of $h$;
3. $h$ is not already an element of $p$;
4. the source of $h$ is not equal to any of the vertices in $p$.

HOL Theorem 48 (PATH\_CONS)

$\vdash \forall p\ h\ G.\ \mathsf{GRAPH}\ G \land \mathsf{PATH}\ G\ p \land h\ \mathsf{IS\_EDGE}\ G \land (\mathsf{PATH\_ENTRY}\ p = \mathsf{e\_des}\ h) \land \neg\mathsf{LOOP}\ h \land \neg\mathsf{ELEM}\ (\mathsf{VER\_LIST}\ p)\ (\mathsf{e\_src}\ h) \land \neg\mathsf{ELEM}\ p\ h \supset \mathsf{PATH}\ G\ (\mathsf{CONS}\ h\ p)$

Two existing paths $p_1$ and $p_2$ can also be concatenated using the list operator APPEND to form a new path whose entry is the entry of $p_1$ and whose exit is the exit of $p_2$, provided the following conditions hold:

1. the exit of $p_1$ is equal to the entry of $p_2$;
2. $p_1$ and $p_2$ are disjoint paths, i.e., DISJ\_PATH G p1 p2;
3. the entry of $p_1$ is not equal to any of the vertices in $p_2$.

The first condition guarantees that the resulting path is connected, and the second and third conditions eliminate the possibility that the resulting path will have repeated edges and/or loops. This is expressed in the theorem PATH\_APPEND.

HOL Theorem 49 (PATH\_APPEND)

$\vdash \forall G\ p_1\ p_2.\ \mathsf{GRAPH}\ G \land \mathsf{DISJ\_PATH}\ G\ p_1\ p_2 \land (\mathsf{PATH\_EXIT}\ p_1 = \mathsf{PATH\_ENTRY}\ p_2) \land \neg\mathsf{ELEM}\ (\mathsf{VER\_LIST}\ p_2)\ (\mathsf{PATH\_ENTRY}\ p_1) \supset \mathsf{PATH}\ G\ (\mathsf{APPEND}\ p_1\ p_2)$

**Paths under graph operations** If $p$ is a path in $G_1$, then it is still a path in the union of $G_1$ and another graph, say $G_2$.

HOL Theorem 50 (PATH\_G\_UNION)

$\vdash \forall p\ G_1\ G_2.\ \mathsf{GRAPH}\ G_1 \land \mathsf{GRAPH}\ G_2 \land \mathsf{PATH}\ G_1\ p \supset \mathsf{PATH}\ (G_1\ \mathsf{G\_UNION}\ G_2)\ p$

If $p$ is a path in $G$, then it is a path of the graph resulting from inserting an edge or a vertex into $G$.

HOL Theorem 51 (PATH\_INS\_EDGE)

$\vdash \forall p\ e\ G.\ \mathsf{PATH}\ G\ p \supset \mathsf{PATH}\ (e\ \mathsf{INSERT\_EDGE}\ G)\ p$

HOL Theorem 52 (PATH\_INS\_VERTEX)

$\vdash \forall p\ v\ G.\ \mathsf{PATH}\ G\ p \supset \mathsf{PATH}\ (v\ \mathsf{INSERT\_VERTEX}\ G)\ p$

**Connected graph** Finally, the concept of a connected graph is defined in terms of whether there is a path connecting any two vertices in the graph.

HOL Definition 43 (CONNECTED\_DEF)

```
"CONNECTED G = GRAPH G /\
   (!v1 v2. (v1 IS_VERTEX G) /\ (v2 IS_VERTEX G) /\ ~(v1 = v2) ==>
      (?l. (PATH G l) /\ (v1 = PATH_ENTRY l) /\ (v2 = PATH_EXIT l)))"
```

The theories described in this chapter form a mathematical foundation for modelling the track network. These theories have been developed in a very general way to anticipate the needs of other applications. They have been organized into a library which can be loaded into the HOL system by a simple command. When other applications call for the use of graphs, this library will be a quick and reasonable starting point.

# Chapter 5

# Modelling of Railway Components

This chapter describes the theories which model the individual track com-

Let us now consider how to model the railway track components and signals. Their basic functions have been described in Chapter 3. The key to the modelling is abstraction. The basic principle in the development of the theories modelling these components is to concentrate on the major function of each of them. An abstract type is defined to represent each class of components. The basic functions of the components are encoded in the properties of these types. The types are defined using the type definition package[48] in the HOL system, described briefly on Page 24. Then, appropriate projection operators and discriminators are defined to manipulate objects of these types.
These types and constant definitions, together with the theorems about their basic properties, are arranged in three HOL theories: TRACK, SIGNAL and PART. Each of these theories is described in detail in a separate section below.

## 5.1 The theory TRACK

This theory contains the type definitions and constant definitions for the individual track components, namely joins, track circuits and points. The complete theory is listed in Appendix A.6 and the ML source creating this theory is listed in Appendix B.7.

### 5.1.1 Joins

Since joins have no moving parts, all that is required to characterize a join is its type, so an enumerated type is defined to represent them. There are three types of joins in the real track network, as listed in Section 3.1. In addition, a special type of join is required to indicate the connection point between two areas under different control centres. Therefore, the enumerated type has four possible values. The name of the type is Join; its specification is

HOL Definition 44 (Join\_Axiom)

```
'Join = J_conduct | J_insulate | J_overlap | J_terminate'
```

The value J\_terminate is for the joins between control areas. Four predicates, IS\_JCOND, IS\_JINSU, IS\_JOVER and IS\_JTERM, are defined for testing the value of a join. They return T if they are applied to a join whose value is J\_conduct, J\_insulate, J\_overlap or J\_terminate, respectively.

### 5.1.2 Track circuits

At any given time, a track circuit is in one of two physical states, either 'CLEAR' or 'OCCUPIED'. When a route has been set up, it locks the sections of track so that a conflicting route cannot be set up. Although the track circuits along the route are not in the 'OCCUPIED' state, they cannot be included in another route; they are said to be in a 'LOCKED' state.
The track circuit state is represented by an enumerated type :Tstate with the following specification:

HOL Definition 45 (Tstate\_Axiom)

```
'Tstate = occupied | locked | clear'
```

The three constant values correspond to the physical states 'OCCUPIED' and 'CLEAR', and the logical state 'LOCKED'. A track circuit is represented by the type :Tcir with the following specification:

HOL Definition 46 (Tcir\_Axiom)

```
'Tcir = TCIR num (num->Tstate)'
```

The first field of a track circuit is its identification number, which is of type :num. The second field is a function of time yielding the current state of the circuit. For example, if a track circuit is occupied at time slot 10, then $S_{tc}\,10 = \mathsf{occupied}$, where $S_{tc}$ is its state function. This time function represents the physical input into the system.

Within the abstract model of the railway, time is represented by natural numbers, i.e., values of type :num; thus time is on a discrete scale. This is a reasonable approximation of the real system provided the unit of time is sufficiently small. The actual unit depends on how the control system is implemented. In the case of SSI or similar implementations, the time unit could be the duration of a control cycle. The origin of the time scale could be any fixed time in the past.

There are projection operators defined for accessing the fields of track circuits. They are TC\_ID, which returns the identification number, and TC\_SFUNC, which returns the state function.

### 5.1.3 Points

The modelling of points follows the same general principle as the modelling of track circuits. There are two sets of orthogonal states: one concerns the physical state, the position of the point, which can be 'NORMAL', 'REVERSE' or moving between these static positions; the other set concerns the logical states, which indicate whether the point can be moved. The set of physical states is represented by the type :Ppos.
Its specification is

HOL Definition 47 (Ppos\_Axiom)

```
'Ppos = normal | reverse | moving'
```

The set of logical states is represented by the type :Ploc with the following specification:

HOL Definition 48 (Ploc\_Axiom)

```
'Ploc = free_move | free_nor_rev | free_rev_nor | remote_locked'
```

where free\_move indicates the point is free to move to any position, free\_nor\_rev indicates it is free to move from NORMAL to REVERSE, free\_rev\_nor indicates it is free to move from REVERSE to NORMAL, and remote\_locked indicates it cannot be moved at all.

A point is represented by the type :Point, which contains three fields as shown in the specification below:

HOL Definition 49 (Point\_Axiom)

```
'Point = POINT num (num->Ppos) (num->Ploc)'
```

The first field is the identification number, the second is the physical state function and the last is the logical state function. There are three projection operators corresponding to these fields, namely PNT\_ID, PNT\_POS and PNT\_LOC. As it is often required to test the position of points, the predicates PNT\_NORMAL and PNT\_REVERSE are defined to yield T if the point is at the respective position.

HOL Definition 50 (PNT\_NORMAL\_DEF)

```
"PNT_NORMAL p t = ((PNT_POS p t) = normal)"
```

HOL Definition 51 (PNT\_REVERSE\_DEF)

```
"PNT_REVERSE p t = ((PNT_POS p t) = reverse)"
```

# 5.2 The theory SIGNAL

It has been mentioned in Chapter 3 that there are a number of classes of signals and that several signals from different classes may be combined on a signal post to form a compound signal. Following the basic principle, a type is defined to represent each class of signals. Another type, based on these types of simple signals, is defined to represent compound signals. The complete theory is listed in Appendix A.5 and the ML source creating this theory is listed in Appendix B.6.
### 5.2.1 Simple signals

**Main signal** Main signals are the most complex class of simple signals because they can display up to four different aspects, and because there are different types of main signal according to the number of aspects that can be displayed. The enumerated type :Maspect is defined for the current state of main signals.

HOL Definition 52 (Maspect\_Axiom)

```
'Maspect = green | double_yellow | yellow | red |
           green_flash | double_yellow_flash | yellow_flash | faulty_aspect'
```

faulty\_aspect indicates that the signal is faulty. All other values indicate that the chosen aspect is proved to be alight. Another enumerated type, namely :Mtype, is defined for distinguishing the kind of main signal, i.e., the number of aspects it can display.

HOL Definition 53 (Mtype\_Axiom)

```
'Mtype = two_aspect | three_aspect | four_aspect | two_repeat | three_repeat'
```

The type for main signals is :Msig, which has two fields: the first indicates the kind of signal and the second is the state function.

HOL Definition 54 (Msig\_Axiom)

```
'Msig = MSIG Mtype (num->Maspect)'
```

There are three predicates for testing the current state of a main signal, namely MAIN\_ON, MAIN\_OFF and MAIN\_FAULTY. A main signal is said to be 'ON' if the RED aspect is alight. It is said to be faulty if the state function returns the value faulty\_aspect. Otherwise it is 'OFF'.

HOL Definition 55 (MAIN\_DEF)

```
"MAIN_ON s (t:num) = (M_ASPECT s t) = red"
```

HOL Definition 56 (MAIN\_FAULTY\_DEF)

```
"MAIN_FAULTY s (t:num) = (M_ASPECT s t) = faulty_aspect"
```

HOL Definition 57 (MAIN\_OFF\_DEF)

```
"MAIN_OFF s (t:num) = ~(MAIN_ON s t) /\ ~(MAIN_FAULTY s t)"
```

**Junction indicators** The type :Jsig is defined for both junction indicators and route indicators, regardless of how they are implemented. The only thing which concerns us is whether the indicator is alight. A state function of type :num->bool is used for the current state, where T (true) means the chosen arm or route number of the indicator is proved alight.
HOL Definition 58 (Jsig\_Axiom)

```
'Jsig = JSIG (num->bool)'
```

**Subsidiary signals** A subsidiary signal has only the 'OFF' aspect, which gives the driver authority to pass the main signal showing the 'ON' aspect but to be prepared to stop short of any obstruction. Therefore, the type for subsidiary signal aspects has two possible values: sub\_not\_show and sub\_off. The type representing subsidiary signals is :Subsig, which has only a state function returning the current aspect.

HOL Definition 59 (Subaspect\_Axiom)

```
'Subaspect = sub_not_show | sub_off'
```

HOL Definition 60 (Subsig\_Axiom)

```
'Subsig = SUBSIG (num->Subaspect)'
```

**Shunting signals** Shunting signals have two possible aspects, 'ON' and 'OFF', and may have a proving circuit for the 'ON' aspect; thus the type :Shaspect has three possible values. The type for shunting signals, :Shsig, has only one field, the state function.

HOL Definition 61 (Shaspect\_Axiom)

```
'Shaspect = sh_on | sh_off | sh_faulty'
```

HOL Definition 62 (Shsig\_Axiom)

```
'Shsig = SHUNTSIG (num->Shaspect)'
```

### 5.2.2 Compound signals

Compound signals are represented by the type :Signal. A constructor is provided for each combination of types of signals.

HOL Definition 63 (Signal\_Axiom)

```
'Signal = SIGNALM num Msig
        | SIGNALMJ num Msig Jsig
        | SIGNALMS num Msig Subsig
        | SIGNALMSJ num Msig Subsig Jsig
        | SIGNALS num Shsig'
```

The first field of any compound signal is the identification number. The other fields are the constituent signals. The projection operators SIGNAL\_ID and SIGNAL\_MAIN are defined to access the identification number and the main signal.
HOL Definition 64 (SIGNAL\_ID\_DEF)

```
"(SIGNAL_ID (SIGNALM id m) = id) /\
 (SIGNAL_ID (SIGNALMJ id m j) = id) /\
 (SIGNAL_ID (SIGNALMS id m s) = id) /\
 (SIGNAL_ID (SIGNALMSJ id m s j) = id) /\
 (SIGNAL_ID (SIGNALS id s) = id)"
```

HOL Definition 65 (SIGNAL\_MAIN\_DEF)

```
"(SIGNAL_MAIN (SIGNALM id m) = m) /\
 (SIGNAL_MAIN (SIGNALMJ id m j) = m) /\
 (SIGNAL_MAIN (SIGNALMS id m s) = m) /\
 (SIGNAL_MAIN (SIGNALMSJ id m s j) = m)"
```

Since the 'ON' and 'OFF' states are of most importance in the operation of interlocking, two predicates, ON and OFF, are defined for testing the current ON/OFF state of a signal.

HOL Definition 66 (ON\_DEF)

```
"(ON (SIGNALM id m) t = (MAIN_ON m t)) /\
 (ON (SIGNALMJ id m j) t = (MAIN_ON m t)) /\
 (ON (SIGNALMS id m s) t = (MAIN_ON m t)) /\
 (ON (SIGNALMSJ id m s j) t = (MAIN_ON m t)) /\
 (ON (SIGNALS id s) t = (SHUNT_ON s t))"
```

HOL Definition 67 (OFF\_DEF)

```
"(OFF (SIGNALM id m) t = (MAIN_OFF m t)) /\
 (OFF (SIGNALMJ id m j) t = (MAIN_OFF m t)) /\
 (OFF (SIGNALMS id m s) t = (MAIN_OFF m t)) /\
 (OFF (SIGNALMSJ id m s j) t = (MAIN_OFF m t)) /\
 (OFF (SIGNALS id s) t = (SHUNT_OFF s t))"
```

If a signal is neither 'ON' nor 'OFF', then it is faulty; the predicate SIGNAL\_FAULT indicates such a state.

HOL Definition 68 (SIGNAL\_FAULT\_DEF)

```
"SIGNAL_FAULT s t = ~((ON s t) \/ (OFF s t))"
```

At any given time, a signal will be in exactly one of the 'ON', 'OFF' or 'FAULTY' states, and it will never be in both the 'ON' and 'OFF' states. These states are characterized by the predicates ON, OFF and SIGNAL\_FAULT, which in turn rest on the properties that the constructors for the types of signal aspects are distinct and one-one. This is an important property of the signals and it is asserted by the theorems SIGNAL\_STATES and SIGNAL\_NOT\_ON\_OFF.

HOL Theorem 53 (SIGNAL\_STATES)

HOL Theorem 54 (SIGNAL\_NOT\_ON\_OFF)

$\vdash \forall s\ t.\ \neg((\mathsf{ON}\ s\ t) \land (\mathsf{OFF}\ s\ t))$

## 5.3 The theory PART

This theory contains two type definitions defining two kinds of atomic building blocks for creating track networks. The first is the parts, which will become the vertices in the graph representing the network, and the second is the labels of the edges. Chapter 6 will show how a network is formed using these parts and edges. Meanwhile, the definitions of parts and edge labels are described here. The complete theory listing can be found in Appendix A.7 and the ML source creating this theory is listed in Appendix B.8.

### 5.3.1 Parts

The type :Part is defined to represent a section of track in the network. Each part has an identification number, an associated track circuit (except buffers) and a single atomic track component, which may be any class of component listed in Table 3.1. A track circuit may be shared by more than one part.

HOL Definition 69 (Part\_Axiom)

```
'Part = BPART num
      | TPART num Tcir
      | DPART num Tcir (num#num) (num#num)
      | PPART num Tcir Point (num#num#num)'
```

Since there are four kinds of atomic components, the definition of the type :Part has four cases. A part constructed by BPART represents a buffer, and one constructed by TPART represents a section of plain track. They are simple and do not deserve more explanation. A diamond crossing is represented by a DPART part. The last two fields, of type :num#num, are the identification numbers of the adjacent parts. A movement through the diamond crossing can only be made between the parts indicated in the same pair. Since all three kinds of parts mentioned above contain no moving elements, they are static. In contrast, a PPART represents a section containing a point, which may change state according to its position. The current state of the point is given by the state function in the third field. The last field, a triple of identification numbers, points to the adjacent parts which should be on the trailing, normal and reverse ends of the point, respectively.
Projection operators are defined for accessing the various fields of a part, and discriminators are defined for testing what kind of part an object of this type is. They are listed in Table 5.1.

| Operator | Meaning |
|---|---|
| PART\_PNT\_REVERSE | returns the ID number of the part at the reverse end |
| IS\_PPART | T if the part is a point |

Table 5.1: Projection operators and predicates for :Part.

### 5.3.2 Edge labels

Adjacent parts are connected by edges, each of which is labelled by the join between the parts and possibly a signal. The type :Elbl is defined to represent the edge label. It has two cases: either a join with an attached signal, or simply a join.

HOL Definition 70 (Elbl\_Axiom)

```
'Elbl = ELBLSIG Join Signal | ELBL Join'
```

Projection operators are defined to access the join and signal fields, and a predicate returning T if an edge has a signal attached is also defined.

HOL Definition 71 (ELBL\_JOIN\_DEF)

```
"(ELBL_JOIN (ELBLSIG j s) = j) /\
 (ELBL_JOIN (ELBL j) = j)"
```

HOL Definition 72 (ELBL\_SIGNAL\_DEF)

```
"ELBL_SIGNAL (ELBLSIG j s) = s"
```

HOL Definition 73 (IS\_ELBL\_SIGNAL\_DEF)

```
"IS_ELBL_SIGNAL (ELBLSIG j s) = T"
```

Now the basic building blocks of a railway track network have been defined. The rules for building 'legal' networks will be described in the next chapter.

# Chapter 6

# The network model

This chapter describes the model for complete railway track networks, which is specified in the HOL theory NETWORK. Networks are modelled using a class of directed graphs. Some basic properties of such networks are explained.

Having created the specifications of the parts, the signals and a generic graph theory, the model of a complete track network can be specified based on these building blocks. A network is modelled by a constrained, labelled directed graph whose vertices are labelled by track component parts and whose edges are labelled by joins and signals.
The basic procedure for creating a model of a track layout is:

- construct an object of type :Part for each atomic track component with its associated track circuit; these will become the vertices;
- construct an object of type :Elbl for each signal and join; these will become the labels of the edges;
- connect the adjacent parts with two antiparallel edges to represent possible traffic running in the two directions; the edges are labelled by the appropriate objects of type :Elbl.

The resulting network model is an abstract representation of the track layout. It preserves the topological relation between the adjacent parts, and between the parts and signals, in the original layout. The physical dimensions, such as the length of each section of track, are ignored.

The specification of this model will be described in Section 6.1 and examples of track networks will be shown in Section 6.2. Some basic properties of the network model will be discussed in the last section of this chapter. The specification of the network model and the theorems are stored in the HOL theory NETWORK, which is listed in Appendix A.8; the ML source creating this theory is listed in Appendix B.9.

## 6.1 Specification of railway track networks

The type variable :\* appearing in :Graph is instantiated by the type :Part, and :\*\* by :Elbl. With this type, the vertices of the network represent the track components and the edges are labelled either simply by a join or by a combination of a join and a signal. The edges represent the connections between the parts and the possible directions of the traffic moving between them. However, not all objects of this type are proper networks according to the rules of designing track layouts. A predicate NETWORK is required to distinguish the real railway track networks from those which, although properly typed, violate the rules. It defines a subset of the objects of type :Network to be proper railway track networks.
This is to say that if any object of type :Network satisfies the predicate NETWORK, it is a representation of a physical track layout which can be constructed following the rules of a railway authority. The rules used in this study are taken from British Rail's current practice[54]. These rules are embedded in the definition of NETWORK, which is defined inductively, i.e., a network can be built up by adding component parts to an existing network.

HOL Definition 74 (NETWORK\_DEF)

```
"BETUORK (B:Hetwork) = iP.((in. P(((BPART n)), ( ))) /\ (in. t. P(((BPART n)), ( ))) /\ (in. t. p. no. P(((PPART n t. p. no.)), ( ))) /\ (in. t. p. no. P((((DPART n t. n. no.)), ( ))) /\ (in. t. p. no. P(((DPART n t. n. no.)), ( ))) /\ (in. p. p. p. ((P. n. / (p. 1. waters n) /\ (in. p. p. p. no.) (BPC n. p. no.) (in. no. P((in. no.)) /\ (in. no.) P((i
```

The body of this definition is an implication, which specifies that a single track component (a part) on its own is a legal network (the first four conjuncts in the antecedent), and that there is only one way of building up larger networks (the last conjunct, which is itself an implication). To construct a larger network, one can add a vertex to an existing network and connect this new vertex with an existing vertex by a pair of antiparallel edges. To apply this network-building operation, certain conditions have to be met in order to preserve the basic network properties in the result. These conditions are specified as the antecedent of the implication corresponding to the specification of the operation. The meaning of this specification is:

1. the vertex $p_1$ with which the newly added edges are incident must be a vertex in the existing network;
2. the new vertex $p_2$ must not be identical to $p_1$;
3. both of them must satisfy the predicate NFC with respect to the network $N$.

The name NFC stands for Not-Fully-Connected. Its definition specifies that the in-degree of a vertex must be less than a limit.
The maximum number of edges which are incident to a vertex depends on the kind of part in the vertex. The limits reflect the topological characteristics of the parts. For example, at most two connections can be made to a TPART, which represents a plain track, because parts can only be connected to it at its two ends.

HOL Definition 75 (NFC\_DEF)

```
"(NFC (N:Network) (BPART n) = (IN_DEGREE N (BPART n) < 1)) /\
 (NFC (N:Network) (TPART n t) = (IN_DEGREE N (TPART n t) < 2)) /\
 (NFC (N:Network) (PPART n t p nnn) = (IN_DEGREE N (PPART n t p nnn) < 3)) /\
 (NFC (N:Network) (DPART n t nn nn') = (IN_DEGREE N (DPART n t nn nn') < 4))"
```

Here, the out-degree of a vertex is not mentioned. It has been ignored deliberately, since the way a network is constructed requires that edges are always added as an antiparallel pair, which guarantees that the in-degree of each vertex is equal to its out-degree; therefore, specifying only one of them is sufficient.

The operations carried out in the construction of a network are the general graph operations INSERT\_EDGE and INSERT\_VERTEX defined in the theory graph. To make the network specification more concise, a function NJOIN is defined to abbreviate these graph operations.

Figure 6.1: A simple network.

HOL Definition 76 (NJOIN\_DEF)

```
"NJOIN (N:Network) (p1:Part) (s1:Elbl) p2 s2 =
   ((p1,p2,s1) INSERT_EDGE ((p2,p1,s2) INSERT_EDGE (p2 INSERT_VERTEX N)))"
```

The pre-conditions of the network construction operation NJOIN do not specify that $p_2$ must not be a vertex of the existing network $N$. This implies that it may also be one of the vertices already in $N$. This is necessary because models for one class of layouts cannot be constructed without this lack of restriction on $p_2$. This class of layouts contains one or more loops, as will be shown in the next section.

# 6.2 Examples of networks

Let us now study some examples of railway track networks.
The first example, shown in Figure 6.1, is a very simple network which illustrates the concept of Not-Fully-Connected and the placement of signals. Suppose that all vertices in this network are of kind TPART; then the middle one, namely T2, is fully connected, i.e., NFC N T2 = F, while the other two parts, T1 and T3, are not fully connected. Another point which should be mentioned here is that there is a signal attached to the edge from T1 to T2. A train moving from T1 to T2 follows this edge and is under the control of the signal, while a train moving in the reverse direction follows the other edge and is not controlled by the signal.

Figure 6.2: Another simple network.

The second example illustrates the operation NJOIN. In Figure 6.2, the network N has a not-fully-connected PPART P1, and the separate part T2 is a TPART. T2 is clearly not-fully-connected just after it is added into N. The conditions for constructing a larger network are satisfied, so the following operation can be carried out:

```
NJOIN N P1 j1 T2 j1
```

where j1 has been defined to be a simple insulated join, i.e., j1 = EDGE J_insulate. The result of this is the network shown in Figure 6.3(a), and the corresponding track layout is shown in Figure 6.3(b).

Figure 6.3: A network formed using NJOIN.

Figure 6.4: A track layout containing a passing loop.

The third example illustrates the situation in which the second vertex of the NJOIN operation is already in the existing network. The track layout shown in Figure 6.4(a) contains a passing loop. Suppose that a network model containing all the vertices and edges except the pair of edges labelled j6 and S104 has been created, and it is bound to the name N. The NJOIN operation can be used to insert only a pair of edges into N by taking P12 as the first vertex and T4 as the second. This can be
written as

```
N' = NJOIN N P12 j6 T4 S104
```

The effect of this operation is

```
(P12,T4,j6) INSERT_EDGE ((T4,P12,S104) INSERT_EDGE N)
```

because T4 is already a vertex of N, so the operation T4 INSERT_VERTEX N is redundant. This shows that the function NJOIN does provide the means to close a loop in a network model. Without this flexibility, it would be impossible to build any network containing a passing loop. The complete specification of this network is:

```
({T1, T2, T3, T4, P11, P12},
 {(T1,P11,S100), (P11,T1,j1), (P11,T2,j2), (T2,P11,S103),
  (T2,P12,S102), (P12,T2,j3), (P12,T3,j4), (T3,P12,S101),
  (P11,T4,j5), (T4,P11,S105), (T4,P12,S104), (P12,T4,j6)})
```

It will be shown in Chapter 7 how this network specification is verified against the generic network definition.

The last example is more extensive and realistic. It is a network model of the double left-hand junction layout shown in Figure 3.4. Its graph is shown in Figure 6.5. The specification of this network can be written in HOL in a canonical form as:

```
({T100, T101, T102, T103, T104, T105, T106, T107, T108, T109, T110,
  T111, T112, P200, P201, D300},
 {(T100,T101,S10), (T101,T100,J1), (T101,P200,J2), (P200,T101,J2),
  (P200,T104,J3), (T104,P200,J3), (P200,D300,J4), (D300,P200,J4),
  (T104,T105,J5), (T105,T106,J5), (T105,T106,J4), (T107,T108,J1),
  (T102,D300,J7), (T102,T103,S12), (T103,T102,J8), (T107,T108,S11),
  (T108,T107,J9), (T108,D300,J10), (D300,T108,J10), (D300,P201,J11),
  (P201,D300,J11), (T109,T110,S13), (T110,T109,J12), (T110,P201,J13),
  (P201,T110,J13), (P201,T111,J14), (T111,P201,J14), (T111,T112,S15),
  (T112,T111,J15)})
```

Figure 6.5: A network model representing the track layout in Figure 3.4.

where Tn, for every n appearing above, has been defined as $(\mathsf{TPART}\ n\ ncir)$, and similarly the points (P200, P201) and the diamond crossing (D300) have been defined as the appropriate kinds of part.
ncir is the track circuit number associated with the part.

# 6.3 Inductive reasoning on networks

Induction is a very powerful tool of reasoning. One of the reasons that the network specification has been defined as shown in HOL Definition 74 is to take advantage of this reasoning method. The way that induction is carried out with networks is explained below.

First of all, the base cases of induction are identified. They are the single-part networks. The following four theorems state that a single part of any kind is a legal network. They follow immediately from the definition NETWORK_DEF.

HOL Theorem 55 (NETWORK_BUFFER)
$\vdash \forall n.\ \mathsf{NETWORK}(\{\mathsf{BPART}\ n\}, \{\})$

HOL Theorem 56 (NETWORK_TRACK)
$\vdash \forall n\ t.\ \mathsf{NETWORK}(\{\mathsf{TPART}\ n\ t\}, \{\})$

HOL Theorem 57 (NETWORK_POINT)
$\vdash \forall n\ t\ p\ n_3.\ \mathsf{NETWORK}(\{\mathsf{PPART}\ n\ t\ p\ n_3\}, \{\})$

HOL Theorem 58 (NETWORK_DIAM)
$\vdash \forall n\ t\ n_1\ n_2.\ \mathsf{NETWORK}(\{\mathsf{DPART}\ n\ t\ n_1\ n_2\}, \{\})$

The induction step is the network construction operation NJOIN. The theorem NETWORK_NJOIN asserts that the result of this operation is also a network, provided the pre-conditions specified in the definition are met.

HOL Theorem 59 (NETWORK_NJOIN)
$$\vdash \forall N.\ \mathsf{NETWORK}\ N \supset (\forall p_1\ p_2.\ p_1\ \mathsf{IS\_VERTEX}\ N \land \neg(p_1 = p_2) \land \mathsf{NFC}\ N\ p_1 \land \mathsf{NFC}\ N\ p_2 \supset (\forall e_1\ e_2.\ \mathsf{NETWORK}(\mathsf{NJOIN}\ N\ p_1\ e_1\ p_2\ e_2)))$$

The induction theorem for networks is NETWORK_INDUCT. This states that if all the simple networks have the property P (the base cases), and if the property P holds for the result of the network building operation whenever it holds for the network being operated on (the step case), then the property P holds for all networks. This theorem also follows directly from the network definition.

HOL Theorem 60 (NETWORK_INDUCT)
$\vdash \forall P.$
$$\begin{aligned} & (\forall n.\ P(\{\mathsf{BPART}\ n\}, \{\})) \land \\ & (\forall n\ t.\ P(\{\mathsf{TPART}\ n\ t\}, \{\})) \land \\ & (\forall n\ t\ p\ n_3.\ P(\{\mathsf{PPART}\ n\ t\ p\ n_3\}, \{\})) \land \\ & (\forall n\ t\ n_1\ n_2.\ P(\{\mathsf{DPART}\ n\ t\ n_1\ n_2\}, \{\})) \land \\ & (\forall N\ p_1\ p_2.\ P\ N \land \neg(p_1 = p_2) \land p_1\ \mathsf{IS\_VERTEX}\ N \land \mathsf{NFC}\ N\ p_1 \land \mathsf{NFC}\ N\ p_2 \supset \\ & \qquad (\forall e_1\ e_2.\ P(\mathsf{NJOIN}\ N\ p_1\ e_1\ p_2\ e_2))) \supset \\ & (\forall N.\ \mathsf{NETWORK}\ N \supset P\ N) \end{aligned}$$

Structural induction based on this theorem can be carried out. To facilitate this in the goal directed proof style, a tactic NETWORK_INDUCT_TAC has been written to automate the generation of subgoals and the management of the proof. The goal to which this tactic is applied should be in the following form:

```
!N. NETWORK N ==> P[N]
```

where P[N] is a term stating some property of N. It should be of type :bool. For example, "!N. NETWORK N ==> GRAPH N" is a goal in the correct form for the induction tactic. When applied to a properly formed goal, the tactic generates five subgoals:

```
P[BPART ...]
P[TPART ...]
P[PPART ...]
P[DPART ...]
P[NJOIN ...]
```

Suppose the network induction tactic is applied to the goal "!N. NETWORK N ==> GRAPH N"; the following five subgoals will be generated:

```
"!N p1 p2. GRAPH N /\ ~(p1 = p2) /\ p1 IS_VERTEX N /\ NFC N p1 /\ NFC N p2 ==>
           (!e1 e2. GRAPH(NJOIN N p1 e1 p2 e2))"
"!n t n1 n2. GRAPH({DPART n t n1 n2},{})"
"!n t p n3. GRAPH({PPART n t p n3},{})"
"!n t. GRAPH({TPART n t},{})"
"!n. GRAPH({BPART n},{})"
```

They correspond to the five conjuncts in the antecedent of the induction theorem. The justification of this tactic is modus ponens: if all conjuncts of the antecedent of the induction theorem are true, then the conclusion must also be true.
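The definitions of Section 6.1 and the induction step above are easiest to check by executing them. The following Python model is an added example, not code from the thesis or its HOL sources: it builds networks only through the two constructors of NETWORK_DEF (a single part, then NJOIN with its three preconditions enforced), so any property tested on a network built this way is tested along exactly the base cases and step case that NETWORK_INDUCT_TAC generates. It assumes that part names carry their kind as an RLS-style prefix letter (T1, P11, D300, B5, the convention of Chapter 7), it names the signal on the T1 to T2 edge of Figure 6.1 `S1` because the text gives it no name, and the passing loop of Figure 6.4 uses the labels of its complete specification in Section 6.2.

```python
"""Executable model of NETWORK_DEF, NFC_DEF and NJOIN_DEF (added example, not thesis code)."""
from collections import deque

# NFC_DEF limits on in-degree: BPART < 1, TPART < 2, PPART < 3, DPART < 4.
NFC_LIMIT = {"B": 1, "T": 2, "P": 3, "D": 4}


class NetworkError(ValueError):
    """An NJOIN step that violates a precondition of NETWORK_DEF."""


class Network:
    """A network as (vertex set, edge set); an edge is a triple (src, dst, label).
    Assumption: part names carry the RLS prefix letter of their kind (T1, P11, D300, B5)."""

    def __init__(self, part):
        self.vs = {part}          # base case: a single part on its own is a network
        self.es = set()

    def in_degree(self, v):
        return sum(1 for (_, dst, _) in self.es if dst == v)

    def out_degree(self, v):
        return sum(1 for (src, _, _) in self.es if src == v)

    def nfc(self, v):
        """Not-Fully-Connected: in-degree below the limit for the part's kind."""
        return self.in_degree(v) < NFC_LIMIT[v[0]]

    def njoin(self, p1, e1, p2, e2):
        """NJOIN N p1 e1 p2 e2, checking the antecedent of the induction step first.
        p2 may already be a vertex of N; that is how a loop is closed."""
        if p1 not in self.vs:
            raise NetworkError(f"{p1} is not a vertex of the network")
        if p1 == p2:
            raise NetworkError("p1 and p2 must be distinct")
        if not self.nfc(p1):
            raise NetworkError(f"{p1} is fully connected")
        if not self.nfc(p2):
            raise NetworkError(f"{p2} is fully connected")
        self.vs.add(p2)                   # p2 INSERT_VERTEX N (no-op if already present)
        self.es.add((p2, p1, e2))         # (p2,p1,e2) INSERT_EDGE ...
        self.es.add((p1, p2, e1))         # (p1,p2,e1) INSERT_EDGE ...
        return self

    def is_graph(self):
        """GRAPH: every edge joins two members of the vertex set."""
        return all(s in self.vs and d in self.vs for (s, d, _) in self.es)

    def is_connected(self):
        """CONNECTED: every vertex is reachable from any other (breadth-first search)."""
        start = next(iter(self.vs))
        seen, todo = {start}, deque([start])
        while todo:
            v = todo.popleft()
            for (s, d, _) in self.es:
                if s == v and d not in seen:
                    seen.add(d)
                    todo.append(d)
        return seen == self.vs

    def degrees_balanced(self):
        """Antiparallel insertion makes in-degree equal out-degree at every vertex."""
        return all(self.in_degree(v) == self.out_degree(v) for v in self.vs)


def figure_6_1():
    """T1 - T2 - T3 of Figure 6.1; the signal label S1 on T1 -> T2 is an assumed name."""
    n = Network("T1")
    n.njoin("T1", "S1", "T2", "j1")
    n.njoin("T2", "j2", "T3", "j3")
    return n


def passing_loop():
    """Figure 6.4, built by the NJOIN sequence of the RLS example in Chapter 7 and
    labelled as in the complete specification of Section 6.2."""
    n = Network("T1")
    n.njoin("T1", "S100", "P11", "j1")
    n.njoin("P11", "j2", "T2", "S103")
    n.njoin("T2", "S102", "P12", "j3")
    n.njoin("P12", "j4", "T3", "S101")
    n.njoin("P11", "j5", "T4", "S105")
    n.njoin("T4", "S104", "P12", "j6")   # T4 already present: only two edges are added
    return n


def rejected_reason(build):
    """Run a construction; return the violated precondition, or None if it is legal."""
    try:
        build()
        return None
    except NetworkError as exc:
        return str(exc)
```

The last NJOIN of `passing_loop` finds T4 already present, so only the antiparallel pair (T4,P12,S104), (P12,T4,j6) is added, exactly as in the third example of Section 6.2. `rejected_reason` shows what the preconditions exclude: joining a new part onto the fully connected T2 of Figure 6.1, or onto P12 once its three legs are used, fails before any edge is inserted, which is the point of checking NFC on both ends rather than only on the new vertex.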
# 6.4 Some properties of networks

One of the reasons for using Higher Order Logic in the modelling of railway signalling is its generality. This means that it is able to deduce general properties of the model, such that all instances of networks created following the specification will possess the same properties. Some of the more important properties of the network model are described in this section.

Networks are graphs. Although the definition of network does not explicitly specify that a network must be a graph, this is indeed always true. This is because the type :Network is an instance of the polymorphic graph type defined in the theory graph, the base cases (single-part networks) are trivial single-vertex graphs, and all networks are built using only those graph operations that preserve the abstract property of being a graph. This fact is stated by the theorem NETWORK_GRAPH.

HOL Theorem 61 (NETWORK_GRAPH)
$\vdash \forall N.\ \mathsf{NETWORK}\ N \supset \mathsf{GRAPH}\ N$

After this fact has been established, all graph operations can be applied to networks safely, and all theorems about graphs also hold for networks. The hierarchy of the theories reflects this as well. Since the theory graph is an ancestor of the theory NETWORK, all functions defined in the theory graph are available to networks, and all theorems proved about graphs hold for networks as well.

Networks are finite. The theorem NETWORK_FINITE asserts that all networks are finite, that is, both the vertex set and the edge set of any network are finite.

HOL Theorem 62 (NETWORK_FINITE)
$\vdash \forall N.\ \mathsf{NETWORK}\ N \supset \mathsf{FINITE}(\mathsf{VS}\ N) \land \mathsf{FINITE}(\mathsf{ES}\ N)$

This theorem has been proved by induction using NETWORK_INDUCT_TAC. The base cases are trivial: a single-vertex graph is clearly finite.
That the results of the network building operation are finite can be deduced from the fact that adding a finite number of elements to a finite set results in a finite set (more precisely, two edges are added to the edge set and possibly one vertex is added to the vertex set in each operation). Combining the theorems NETWORK_GRAPH and NETWORK_FINITE, one can state that all networks are finite graphs.

HOL Theorem 63 (NETWORK_FINITE_GRAPH)
$\vdash \forall N.\ \mathsf{NETWORK}\ N \supset \mathsf{FINITE\_GRAPH}\ N$

Thus, all infinite sets are excluded from networks. The practical significance of this is that there exists an upper bound on the number of components in a network. Therefore, search algorithms operating on networks should terminate eventually. This is also significant when considering the storage required for the database of geographic data and the time required in each iteration of the control loop in the interlocking software.

Networks are connected. Recall the definition CONNECTED_DEF in Chapter 4, which specifies that there exists a path between any two different vertices in a connected graph. This implies that no part of a connected graph is separated from the rest. The theorem NETWORK_CONNECTED asserts that all networks are connected.

HOL Theorem 64 (NETWORK_CONNECTED)
$\vdash \forall N.\ \mathsf{NETWORK}\ N \supset \mathsf{CONNECTED}\ N$

This theorem has also been proved by induction using NETWORK_INDUCT_TAC. The base cases are trivial, since there is only one vertex in each graph. For the induction step, what is required to be proved is that by adding a vertex to a connected graph, and at the same time adding a pair of edges connecting it to a vertex already in the existing graph, the resulting graph will still be connected. The subgoal corresponding to this is:

```
"!N p1 p2. CONNECTED N /\ ~(p1 = p2) /\ p1 IS_VERTEX N /\ (NFC N p1) /\ (NFC N p2) ==>
           (!e1 e2. CONNECTED (NJOIN N p1 e1 p2 e2))"
```

By rewriting with the definition of CONNECTED, this is further divided into two subgoals. The first is of the form

```
... ==> GRAPH (NJOIN N p1 e1 p2 e2)
```

where the antecedent has been abbreviated as `...`. This is essentially the subgoal corresponding to the induction step in the proof of the theorem NETWORK_GRAPH, which means that the result of the NJOIN operation must always be a graph. The same tactic used in proving the corresponding subgoal in NETWORK_GRAPH can be applied to solve it. The second subgoal is also an implication, but more complex:

```
"!v1 v2. v1 IS_VERTEX (NJOIN N p1 e1 p2 e2) /\ v2 IS_VERTEX (NJOIN N p1 e1 p2 e2) /\ ~(v1 = v2) ==>
         (?l. PATH (NJOIN N p1 e1 p2 e2) l /\ (v1 = PATH_ENTRY l) /\ (v2 = PATH_EXIT l))"
```

In essence, what is required to be shown is that there exists a path between any two different vertices in the resulting network (NJOIN N p1 e1 p2 e2), given that N is connected. To solve this, case analysis on the location of $p_2$ can be carried out ($p_1$ is already a vertex in N by the definition of NETWORK). There are two cases:

I. $p_2$ is in N;
II. $p_2$ is outside N.

In case I, the operation NJOIN inserts into N only two edges and no new vertex. Since N is connected, the result of adding two edges to it is clearly still connected. The situation in case II is more complicated. Further case analysis on the locations of the variable vertices $v_1$ and $v_2$ can be carried out. There are four cases according to whether $v_1$ and $v_2$ are in N:

1. both $v_1$ and $v_2$ are outside N;
2. $v_1$ is in N and $v_2$ is outside N;
3. $v_2$ is in N and $v_1$ is outside N;
4. both $v_1$ and $v_2$ are in N.

The first case is trivial, since there is only one vertex outside N, namely $p_2$. If both $v_1$ and $v_2$ are outside N, they must both equal $p_2$. This contradicts $\neg(v_1 = v_2)$ in the antecedent of the subgoal.
Case 4 is simple: since N is already connected, there is a path between any two vertices in it. Cases 2 and 3 are reciprocal, with the locations of the variable vertices $v_1$ and $v_2$ transposed. The situation of case 2 is illustrated in Figure 6.6.

Figure 6.6: Location of vertices: case 2.

These two cases require further case analysis according to whether $v_1$ and $v_2$ are identical to the vertices $p_1$ and $p_2$. There are again four cases. Taking case 2 as an example, the subcases can be listed as:

(a) $v_1 = p_1$ and $v_2 = p_2$;
(b) $v_1 = p_1$ and $\neg(v_2 = p_2)$;
(c) $\neg(v_1 = p_1)$ and $v_2 = p_2$;
(d) $\neg(v_1 = p_1)$ and $\neg(v_2 = p_2)$.

There is no path from $v_1$ to $v_2$ in cases (b) and (d), because $v_2$ is outside N and not equal to $p_2$, which implies that $v_2$ is not a vertex of the resulting network. These situations contradict the antecedent of the subgoal, so they can be solved by contradiction. To prove each of the remaining two subcases requires an appropriate witness to be supplied to the theorem prover. The witness for subcase (a) is the single-edge path

$[(p_1, p_2, e_1)]$

which is one of the newly added edges connecting the two vertices. This is clearly a path in the new network. The witness for subcase (c) is the path

$\mathsf{APPEND}\ l\ [(p_1, p_2, e_1)]$

where $l$ is a path in N with $v_1 = \mathsf{PATH\_ENTRY}\ l$ and $p_1 = \mathsf{PATH\_EXIT}\ l$. Since $l$ is a path in N, it must also be a path in any larger network containing N. Appending the path $[(p_1, p_2, e_1)]$ to it in the larger network results in a path, provided that the conditions for combining paths specified in the theorem PATH_APPEND are satisfied. In this case, these conditions are satisfied because the newly inserted edge $(p_1, p_2, e_1)$ is not equal to any of the edges in $l$, and the new vertex $p_2$ is not equal to any of the vertices passed by $l$. Thus, this subcase can be resolved. Case 3 can be solved using the same method.
Following this analysis, an appropriate tactic can be built to solve the subgoals and thus prove the theorem NETWORK_CONNECTED. The complete proof can be found in Appendix B.9.

The theorem NETWORK_CONNECTED is very important in practice. It implies that from any point in a network, any other point can be reached. This does not mean that a single route can be set up for a train to move between any two parts in a network. Routes have not been formally defined yet.

Following the approach explained above, other general properties of the network model can be deduced. This network model and its properties provide a formal foundation on which reasoning about routes and interlocking can be carried out. The following chapters will explain how to use the theories described in this part to help design and implement Computer Aided Design (CAD) tools and possible operational software for signalling engineers.

# Part III

# Applications

In this part, three applications are presented which use the formal model of railway track networks described in Part II. They are:

1. verification of track layout;
2. generation of control tables;
3. interlocking of routes.

Each of these will be described in a separate chapter. The first two applications are in the area of CAD tools for signalling scheme design. The last one concerns the modelling of the logical operations of interlocking systems. These applications can be viewed as a case study of applying the theories in practice. In the concluding chapter of the thesis, further uses of the theories will be discussed.

# Chapter 7

# Verification of track layout

This chapter describes a railway track layout verifier. It accepts specifications of track layouts generated by CAD tools and verifies them against the formal model of track networks. For each specification it deduces a theorem asserting the conformity of the specification to the formal network model, if this is true.
As described in Section 3.3.2, the first step in the design of a signalling scheme is the specification of the track and signal layout. The result of this step is a specification for the required layout. The process of producing this specification usually involves designers and engineers from many disciplines. One of the tasks of the signalling engineers is to ensure that the new scheme will conform to all safety regulations. In order to apply rigorous methods in later stages of the design and implementation of signalling schemes, a formal specification of the layout is indispensable, in addition to the traditional layout drawings and descriptions in natural language. Formal reasoning can be carried out using this abstract representation.

First of all, verification of this formal specification of the track layout against the formal model of track networks should be performed. This ensures that the specification conforms to the rules for creating track networks, and hence that it is a representation of a 'legal' layout. Here, legal means conforming to the formal definition of a track network.

Figure 7.1: Generation and verification of track layout.

Figure 7.1 illustrates the process of generating and verifying a formal specification. The layout compiler will be described in Section 7.1, while the subject of this chapter, the network verifier, will be described in detail in the subsequent sections.

# 7.1 Layout compiler

Although the subject of this chapter is the verifier, some comments on the layout compiler will help to understand the motivation, necessity and usefulness of the verifier. The layout compiler is a CAD tool acting as the front end for track layout design. A prototype compiler has been developed by Cullyer [25]. It consists of three parts: a graphical user interface, an input checker and a compiler. The graphical user interface handles the interaction between the designer and the computer system.
It shows the track layout in a symbolic form which resembles the conventional drawings, and allows the user to insert, delete or modify objects in the layout. The user interface utilizes the interactive graphics capabilities which have become standard features of personal computers and workstations. The entire layout is conceptually divided into a grid of cells. Each cell contains only a single track component. The internal representation of the layout and the rules for checking input are based on the formal track network model described in Chapter 6. When the user inserts a component into a cell, the input checker validates the component using the rules defined in the formal model. For example, a point (or PPART) can have at most three pairs of connections to the adjacent cells. The input checker also displays, via the graphical interface, a list of components which are 'legal' in the current cell, to help the user choose the correct one. When the layout is completed, the compiler translates the internal representation to a formal specification in the format to be described in Section 7.3.

The layout compiler can also generate files in another format, known as Railway Layout Graphics language (RLG for short). This format has been defined based on the internal representation of the layout compiler, and it is graphics-output oriented. Files in RLG format are used to produce hard copy of the layout, such as the one shown in Figure 3.4.¹

Certainly, formal software development methods, such as structured system design and static code analysis, can be applied in the development of the layout compiler. However, current technologies are still not capable of verifying the correctness of the compiler, due to the complex interactions between the graphics libraries and system libraries involved. Therefore, rather than trusting the compiler, the formal specification it generates is verified independently; only the verified specification, not the tool that produced it, needs to be trusted.
### 7.2 The network verifier

The task of the network verifier is to take the formal specification generated by the layout compiler as its input, and to deduce a theorem asserting that the specification is an instance of a legal network according to the definition of the network model, if and only if this is true. This approach represents an isomorphism between conventional engineering design and formal theorem proving. A commutative diagram illustrating this isomorphism is shown in Figure 7.2. In the diagram, a downward arrow indicates an abstraction, while an upward arrow indicates an interpretation. The upper path shows the conventional design process. To approve a layout scheme, the designers and engineers perform a large amount of checking against the current regulations and their experience, perhaps with some assistance from CAD tools.

Figure 7.2: Isomorphism between engineering design and theorem proving.

The lower path shows the use of a verifier based on the HOL theorem prover. This process works on an abstract model of the real layout. It verifies the specification against the formal model of generic networks. The result is a theorem stating that the specification is an instance of a generic network. This lower path based on formal reasoning can be used to replace a large proportion of the manual process in the upper path, and help the engineers to improve their designs, but it will never completely replace the upper path. Caution must be applied when interpreting the theorems, because they are deduced from the formal specification and the generic theory, both of which have been derived by abstracting the engineering drawings and regulations. These descriptions are only as good as the model designer's understanding of the real world.

¹ A PostScript printer driver which accepts files in RLG format has been implemented by the author. The railway track diagrams throughout this thesis have been produced by this driver.
However, abstraction is a very powerful tool. By creating an abstract model, the designer can gain greater insight into the problem. There is an analogy with hardware verification. A VLSI device fabricated on a silicon wafer will never be verified, even if low-level formal proofs have been carried out. What can be verified is the formal design specification. However, this does not mean that formal verification does not have a significant role, since it helps to discover many design errors and misunderstandings. As hardware and systems become even more complex, formal specification and verification will become more important.

The use of the verifier is simple. It appears to the user as an ML function in a HOL library. It takes the file name of the formal specification file generated by the compiler as its sole argument and returns a value of type :thm if verification is successful. Suppose that a specification of a layout has been saved in a file named layout.rls; the session below shows how it is verified:

```
#load_library `rail_verifier`;;
() : void
#verify `layout.rls`;;
|- NETWORK ({...}, {...})
: thm
```

The library rail_verifier is first loaded into HOL. Then, the verifier is called with the name of the file containing the specification. If this specification conforms to the formal network model, a theorem is returned. Otherwise, the evaluation fails. The verifier automates and encapsulates the difficult, and sometimes very tedious, process of discovering a proof for each specification. This provides an easy-to-use tool for the signalling engineers.

# 7.3 Formal specification of track layout

Formal specifications of track layouts are written in a language called the Railway Layout Specification Language, RLS for short. It is the target language of the layout compiler and the source language of the network verifier. The RLS language is based on the formal model of track components and networks.
The syntax and semantics of RLS will be described in separate subsections below.

### 7.3.1 Syntax

The syntax of the RLS language is defined in an augmented BNF form in Figure 7.3. The following rules are used in the syntax definition:

1. all non-terminal symbols are in lower case characters;
2. all terminal symbols appear as literal character strings enclosed in single quotes, except the end-of-specification marker, which is a single character indicated as [EOF], meaning the end of file;
3. the start symbol is spec.

### 7.3.2 Semantics

A complete layout specification is divided into two parts. The first is the definition part, which begins with the keyword DEFINITION and is ended by the start of the second part, which is introduced by the keyword CONSTRUCTION. The construction part extends to the end of the file.

```
spec              ::= definition_part construction_part [EOF] ;;
definition_part   ::= 'DEFINITION' def_list ;;
def_list          ::= definition def_list | definition ;;
definition        ::= 'TCIR' num
                    | 'BPART' num
                    | 'TPART' num num
                    | 'PPART' num num num '(' num num num ')'
                    | 'DPART' num num '(' num num ')' '(' num num ')'
                    | 'SIGNAL' num sig_type
                    | 'POINT' num
                    | 'EDGESIG' num join_type num
                    | 'EDGEJOIN' num join_type ;;
join_type         ::= 'CONDUCT' | 'INSULATE' | 'OVERLAP' | 'TERMINATE' ;;
sig_type          ::= 'MAIN' | 'MAIN_JUNC' | 'MAIN_SUB' | 'MAIN_SUB_JUNC' | 'SHUNT' ;;
construction_part ::= 'CONSTRUCTION' 'SIMP' part op_list ;;
op_list           ::= op op_list | ;;
op                ::= 'NJOIN' part part edge edge
                    | 'EDGE' part part edge edge ;;
part              ::= 'B' num | 'T' num | 'P' num | 'D' num ;;
edge              ::= 'j' num | 's' num ;;
num               ::= digit | digit num ;;
```

Figure 7.3: Syntax of the Railway Layout Specification language.

The definition part

The DEFINITION part contains definitions of all the track components, signals and joins appearing in the layout. Each definition associates an identification number with the object being defined and specifies the types or other sub-objects required to fully define such an object in the HOL logic.
There are nine different definitions allowed in the definition part. The keywords which introduce the definitions, and the meanings of their associated fields, are listed below:

- TCIR (C) Track circuit. The only field is the track circuit number.
- POINT (N) Point. The only field is the ID number.
- BPART (B) Buffer part. The only field is the part ID number.
- TPART (T) Plain track part. The first field is the part ID number and the second is the ID number of the associated track circuit.
- PPART (P) Point part. The first two fields have the same meaning as for TPART. The third field is the ID number of the point, which must have been defined previously by a POINT definition. The three fields enclosed in parentheses are the ID numbers of the trailing, normal and reverse parts, respectively.
- DPART (D) Diamond crossing part. The first two fields have the same meaning as for TPART. The two pairs of num fields are the ID numbers of the adjacent parts. Each pair identifies the parts connecting to the same leg.
- SIGNAL (S) Compound signal. The first field is the ID number and the second is the class.
- EDGEJOIN (j) Simple edge label. The first field is the ID number, the second the type of join.
- EDGESIG (s) Edge label containing a signal. The first two fields have the same meaning as for EDGEJOIN. The last field is the ID number of the attached signal, which must have been defined by a SIGNAL definition.

The action for each definition is to define a constant in the HOL logic. The name of the constant is the ID number prefixed by a single letter indicating the type of the object. The prefix letter for each type of object is enclosed in parentheses following the keyword in the list above. All the information necessary for creating constants of the various types is provided by the fields in the definition. Note that all of the state functions of circuits, points and signals have been omitted.
This is because, when verifying the layout, the states of these components are not important; only the static topological relations between the components are being considered. Dummy functions of the appropriate types are supplied by the verifier to satisfy the type checker when defining logical constants.

The construction part

This part contains information about how to build the network using the objects defined in the definition part. This information is necessary to guide the verifier in the deduction of the network theorem. It appears as a list of network operations. Each operation except the first adds some objects to the network built by the previous operations in the list. The first operation must be a SIMP operation, which constructs a simple network containing only a single part. This corresponds to the base case in the definition of network, NETWORK_DEF. In addition to the SIMP operation, two more operations are allowed:

NJOIN adds a vertex and a pair of edges to the network. The first part indicates the vertex in the existing network to which new connections are being made. The second part is a new vertex to be inserted into the network. The two edge fields specify the labels of the edges connecting the two parts.

EDGE adds only a pair of edges. The fields in this operation have the same meaning as in NJOIN, except that the second part is also a vertex in the existing network.

For each operation, the verifier attempts to prove a theorem of the form

$\vdash \mathsf{NETWORK}(\mathsf{NJOIN}\ N\ p_1\ e_1\ p_2\ e_2)$

where N is the network built by the operations so far, $p_1$ and $p_2$ are the parts, and $e_1$ and $e_2$ are the edge labels. If the attempt fails, the operation violates the rules of the formal network model, and thus no theorem can be deduced.
Example

A specification of the layout of the passing loop shown in Figure 6.4 can be written as below:

```
DEFINITION
TCIR 1
TCIR 2
TCIR 3
TCIR 4
TCIR 5
TCIR 6
POINT 11
POINT 12
TPART 1 1
PPART 11 5 11 (1 2 4)
TPART 2 2
PPART 12 6 12 (3 2 4)
TPART 3 3
TPART 4 4
EDGEJOIN 1 INSULATE
SIGNAL 100 MAIN
SIGNAL 101 MAIN
SIGNAL 102 MAIN
SIGNAL 103 MAIN
SIGNAL 104 MAIN
SIGNAL 105 MAIN
EDGESIG 100 INSULATE 100
EDGESIG 101 INSULATE 101
EDGESIG 102 INSULATE 102
EDGESIG 103 INSULATE 103
EDGESIG 104 INSULATE 104
EDGESIG 105 INSULATE 105
CONSTRUCTION
SIMP T1
NJOIN T1 P11 s100 j1
NJOIN P11 T2 j1 s103
NJOIN T2 P12 s102 j1
NJOIN P12 T3 j1 s101
NJOIN P11 T4 j1 s105
EDGE T4 P12 s104 j1
[EOF]
```

Note that different lists can create identical networks, since the order of the operations in the construction part is not unique.

# 7.4 The implementation of the verifier

The verifier can be divided into two parts: the parser and the prover. The parser is the front end of the verifier. Its functions are to recognize the input and to call the appropriate functions in the prover. The prover is a suite of ML functions which together carry out proofs and deliver theorems if the specification is correct according to the formal model defined in the network theory.

## 7.4.1 The parser

The parser is implemented using the parser generator in the standard collection of HOL libraries. This parser generator accepts a grammar specification with embedded actions in a syntax similar to BNF. It generates a parser in the form of an ML function, named PARSE_file. When this function is called, it reads the input and attempts to match the production rules specified as the syntax of the RLS language in Figure 7.3. If a production rule is matched, the associated action is invoked. This parser function is called by the function verify, mentioned in the example at the end of Section 7.2, as the entry point to the parser.
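The grammar of Figure 7.3 and the definition-before-use rules of Section 7.3.2 can be exercised without HOL. The following Python parser is an added example, not the thesis's ML parser generated for the verifier: it tokenises an RLS file, parses both parts according to the grammar, and rejects a PPART whose POINT, an EDGESIG whose SIGNAL, or a construction operation whose parts or edge labels were not defined earlier, returning the definitions and the operation list that a prover would then consume step by step. It assumes that the end marker may be written as the literal token [EOF] or simply as end of input, and it accepts an empty operation list after SIMP. The embedded specification is the passing-loop example above with its whitespace compacted; the rejected inputs in the usage checks are constructed.

```python
"""Parser and static checker for the RLS layout language of Figure 7.3 (added example)."""
import re

JOIN_TYPES = {"CONDUCT", "INSULATE", "OVERLAP", "TERMINATE"}
SIG_TYPES = {"MAIN", "MAIN_JUNC", "MAIN_SUB", "MAIN_SUB_JUNC", "SHUNT"}
# Field layout of each definition: n = num, j = join_type, g = sig_type, ( ) literal.
DEF_SHAPES = {"TCIR": "n", "POINT": "n", "BPART": "n", "TPART": "nn",
              "PPART": "nnn(nnn)", "DPART": "nn(nn)(nn)",
              "SIGNAL": "ng", "EDGEJOIN": "nj", "EDGESIG": "njn"}
PART_KW = {"B": "BPART", "T": "TPART", "P": "PPART", "D": "DPART"}
EDGE_KW = {"j": "EDGEJOIN", "s": "EDGESIG"}


class RLSError(ValueError):
    """Syntax error, or a reference to an object that was not defined earlier."""


class Parser:
    def __init__(self, text):
        self.toks = re.findall(r"\(|\)|[^\s()]+", text)   # parentheses are tokens
        self.pos = 0
        self.defs = {}                                    # (keyword, id) -> other fields

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def next(self, expect=None):
        tok = self.peek()
        if tok is None:
            raise RLSError("unexpected end of specification")
        if expect is not None and tok != expect:
            raise RLSError(f"expected {expect!r}, found {tok!r}")
        self.pos += 1
        return tok

    def num(self):
        tok = self.next()
        if not tok.isdigit():
            raise RLSError(f"expected a number, found {tok!r}")
        return int(tok)

    def choice(self, allowed):
        tok = self.next()
        if tok not in allowed:
            raise RLSError(f"expected one of {sorted(allowed)}, found {tok!r}")
        return tok

    def definition(self):
        kw = self.choice(DEF_SHAPES)
        fields = []
        for f in DEF_SHAPES[kw]:
            if f == "n":
                fields.append(self.num())
            elif f == "j":
                fields.append(self.choice(JOIN_TYPES))
            elif f == "g":
                fields.append(self.choice(SIG_TYPES))
            else:
                self.next(expect=f)
        # Section 7.3.2: a PPART's point and an EDGESIG's signal must be defined previously.
        if kw == "PPART" and ("POINT", fields[2]) not in self.defs:
            raise RLSError(f"PPART {fields[0]} uses undefined POINT {fields[2]}")
        if kw == "EDGESIG" and ("SIGNAL", fields[2]) not in self.defs:
            raise RLSError(f"EDGESIG {fields[0]} uses undefined SIGNAL {fields[2]}")
        self.defs[(kw, fields[0])] = fields[1:]

    def ref(self, table, what):
        """A part or edge name (prefix letter + ID) that must name a defined object."""
        tok = self.next()
        m = re.fullmatch(r"([A-Za-z])(\d+)", tok)
        kw = table.get(m.group(1)) if m else None
        if kw is None or (kw, int(m.group(2))) not in self.defs:
            raise RLSError(f"undefined {what} {tok!r}")
        return tok

    def spec(self):
        self.next(expect="DEFINITION")
        while self.peek() != "CONSTRUCTION":
            self.definition()
        self.next(expect="CONSTRUCTION")
        self.next(expect="SIMP")                # the first operation must be SIMP
        ops = [("SIMP", self.ref(PART_KW, "part"))]
        while self.peek() not in (None, "[EOF]"):
            op = self.choice({"NJOIN", "EDGE"})
            ops.append((op, self.ref(PART_KW, "part"), self.ref(PART_KW, "part"),
                        self.ref(EDGE_KW, "edge label"), self.ref(EDGE_KW, "edge label")))
        return self.defs, ops


def parse_rls(text):
    """Return (definitions, construction operations) or raise RLSError."""
    return Parser(text).spec()


def rejection(text):
    """The parser's complaint about a specification, or None if it is accepted."""
    try:
        parse_rls(text)
        return None
    except RLSError as exc:
        return str(exc)


# Constructed sample: the passing-loop specification of Section 7.3, whitespace-compacted.
PASSING_LOOP = """
DEFINITION
TCIR 1 TCIR 2 TCIR 3 TCIR 4 TCIR 5 TCIR 6 POINT 11 POINT 12
TPART 1 1 PPART 11 5 11 (1 2 4) TPART 2 2 PPART 12 6 12 (3 2 4) TPART 3 3 TPART 4 4
EDGEJOIN 1 INSULATE
SIGNAL 100 MAIN SIGNAL 101 MAIN SIGNAL 102 MAIN SIGNAL 103 MAIN SIGNAL 104 MAIN SIGNAL 105 MAIN
EDGESIG 100 INSULATE 100 EDGESIG 101 INSULATE 101 EDGESIG 102 INSULATE 102
EDGESIG 103 INSULATE 103 EDGESIG 104 INSULATE 104 EDGESIG 105 INSULATE 105
CONSTRUCTION
SIMP T1 NJOIN T1 P11 s100 j1 NJOIN P11 T2 j1 s103 NJOIN T2 P12 s102 j1
NJOIN P12 T3 j1 s101 NJOIN P11 T4 j1 s105 EDGE T4 P12 s104 j1
[EOF]
"""
```

The checks in `definition` and `ref` are the static part of what the verifier's action functions do before any proof is attempted: every object named by a later line must already have been given a HOL constant by an earlier one, so an undefined point, signal, part or edge label is reported at the line that uses it rather than surfacing as a failed proof step.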
To illustrate the implementation of the parser, two production rules with associated actions, as part of the input grammar specification to the parser generator, are described in detail below. The complete ML source of the verifier can be found in Appendix C.

The first rule is the plain track definition rule. The syntax for a plain track part is TPART num num (see Figure 7.3). The production rule for parsing this syntax, as required by the parser generator, is written as:

```
tpart --> [TPART] {def_tpart(TOKEN, TOKEN)}.
```

This specifies that the definition starts with the literal string 'TPART'. When the parser sees such a string, it reads the next two tokens from the input stream and passes them to the function def_tpart. This function is defined as below:

```
let def_tpart (id, tc) =   % (string # string) -> (string list # thm) %
  if ((is_num id) & (is_num tc))
  then (let ptname = 'T' ^ id in
        let tcir = mk_const(('C' ^ tc), ":Tcir") in
        let t = mk_eq(mk_const(ptname, ":Part"),
                      mk_comb(mk_comb("TPART", (mk_num id)), t
cir)) in
        ([ptname], new_definition(ptname, t)))
  else failwith 'expecting two numbers as ID''s (def_tpart)';;
```

It validates the tokens by calling the function is_num, which returns true if the token string contains only digits. If the tokens are valid, it proceeds to create a new logical constant for this plain track part. Suppose that the tokens are the strings '123' and '201'; the effect of evaluating def_tpart is equivalent to making the following HOL definition:

HOL Definition 77 "T123 = TPART 123 C201"

where C201 has been defined as a track circuit with ID number 201. Actions associated with other production rules in the definition part carry out similar definitions.

The next production rule to be described is the NJOIN construction rule. The syntax of this rule is NJOIN part part edge edge.
The input to the parser generator is written as below:

```
njoin --> [NJOIN] {mk_njoin(part_nums, edge_nums)}
```

The function mk_njoin is defined as below:

```
let mk_njoin (([pt1; pt2], t1:thm), ([ed1; ed2], t2:thm)) =
  % : (string list # thm) # (string list # thm) -> (string list # thm) %
  let p1 = mk_const(pt1, ":Part") in
  let p2 = mk_const(pt2, ":Part") in
  let e1 = mk_const(ed1, ":Elbl") in
  let e2 = mk_const(ed2, ":Elbl") in
  let th = prove_network_njoin rail_tmp_thm p1 p2 e1 e2 in
  ([pt2], (rail_tmp_thm := save_thm((pt2 ^ '_THM'), th)));;
```

The arguments pt1 and pt2 are the parts to be connected, and the arguments ed1 and ed2 are the edge labels. They have been validated by the production rules part_nums and edge_nums. The global identifier rail_tmp_thm is bound to the theorem returned as the result of the previous step of building the network. The function prove_network_njoin in the prover is called to deduce a theorem for the current step. If this succeeds, the new theorem is saved in the current theory and also bound to rail_tmp_thm to pass to the next step. This process continues until the entire specification file is exhausted.

### 7.4.2 The prover

The prover automates the process of proving theorems about instances of networks. The theorems it deduces are in the form

$$\vdash \text{NETWORK}(\{\ldots\},\{\ldots\}) \tag{7.1}$$

where the actual elements of the vertex set and edge set have been abbreviated. This theorem asserts that ({...}, {...}) is an instance of a generic network as defined in NETWORK_DEF. There are three ML functions at the top level which are called by the parser action functions. The function prove_simple_network delivers a theorem as an instance of the general theorem NETWORK_SIMP. This corresponds to the base case of the network induction theorem. The other two functions, prove_network_njoin and prove_network_edge, deduce theorems which are instances of the network induction step theorem NETWORK_NJOIN.
The difference between these two functions is that prove_network_njoin takes advantage of the fact that the second operand of the NJOIN operation is not a vertex in the network, so the proof is simpler. The proof strategy used by these two functions is modus ponens with the theorem NETWORK_NJOIN. The function prove_network_njoin is listed in Figure 7.4 and described in detail below. To deduce a theorem of the following form

$$\vdash \text{NETWORK}\,(\text{NJOIN}\ N\ n_1\ e_1\ n_2\ e_2) \tag{7.2}$$

one can prove the antecedent of the theorem NETWORK_NJOIN, then apply the modus ponens rule. Taking N as the network created so far, the theorem resulting from the previous production rule is supplied to prove_network_njoin as its first argument thm1. Using the modus ponens rule with NETWORK_NJOIN and thm1 results in the implicative theorem 7.3:

$$\vdash \forall p_1\, p_2.\ p_1\ \text{IS\_VERTEX}\ N \land \neg(p_1 = p_2) \land \text{NFC}\ N\ p_1 \land \text{NFC}\ N\ p_2 \supset (\forall e_1\, e_2.\ \text{NETWORK}\,(\text{NJOIN}\ N\ p_1\ e_1\ p_2\ e_2)) \tag{7.3}$$

Since the conclusion of this theorem matches 7.2, the modus ponens rule can be used again to deduce a theorem in the form of 7.2 if the four conjuncts of the antecedent of 7.3 can be proved.

```
 1 let prove_network_njoin thm1 p1 p2 j1 j2 =
 2   let p,n1 = (dest_comb (concl thm1)) in
 3   if (not('NETWORK' = (fst (dest_const p))))
 4   then failwith 'not NETWORK theorem'
 5   else let lm = (SPEC n1 NETWORK_NJOIN) in
 6   let thm2 = prove_in_network p1 n1 in
 7   let thm3 = EQF_ELIM (Part_EQ_CONV "^p1 = ^p2") in
 8   let thm4 = prove_NFC p1 n1 in
 9   let thm5' = prove_not_in_network p2 n1 in
10   let thm5 = MP (MP (SPECL [n1;p2] NOT_VER_IMP_NFC) thm1) thm5' in
11   let ante = CONJ thm2 (CONJ thm3 (CONJ thm4 thm5)) in
12   let lm' = SPECL [p1;p2] (MP lm thm1) in
13   let network_canon thm =
14     let njointhm = MP (SPECL [n1;p1;j1;p2;j2] NJOIN_EXP)
15                       (CONJ thm2 thm5') in
16     let th = PURE_ONCE_REWRITE_RULE [VERTICES; EDGES]
17                (PURE_ONCE_REWRITE_RULE [njointhm] thm) in
18     (CONV_RULE (DEPTH_CONV (UNION_CONV Part_EQ_CONV)) th) in
19   let nth = (SPECL [j1; j2] (MATCH_MP lm' ante)) in
20   network_canon nth
21   ? failwith 'prove_network_njoin';;
```

Figure 7.4: Listing of prove_network_njoin.

The strategy for solving these four subgoals is as follows (the line numbers refer to the listing in Figure 7.4):

- Subgoal 1: $n_1$ IS_VERTEX N. The function prove_in_network is used to prove this subgoal (line 6). It returns a theorem matching the subgoal if $n_1$ is a vertex of N. It uses the conversion IN_CONV in the sets library, which returns a theorem $\vdash x \text{ IN } \{x_1, \ldots, x_n\} = T$ if and only if x is equal to $x_i$ for some i where $1 \le i \le n$.
- Subgoal 2: $\neg(n_1 = n_2)$. This subgoal is proved using the conversion Part_EQ_CONV (line 7). This conversion returns a theorem $\vdash (p_1 = p_2) = T$ if and only if $p_1$ and $p_2$ are syntactically equal or all their sub-fields are equal. Otherwise, the theorem $\vdash (p_1 = p_2) = F$ is returned. The rule EQF_ELIM transforms a theorem $\vdash f(x) = F$ into $\vdash \neg f(x)$.
- Subgoal 3: NFC N $n_1$. This subgoal is proved using the function prove_NFC (line 8), which returns a theorem of the form $\vdash$ NFC N $p_1$ if the vertex $p_1$ is not fully connected.
- Subgoal 4: NFC N $n_2$. The last subgoal is proved using the fact that $p_2$ is not a vertex of N. The function prove_not_in_network (line 9) returns a theorem of the form $\vdash \neg(p_2 \text{ IS\_VERTEX } N)$. Then, modus ponens is applied to the theorem NOT_VER_IMP_NFC to deduce $\vdash$ NFC N $p_2$ (line 10).

Details of the lower level functions mentioned above can be found in Appendix C.4.
The modus ponens rule is applied to the conjunction of the above four subgoals and an instance of 7.3 to deduce a theorem in the form of 7.2 (line 19).
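The checks that prove_network_njoin and prove_network_edge establish for each construction operation can be modelled outside HOL. The following is an added example in plain Python, not the thesis's ML: it replays the four antecedents of NETWORK_NJOIN (p1 IS_VERTEX N, p1 distinct from p2, NFC N p1, and NFC N p2 obtained from p2 not yet being a vertex), the corresponding checks for EDGE, and the canonical (vertex set, edge set) result that network_canon produces. It assumes a reading of NFC (not fully connected) as "fewer outgoing edges than the part has ends", with the number of ends taken from the part-name prefix (plain track 2, point 3, diamond crossing 4); the thesis defines NFC in a chapter not reproduced here.

```python
"""Model of the checks behind prove_network_njoin / prove_network_edge.

Added example in plain Python, not the thesis's HOL88 ML.  Assumption: NFC
(not fully connected) is read as "fewer outgoing edges than the part has
ends", with ends per part type taken from the name prefix.
"""

MAX_ENDS = {"T": 2, "P": 3, "D": 4}  # assumed ends per part type


class RuleViolation(Exception):
    """Raised where the verifier's proof attempt would fail."""


def is_vertex(net, p):
    return p in net[0]


def nfc(net, p):
    """NFC N p under the assumption above."""
    return sum(1 for src, _, _ in net[1] if src == p) < MAX_ENDS[p[0]]


def simp(p):
    """SIMP p: base case, one vertex and no edges (NETWORK_SIMP)."""
    return (frozenset([p]), frozenset())


def njoin(net, p1, p2, e1, e2):
    """NJOIN p1 p2 e1 e2: join the new vertex p2 to the existing vertex p1
    with the edges (p1,p2,e1) and (p2,p1,e2)."""
    if not is_vertex(net, p1):
        raise RuleViolation(f"{p1} IS_VERTEX N fails")
    if p1 == p2:
        raise RuleViolation(f"~({p1} = {p2}) fails")
    if not nfc(net, p1):
        raise RuleViolation(f"NFC N {p1} fails")
    if is_vertex(net, p2):
        raise RuleViolation(f"{p2} is already a vertex; use EDGE")
    return (net[0] | {p2}, net[1] | {(p1, p2, e1), (p2, p1, e2)})


def edge(net, p1, p2, e1, e2):
    """EDGE p1 p2 e1 e2: a new pair of edges between two existing vertices."""
    if p1 == p2:
        raise RuleViolation(f"~({p1} = {p2}) fails")
    for p in (p1, p2):
        if not is_vertex(net, p):
            raise RuleViolation(f"{p} IS_VERTEX N fails")
        if not nfc(net, p):
            raise RuleViolation(f"NFC N {p} fails")
    return (net[0], net[1] | {(p1, p2, e1), (p2, p1, e2)})


def build(construction):
    """Run a construction part, one operation per line, threading the
    network through the operations as the parser threads rail_tmp_thm."""
    ops = [ln.split() for ln in construction.splitlines() if ln.strip()]
    if not ops or ops[0][0] != "SIMP" or len(ops[0]) != 2:
        raise RuleViolation("the first operation must be SIMP <part>")
    net = simp(ops[0][1])
    for op, *args in ops[1:]:
        if op not in ("NJOIN", "EDGE") or len(args) != 4:
            raise RuleViolation(f"bad operation: {' '.join([op] + args)}")
        net = (njoin if op == "NJOIN" else edge)(net, *args)
    return net


def verify(construction):
    """(True, network) if every operation obeys the model, else (False, why)."""
    try:
        return True, build(construction)
    except RuleViolation as exc:
        return False, str(exc)


# Construction part of the passing loop of Section 7.3.
LOOP = """
SIMP T1
NJOIN T1 P11 e100 j1
NJOIN P11 T2 j1 e103
NJOIN T2 P12 e102 j1
NJOIN P12 T3 j1 e101
NJOIN P11 T4 j1 e105
EDGE T4 P12 e104 j1
"""

if __name__ == "__main__":
    ok, net = verify(LOOP)
    print(ok, sorted(net[0]), len(net[1]))
    print(verify(LOOP + "NJOIN P11 T5 j1 e106\n"))  # P11 has no free end
```

The loop specification yields the six vertices and twelve edges of the session in Figure 7.5; appending a fourth connection to P11 is rejected at the NFC check, which is the point at which the HOL proof attempt would fail and no theorem would be produced.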
This theorem is then converted into a canonical form by expanding the operation NJOIN using the function network_canon (line 20). The resulting theorem is in the form matching 7.1, as shown below:

$$\vdash \text{NETWORK}\,(\{\ldots, n_2\}, \{\ldots, (n_1, n_2, e_1), (n_2, n_1, e_2)\})$$

where the new vertex and the new edges are added to the vertex set and edge set of the network, and they are in pure set syntax, free of any network operators.

To conclude this chapter, the verification of the specification of the passing loop layout listed on page 116 in Section 7.3, with some intermediate results, is shown in Figure 7.5. This session shows how the network expands when new vertices and edges are added. It also shows that a large number of intermediate theorems is generated in each step: the total number of intermediate theorems is 28419. The verifier integrates the theorem proving process and makes the theorem prover easier to use. The timing information was obtained on a Sun3 with 12 Mbytes of memory. The time can be further reduced, since the current implementation has not been optimized. The final result is the network theorem in its canonical form.

```
#verify 'loop';;
(['T1'], |- NETWORK({T1},{})) : (string list # thm)
Run time: 0.0s
Intermediate theorems generated: 1
(['P11'], |- NETWORK({P11,T1},{(T1,P11,e100),(P11,T1,j1)})) : (string list # thm)
Run time: 11.7s
Garbage collection time: 21.2s
Intermediate theorems generated: 1179
(['T2'], |- NETWORK({T2,P11,T1},{(P11,T2,j1),(T2,P11,e103),(T1,P11,e100),(P11,T1,j1)})) : (string list # thm)
Run time: 25.7s
Garbage collection time: 54.3s
Intermediate theorems generated: 2288
... (deleted)
(['P12'], |- NETWORK({T4,T3,P12,T2,P11,T1},
  {(T4,P12,e104),(P12,T4,j1),(P11,T4,j1),(T4,P11,e105),(P12,T3,j1),
   (T3,P12,e101),(T2,P12,e102),(P12,T2,j1),(P11,T2,j1),(T2,P11,e103),
   (T1,P11,e100),(P11,T1,j1)})) : (string list # thm)
Run time: 126.1s
Garbage collection time: 230.3s
Intermediate theorems generated: 10020
```

Figure 7.5: A HOL session verifying a network specification.

# Chapter 8: Generation of control tables

This chapter describes a method for the automatic generation of control tables. The method uses well-known graph search algorithms to find the routes in a network and then works out the entries in the control table based on the formalized interlocking regulations.

The second step in the design of an SSI controlled signalling scheme is the generation of control tables, whose format has been shown in Chapter 3. Information is extracted from the layout and filled into the control tables. This is probably the most important step in the design process with respect to ensuring the safe operation of the system. If any incorrect information is left in the table unnoticed, erroneous geographic data will be generated, and the interlocking may become unsafe. It is therefore necessary to automate the generation of control tables by employing verified software, and then to formally verify the contents of the resulting tables.

Since all the topological information about a layout is encompassed in its formal specification, the data required to fill the control table can be extracted from this specification. This chapter describes a method for finding routes, deriving the information to fill control tables and verifying the results. This method uses the formal specification of a layout generated by the layout compiler and verified by the verifier. The definition of routes is described in Section 8.1 and the algorithms for finding routes are discussed in Section 8.2. The last section of the chapter describes how to generate and verify the control tables.
## 8.1 Definition of routes

In Section 3.2, a route is described as a section of railway track starting and ending at signals. In the framework of the formal network model, a route is a path starting at a signal and terminating at another signal, but extra rules are required to restrict the paths which can be considered as routes. These rules are due to the physical nature of the track component parts. They are:

- when passing a point, i.e., a PPART, a route cannot enter from a normal edge and continue to a reverse edge, or vice versa;
- when passing a diamond crossing, i.e., a DPART, a route cannot move from an edge of one leg to an edge of another leg.

Referring to the example layout of the double left-hand junction shown in Figure 3.4, a train cannot move from T104 to D300 through P200 following a single route, nor can a train move from T108 to P200 through D300 in a single manoeuvre. A route from the signal S10 to the signal S12 is the following list of edges:

S10S12 = [(T100, T101, S10); (T101, P200, I2); (P200, D300, I4); (D300, T102, I7); (T102, T103, S12)]

By convention, the name of a route is the string formed by concatenating the names of the entry signal and the exit signal. Notice that the entry of the route is the vertex before the entry signal, and the exit of the route is the vertex after the exit signal. Based on the above discussion, a predicate ROUTE is defined in the HOL logic to specify what a route is.

HOL Definition 78 (ROUTE_DEF)

```
"ROUTE (N:Network) (r:(Part#Part#Elbl)list) =
   (NETWORK N) /\ (PATH N r) /\ (ROUTE_TAIL r) /\
   (IS_ELBL_SIGNAL (elb (HD r))) /\ (IS_ELBL_SIGNAL (elb (LAST r)))"
```

A list of edges r is a route in the network N if and only if it is a path in N, it satisfies the predicate ROUTE_TAIL, which is defined below, and both its first and last edges have a signal attached.
HOL Definition 79 (ROUTE_TAIL_DEF)

The function ROUTE_TAIL verifies whether the two restrictions listed at the beginning of this section are satisfied by the list of edges. The meanings of the functions used in its definition have been given in Table 5.1. Note that, in some cases, a route may not terminate at a signal; for example, the last section at a terminal station will end with a buffer, and sometimes a partial route which neither starts at a signal nor ends at a signal may be required for a certain manoeuvre. These are considered to be subroutes. A predicate can be defined for subroutes which is syntactically identical to the definition of ROUTE except that the last two conjuncts are absent. In the following discussion, only complete routes are considered.

The functions ROUTE_EDGES and ROUTE_PARTS are defined for extracting the edges and parts along a route. They are used in the specifications described in Section 8.3.

HOL Definition 80 (ROUTE_EDGES_DEF) "ROUTE_EDGES (r:(Part#Part#Elbl)list) = (BUTLAST r)"

Given a route r as its argument, the function ROUTE_EDGES returns a list of all the edges through which r passes except the last one. A train cannot pass through this edge if the signal attached to it is ON; therefore, when considering the points required by a route, this edge can be ignored.

HOL Definition 81 (ROUTE_PARTS_DEF) "ROUTE_PARTS (r:(Part#Part#Elbl)list) = VER_LIST (BUTLAST (TL r))"

The function ROUTE_PARTS returns a list of the parts through which the route r passes, except the part in the source vertex of the first edge and the part in the destination vertex of the last edge. The former is before the entry signal and the latter is ahead of the exit signal; therefore, they should not be considered to be in the route. If two routes share one or more parts, they are said to be conflicting routes. This property is modelled by the predicate CONFLICTING_ROUTES.
HOL Definition 82 (CONFLICTING_ROUTES_DEF)

```
"CONFLICTING_ROUTES (N:Network) r1 r2 =
   (ROUTE N r1) /\ (ROUTE N r2) /\
   ~(DISJ_LIST (ROUTE_PARTS r1) (ROUTE_PARTS r2))"
```

This predicate is true if and only if both $r_1$ and $r_2$ are routes in the network N and their vertex lists are not disjoint. For example, in the network shown in Figure 3.4, the routes S10S12 and S11S15 are conflicting routes because they share the vertex P200, i.e., CONFLICTING_ROUTES N S10S12 S11S15 = T.

## 8.2 Finding routes

Having defined what routes are, one can proceed to search for routes in a network. Since networks are graphs, many well-known graph searching algorithms can be used to find routes in a network. Amongst them, two are very suitable for finding routes: Murchland's all-paths algorithm and the depth-first search algorithm. However, these algorithms need to be augmented, because routes are not merely paths: there are extra constraints, as specified by ROUTE_TAIL_DEF.

Murchland's algorithm [53][56] finds all possible paths between two specific vertices. An algebra is used to describe the paths in this algorithm. A path consisting of the edge a followed by the edge b is written as ab. If there are two paths ab and cd between the vertices v and w, they can be written as ab + cd. To avoid looping, an expression such as (abc)(adc), which has a common factor, is defined to be 0. These expressions can be represented by a tree. For computational purposes, the actual algorithm is described with the aid of an $n \times n$ matrix, where n is the number of vertices. The elements of the matrix represent the path or paths between any two given vertices. Initially, the elements contain only the single-edge paths connecting adjacent vertices. On each iteration, the expressions representing the currently known paths between the starting vertex and any other vertex are updated by adding new edges to extend the paths.
When the algorithm terminates, the elements corresponding to the path(s) between the starting and ending vertices contain an expression representing all the possible paths. To adapt this algorithm for finding routes, tests corresponding to the specification in ROUTE_TAIL_DEF should be incorporated in the iteration to pick out the appropriate edges. This algorithm is suitable for networks which contain a large number of possible routes between the specified vertices.

The depth-first search algorithm is described in many textbooks on elementary graph theory and on computer algorithms. Aho et al. in [1] give a concise description of the algorithm in an imperative programming style, while Paulson in [55] demonstrates an effective implementation of the algorithm in a functional programming language, Standard ML. When adopting this algorithm, tests corresponding to the specification in ROUTE_TAIL_DEF should also be incorporated in the search procedure to avoid going down illegal edges.

A program implementing a suitable algorithm can be developed without too much difficulty. It will read in a specification of a network and generate a list of all possible routes in this network. Using a method similar to the one described in Chapter 7, the list of routes can be verified to show its conformity to the specification ROUTE_DEF. The discussion in the next section assumes that such a route finding program exists, and that it produces a list of all possible routes.

## 8.3 Automatic control table generation

The problem of generating control tables can now be considered. The first task is to codify the safety rules which specify the interlocking requirements for setting up a route. Considering only the simple and most common situations, the safety requirements for setting up a route [54] are the following:

1. all track circuits on the route must be clear (column 2);
2. all points on the route must be set, locked and detected at the correct position according to the travelling direction of the route (columns 4 and 5);
3. the exit signal must be in working order, i.e., showing either the ON or the OFF aspect (column 6);
4. the entry signals of the conflicting routes must be proved ON (column 7);
5. the track circuits from the entry signals of the conflicting routes to the point of conflict must be clear (column 2).

The column numbers enclosed in parentheses refer to the control table shown in Table 3.2. In that table, column 1 lists the names of the routes. Column 2 lists the track circuits required by the route, and corresponds to the requirements specified by rules 1 and 5. The correspondence between the other columns and the rules is as indicated above. Each of these requirements can be specified in HOL by a function which returns a list of the objects that are required by the rule. A null list indicates that nothing is required by the route.

Rule 1. The specification for rule 1 is TCIRCUITS.

HOL Definition 83 (TCIRCUITS_DEF) "TCIRCUITS (r:(Part#Part#Elbl)list) = MAP PART_CIRCUIT (ROUTE_PARTS r)"

Since ROUTE_PARTS returns a list of all parts in the route, the higher-order function MAP applies PART_CIRCUIT to these parts; the result of this function is a list of all track circuits in the route.

Rule 2. This rule can be specified by two functions: NORM_POINTS, which returns a list of the points required NORMAL, and REV_POINTS, which returns a list of the points required REVERSE.

HOL Definition 84 (NORM_POINTS_DEF) "NORM_POINTS r = FLAT (MAP NORM (ROUTE_EDGES r))"

HOL Definition 85 (REV_POINTS_DEF) "REV_POINTS r = FLAT (MAP REV (ROUTE_EDGES r))"

The functions NORM and REV take an edge as their argument, and return a list of the points required NORMAL and REVERSE, respectively, if a movement from the source vertex to the destination vertex is made.
HOL Definition 86 (NORM_DEF)

```
"NORM (p1,p2,(e:Elbl)) =
   ((IS_PPART p1) /\ (PART_PNT_NORMAL p1 = PART_ID p2)) => [PART_POINT p1] | []"
```

HOL Definition 87 (REV_DEF)

```
"REV (p1,p2,(e:Elbl)) =
   ((IS_PPART p1) /\ (PART_PNT_REVERSE p1 = PART_ID p2)) => [PART_POINT p1] | []"
```

Rule 3. The specification for rule 3 is EXIT_SIG, which returns the signal attached to the last edge of the list. If there is no signal attached to this edge, an empty list is the result. This situation may arise when a partial route is being considered.

HOL Definition 88 (EXIT_SIG_DEF)

```
"EXIT_SIG (r:(Part#Part#Elbl)list) =
   let e = elb (LAST r) in
   (IS_ELBL_SIGNAL e) => [ELBL_SIGNAL e] | []"
```

Finding conflicting routes. The handling of rules 4 and 5 is more complicated because they require a search for conflicting routes. Since all possible routes in a network can be found by the program mentioned in Section 8.2, all conflicting routes of a given route r can be found using the function CONFLICT_ROUTES. It takes two arguments: the list of all routes in the network, and the given route r. CONFLICT_ROUTES rlst r delivers a list of the routes which are in rlst and are in conflict with r.

HOL Definition 89 (CONFLICT_ROUTES_DEF)

```
"(CONFLICT_ROUTES [] r = []) /\
 (CONFLICT_ROUTES (CONS h t) r =
    (~(DISJ_LIST (ROUTE_PARTS h) (ROUTE_PARTS r)) /\ ~(h = r))
      => (CONS h (CONFLICT_ROUTES t r)) | (CONFLICT_ROUTES t r))"
```

Rule 4. The function specifying rule 4 can now be defined. This function takes two arguments: the current route and the list of all routes in the network. It picks the entry signal from each route returned by CONFLICT_ROUTES using the function ENTRY_SIG, which returns the signal attached to the first edge of the list.
HOL Definition 90 (ENTRY_SIGNALS_DEF) "ENTRY_SIGNALS r rlst = MAP ENTRY_SIG (CONFLICT_ROUTES rlst r)"

HOL Definition 91 (ENTRY_SIG_DEF)

```
"ENTRY_SIG (r:(Part#Part#Elbl)list) =
   let e = elb (HD r) in
   (IS_ELBL_SIGNAL e) => [ELBL_SIGNAL e] | []"
```

Rule 5. Let r be the route under consideration. The strategy for computing the list of all track circuits specified by this rule is:

1. work out a list, say crlst, containing all routes which are in conflict with r;
2. for each vertex p on the route r which is either a PPART or a DPART, work out a list pll containing all routes which are in conflict with r at p, i.e., which share the part in p;
3. for each route l in pll, take the initial segment of l up to the vertex p; the track circuits associated with the elements in this segment are those required by rule 5.

Several auxiliary functions are needed in specifying the function for this strategy. Their names have CR_ as prefix. The first is CR_TAKE. Its specification is

$$\text{CR\_TAKE}\ [p_1; \ldots; p_i; \ldots; p_n]\ p_i = [p_1; \ldots; p_{i-1}]$$

i.e., it returns the initial segment of the list up to, but not including, the part given as its second argument.

HOL Definition 92 (CR_TAKE_DEF)

```
"(CR_TAKE [] (p:Part) = []) /\
 (CR_TAKE (CONS h t) p = (h = p) => [] | (CONS h (CR_TAKE t p)))"
```

If no element in the list is equal to p, CR_TAKE returns the whole list. The next function is CR_PRS, which stands for Partial RouteS, with the following specification:

$$\text{CR\_PRS}\ p\ [[p_{11}; \ldots; p_{1i}; \ldots; p_{1n}]; \ldots; [p_{m1}; \ldots; p_{mi}; \ldots; p_{mn}]] = [[p_{11}; \ldots; p_{1,i-1}]; \ldots; [p_{k1}; \ldots; p_{k,i-1}]]$$

where $p_{ji} = p$ for all $1 \le j \le k$. This function takes a part p and a list of lists of parts pll, and returns a list of lists of parts which are the initial segments of those lists in pll that contain p. The local value crlst contains the lists which are in pll and have p as one of their elements.
HOL Definition 93 (CR_PRS_DEF)

```
"CR_PRS (p:Part) pll =
   let crlst = FILTER pll (\l. (ELEM l p)) in
   MAP (\l. CR_TAKE l p) crlst"
```

The function CR_PTS, which stands for ParTS, takes two arguments: the first is the list of parts forming the current route, and the second is a list of lists of parts which are obtained from the list of all routes in the network. It returns a list of lists of parts which are the initial segments of all the conflicting routes.

HOL Definition 94 (CR_PTS_DEF)

```
"(CR_PTS [] (pll:((Part)list)list) = []) /\
 (CR_PTS (CONS (p:Part) t) pll =
    ((IS_PPART p) \/ (IS_DPART p))
      => (APPEND (CR_PRS p pll) (CR_PTS t pll)) | (CR_PTS t pll))"
```

Now, the top level function for rule 5 can be specified as CR_TCIRCUITS. It takes two arguments similar to ENTRY_SIGNALS: the first, r, is the current route and the second, rlst, is the list of all routes in the network. It delivers a list containing all track circuits in the conflicting routes between their entry signals and the points of conflict.

HOL Definition 95 (CR_TCIRCUITS_DEF)

```
"CR_TCIRCUITS r rlst =
   let crlst = CONFLICT_ROUTES rlst r in
   let plst = FLAT (CR_PTS (ROUTE_PARTS r) (MAP ROUTE_PARTS rlst)) in
   (MAP PART_CIRCUIT plst)"
```

The local value crlst contains all routes which are in conflict with r, and plst is the list of all parts formed by flattening the initial segments of the conflicting routes returned by CR_PTS. A list of track circuits is obtained by applying PART_CIRCUIT to plst.

The specification of the rules has now been written as HOL functions. These functions form the core of the specification of a program which generates the control tables. Such a program can be implemented in a verifiable subset of a high-level programming language, such as SPADE-Pascal [11] or SPARK Ada [12]. If the program is verified and validated to correctly implement the safety rules, the control tables generated by it should be free of errors.
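Sections 8.2 and 8.3 together describe one procedure: search the network for routes under the ROUTE_TAIL restrictions, then evaluate rules 1 to 5 on each route. The following is an added example in plain Python, not the thesis's HOL or the route finding program it assumes; it serves both sections. It runs a depth-first search that stops at the next signal and refuses the normal-to-reverse movement through a point, and then evaluates ROUTE_PARTS, TCIRCUITS, NORM_POINTS/REV_POINTS, EXIT_SIG, CONFLICT_ROUTES, ENTRY_SIGNALS and CR_TCIRCUITS as defined above. The layout is a constructed passing loop with an approach section at each end (so that rule 5 produces a non-empty result); the (stem, normal, reverse) neighbours of its two points, the track circuit numbering and the placing of the signals are assumptions of this example. The function points_required goes beyond NORM_DEF and REV_DEF, which only yield a point when the route leaves it towards a leg: it also requires the point for a trailing movement that enters it from a leg.

```python
"""Route search (8.2) and control-table entries (8.3) for a passing loop.

Added example in plain Python, not the thesis's HOL.  The layout is a
constructed loop with an approach section at each end; the (stem, normal,
reverse) neighbours of its two points and the signal placing are assumed.
"""

# Constructed edges (source, destination, label): eNNN carries signal SNNN,
# read when travelling source -> destination; j1 is an insulated joint.
EDGES = (
    ("T0", "T1", "e100"), ("T1", "T0", "e107"),
    ("T1", "P11", "j1"), ("P11", "T1", "j1"),
    ("P11", "T2", "j1"), ("T2", "P11", "e103"),
    ("P11", "T4", "j1"), ("T4", "P11", "e105"),
    ("T2", "P12", "e102"), ("P12", "T2", "j1"),
    ("T4", "P12", "e104"), ("P12", "T4", "j1"),
    ("P12", "T3", "j1"), ("T3", "P12", "j1"),
    ("T3", "T5", "e106"), ("T5", "T3", "e101"),
)
CIRCUIT = {"T0": "C0", "T1": "C1", "T2": "C2", "T3": "C3", "T4": "C4",
           "T5": "C7", "P11": "C5", "P12": "C6"}          # PART_CIRCUIT
POINTS = {"P11": ("T1", "T2", "T4"), "P12": ("T3", "T2", "T4")}  # assumed

def is_signal(label):
    return label.startswith("e")

def find_routes(edges=EDGES, respect_tail=True):
    """Depth-first search from every signal edge to the next signal edge;
    respect_tail=False is a plain path search that also returns movements
    no train can make (ROUTE_TAIL ignored)."""
    out = {v: [e for e in edges if e[0] == v] for v in {e[0] for e in edges}}
    routes = []

    def dfs(path, seen):
        prev, here, _ = path[-1]
        for nxt in out.get(here, []):
            if nxt[1] in seen:                       # PATH: no vertex twice
                continue
            if respect_tail and here in POINTS and \
                    {prev, nxt[1]} == set(POINTS[here][1:]):
                continue                             # normal <-> reverse leg
            if is_signal(nxt[2]):                    # exit signal reached
                routes.append(path + [nxt])
            else:
                dfs(path + [nxt], seen | {nxt[1]})

    for e in edges:
        if is_signal(e[2]):
            dfs([e], {e[0], e[1]})
    return routes

def route_name(r):                            # entry signal ++ exit signal
    return "S" + r[0][2][1:] + "S" + r[-1][2][1:]

def route_parts(r):                           # ROUTE_PARTS: VER_LIST (BUTLAST (TL r))
    inner = r[1:-1]
    return ([inner[0][0]] + [e[1] for e in inner]) if inner else []

def tcircuits(r):                             # rule 1
    return [CIRCUIT[p] for p in route_parts(r)]

def norm_points(r):                           # rule 2, as NORM_POINTS_DEF
    return [a for a, b, _ in r[:-1] if a in POINTS and POINTS[a][1] == b]

def rev_points(r):                            # rule 2, as REV_POINTS_DEF
    return [a for a, b, _ in r[:-1] if a in POINTS and POINTS[a][2] == b]

def points_required(r):
    """Beyond NORM/REV_DEF: a trailing move into a point from a leg also
    needs the point set and locked for that leg."""
    req = {}
    for a, b, _ in r[:-1]:                    # ROUTE_EDGES
        for pt, leg in ((a, b), (b, a)):
            if pt in POINTS and leg in POINTS[pt][1:]:
                req[pt] = "NORMAL" if leg == POINTS[pt][1] else "REVERSE"
    return req

def exit_sig(r):                              # rule 3
    return ["S" + r[-1][2][1:]] if is_signal(r[-1][2]) else []

def conflict_routes(rlst, r):                 # CONFLICT_ROUTES
    mine = set(route_parts(r))
    return [h for h in rlst if h != r and mine & set(route_parts(h))]

def entry_signals(r, rlst):                   # rule 4
    return ["S" + h[0][2][1:] for h in conflict_routes(rlst, r)]

def cr_take(parts, p):                        # CR_TAKE
    return parts[:parts.index(p)] if p in parts else parts

def cr_tcircuits(r, rlst):                    # rule 5: CR_PTS over CR_PRS
    pll = [route_parts(h) for h in rlst]
    plst = [q for p in route_parts(r) if p in POINTS
            for pl in pll if p in pl for q in cr_take(pl, p)]
    return [CIRCUIT[q] for q in plst]

def control_table(rlst):
    """One row per route; column numbers refer to the thesis's Table 3.2."""
    return {route_name(r): {
        "tcircuits": sorted(set(tcircuits(r) + cr_tcircuits(r, rlst))),  # 2
        "normal": norm_points(r), "reverse": rev_points(r),              # 4, 5
        "points": points_required(r),
        "exit_sig": exit_sig(r),                                         # 6
        "conflict_entry_signals": sorted(set(entry_signals(r, rlst))),   # 7
    } for r in rlst}
```

With the ROUTE_TAIL check the search finds eight routes; without it four more appear, each of which runs from one leg of a point to the other. For the route S102S106, which enters P12 trailing from its normal leg, NORM_POINTS as defined above yields nothing, while points_required records P12 NORMAL, and rule 5 demands C3 clear because the routes from S101 reach P12 through T3.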
However, it is still possible to verify the contents of the control tables generated by such automated procedures to demonstrate the correctness of the data. This can be carried out by proving theorems asserting the validity of the data in the control table. This process of theorem proving can be automated in a similar way to the network verifier described in Chapter 7.

# Chapter 9: Interlockings and state machines

This chapter describes the dynamic states of track networks and a method of modelling interlockings using deterministic finite state machines.

## 9.1 States of a network

Recall from Chapter 5 that the type :Tcir representing track circuits, the type :Point representing points and the type :Signal representing compound signals contain functions returning the states of the components. The network model of a track layout has these state functions embedded in it; thus it is a dynamic representation. At any given time t, the state of a network N, denoted by S(N,t), is completely determined by the states of its constituent components, i.e., the values returned by their state functions. For example, the state of the network shown in Figure 6.4 is determined by the states of its six track circuits, six signals and two points.

For any given network N, there are three sets of state functions, denoted by tc(N), the set of track circuit state functions, pnt(N), the set of point state functions, and sig(N), the set of signal state functions. The set tc(N) can be written as the expression (9.1), which represents the image set obtained by applying the compound function (TC_SFUNC o PART_CIRCUIT) to the elements of the vertex set. This function lifts the track circuit state function from each part. Each element of tc(N) is a state function $f_{tc_i}$ of the track circuit i. The type of the function is :num -> Tstate. Then, the state of the network at time t can be obtained by applying these functions to t.
However, the results cannot be represented in sets. For example, suppose a network N contains three track circuits, i.e., $tc(N) = \{f_{tc_1}, f_{tc_2}, f_{tc_3}\}$, and that, at time t, the track circuit $tc_1$ is occupied and the others are clear. If the results of applying the $f_{tc_i}$ to t are stored in a set, it will be {occupied, clear}. This does not uniquely represent the state of the network. Therefore, a list has to be used. The state of the network N at t will be the list [occupied; clear; clear].

An abbreviated type :NetworkState is defined to represent the state of a network. It is a compound of the states of the three kinds of dynamic components:

:(Tstate)list # (PointState)list # (SignalState)list

where the type :PointState is an abbreviation for the pair consisting of the position and the locking state of a point, and the type :SignalState represents the state of a compound signal. Their definitions are listed in Table 9.1. The image set of a function f on a set s, i.e., the expression IMAGE f s, is equal to the set $\{f\,x \mid x \in s\}$.

| Abbreviation | Definition |
|---|---|
| :NetworkState | :(Tstate)list # (PointState)list # (SignalState)list |
| :PointState | :Ppos # Ploc |
| :PointStateFunc | :(num -> Ppos) # (num -> Ploc) |
| :SignalState | :(Maspect # bool # Subaspect) + Shaspect |
| :SignalStateFunc | :(num -> Maspect) # (num -> bool) # (num -> Subaspect) + (num -> Shaspect) |

Table 9.1: Abbreviated types for states and state functions.

State functions. Functions can be defined to lift the state functions from the respective components using expressions similar to 9.1. Three such functions are defined for obtaining the lists of state functions of the three kinds of components. They are TC_STATE_FUNCS, PNT_STATE_FUNCS and SIG_STATE_FUNCS, and their definitions are listed below.
HOL Definition 96 (TC_STATE_FUNCS_DEF)

```
"TC_STATE_FUNCS (N:Network) =
   SET_LIST (IMAGE (TC_SFUNC o PART_CIRCUIT) (VS N))"
```

HOL Definition 97 (PNT_STATE_FUNCS_DEF)

```
"PNT_STATE_FUNCS (N:Network) =
   let plst = SET_LIST (IMAGE PART_POINT (VS N)) in
   (MAP (\p. (PNT_POS p, PNT_LOC p)) plst)"
```

HOL Definition 98 (SIG_STATE_FUNCS_DEF)

```
"SIG_STATE_FUNCS (N:Network) =
   let siglst = SET_LIST (IMAGE (ELBL_SIGNAL o elb) (ES N)) in
   (MAP SIG_SFUNC siglst)"
```

In the definition PNT_STATE_FUNCS_DEF, the local value plst is a list of points. The lambda expression (\p. (PNT_POS p, PNT_LOC p)) is an anonymous function. When applied to a point, it extracts the position and locking state functions. Similarly, in the definition SIG_STATE_FUNCS_DEF, the local value siglst is a list of signals. The function SIG_SFUNC returns the state function of a signal. In all three functions, the polymorphic function SET_LIST is used to convert a set to a list. This set-to-list conversion function is characterized by the following theorem:

HOL Theorem 65 (SET_LIST_THM)

$$\vdash \forall s.\ \text{FINITE}\ s \supset (\forall x.\ (x \text{ IN } s = \text{ELEM}\ (\text{SET\_LIST}\ s)\ x) \land (\text{CARD}\ s = \text{LENGTH}\ (\text{SET\_LIST}\ s)))$$

This theorem asserts that the function SET_LIST delivers a list containing all elements of a finite set, and that the length of this list is equal to the cardinality of the set. The use of such a conversion function on networks is justified because all networks are finite.

Instantaneous state. Combining the above functions, a function delivering the instantaneous state of a network can be defined.

HOL Definition 99 (NETWORK_STATE_DEF)

```
"NETWORK_STATE (N:Network) t =
   let cflst = TC_STATE_FUNCS N in
   let pflst = PNT_STATE_FUNCS N in
   let sflst = SIG_STATE_FUNCS N in
   ((APPLY (\f t. f t) cflst t),
    (APPLY (\(fp,fl) t. (fp t, fl t)) pflst t),
    (APPLY APPLY_SIG_FUNC sflst t))"
```

Thus, the state of a network N at a given time t is specified by the expression NETWORK_STATE N t.
The function APPLY used in NETWORK_STATE requires some explanation. Its definition is as below.

HOL Definition 100 (APPLY_DEF)

```
"(APPLY f [] x = ([]:(**)list)) /\
 (APPLY (f:*** -> (* -> **)) (CONS hd tl) (x:*) = CONS (f hd x) (APPLY f tl x))"
```

The purpose of this function is to provide a uniform conversion function for converting the dynamic structure, the structure of time-varying functions, to the static structure representing the instantaneous state. The second argument of APPLY is a list of dynamic structures $[g_1; \ldots; g_n]$. For different kinds of components, their structures of state functions are different. The structure for track circuits is just a simple state function, i.e., each $g_i$ is a track circuit state function. The structure for points is a pair, i.e., $g_i = (f_{pos_i}, f_{loc_i})$. The structure for signals is rather complicated, and the details can be found in the ML source listed in Appendix F. The last argument x of APPLY is the common argument to be supplied to the state functions in the structures. The first argument f is a higher-order function which applies the state functions in the structure $g_i$ to x. This functional takes care of the difference in the structures. By using appropriate functionals with APPLY, as seen in NETWORK_STATE_DEF, the conversion from the dynamic structures of state functions to the static structures of instantaneous state can be written concisely and uniformly.
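As an added illustration (Python, not the thesis's HOL source), the following models the state-function structures and the APPLY functional of this section, computes NETWORK_STATE for a passing loop, and also derives the dynamic connectivity D(N,t) that the rest of Section 9.1 defines, by removing the edges that a point's current position makes impassable. The layout, its naming and the constant state functions are constructed for the example and are not taken from Figure 6.4; the point positions "normal", "reverse" and "moving" and the use of None for an arbitrary value are assumptions of the example.

```python
# Added example (Python), not the thesis's HOL source.  Models the state
# functions of Section 9.1, the APPLY functional, NETWORK_STATE and D(N,t).
# The passing-loop layout and its state are constructed for illustration.
from typing import Callable, Dict, FrozenSet, Set, Tuple

TCStateFn = Callable[[int], str]                                  # num -> Tstate
PointStateFn = Tuple[Callable[[int], str], Callable[[int], str]]  # (num -> Ppos) # (num -> Ploc)
SignalStateFn = Callable[[int], Tuple[str, object, object]]       # num -> (Maspect, bool, Subaspect)


def set_list(s) -> list:
    """SET_LIST: a finite set as a list.  The list is needed because equal
    values (two clear circuits) must both be kept; a fixed order (by name)
    makes the i-th entry always refer to the same component."""
    return sorted(s)


def apply(f, structs, x):
    """APPLY f [g1; ...; gn] x = [f g1 x; ...; f gn x].  The functional f knows
    the shape of g (a bare function, a pair, ...); APPLY is the same for all."""
    return [f(g, x) for g in structs]


class Network:
    def __init__(self, tcircuits: Dict[str, TCStateFn], points: Dict[str, PointStateFn],
                 signals: Dict[str, SignalStateFn], edges, point_succ: Dict[str, Tuple[str, str]]):
        self.tcircuits, self.points, self.signals = tcircuits, points, signals
        self.edges: FrozenSet[Tuple[str, str]] = frozenset(edges)  # directed edges between parts
        self.point_succ = point_succ  # point part -> (NORMAL successor, REVERSE successor)


def network_state(n: Network, t: int):
    """NETWORK_STATE N t: (track circuit states, point states, signal states)."""
    cflst = [n.tcircuits[c] for c in set_list(n.tcircuits)]
    pflst = [n.points[p] for p in set_list(n.points)]
    sflst = [n.signals[s] for s in set_list(n.signals)]
    return (apply(lambda f, x: f(x), cflst, t),
            apply(lambda g, x: (g[0](x), g[1](x)), pflst, t),  # (f_pos, f_loc) pair
            apply(lambda f, x: f(x), sflst, t))


def dnetwork(n: Network, t: int) -> FrozenSet[Tuple[str, str]]:
    """D(N,t): the edges of N minus every edge between a point part and the
    successor its current position cuts off (NORMAL cuts the reverse branch,
    REVERSE cuts the normal branch; a point still moving cuts both)."""
    def cut(point: str, other: str) -> bool:
        normal_succ, reverse_succ = n.point_succ[point]
        pos = n.points[point][0](t)
        keep = ((pos == "normal" and other != reverse_succ)
                or (pos == "reverse" and other != normal_succ))
        return other in (normal_succ, reverse_succ) and not keep

    return frozenset((a, b) for a, b in n.edges
                     if not (a in n.point_succ and cut(a, b))
                     and not (b in n.point_succ and cut(b, a)))


def reachable(edges, start: str) -> Set[str]:
    """Parts reachable from `start` by movements along the given edges."""
    seen, todo = {start}, [start]
    while todo:
        v = todo.pop()
        for a, b in edges:
            if a == v and b not in seen:
                seen.add(b)
                todo.append(b)
    return seen


def const(v):
    return lambda t: v


def passing_loop(n12_pos: str = "reverse") -> Network:
    """Constructed layout C5-C1-N11-(C2 main | C3 loop)-N12-C4-C6, traversable
    in both directions.  State (the same at every t, for simplicity): all
    circuits clear, N11 NORMAL, N12 as given, both free to move, S100/S101 OFF
    (green), the other signals ON (red); ARB values are represented by None."""
    tcs = {c: const("clear") for c in ("C1", "C2", "C3", "C4", "C5", "C6")}
    pts = {"N11": (const("normal"), const("free_move")),
           "N12": (const(n12_pos), const("free_move"))}
    sigs = {s: const(("green" if s in ("S100", "S101") else "red", None, None))
            for s in ("S100", "S101", "S102", "S103", "S104", "S105")}
    links = [("C5", "C1"), ("C1", "N11"), ("N11", "C2"), ("N11", "C3"),
             ("C2", "N12"), ("C3", "N12"), ("N12", "C4"), ("C4", "C6")]
    return Network(tcs, pts, sigs, links + [(b, a) for a, b in links],
                   {"N11": ("C2", "C3"), "N12": ("C2", "C3")})


if __name__ == "__main__":
    net = passing_loop()
    print(network_state(net, 0))
    print(sorted(reachable(dnetwork(net, 0), "C1")))  # C4 unreachable: N11 and N12 disagree
```

With N11 NORMAL and N12 REVERSE the two ends of the constructed loop are cut off from each other, which is the kind of D(N,t) that is a subgraph of N but no longer a network; setting N12 NORMAL restores the through path.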
**Example** Using the naming convention described in Chapter 7, the passing loop network shown in Figure 6.4 has the following state function structure lists:

```
([C1; C2; C3; C4; C5; C6], [N11; N12], [S100; S101; S102; S103; S104; S105])
```

Suppose that, at time t, this network is in a state in which:

- all the track circuits are clear, i.e., $C_i\,t = clear$ for all i;
- the point N11 is at its NORMAL position while N12 is at REVERSE and both are free to move, i.e., $(f_{pos_{N11}}\,t, f_{loc_{N11}}\,t) = (normal, free\_move)$ and $(f_{pos_{N12}}\,t, f_{loc_{N12}}\,t) = (reverse, free\_move)$;
- the entry signals to the network, namely S100 and S101, are OFF but all other signals are ON, i.e., $S_i\,t = (green, ARB, ARB)$ for i = 100 or 101 and $S_i\,t = (red, ARB, ARB)$ for the other signals,<sup>2</sup>

where ARB indicates an arbitrary value of an appropriate type. Then, the state of the network is the triple below:

```
([clear; clear; clear; clear; clear; clear],
 [(normal, free_move); (reverse, free_move)],
 [(green, ARB, ARB); (green, ARB, ARB); (red, ARB, ARB); (red, ARB, ARB); (red, ARB, ARB); (red, ARB, ARB)])
```

<sup>2</sup> Unlike the points, the structure of signal state functions has not been shown explicitly due to its complexity. The expression $S_i\,t$ is used to indicate that t is supplied as a common argument to the state functions in the structure $S_i$.

**Dynamic network** The topology of a network N at a given time t is based on the position of the points, i.e., the values returned by the list of point position functions. If a point p is at its NORMAL position, the reverse edges, which connect the part containing p to its reverse successor, are effectively disconnected, because no movement along these edges can be made. Thus, the dynamic connectivity of a network, D(N,t), is the graph obtained by deleting all the edges which represent movements to or from a point that are impossible at time t. The specification of D(N,t) in HOL is the function DNETWORK.
HOL Definition 101 (DNETWORK_DEF)

```
"DNETWORK (N:Network) t =
   (VS N),
   {e | (e IN (ES N)) /\
        ((IS_PPART (N, src e)) =>
           (((PNT_NORMAL (PART_POINT (N, src e)) t) /\
             ~(PART_ID (N, des e) = PART_PNT_REVERSE (N, src e))) \/
            ((PNT_REVERSE (PART_POINT (N, src e)) t) /\
             ~(PART_ID (N, des e) = PART_PNT_NORMAL (N, src e)))) | T) /\
        ((IS_PPART (N, des e)) =>
           (((PNT_NORMAL (PART_POINT (N, des e)) t) /\
             ~(PART_ID (N, src e) = PART_PNT_REVERSE (N, des e))) \/
            ((PNT_REVERSE (PART_POINT (N, des e)) t) /\
             ~(PART_ID (N, src e) = PART_PNT_NORMAL (N, des e)))) | T)}"
```

The D(N,t) of the passing loop network at the time t described above is as shown in Figure 9.1. Obviously, D(N,t) is a subgraph of the underlying network N, but it may not itself be a network.

Figure 9.1: A graph representing the passing loop at t.

#### 9.2 Proving routes

One typical task of an interlocking is to set up, or prove, a route. A route is proved if the required functions, as specified in the control table, are all satisfied. Recall from Chapter 8 that these required functions are specified by a set of functions which correspond to the safety rules. These functions are: TCIRCUITS for the required track circuits, NORM_POINTS for the points required NORMAL, REV_POINTS for the points required REVERSE, EXIT_SIGNAL for the exit signal, ENTRY_SIGNALS for the entry signals of the conflicting routes, and CR_TCIRCUITS for the track circuits along the conflicting routes. The specification for a route being proved will be a predicate asserting that the components returned by the above functions are in the required states. The HOL function ROUTE_PROVED is defined for this purpose.

#### HOL Definition 102 (ROUTE_PROVED_DEF)

```
"ROUTE_PROVED rl r t =
   let rlst = CONFLICT_ROUTES rl r in
   ((EVERY (\c. TC_CLEAR c t) (TCIRCUITS r)) /\
    (EVERY (\p. PNT_NORMAL p t) (NORM_POINTS r)) /\
    (EVERY (\p. PNT_REVERSE p t) (REV_POINTS r)) /\
    (EVERY (\s. ~(SIGNAL_FAULT s t)) (EXIT_SIGNAL r)) /\
    (EVERY (\s. ON s t) (ENTRY_SIGNALS r rlst)) /\
    (EVERY (\c. TC_CLEAR c t) (CR_TCIRCUITS r rlst)))"
```

In the above definition, the first argument rl is the list of all routes in the network. It is required to work out the conflicting routes. EVERY is a pre-defined constant in HOL. The expression $\mathsf{EVERY}\ P\ [x_1; \ldots; x_n]$ evaluates to T if and only if $P\,x_i$ is true for all $1 \le i \le n$.

The action of setting up a route is usually initiated by the signalman, or by another system, such as the ARS system mentioned in Section 3.3.3, sending a request to the interlocking. The interlocking then checks the states of the required functions, and if any required points are not in the right position or if the required signals do not display the correct aspects, it attempts to change their positions or aspects to the required states. If this succeeds the route is proved, and the predicate ROUTE_PROVED returns true. This procedure of route setting can be modelled as a state machine, which is discussed in the next section.

#### 9.3 Interlockings

Based on the discussion in the previous two sections, interlocking systems can be modelled by a finite deterministic automaton or finite state machine. The formalization of state machines in HOL is described first, then a method of using this formal theory in the modelling of interlockings is described.

#### 9.3.1 State machine theories

Theories of deterministic and non-deterministic finite state machines in HOL have been developed by Loewenstein [47][46]. In his theory LSA, a labelled state automaton is represented by the predicates LSA or PLSA.

HOL Definition 103 (LSA)

```
"LSA (Q,N) e = (?s. Q(e 0, s 0) /\ (!t. N(e t, s t)(e(SUC t), s(SUC t))))"
```

In the definition of LSA, Q is a predicate asserting a set of possible initial states, N is a predicate asserting the set of possible next states, and e is the external signals, including all the inputs and outputs. LSA specifies that there exists a state function s such that s(0) is an initial state and, for any time t, the state transition from s(t) to s(t+1) satisfies the next state relation. The definition of PLSA is similar except that a predicate P asserting some properties of the machine is explicitly stated, as an additional conjunct (!t. P(e t, s t)). This theory can be used in reasoning about properties of a given machine based on the theorem LSA_eq_PLSA.

HOL Theorem 66 (LSA_eq_PLSA)

$$(\forall e\, s.\ Q(e,s) \supset P(e,s)) \land (\forall e\, s\, e'\, s'.\ N(e,s)(e',s') \land P(e,s) \supset P(e',s')) \supset (\forall e.\ \mathsf{LSA}(Q,N)\,e = \mathsf{PLSA}(Q,P,N)\,e)$$

This theorem states that, if the machine has property P in its initial states, and if the machine having property P in a state s implies that the property also holds in the next state s', then the machine has the property P at all times. This theory can also be used in verifying the implementation of a machine by virtue of the theorem LSA_imp_LSA.

#### HOL Theorem 67 (LSA_imp_LSA)

$$\begin{split} & \forall Q_1 \, Q_2 \, N_1 \, N_2. \\ & (\exists R. \, (\forall e \, s_1. \, Q_1 \, (e, \, s_1) \, \supset \, (\exists s_2. \, Q_2 \, (e, \, s_2) \, \land \, R \, e \, s_1 \, s_2)) \, \land \\ & (\forall e \, e' \, s_1 \, s'_1 \, s_2. \, R \, e \, s_1 \, s_2 \, \land \, N_1 \, (e, \, s_1) \, (e', \, s'_1) \, \supset \\ & (\exists s'_2. \, R \, e' \, s'_1 \, s'_2 \, \land \, N_2 \, (e, \, s_2) \, (e', \, s'_2)))) \, \supset \\ & (\forall e. \, \mathsf{LSA} \, (Q_1, \, N_1) \, e \, \supset \, \mathsf{LSA} \, (Q_2, \, N_2) \, e) \end{split}$$

This states that, if there exists a relation R between the states of the machine specified by $(Q_1, N_1)$ and the machine specified by $(Q_2, N_2)$ such that every initial state of the first is related to an initial state of the second, and every transition of the first from a related state can be matched by a transition of the second to a related state, then every behaviour of the first machine is also a behaviour of the second, i.e., the machine $(Q_1, N_1)$ implements $(Q_2, N_2)$. Note that the implication is one-way: an implementation may exhibit fewer behaviours than its specification, but never more.
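As an added example (Python, not from the thesis or from Loewenstein's HOL theory), the two premises of LSA_eq_PLSA (P holds in the initial states, and every N-transition preserves P) and the simulation relation R required by LSA_imp_LSA can be checked exhaustively on finite machines. The crossing controller, its abstract specification, the safety property and the relation R below are constructed for the example; they are not the machine of the pilot study cited in the next paragraph.

```python
# Added example (Python), not from the thesis or from Loewenstein's HOL theory.
# The two premises of LSA_eq_PLSA and the simulation relation of LSA_imp_LSA,
# checked exhaustively on small finite machines.  The crossing controller, its
# abstract specification, the property and R are constructed for the example.
from itertools import product


def lsa_eq_plsa_premises(Q, N, P, E, S):
    """(base, step): base = every initial (e, s) satisfies P; step = whenever
    P(e, s) and N(e, s)(e', s'), also P(e', s').  Both true means LSA(Q,N)
    and PLSA(Q,P,N) agree, i.e. P is an invariant of the machine."""
    base = all(P(e, s) for e, s in product(E, S) if Q(e, s))
    step = all(P(e2, s2) for e, s, e2, s2 in product(E, S, E, S)
               if P(e, s) and N(e, s, e2, s2))
    return base, step


def lsa_imp_lsa(Q1, N1, Q2, N2, R, E, S1, S2):
    """Premises of LSA_imp_LSA: every initial state of machine 1 is R-related
    to an initial state of machine 2, and every N1 step from related states is
    matched by an N2 step (same external signals) to related states."""
    init_ok = all(any(Q2(e, s2) and R(e, s1, s2) for s2 in S2)
                  for e, s1 in product(E, S1) if Q1(e, s1))
    step_ok = all(any(R(e2, t1, t2) and N2(e, s2, e2, t2) for t2 in S2)
                  for e, e2, s1, t1, s2 in product(E, E, S1, S1, S2)
                  if R(e, s1, s2) and N1(e, s1, e2, t1))
    return init_ok and step_ok


# External signal: the request seen by the crossing controller.
E = ("idle", "train_due", "train_passed")
# Implementation states: (barrier, rail signal).  ("up", "off") is the unsafe one.
S1 = (("up", "on"), ("down", "on"), ("down", "off"), ("up", "off"))
S2 = ("road", "rail")  # abstract specification states


def P_SAFE(e, s):
    """Never both road traffic (barrier up) and rail traffic (signal OFF)."""
    barrier, signal = s
    return not (barrier == "up" and signal == "off")


def Q1(e, s):
    return s == ("up", "on")


def Q2(e, s):
    return s == "road"


def step1(e, s):
    """Controller: lower the barrier before clearing the rail signal, and put
    the signal back to ON before raising the barrier."""
    table = {(("up", "on"), "train_due"): ("down", "on"),
             (("down", "on"), "train_due"): ("down", "off"),
             (("down", "off"), "train_passed"): ("down", "on"),
             (("down", "on"), "train_passed"): ("up", "on")}
    return table.get((s, e), s)


def step1_bad(e, s):
    """Faulty controller: raises the barrier while the signal is still OFF."""
    if (s, e) == (("down", "off"), "train_passed"):
        return ("up", "off")
    if s == ("up", "off"):
        return ("up", "on")
    return step1(e, s)


def N1(e, s, e2, s2):
    return s2 == step1(e, s)


def N1_BAD(e, s, e2, s2):
    return s2 == step1_bad(e, s)


def N2(e, s, e2, s2):
    """Specification: road or rail may be open, never both; stuttering allowed."""
    return s2 == s or (s, e, s2) in {("road", "train_due", "rail"),
                                     ("rail", "train_passed", "road")}


def R(e, s1, s2):
    """Simulation relation: the abstract state each concrete state refines."""
    return s2 == {("up", "on"): "road", ("down", "on"): "road",
                  ("down", "off"): "rail"}.get(s1)


if __name__ == "__main__":
    print(lsa_eq_plsa_premises(Q1, N1, P_SAFE, E, S1))      # (True, True)
    print(lsa_eq_plsa_premises(Q1, N1_BAD, P_SAFE, E, S1))  # (True, False)
    print(lsa_imp_lsa(Q1, N1, Q2, N2, R, E, S1, S2))        # True
```

The faulty controller fails the induction step of LSA_eq_PLSA because one transition leaves the set of states satisfying P, and it fails LSA_imp_LSA because its unsafe state is related by R to no state of the specification. The brute-force quantification over E, S, E, S is exactly the shape of the theorem's premises; for real state spaces this would be discharged by proof rather than enumeration.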
A pilot study of using this theory in the modelling of a level crossing protection system has been carried out [26]. In this study, the control system of the barrier and signals was specified as an LSA machine with initial state predicate INIT and next state function NEXT. The major safety property of this machine was specified as: railway traffic and road traffic are never both allowed to proceed at the same time. A theorem stating that the crossing control machine has this safety property was derived. Some details of the definitions and theorems mentioned are listed in Appendix E.

Figure 9.2: An interlocking state machine.

#### 9.3.2 Interlocking as state machine

Using the theory described above, an interlocking can be modelled by a deterministic finite state machine LSA. Shown in Figure 9.2 is a generic interlocking state machine consisting of two input streams, $I_{req}$ and $I_{sen}$, a list of outputs, $O_{act}$, and a list of states, $S_{inter}$. The input stream $I_{req}$ feeds requests to the interlocking to perform some actions, such as setting up a route. Suppose that the only possible requests are to set up or to clear a route. A request can then be represented by a pair (action, route), where action is either set or clear and route is the name of the route, e.g., S100S102. The input stream $I_{sen}$ consists of the inputs from all the sensors of network components, such as track circuits and signal proving circuits. These reflect the current state of the network as described in Section 9.1. The outputs in $O_{act}$ drive the actuators, such as point machines and signals. The LSA machine combines all the external signals into a single argument e. For the generic interlocking machine, e would be a triple $(O_{act}, I_{req}, I_{sen})$. The state $S_{inter}$ is the current internal state of the interlocking.
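As an added example (Python, not the thesis's HOL specification), the generic interlocking machine that the rest of this section specifies in HOL is given here as a runnable model: the internal state is (phase, routeset), the request on $I_{req}$ drives the transitions, and the route-proving step checks the request against the routes already set. The finite model is then explored exhaustively to check that no two conflicting routes are ever set at the same time, and the same check is run against a deliberately wrong prover that ignores the routes already set. The route names, the track circuits each route requires, and the behaviour after a failed proof are constructed assumptions, not the thesis's control tables; sensor inputs and point movement are abstracted away.

```python
# Added example (Python), not the thesis's HOL specification.  A runnable
# version of the generic interlocking machine of Section 9.3.2 (phases init,
# all_clear, proving, clearing, route_set plus the set of routes set), checked
# exhaustively for the property that two conflicting routes are never set at
# the same time.  Routes, their required track circuits and the behaviour on a
# failed proof are constructed assumptions, not the thesis's control tables.
from collections import deque

# Constructed control-table fragment: route -> track circuits required CLEAR.
ROUTES = {
    "S100S102": {"C1", "C2", "C4"},
    "S100S103": {"C1", "C3", "C4"},
    "S101S105": {"C6", "C4", "C2"},
    "S102S104": {"C2"},  # conflicts with S100S102 and S101S105 only
}


def conflict_routes(routes, r):
    """CONFLICT_ROUTES: the routes other than r that share a track circuit with r."""
    return {q for q in routes if q != r and routes[q] & routes[r]}


def prove_route(routeset, r):
    """PROVE_ROUTE in the context of routeset: r is proved only if no route
    already set conflicts with it.  (The track circuit, point and signal
    conjuncts of ROUTE_PROVED are abstracted away; sensors are not modelled.)"""
    return not (conflict_routes(ROUTES, r) & routeset)


def prove_route_no_context(routeset, r):
    """Deliberately wrong variant that ignores the routes already set."""
    return True


INIT = ("init", frozenset())  # INIT: initial internal state, no routes set


def requests():
    """Possible values on I_req at a step: nothing, or (action, route)."""
    yield None
    for r in ROUTES:
        yield ("set", r)
        yield ("clear", r)


def next_state(state, request, prove=prove_route):
    """NEXT: one transition of the machine for the current request."""
    phase, routeset = state
    action, route = request if request else (None, None)
    idle = "all_clear" if not routeset else "route_set"
    if phase in ("init", "all_clear", "route_set"):
        if action == "set":
            return ("proving", routeset)
        if action == "clear" and route in routeset:
            return ("clearing", routeset)
        return (phase, routeset)  # state' = state
    if phase == "proving":  # the request is still on I_req in this step
        if action == "set" and prove(routeset, route):
            return ("route_set", routeset | {route})
        return (idle, routeset)  # assumption: a failed proof changes nothing
    if phase == "clearing":
        rest = routeset - {route}
        return ("all_clear" if not rest else "route_set", rest)
    raise ValueError(phase)


def no_conflicting_routes(state):
    """NO_CONFLICTING_ROUTES: no two routes in routeset conflict."""
    _, routeset = state
    return all(not (conflict_routes(ROUTES, r) & routeset) for r in routeset)


def reachable_states(prove=prove_route):
    """All states reachable from INIT under every sequence of requests."""
    seen, todo = {INIT}, deque([INIT])
    while todo:
        s = todo.popleft()
        for req in requests():
            n = next_state(s, req, prove)
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


def safety_holds(prove=prove_route):
    """The goal of this section on the finite model: P at INIT and after every
    reachable transition, i.e. P on every reachable state."""
    return all(no_conflicting_routes(s) for s in reachable_states(prove))


if __name__ == "__main__":
    print(safety_holds(prove_route))             # True
    print(safety_holds(prove_route_no_context))  # False
```

Because the conflict check and the extension of routeset happen in the same transition, there is no window in which a second request can be proved against a stale routeset; the variant that checks a route in isolation reaches a state with two conflicting routes set, which is what the context argument to PROVE_ROUTE prevents.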
The generic interlocking state machine may have the following internal states:

- init is the initial state, in which no routes have been set up, all track circuits are CLEAR, all points are at their NORMAL position and all signals are ON;
- all_clear is the state in which no routes have been set up;
- proving is the state in which the interlocking performs the tasks of proving a route;
- clearing is the state in which the interlocking performs the tasks of clearing a route;
- route_set is the state in which at least one route has been set up.

As part of the internal state, a set routeset containing all the routes which have been set up should be included in $S_{inter}$. Clearly, in the state all_clear, routeset must be empty. Thus, the state function s in the LSA machine should return a pair (state, routeset). The state transition diagram for this generic interlocking machine is shown in Figure 9.3. Based on this state transition diagram and the above discussion, the initial state predicate can be expressed in HOL as the definition INIT_DEF.

#### HOL Definition 105 (INIT_DEF)

```
"INIT ((O_act, I_req, I_sen), S) =
   (S = (init, {})) /\
   (EVERY (\t. t = clear) (FST I_sen)) /\
   (EVERY (\(p1,p2). p1 = normal) (FST (SND I_sen))) /\
   (EVERY SIG_IS_ON (SND (SND I_sen)))"
```

Similarly, the next state function can be specified as the function NEXT shown below:

```
"NEXT ((O_act, I_req, I_sen), (state, routeset))
      ((O_act', I_req', I_sen'), (state', routeset')) =
   (((state = init) \/ (state = all_clear)) =>
       (((FST I_req) = set) => (state' = proving) | (state' = state)) |
    (state = proving) =>
       ((PROVE_ROUTE routeset (SND I_req)) /\ (state' = route_set) /\
```

Figure 9.3: A state transition diagram of the generic interlocking machine.

In this definition, the functions PROVE_ROUTE and CLEAR_ROUTE are called to perform the tasks of proving and clearing a route. Their specifications depend on:

1. the topology of the network, i.e., how complex the network is, how many routes there are and so on;
2.
the safety rules, i.e., what the required functions for each route are;
3. the control algorithms, i.e., what the possible requests are and how to achieve them.

PROVE_ROUTE can use the predicate ROUTE_PROVED described in Section 9.2 and the functions for working out the required track components described in Chapter 8 to check the conditions for setting up routes. The actions taken to prove a route will be to move and lock the points at the required positions, to mark all the track circuits as booked to prevent them from being included in a conflicting route, and to instruct the signals to display the correct aspects. Note that PROVE_ROUTE proves a route in the context of routeset, which is passed as an argument, so that a route cannot be proved if it is in conflict with any one of the routes already set up. Checking a route in isolation would not be sufficient: the conflict check must see the routes that are already set at the moment the decision is made.

Now, properties of the generic interlocking machine can be derived using the method described in Section 9.3.1, i.e., by defining predicates expressing the required properties and proving theorems asserting the equivalence of the LSA and PLSA machines. The most important properties of an interlocking are safety and liveness. One of the desired safety properties that any interlocking should possess is that no conflicting routes can be set up at any time. This statement can be expressed in HOL as

```
!N r1 r2. (ROUTE N r1) /\ (ROUTE N r2) /\ ~(r1 = r2) /\ (CONFLICTING_ROUTE N r1 r2) ==>
   !t. ~((PROVED_ROUTE N r1 t) /\ (PROVED_ROUTE N r2 t))
```

A predicate NO_CONFLICTING_ROUTES can be defined to express this property. To show that the generic interlocking machine has this property, the following goal can be set up:

```
!e. LSA(INIT, NEXT) e = PLSA(INIT, NO_CONFLICTING_ROUTES, NEXT) e
```

Induction can be used to solve this goal. The induction principle for the deterministic state machine has been encoded in the theorem LSA_eq_PLSA. Modus ponens can be used with this theorem to solve the goal if the following two subgoals can be solved:

1. the base case;
2.
the induction step.

The base case is clearly true because no route is proved in the initial state. The induction step is also true because the route proving function called in NEXT checks the request against the routes already set and requires all the track circuits along the route to be CLEAR. Other desired properties can be deduced in the same way.

An implementation of this generic interlocking machine can then be specified, and verification can be carried out by proving theorems of the form

```
!e. LSA(INIT_IMP, NEXT_IMP) e ==> LSA(INIT, NEXT) e
```

where INIT_IMP and NEXT_IMP are the initial and next state functions of the implementation.

The method of modelling an interlocking using a state machine has been described. This generic interlocking state machine is only the top level. A large amount of research effort is still required to refine this model and to develop a practical implementation.

## Chapter 10

# Conclusions and future research

To conclude this dissertation, a general discussion of the creation of a generic abstract model, the applications of such a model, the suitability of HOL and issues in the method of the research is given in this chapter. Possible future research directions are indicated.

#### 10.1 A generic abstract model

The NETWORK theory is a generic abstract model of railway track networks based on well-founded mathematics. This model is abstract because it captures only the essential topological relations of the network components and disregards physical constraints and implementation technology. The model is primarily used for writing top-level specifications of interlocking systems and reasoning about their logical operations. The networks being modelled are assumed to satisfy all the physical constraints specified by the regulations of the railway authorities, for example that the distance between successive signals is not less than the service braking distance. Because of this abstraction, the theory is general enough to model the railway track networks of railway authorities with different standards.
Although the terminology, interpretations, regulations and implementations may vary between railway authorities, the basic principles of fixed block interlockings are essentially the same. These are:

- division of tracks into block sections;
- detection of trains by track circuits or other means;
- regulation of traffic by signal aspects.

All these principles are expressed and modelled in the theory. The sectioning of the track leads to track component parts and to the representation of parts by vertices of graphs. The notion of a train has not been modelled explicitly, but is represented by the occupied state of track circuits. The modelling of signals contains a fair amount of detail, but the importance of the ON and OFF aspects has been stressed.

The theory has been developed in a rigorous manner, i.e., using only definitional extensions without introducing new axioms. It is based on set theory and graph theory within the framework of the HOL logic, and is therefore consistent relative to that logic. To improve the readability of the theories, the names of the logical constants are generally quite long.

#### 10.2 Applications of the model

The safety record of the railway industry has been very good. This has been achieved by the rigorous regulations developed through decades of working experience. As more and more new technology is adopted by the industry, especially the use of microprocessors in controlling vital safety functions, it is very important to ensure that the high integrity and reliability of interlocking systems are maintained. Due to the complexity of the new technology, more rigorous methods should be employed in the analysis, development and implementation of signalling systems.

Three case studies of applying the NETWORK theory have been described in Part III. The first two are in the area of signalling scheme design. The model is used in CAD tools which help signalling engineers in designing interlocking systems.
This is certainly not the most critical part of an interlocking system. The reason for applying the network model in this area first is that the theory is new, and even the whole approach to signalling system design using formal methods is itself new. It would not be wise to apply it to the most critical functions, such as the hardware and software of the interlocking processors, before more experience has been gained. This does not mean that there is a lack of confidence in the abstract modelling of track networks; it is simply more cautious to introduce new technology into safety-critical systems gradually, so as to minimize the risk of introducing unsafe factors into the systems. Nevertheless, the generation and verification of formal specifications of railway track layouts, and the creation of control tables, are very important steps in the process of signalling scheme design. By using more rigorous methods, more mistakes can be discovered at an earlier stage, which leads to better designs and reduces costs.

Chapter 9 indicates a possible method of modelling, specifying and reasoning about the vital safety functions of interlocking systems using the dynamic state of the network model and finite state machines. There are still many difficult issues which need to be solved before practical systems can be implemented, so more research is required. The example interlocking state machine shown in that chapter may have been oversimplified because many important features have been ignored, such as approach locking. The actions for setting up and clearing routes have not been completely specified. These have to be solved in order to model and formally specify a real interlocking system.

Safety is the paramount requirement of any interlocking system. Ultimately, an interlocking system is safe if it never allows any traffic which may lead to a potential collision, even in the presence of equipment failure.
The goal shown in Section 9.3.2, stating that no conflicting routes can be proved at the same time, is only one of many properties a safe interlocking system should possess. Examples of propositions contributing to the total safety of an interlocking system include:

- a route cannot be set up until all required functions are satisfied;
- an approach locked point cannot be switched.

The ultimate goal of liveness of a railway network can be expressed as the ability to run the timetable. Some provable liveness statements are:

- there is a route from A to B for some specific A and B;
- there exists a time at which the required route from A to B can be set up.

When using a state machine to model the control loop of an interlocking, the eventual occurrence of the transition to the next state and the maximum time required for this transition to happen are two key properties contributing to the total safety and liveness of the system. Traditionally, the concept of liveness is not treated as explicitly or as importantly as safety. This is probably because there is always provision for overriding the system, such as giving a driver authority to pass a signal displaying the ON aspect in situations arising from faulty equipment. This prompts a theory of abnormal operations, i.e., a theory modelling the regulations and procedures for recovery from equipment failure.

The properties discussed in the previous paragraphs imply that a full temporal logic may be required in the modelling of interlockings. Furthermore, the generic interlocking state machine specified in Section 9.3.2 is only a top-level specification. To develop a practical interlocking system still requires a large amount of research effort to refine this top-level model down to more detailed levels before an implementation can be developed. The verifications between these levels have to be carried out to show that the implementation model possesses the same safety properties.
#### 10.3 The HOL system

The application of formal methods in the design of railway signalling systems is still a new subject. From the experience of the research carried out by the author, HOL has the following four major advantages: generality, conciseness, consistency and extensibility.

Generality is due to the underlying logic, which is a general higher-order mathematical logic. Although HOL was initially used for hardware verification, it has not been designed for any specific application, and its generality makes it well suited to many diverse application areas. It is certainly suitable for railway signalling applications. Because of its generality, one can deduce general properties for all networks.

Conciseness is due to the fact that the underlying logic is higher-order. This allows very compact expressions to be written. In addition, higher-order functions provide a very suitable way of modelling the time-varying states of the system and its components.

Consistency is guaranteed by the strongly typed meta-language and by the ways in which a theory can be extended. By using only definitional extensions to theories, no logical contradiction can be introduced (relative to the consistency of the HOL logic itself).

Extensibility provides a powerful means of adapting the system to different application areas. Since the user is able to add new libraries and new theories, a sub-system with an interface more convenient for the application at hand can be developed.

The HOL system is an integrated system for developing system specifications at various levels and for reasoning about and verifying them. However, there are some drawbacks. The learning curve is very steep, and using the theorem prover efficiently demands considerable skill. This hinders its use by practising engineers and designers, who are usually not familiar with formal logic and theorem proving.
This can be remedied by providing a better interface to the system, such as a windowing environment, and by providing more automatic tools for specific applications, such as the network verifier.

#### 10.4 Methodology issues

The approach of this research is to develop a general theory and then apply it to more specific problems. The advantage of this approach is that the general theory, namely the graph theory, provides a sound mathematical structure as a foundation on which more specific arguments can be based. Railway track networks are fairly complicated, and an abstract model of them must rely on some well-founded structure. They are intrinsically well suited to being represented by graphs. Adopting graphs as the structure of track networks allows many well-known algorithms on graphs to be used; particularly important are the algorithms for finding paths. Without a properly defined data structure, it would be very difficult to specify and model track networks and to derive their useful properties.

Graph theory has been applied to numerous practical problems in very diverse scientific and engineering fields. In addition to its use in railway signalling, the graph theory developed in HOL can provide a starting point for other applications. For example, in the transport industry, the problem of finding the most economical route for delivering goods and the problem of maximizing network capacity can be solved using graphs.

Verification by automatic theorem proving is a method developed in this research for verifying railway layout designs (described in Chapter 7). This approach to verification relies on the development of a generic abstract model and a proof strategy based on this model. Each specific design is then verified against this generic model, and specific instances of the general theorem are automatically deduced using the proof strategy. This approach can be used in other application areas as well.
The major advantages of this approach are that it automates the theorem proving process and that it provides an easy-to-use tool for practising engineers and designers. Since there is a misconception that formal methods are very difficult to use, the second point is very important in persuading industry to adopt them.

The research presented in this dissertation is a small step towards the application of formal methods in practical safety-critical system design. The author hopes that it will spark off more research effort in applying formal methods in system analysis and design in the signalling industry and in other industries which use safety-critical systems.

# Bibliography

- [1] Alfred V. Aho, John E. Hopcroft, and Jeffrey D. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley, 1974.
- [2] K. Akita, T. Watanabe, and H. Nakamura. Solid-state interlocking in railway signalling, SMILE. In Proceedings of the International Conference on Electric Railway Systems for a New Century, pages 294-298. IEE, September 1987.
- [3] P. B. Andrews. An Introduction to Mathematical Logic and Type Theory: To Truth through Proof. Computer Science and Applied Mathematics Series. Academic Press, 1986.
- [4] W. R. Bevier. Kit and the short stack. Journal of Automated Reasoning, 5(4), November 1989.
- [5] W. R. Bevier, W. A. Hunt, J. S. Moore, and W. D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4), November 1989.
- [6] D. Bjørner and Cliff B. Jones. Formal Specification and Software Development. Prentice-Hall International, 1982.
- [7] D. Bjørner, C. A. R. Hoare, and H. Langmaack, editors. VDM '90, VDM and Z: Formal Methods in Software Development. Lecture Notes in Computer Science, No. 428. Springer-Verlag, 1990.
- [8] Robert S. Boyer and J Strother Moore. A Computational Logic. Perspectives in Computing. Academic Press, Inc., San Diego, CA, U.S.A., 1979.
- [9] Robert S. Boyer and J Strother Moore. A Computational Logic Handbook. Perspectives in Computing. Academic Press, Inc., San Diego, CA, U.S.A., 1988.
- [10] Robert S. Boyer and J Strother Moore. A theorem prover for a computational logic. In M. E. Stickel, editor, Proceedings of the 10th International Conference on Automated Deduction, Lecture Notes in Artificial Intelligence, pages 1-15, Kaiserslautern, FRG, July 1990. Springer-Verlag.
- [11] B. A. Carré. SPADE State Code Analysis Manual. Program Validation Ltd., April 1985.
- [12] B. A. Carré and T. J. Jennings. SPARK: the SPADE Ada kernel. Technical report, University of Southampton, 1988.
- [13] K. Celinski. Microcomputer controllers introduce modern technology in fail-safe signalling. In Proceedings of the International Conference on Electric Railway Systems for a New Century, pages 310-314. IEE, September 1987.
- [14] A. Church. A formulation of the simple theory of types. Journal of Symbolic Logic, 5:56-68, 1940.
- [15] A. Cohn. A proof of correctness of the Viper microprocessor: the first level. Technical report, University of Cambridge Computer Laboratory, 1988.
- [16] A. Cohn. A proof of correctness of the Viper microprocessor: the second level. Technical report, University of Cambridge Computer Laboratory, 1990.
- [17] Computer Laboratory, University of Cambridge. The HOL System: Description, 1990.
- [18] Computer Laboratory, University of Cambridge. The HOL System: Tutorial, 1990.
- [19] D. Craigen and K. Summerskill, editors. Formal Methods for Trustworthy Computer Systems (FM89). Workshops in Computing. Springer-Verlag, 1990.
- [20] Alan Cribbens. The solid state interlocking. In Proceedings of the International Conference on Railway Safety, Control and Automation towards the 21st Century, pages 24-29, September 1984.
- [21] Alan Cribbens. Solid state interlocking (SSI): an integrated electronic signalling system for mainline railways. IEE Proceedings, Part B, 134:148-158, May 1987.
- [22] Alan H. Cribbens, M. J. Furniss, and H. A. Ryland. The solid state interlocking project. In Proceedings of the International Conference on Railways in the Electronic Age, pages 1-5, November 1981.
- [23] W. J. Cullyer. Implementing Safety Critical Systems: The VIPER Microprocessor, pages 1-26. Kluwer Academic Publishers, 1987.
- [24] W. J. Cullyer. Safety-critical control systems. Computing & Control Engineering Journal, 2(5):202-210, September 1991.
- [25] W. J. Cullyer and W. Wong. Application of formal methods to railway signalling: a case study. Submitted to the IEE Computing & Control Engineering Journal, 1992.
- [26] W. J. Cullyer and W. Wong. A mathematical approach to the protection of grade crossings. In Proceedings of the International Symposium on Railroad-Highway Grade Crossing Research and Safety, Knoxville, Tennessee, USA, 31 October - 3 November 1990.
- [27] Norman Delisle and David Garlan. A formal specification of an oscilloscope. IEEE Software, September 1990.
- [28] Antoni Diller. Z: An Introduction to Formal Methods. John Wiley & Sons, 1990.
- [29] Alan Gibbons. Algorithmic Graph Theory. Cambridge University Press, Cambridge, England, 1985.
- [30] J. Goguen, C. Kirchner, H. Kirchner, A. Megrelis, J. Meseguer, and T. Winkler. An introduction to OBJ3. In S. Kaplan and J. P. Jouannaud, editors, Conditional Term Rewriting Systems: 1st International Workshop Proceedings. Springer-Verlag, 1988.
- [31] J. A. Goguen. OBJ as a theorem prover with applications to hardware verification. In G. Birtwistle and P. A. Subrahmanyam, editors, Current Trends in Hardware Verification and Automated Theorem Proving, chapter 5, pages 218-267. Springer-Verlag, 1989.
- [32] J. A. Goguen, J. W. Thatcher, and E. G. Wagner. An initial algebra approach to the specification, correctness and implementation of abstract data types. In R. T. Yeh, editor, Current Trends in Programming Methodology, Vol. IV: Data Structuring. Prentice-Hall, 1977.
- [33] Michael J. C. Gordon. Mechanizing programming logics in higher order logic. In Current Trends in Hardware Verification and Automated Theorem Proving, chapter 10, pages 387-439. Springer-Verlag, 1989.
- [34] Michael J. Gordon. HOL: A Proof Generating System for Higher-Order Logic, pages 73-128. Kluwer Academic Publishers, 1987.
- [35] Michael J. Gordon, Arthur J. Milner, and Christopher P. Wadsworth. Edinburgh LCF. Lecture Notes in Computer Science, No. 78. Springer-Verlag, 1979.
- [36] F. K. Hanna and N. Daeche. Specification and verification using higher-order logic: A case study. In G. J. Milne and P. A. Subrahmanyam, editors, Formal Aspects of VLSI Design, pages 179-213. Springer-Verlag, 1986.
- [37] Health and Safety Executive. Guidance on the Use of Programmable Electronic Systems in Safety-related Applications, 1986.
- [38] W. A. Hunt. Microprocessor design verification. Journal of Automated Reasoning, 5(4), November 1989.
- [39] Warren A. Hunt. FM8501: A Verified Microprocessor. PhD thesis, The University of Texas at Austin, 1985.
- [40] IEC. Functional Safety of Programmable Electronic Systems. IEC SC65A/WG10 3rd Draft, June 1989.
- [41] IEC. Software for Computers in the Application of Industrial Safety Related Software. IEC SC65A/WG9 3rd Draft, June 1989.
- [42] Cliff B. Jones. Systematic Software Development Using VDM. Prentice-Hall, London, 1986.
- [43] J. J. Joyce. Formal specification and verification of asynchronous processes in higher-order logic. In Specification and Verification of Concurrent Systems: Proceedings of the BCS-FACS Workshop (TR45), 1988.
- [44] J. J. Joyce. Totally verified systems: Linking verified software to verified hardware. Technical report, University of Cambridge Computer Laboratory, 1989.
- [45] J. S. Moore. A mechanically verified language implementation. Journal of Automated Reasoning, 5(4), November 1989.
- [46] P. Loewenstein. Formal verification of state-machines using higher-order logic. In Proceedings of the 1989 IEEE International Conference on Computer Design: VLSI in Computers and Processors. IEEE Computer Society Press, 1989.
- [47] P. Loewenstein. Reasoning about state machines in higher-order logic. In M. Leeser and G. Brown, editors, Hardware Specification, Verification and Synthesis: Mathematical Aspects, Lecture Notes in Computer Science No. 408, pages 67-89. Springer-Verlag, 1989.
- [48] T. F. Melham. Automating recursive type definition in higher-order logic. In Graham Birtwistle and P. A. Subrahmanyam, editors, Current Trends in Hardware Verification and Automated Theorem Proving, pages 341-386. Springer-Verlag, 1989.
- [49] Robin Milner, Mads Tofte, and Robert Harper. The Definition of Standard ML. The MIT Press, 1990.
- [50] I. H. Mitchell. The design and testing of application database for a railway signalling system. In Proceedings of the International Conference on Software Engineering for Real-time Systems, pages 159-164, September 1987.
- [51] MOD. Requirements for Hazard Analysis of Safety-related Computer Systems. Draft UK DefStan 00-56, April 1991.
- [52] MOD. Requirements for the Procurement of Safety-critical Software in Defence Equipment. Draft UK DefStan 00-55, April 1991.
- [53] J. D. Murchland. A new method for finding all elementary paths in a complete directed graph. Technical Report LSE-TNT-22, London School of Economics, 1965.
- [54] O. S. Nock, editor. Railway Signalling: A Treatise on the Recent Practice of British Railways. A and C Black, London, 1980.
- [55] L. C. Paulson. ML for the Working Programmer. Cambridge University Press, 1991.
- [56] W. L. Price. Graphs and Networks: An Introduction. Butterworth & Co (Publishers) Ltd., London, 1971.
- [57] RTCA. Software Considerations in Airborne Systems and Equipment Certification. RTCA/DO-178A, May 1985.
- [58] J. Rushby. Formal methods and critical systems in the real world. In D. Craigen and K. Summerskill, editors, Formal Methods for Trustworthy Computer Systems (FM89), Workshops in Computing, pages 121-125. Springer-Verlag, 1990.
- [59] Roger Shaw and Cliff B. Jones.
# Appendix A

# HOL theories

This appendix lists all the theories described in Part II in a format similar to the output of the HOL utility function print_theory. Each theory is listed in a separate section. A theory listing has up to six subsections: Parents lists the parent theories; Types lists the names of the types defined in the theory; Constants lists the name and type of every constant defined in the theory; Infixes lists those constants which have infix syntactic status; Definitions lists all theorems associated with constant definitions; and Theorems lists all theorems saved in the theory.

# A.1 The theory func

## Parents

HOL sets

## Constants

```
-->           ":(*)set -> ((**)set -> ((* -> **) -> bool))"
-->>          ":(*)set -> ((**)set -> ((* -> **) -> bool))"
>-->          ":(*)set -> ((**)set -> ((* -> **) -> bool))"
<-->          ":(*)set -> ((**)set -> ((* -> **) -> bool))"
FUN_INV       ":(*)set -> ((**)set -> ((* -> **) -> (** -> *)))"
FUN_PINVERSE  ":(*)set # (**)set -> ((* -> **) -> ((** -> *) -> bool))"
FUN_INVERSE   ":(*)set # (**)set -> ((* -> **) -> ((** -> *) -> bool))"
```

## Infixes

```
-->           ":(*)set -> ((**)set -> ((* -> **) -> bool))"
-->>          ":(*)set -> ((**)set -> ((* -> **) -> bool))"
>-->          ":(*)set -> ((**)set -> ((* -> **) -> bool))"
<-->          ":(*)set -> ((**)set -> ((* -> **) -> bool))"
```

## Definitions

- FUN_DEF ⊢ ∀A B f. $--> A B f = (∀x. x IN A ⊃ f x IN B)
- FUN_ONTO_DEF ⊢ ∀A B f. $-->> A B f = (∀x. x IN A ⊃ f x IN B) ∧ (∀y. y IN B ⊃ (∃x. x IN A ∧ (y = f x)))
- FUN_ONE_ONE_DEF ⊢ ∀A B f. $>--> A B f = (∀x. x IN A ⊃ f x IN B) ∧ (∀x y. x IN A ∧ y IN A ∧ (f x = f y) ⊃ (x = y))
- FUN_ISO_DEF ⊢ ∀A B f. $<--> A B f = $>--> A B f ∧ $-->> A B f
- FUN_INV_DEF ⊢ ∀A B f y. FUN_INV A B f y = ((y IN B ∧ (∃x. x IN A ∧ (y = f x))) ⇒ (εx. x IN A ∧ (y = f x)) | (εx. x IN A))
- FUN_PINVERSE_DEF ⊢ ∀A B f g. FUN_PINVERSE (A, B) f g = $--> A B f ∧ $--> B A g ∧ (∀x. x IN A ⊃ ((g o f) x = x))
- FUN_INVERSE_DEF ⊢ ∀A B f g. FUN_INVERSE (A, B) f g = FUN_PINVERSE (A, B) f g ∧ FUN_PINVERSE (B, A) g f

## Theorems

- FUN_ONTO_o ⊢ ∀A B C f g. $-->> A B f ∧ $-->> B C g ⊃ $-->> A C (g o f)
- FUN_ONE_ONE_o ⊢ ∀A B C f g. $>--> A B f ∧ $>--> B C g ⊃ $>--> A C (g o f)
- FUN_ISO_o ⊢ ∀A B C f g. $<--> A B f ∧ $<--> B C g ⊃ $<--> A C (g o f)
- FUN_INV_TY ⊢ ∀A B f. ¬(A = {}) ⊃ $--> B A (FUN_INV A B f)
- LEFT_FINV ⊢ ∀A B f. ¬(A = {}) ∧ …
- RIGHT_FINV ⊢ ∀A B f. ¬(A = {}) ∧ $-->> A B f ⊃ FUN_PINVERSE (B, A) (FUN_INV A B f) f
- LEFT_RIGHT_PINV ⊢ ∀A B f g. $--> A B f ∧ $--> B A g ∧ FUN_PINVERSE (A, B) f g ⊃ $>--> A B f ∧ $-->> B A g
- ISO_INVERSE ⊢ ∀A B f g. $--> A B f ∧ $--> B A g ∧ FUN_INVERSE (A, B) f g ⊃ $<--> A B f ∧ $<--> B A g
- FUN_EMPTY_LEFT ⊢ (∀B f. $--> {} B f) ∧ (∀B f. $>--> {} B f) ∧ (∀B f. $-->> {} B f = (B = {})) ∧ (∀B f. $<--> {} B f = (B = {}))
- FUN_EMPTY_RIGHT ⊢ (∀A f. $--> A {} f = (A = {})) ∧ (∀A f. $-->> A {} f = (A = {})) ∧ (∀A f. $>--> A {} f = (A = {})) ∧ (∀A f. $<--> A {} f = (A = {}))
- ISO_FINV ⊢ ∀A B f. $<--> A B f ⊃ $<--> B A (FUN_INV A B f)

End of theory func

# A.2 The theory graph

## Parents

HOL sets func

## Constants

```
IS_EDGE        ":* # (* # **) -> ((*)set # (* # (* # **))set -> bool)"
IS_VERTEX      ":* -> ((*)set # (* # (* # **))set -> bool)"
DELETE_EDGE    ":(*)set # (* # (* # **))set -> (* # (* # **) -> (*)set # (* # (* # **))set)"
DELETE_VERTEX  ":(*)set # (* # (* # **))set -> (* -> (*)set # (* # (* # **))set)"
INSERT_VERTEX  ":* -> ((*)set # (* # (* # **))set -> (*)set # (* # (* # **))set)"
INSERT_EDGE    ":* # (* # **) -> ((*)set # (* # (* # **))set -> (*)set # (* # (* # **))set)"
G_INTER        ":(*)set # (* # (* # **))set -> ((*)set # (* # (* # **))set -> (*)set # (* # (* # **))set)"
G_UNION        ":(*)set # (* # (* # **))set -> ((*)set # (* # (* # **))set -> (*)set # (* # (* # **))set)"
e_src          ":* # (* # **) -> *"
e_des          ":* # (* # **) -> *"
elb            ":* # (* # **) -> **"
GRAPH          ":(*)set # (* # (* # **))set -> bool"
NULL_GRAPH     ":(*)set # (* # (* # **))set"
VS             ":(*)set # (* # (* # **))set -> (*)set"
ES             ":(*)set # (* # (* # **))set -> (* # (* # **))set"
IGRAPH         ":(*)set # (* # (* # **))set -> bool"
LOOP           ":* # (* # **) -> bool"
HAS_LOOP       ":(*)set # (* # (* # **))set -> bool"
MULTI_EDGE     ":(*)set # (* # (* # **))set -> bool"
SIMPLE_GRAPH   ":(*)set # (* # (* # **))set -> bool"
FINITE_GRAPH   ":(*)set # (* # (* # **))set -> bool"
VER_ADJA       ":(*)set # (* # (* # **))set -> (* -> (* -> bool))"
E_ADJA         ":(*)set # (* # (* # **))set -> (* # (* # **) -> (* # (* # **) -> bool))"
INCIDENT_FROM  ":(*)set # (* # (* # **))set -> (* -> (* # (* # **))set)"
OUT_DEGREE     ":(*)set # (* # (* # **))set -> (* -> num)"
INCIDENT_TO    ":(*)set # (* # (* # **))set -> (* -> (* # (* # **))set)"
IN_DEGREE      ":(*)set # (* # (* # **))set -> (* -> num)"
INCIDENT_WITH  ":(*)set # (* # (* # **))set -> (* -> (* # (* # **))set)"
DEGREE         ":(*)set # (* # (* # **))set -> (* -> num)"
IS_SUC_VER     ":(*)set # (* # (* # **))set -> (* -> (* -> bool))"
IS_PRE_VER     ":(*)set # (* # (* # **))set -> (* -> (* -> bool))"
SUC_VERS       ":(*)set # (* # (* # **))set -> (* -> (*)set)"
PRE_VERS       ":(*)set # (* # (* # **))set -> (* -> (*)set)"
EDGES_BETWEEN  ":(*)set # (* # (* # **))set -> (* -> (* -> (* # (* # **))set))"
SUBGRAPH       ":(*)set # (* # (* # **))set -> ((*)set # (* # (* # **))set -> bool)"
PSUBGRAPH      ":(*)set # (* # (* # **))set -> ((*)set # (* # (* # **))set -> bool)"
MK_SUBGRAPH    ":(*)set # (* # (* # **))set -> ((* -> bool) -> ((* # (* # **) -> bool) -> (*)set # (* # (* # **))set))"
GRAPH_ISO      ":(*)set # (* # (* # **))set -> ((*)set # (* # (* # **))set -> ((* -> *) # (* # (* # **) -> * # (* # **)) -> bool))"
```

## Infixes

```
IS_EDGE        ":* # (* # **) -> ((*)set # (* # (* # **))set -> bool)"
IS_VERTEX      ":* -> ((*)set # (* # (* # **))set -> bool)"
DELETE_EDGE    ":(*)set # (* # (* # **))set -> (* # (* # **) -> (*)set # (* # (* # **))set)"
DELETE_VERTEX  ":(*)set # (* # (* # **))set -> (* -> (*)set # (* # (* # **))set)"
INSERT_VERTEX  ":* -> ((*)set # (* # (* # **))set -> (*)set # (* # (* # **))set)"
INSERT_EDGE    ":* # (* # **) -> ((*)set # (* # (* # **))set -> (*)set # (* # (* # **))set)"
G_INTER        ":(*)set # (* # (* # **))set -> ((*)set # (* # (* # **))set -> (*)set # (* # (* # **))set)"
G_UNION        ":(*)set # (* # (* # **))set -> ((*)set # (* # (* # **))set -> (*)set # (* # (* # **))set)"
```

## Definitions

- e_src_DEF ⊢ ∀e. e_src e = FST e
- e_des_DEF ⊢ ∀e. e_des e = FST (SND e)
- elb_DEF ⊢ ∀e. elb e = SND (SND e)
- GRAPH_DEF ⊢ ∀V E. GRAPH (V, E) = (∀e. e IN E ⊃ e_src e IN V ∧ e_des e IN V)
- NULL_GRAPH_DEF ⊢ NULL_GRAPH = {}, {}
- VS_DEF ⊢ ∀G. VS G = FST G
- ES_DEF ⊢ ∀G. ES G = SND G
- IS_EDGE_DEF ⊢ ∀e G. e IS_EDGE G = e IN ES G
- IS_VERTEX_DEF ⊢ ∀v G. v IS_VERTEX G = v IN VS G
- IGRAPH_DEF ⊢ ∀V E. IGRAPH (V, E) = IMAGE e_src E SUBSET V ∧ IMAGE e_des E SUBSET V
- LOOP_DEF ⊢ ∀e. LOOP e = (e_src e = e_des e)
- HAS_LOOP_DEF ⊢ ∀G. HAS_LOOP G = (∃e. e IN ES G ∧ LOOP e)
- MULTI_EDGE_DEF ⊢ … ¬(e1 = e2) ∧ (e_src e1 = e_src e2) ∧ (e_des e1 = e_des e2))
- SIMPLE_GRAPH_DEF ⊢ ∀G. SIMPLE_GRAPH G = GRAPH G ∧ ¬HAS_LOOP G ∧ ¬MULTI_EDGE G
- FINITE_GRAPH_DEF ⊢ ∀G. FINITE_GRAPH G = GRAPH G ∧ FINITE (VS G) ∧ FINITE (ES G)
- VER_ADJA_DEF ⊢ ∀G v1 v2. VER_ADJA G v1 v2 = GRAPH G ∧ v1 IS_VERTEX G ∧ v2 IS_VERTEX G ∧ (∃e. e IS_EDGE G ∧ ((e_src e = v1) ∧ (e_des e = v2) ∨ (e_src e = v2) ∧ (e_des e = v1)))
- E_ADJA_DEF ⊢ ∀G e1 e2. E_ADJA G e1 e2 = GRAPH G ∧ e1 IS_EDGE G ∧ e2 IS_EDGE G ∧ ((e_des e1 = e_src e2) ∨ (e_des e2 = e_src e1))
- INCIDENT_FROM_DEF ⊢ ∀G v. INCIDENT_FROM G v = {e | e IS_EDGE G ∧ (e_src e = v)}
- OUT_DEGREE_DEF ⊢ ∀G v. OUT_DEGREE G v = CARD (INCIDENT_FROM G v)
- INCIDENT_TO_DEF ⊢ ∀G v. INCIDENT_TO G v = {e | e IS_EDGE G ∧ (e_des e = v)}
- IN_DEGREE_DEF ⊢ ∀G v. IN_DEGREE G v = CARD (INCIDENT_TO G v)
- INCIDENT_WITH_DEF ⊢ ∀G v. INCIDENT_WITH G v = {e | e IS_EDGE G ∧ ((e_src e = v) ∨ (e_des e = v))}
- DEGREE_DEF ⊢ ∀G v. DEGREE G v = IN_DEGREE G v + OUT_DEGREE G v
- IS_SUC_VER_DEF ⊢ ∀G v1 v2. IS_SUC_VER G v1 v2 = (∃e. e IS_EDGE G ∧ (e_src e = v1) ∧ (e_des e = v2))
- IS_PRE_VER_DEF ⊢ ∀G v1 v2. IS_PRE_VER G v1 v2 = (∃e. e IS_EDGE G ∧ (e_des e = v1) ∧ (e_src e = v2))
- SUC_VERS_DEF ⊢ ∀G v. SUC_VERS G v = {v' | v' IS_VERTEX G ∧ IS_SUC_VER G v v'}
- PRE_VERS_DEF ⊢ ∀G v. PRE_VERS G v = {v' | v' IS_VERTEX G ∧ IS_PRE_VER G v v'}
- EDGES_BETWEEN_DEF ⊢ ∀G v1 v2. EDGES_BETWEEN G v1 v2 = {e | e IS_EDGE G ∧ (e_src e = v1) ∧ (e_des e = v2)}
- DELETE_EDGE_DEF ⊢ ∀G e. G DELETE_EDGE e = VS G, ES G DELETE e
- DELETE_VERTEX_DEF ⊢ ∀G v. G DELETE_VERTEX v = VS G DELETE v, ES G DIFF INCIDENT_WITH G v
- INSERT_VERTEX_DEF ⊢ ∀v G. v INSERT_VERTEX G = v INSERT VS G, ES G
- INSERT_EDGE_DEF ⊢ ∀e G. e INSERT_EDGE G = VS G, ((e_src e IS_VERTEX G ∧ e_des e IS_VERTEX G) ⇒ e INSERT ES G | ES G)
- G_INTER_DEF ⊢ ∀G1 G2. G1 G_INTER G2 = VS G1 INTER VS G2, ES G1 INTER ES G2
- G_UNION_DEF ⊢ ∀G1 G2. G1 G_UNION G2 = VS G1 UNION VS G2, ES G1 UNION ES G2
- SUBGRAPH_DEF ⊢ ∀H G. SUBGRAPH H G = GRAPH H ∧ GRAPH G ∧ VS H SUBSET VS G ∧ ES H SUBSET ES G
- PSUBGRAPH_DEF ⊢ ∀H G. PSUBGRAPH H G = SUBGRAPH H G ∧ (VS H PSUBSET VS G ∨ ES H PSUBSET ES G)
- MK_SUBGRAPH_DEF ⊢ ∀G fv fe. MK_SUBGRAPH G fv fe = {v | v IS_VERTEX G ∧ fv v}, {e | e IS_EDGE G ∧ fe e ∧ fv (e_src e) ∧ fv (e_des e)}
- GRAPH_ISO_DEF ⊢ ∀G H f g. GRAPH_ISO G H (f, g) = GRAPH G ∧ GRAPH H ∧ $<--> (VS G) (VS H) f ∧ $<--> (ES G) (ES H) g

## Theorems

- e_src ⊢ ∀p1 p2 s. e_src (p1, p2, s) = p1
- e_des ⊢ ∀p1 p2 s. e_des (p1, p2, s) = p2
- elb ⊢ ∀p1 p2 s. elb (p1, p2, s) = s
- VERTICES ⊢ ∀V E. VS (V, E) = V
- EDGES ⊢ ∀V E. ES (V, E) = E
- GRAPH_EQUIV ⊢ ∀V E. GRAPH (V, E) = IGRAPH (V, E)
- GRAPH_EXISTS ⊢ ∃G. GRAPH G
- GRAPH_PAIR ⊢ ∀G. GRAPH G ⊃ (G = VS G, ES G)
- GRAPH_DECOMP ⊢ ∀G. GRAPH G = GRAPH (VS G, ES G)
- GRAPH_EQ ⊢ ∀G H. GRAPH G ∧ GRAPH H ⊃ ((G = H) = (VS G = VS H) ∧ (ES G = ES H))
- NOT_VERTEX_NOT_EDGE ⊢ ∀G v1 v2 x. GRAPH G ⊃ (¬v1 IS_VERTEX G ∨ ¬v2 IS_VERTEX G ⊃ ¬(v1, v2, x) IS_EDGE G)
- GRAPH_NOT_VERTEX_NOT_EDGE ⊢ ∀G v. GRAPH G ∧ ¬v IS_VERTEX G ⊃ (∀u x. ¬(v, u, x) IS_EDGE G)
- GRAPH_NOT_VERTEX_NOT_EDGE2 ⊢ ∀G v. GRAPH G ∧ ¬v IS_VERTEX G ⊃ (∀w x. ¬(w, v, x) IS_EDGE G)
- EDGE_EQ ⊢ ∀e1 e2. (e1 = e2) = (e_src e1 = e_src e2) ∧ (e_des e1 = e_des e2) ∧ (elb e1 = elb e2)
- GRAPH_DIRECTED ⊢ ∀G. SIMPLE_GRAPH G ⊃ (∀e1 e2. e1 IN ES G ∧ e2 IN ES G ∧ (e_src e1 = e_des e2) ∧ (e_des e1 = e_src e2) ⊃ ¬(e1 = e2))
- VER_INCIDENT_NOT_EMPTY ⊢ ∀G v. GRAPH G ∧ ¬(INCIDENT_WITH G v = {}) ⊃ v IS_VERTEX G
- NOT_VER_INCIDENT_EMPTY ⊢ ∀G v. GRAPH G ⊃ (¬v IS_VERTEX G ⊃ (INCIDENT_WITH G v = {}))
- GRAPH_EDGE_VERTEX ⊢ ∀G e. GRAPH G ∧ e IS_EDGE G ⊃ e_src e IS_VERTEX G ∧ e_des e IS_VERTEX G
- NOT_IN_SAME_SET ⊢ ∀x y s. y IN s ∧ ¬x IN s ⊃ ¬(x = y)
- NOT_IN_SAME_GRAPH ⊢ ∀G v e. GRAPH G ∧ ¬v IS_VERTEX G ∧ e IS_EDGE G ⊃ ¬(e_src e = v) ∧ ¬(e_des e = v)
- VERTEX_EDGE ⊢ ∀G v e. GRAPH G ∧ v IS_VERTEX G ∧ e IN INCIDENT_WITH G v ⊃ (e_src e = v) ∨ (e_des e = v)
- E_DELETE_ABSORP ⊢ ∀G e. GRAPH G ∧ ¬e IS_EDGE G ⊃ (G DELETE_EDGE e = G)
- V_DELETE_ABSORP ⊢ ∀G v. GRAPH G ∧ ¬v IS_VERTEX G ⊃ (G DELETE_VERTEX v = G)
- GRAPH_DELETE_EDGE ⊢ ∀G e. GRAPH G ⊃ GRAPH (G DELETE_EDGE e)
- GRAPH_DELETE_VERTEX ⊢ ∀G v. GRAPH G ⊃ GRAPH (G DELETE_VERTEX v)
- DELETE_VERTEX_COMM ⊢ ∀G v1 v2. (G DELETE_VERTEX v1) DELETE_VERTEX v2 = (G DELETE_VERTEX v2) DELETE_VERTEX v1
- DELETE_EDGE_COMM ⊢ ∀G e1 e2. (G DELETE_EDGE e1) DELETE_EDGE e2 = (G DELETE_EDGE e2) DELETE_EDGE e1
- GRAPH_INSERT_VERTEX ⊢ ∀G v. GRAPH G ⊃ GRAPH (v INSERT_VERTEX G)
- GRAPH_INSERT_EDGE ⊢ ∀G e. GRAPH G ⊃ GRAPH (e INSERT_EDGE G)
- INSERT_VERTEX_COMM ⊢ ∀G v1 v2. v1 INSERT_VERTEX (v2 INSERT_VERTEX G) = v2 INSERT_VERTEX (v1 INSERT_VERTEX G)
- INSERT_EDGE_COMM ⊢ ∀G e1 e2. e1 INSERT_EDGE (e2 INSERT_EDGE G) = e2 INSERT_EDGE (e1 INSERT_EDGE G)
- IN_INSERT_VERTEX ⊢ ∀e v G. e IS_EDGE G ⊃ e IS_EDGE (v INSERT_VERTEX G)
- IN_INSERT_EDGE ⊢ ∀e e' G. e IS_EDGE G ⊃ e IS_EDGE (e' INSERT_EDGE G)
- INCIDENT_WITH_INSERT_VERTEX ⊢ ∀G v. GRAPH G ⊃ (¬v IS_VERTEX G ⊃ (INCIDENT_WITH (v INSERT_VERTEX G) v = {}))
- DELETE_INSERT_EDGE ⊢ ∀G e. GRAPH G ∧ e IS_EDGE G ⊃ (e INSERT_EDGE (G DELETE_EDGE e) = G)
- INSERT_DELETE_VERTEX ⊢ ∀G v. GRAPH G ∧ ¬v IS_VERTEX G ⊃ ((v INSERT_VERTEX G) DELETE_VERTEX v = G)
- VERTICES_INSERT_EDGE ⊢ ∀G e. VS (e INSERT_EDGE G) = VS G
- EDGES_INSERT_VERTEX ⊢ ∀G v. ES (v INSERT_VERTEX G) = ES G
- VERTEX_INSERT_VERTEX ⊢ ∀G x y. x IS_VERTEX (y INSERT_VERTEX G) = (x = y) ∨ x IS_VERTEX G
- EDGE_INSERT_EDGE ⊢ ∀G e. e_src e IS_VERTEX G ∧ e_des e IS_VERTEX G ⊃ e IS_EDGE (e INSERT_EDGE G)
- EDGE_IN_INSERT ⊢ ∀G e. e_src e IS_VERTEX G ∧ e_des e IS_VERTEX G ⊃ e IS_EDGE (e INSERT_EDGE G)
- EDGE_IN_INSERT2 ⊢ ∀G v1 v2 x. v1 IS_VERTEX G ∧ v2 IS_VERTEX G ⊃ (v1, v2, x) IS_EDGE ((v1, v2, x) INSERT_EDGE G)
- VERTEX_IN_INS_VERTEX ⊢ ∀G v u. v IS_VERTEX (u INSERT_VERTEX G) = (v = u) ∨ v IS_VERTEX G
- V_INSERT_ABSORP ⊢ ∀G v. GRAPH G ∧ v IS_VERTEX G ⊃ (v INSERT_VERTEX G = G)
- E_INSERT_ABSORP ⊢ ∀G e. GRAPH G ∧ e IS_EDGE G ⊃ (e INSERT_EDGE G = G)
- FINITE_GRAPH_INSERT_EDGE ⊢ ∀G e. FINITE_GRAPH G ⊃ FINITE_GRAPH (e INSERT_EDGE G)
- GRAPH_G_INTER ⊢ ∀G1 G2. GRAPH G1 ∧ GRAPH G2 ⊃ GRAPH (G1 G_INTER G2)
- G_INTER_IDENT ⊢ ∀G. G G_INTER G = G
- G_INTER_SYM ⊢ ∀G1 G2. G1 G_INTER G2 = G2 G_INTER G1
- G_INTER_ASSOC ⊢ ∀G1 G2 G3. (G1 G_INTER G2) G_INTER G3 = G1 G_INTER (G2 G_INTER G3)
- VERTEX_IN_INTER ⊢ ∀G1 G2 v. v IS_VERTEX (G1 G_INTER G2) = v IS_VERTEX G1 ∧ v IS_VERTEX G2
- EDGE_IN_INTER ⊢ ∀G1 G2 e. e IS_EDGE (G1 G_INTER G2) = e IS_EDGE G1 ∧ e IS_EDGE G2
- GRAPH_G_UNION ⊢ ∀G1 G2. GRAPH G1 ∧ GRAPH G2 ⊃ GRAPH (G1 G_UNION G2)
- G_UNION_IDENT ⊢ ∀G. G G_UNION G = G
- G_UNION_SYM ⊢ ∀G1 G2. G1 G_UNION G2 = G2 G_UNION G1
- G_UNION_ASSOC ⊢ ∀G1 G2 G3. …
- VERTICES_IN_UNION ⊢ ∀G1 G2 v1 v2. GRAPH G1 ∧ GRAPH G2 ∧ v1 IS_VERTEX G1 ∧ v2 IS_VERTEX G2 ⊃ v1 IS_VERTEX (G1 G_UNION G2) ∧ v2 IS_VERTEX (G1 G_UNION G2)
- VERTEX_IN_UNION ⊢ ∀G1 G2 v. v IS_VERTEX (G1 G_UNION G2) = v IS_VERTEX G1 ∨ v IS_VERTEX G2
- EDGE_IN_UNION ⊢ ∀G1 G2 e. e IS_EDGE (G1 G_UNION G2) = e IS_EDGE G1 ∨ e IS_EDGE G2
- VERTEX_INSERT_EDGE ⊢ ∀G v e. v IS_VERTEX (e INSERT_EDGE G) = v IS_VERTEX G
- GRAPH_INSERT_EDGES ⊢ ∀G v1 v2. GRAPH G ∧ v1 IS_VERTEX G ∧ v2 IS_VERTEX G ⊃ (∀x1. GRAPH ((v1, v2, x1) INSERT_EDGE G)) ∧ (∀x2. GRAPH ((v2, v1, x2) INSERT_EDGE G))
- G_UNION_INSERT_EDGES ⊢ ∀G1 G2 v1 v2. GRAPH G1 ∧ GRAPH G2 ∧ v1 IS_VERTEX G1 ∧ v2 IS_VERTEX G2 ⊃ (∀x1. GRAPH ((v1, v2, x1) INSERT_EDGE (G1 G_UNION G2))) ∧ (∀x2. GRAPH ((v2, v1, x2) INSERT_EDGE (G1 G_UNION G2)))
- G_INS_INS_E ⊢ ∀G e1 e2. GRAPH (e1 INSERT_EDGE G) ∧ GRAPH (e2 INSERT_EDGE G) ⊃ GRAPH (e1 INSERT_EDGE (e2 INSERT_EDGE G)) ∧ GRAPH (e2 INSERT_EDGE (e1 INSERT_EDGE G))
- G_UNION_INS_EDGES ⊢ ∀G1 G2 v1 v2. GRAPH G1 ∧ GRAPH G2 ∧ v1 IS_VERTEX G1 ∧ v2 IS_VERTEX G2 ⊃ (∀x1 x2. GRAPH ((v1, v2, x1) INSERT_EDGE ((v2, v1, x2) INSERT_EDGE (G1 G_UNION G2))) ∧ GRAPH ((v2, v1, x2) INSERT_EDGE ((v1, v2, x1) INSERT_EDGE (G1 G_UNION G2))))
- SUBGRAPH_REFL ⊢ ∀G. GRAPH G ⊃ SUBGRAPH G G
- SUBGRAPH_TRANS ⊢ ∀G1 G2 G3. SUBGRAPH G1 G2 ∧ SUBGRAPH G2 G3 ⊃ SUBGRAPH G1 G3
- SUBGRAPH_ANTISYM ⊢ ∀G1 G2. SUBGRAPH G1 G2 ∧ SUBGRAPH G2 G1 ⊃ (G1 = G2)
- SUBGRAPH_GRAPH ⊢ ∀G H. SUBGRAPH H G ⊃ GRAPH G ∧ GRAPH H
- PSUBGRAPH_SUBGRAPH ⊢ ∀G H. PSUBGRAPH H G ⊃ SUBGRAPH H G
- PSUBGRAPH_IRREFL ⊢ ∀G. GRAPH G ⊃ ¬PSUBGRAPH G G
- PSUBGRAPH_TRANS ⊢ ∀G1 G2 G3. PSUBGRAPH G1 G2 ∧ PSUBGRAPH G2 G3 ⊃ PSUBGRAPH G1 G3
- PSUBGRAPH_DELETE_EDGE ⊢ ∀G e. GRAPH G ∧ e IS_EDGE G ⊃ PSUBGRAPH (G DELETE_EDGE e) G
- SUBGRAPH_DELETE_EDGE ⊢ ∀G e. GRAPH G ⊃ SUBGRAPH (G DELETE_EDGE e) G
- SUBGRAPH_DELETE_VERTEX ⊢ ∀G v. GRAPH G ⊃ SUBGRAPH (G DELETE_VERTEX v) G
- PSUBGRAPH_DELETE_VERTEX ⊢ ∀G v. GRAPH G ∧ v IS_VERTEX G ⊃ PSUBGRAPH (G DELETE_VERTEX v) G
- MK_SUBGRAPH_GRAPH ⊢ ∀G fv fe. GRAPH G ⊃ GRAPH (MK_SUBGRAPH G fv fe)
- MK_SUBGRAPH_SUBGRAPH ⊢ ∀G fv fe. GRAPH G ⊃ SUBGRAPH (MK_SUBGRAPH G fv fe) G
- GRAPH_ISO_AUTO ⊢ ∀G. GRAPH G ⊃ GRAPH_ISO G G (I, I)
- GRAPH_ISO_TRANS ⊢ ∀G1 G2 G3 f1 g1 f2 g2. GRAPH_ISO G1 G2 (f1, g1) ∧ GRAPH_ISO G2 G3 (f2, g2) ⊃ GRAPH_ISO G1 G3 ((f2 o f1), (g2 o g1))
- GRAPH_ISO_SYM ⊢ ∀G H f g. GRAPH_ISO G H (f, g) ⊃ (∃f' g'. GRAPH_ISO H G (f', g'))
- … ⊢ ∀G H f g. GRAPH_ISO G H (f, g) ⊃ GRAPH_ISO H G (FUN_INV (VS G) (VS H) f, FUN_INV (ES G) (ES H) g)

End of theory graph

# A.3 The theory elist

## Parents

HOL sets graph

## Constants

```
ELEM       ":(*)list -> (* -> bool)"
UNIQUE_EL  ":(*)list -> bool"
EL_SET     ":(*)list -> (*)set"
DISJ_LIST  ":(*)list -> ((*)list -> bool)"
V_L        ":(* # (* # **))list -> (*)list"
VER_LIST   ":(* # (* # **))list -> (*)list"
```

## Definitions

- ELEM_DEF ⊢ (∀x. ELEM [] x = F) ∧ (∀h t x. ELEM (CONS h t) x = (x = h) ∨ ELEM t x)
- UNIQUE_EL_DEF ⊢ (UNIQUE_EL [] = T) ∧ (∀hd tl. UNIQUE_EL (CONS hd tl) = EVERY (λx. ¬(x = hd)) tl ∧ UNIQUE_EL tl)
- EL_SET_DEF ⊢ (EL_SET [] = {}) ∧ (∀hd tl. EL_SET (CONS hd tl) = hd INSERT EL_SET tl)
- DISJ_LIST_DEF ⊢ ∀l1 l2. DISJ_LIST l1 l2 = DISJOINT (EL_SET l1) (EL_SET l2)
- V_L_DEF ⊢ (V_L [] = []) ∧ (∀hd tl. V_L (CONS hd tl) = CONS (e_des hd) (V_L tl))
- VER_LIST_DEF ⊢ (VER_LIST [] = []) ∧ (∀hd tl. VER_LIST (CONS hd tl) = CONS (e_src hd) (V_L (CONS hd tl)))

## Theorems

- NULL_NIL ⊢ ∀l. NULL l = (l = [])
- NULL_NOT_ELEM ⊢ ∀l. NULL l ⊃ (∀x. ¬ELEM l x)
- ELEM_CONS ⊢ ∀l x v. ELEM l x ⊃ ELEM (CONS v l) x
- ELEM_APPEND ⊢ ∀l1 l2 x. ELEM (APPEND l1 l2) x = ELEM l1 x ∨ ELEM l2 x
- ELEM_EL ⊢ ∀l x. ELEM l x ⊃ (∃n. x = EL n l)
- IN_ELEM ⊢ ∀A. FINITE A ⊃ (∃l. (∀x. x IN A = ELEM l x))
- UNIQUE_EL_TL ⊢ ∀l h. UNIQUE_EL (CONS h l) ⊃ UNIQUE_EL l
- UNIQUE_EL_SIMP ⊢ ∀x. UNIQUE_EL [x]
- ELEM_NOT_UNIQUE_EL_CONS ⊢ ∀l h. ELEM l h ⊃ ¬UNIQUE_EL (CONS h l)
- NOT_ELEM_UNIQUE_EL_CONS ⊢ ∀l h. UNIQUE_EL l ∧ ¬ELEM l h ⊃ UNIQUE_EL (CONS h l)
- EL_SET_APPEND ⊢ ∀l1 l2. EL_SET (APPEND l1 l2) = EL_SET l1 UNION EL_SET l2
- ELEM_IN_EL_SET ⊢ ∀l x. ELEM l x = x IN EL_SET l
- DISJ_LIST_EMPTY ⊢ ∀l. DISJ_LIST [] l ∧ DISJ_LIST l []
- DISJ_LIST_CONS ⊢ ∀l1 l2 h. DISJ_LIST (CONS h l1) l2 = DISJ_LIST l1 l2 ∧ ¬ELEM l2 h
- DISJ_LIST_APPEND ⊢ ∀l1 l2 l3. DISJ_LIST (APPEND l1 l2) l3 = DISJ_LIST l1 l3 ∧ DISJ_LIST l2 l3
- DISJ_LIST_COMM ⊢ ∀l1 l2. DISJ_LIST l1 l2 = DISJ_LIST l2 l1
- V_L_APPEND ⊢ ∀p1 p2. V_L (APPEND p1 p2) = APPEND (V_L p1) (V_L p2)
- NOT_NULL_VER_LIST ⊢ ∀p. ¬NULL p ⊃ (VER_LIST p = CONS (e_src (HD p)) (V_L p))
- VER_LIST_CONS ⊢ ∀p h. VER_LIST (CONS h p) = CONS (e_src h) (CONS (e_des h) (V_L p))
- NOT_NULL_VER_LIST_CONS ⊢ ∀l h. ¬NULL l ∧ (e_des h = e_src (HD l)) ⊃ (VER_LIST (CONS h l) = CONS (e_src h) (VER_LIST l))
- TL_VER_LIST ⊢ ∀p. ¬NULL p ⊃ (TL (VER_LIST p) = V_L p)
- VER_LIST_APPEND ⊢ ∀p1 p2. ¬NULL p1 ∧ ¬NULL p2 ⊃ (VER_LIST (APPEND p1 p2) = APPEND (VER_LIST p1) (TL (VER_LIST p2)))
- UNIQUE_EL_CONS ⊢ ∀l h. UNIQUE_EL l ∧ ¬h IN EL_SET l ⊃ UNIQUE_EL (CONS h l)
- NOT_UNIQUE_EL_CONS ⊢ ∀l h. h IN EL_SET l ⊃ (UNIQUE_EL (CONS h l) = F)
- UNIQUE_EL_APPEND ⊢ ∀l1 l2. UNIQUE_EL (APPEND l1 l2) = UNIQUE_EL l1 ∧ UNIQUE_EL l2 ∧ DISJ_LIST l1 l2
- UNIQUE_V_L_CONS ⊢ ∀p h. UNIQUE_EL (V_L p) ∧ ¬ELEM (V_L p) (e_des h) ⊃ UNIQUE_EL (V_L (CONS h p))
- UNIQUE_VER_LIST_CONS ⊢ ∀p h. ¬NULL p ∧ UNIQUE_EL (VER_LIST p) ∧ (e_src (HD p) = e_des h) ∧ ¬LOOP h ∧ ¬ELEM (VER_LIST p) (e_src h) ⊃ UNIQUE_EL (VER_LIST (CONS h p))
- UNIQUE_EL_VER_LIST_TL ⊢ ∀p. ¬NULL p ⊃ (UNIQUE_EL (VER_LIST p) ⊃ UNIQUE_EL (TL (VER_LIST p)))
- UNIQUE_VER_LIST_APPEND ⊢ ∀p1 p2 G. ¬NULL p1 ∧ ¬NULL p2 ⊃ (UNIQUE_EL (VER_LIST p1) ∧ UNIQUE_EL (VER_LIST p2) ∧ DISJ_LIST (V_L p1) (V_L p2) ∧ ¬ELEM (VER_LIST p2) (e_src (HD p1)) ⊃ UNIQUE_EL (VER_LIST (APPEND p1 p2)))

End of theory elist

# A.4 The theory path

## Parents

HOL sets graph elist

## Constants

```
WALK_TAIL   ":(* # (* # **))list -> ((*)set # (* # (* # **))set -> bool)"
WALK        ":(*)set # (* # (* # **))set -> ((* # (* # **))list -> bool)"
WALK_ENTRY  ":(* # (* # **))list -> *"
WALK_EXIT   ":(* # (* # **))list -> *"
TRAIL       ":(*)set # (* # (* # **))set -> ((* # (* # **))list -> bool)"
PATH        ":(*)set # (* # (* # **))set -> ((* # (* # **))list -> bool)"
PATH_ENTRY  ":(* # (* # **))list -> *"
PATH_EXIT   ":(* # (* # **))list -> *"
CONNECTED   ":(*)set # (* # (* # **))set -> bool"
DISJ_PATH   ":(*)set # (* # (* # **))set -> ((* # (* # **))list -> ((* # (* # **))list -> bool))"
HAS_PATH    ":(*)set # (* # (* # **))set -> (* -> (* -> bool))"
```

## Definitions

- WALK_TAIL_DEF ⊢ (∀G. WALK_TAIL [] G = T) ∧ (∀G hd tl. WALK_TAIL (CONS hd tl) G = GRAPH G ∧ hd IS_EDGE G ∧ (NULL tl ∨ WALK_TAIL tl G ∧ (e_des hd = e_src (HD tl))))
- WALK_DEF ⊢ ∀G w. WALK G w = ¬NULL w ∧ WALK_TAIL w G
- WALK_ENTRY_DEF ⊢ ∀l. WALK_ENTRY l = e_src (HD l)
- WALK_EXIT_DEF ⊢ ∀hd tl. WALK_EXIT (CONS hd tl) = (NULL tl ⇒ e_des hd | WALK_EXIT tl)
- TRAIL_DEF ⊢ ∀G l. TRAIL G l = WALK G l ∧ UNIQUE_EL l
- PATH_DEF ⊢ ∀G l. PATH G l = TRAIL G l ∧ UNIQUE_EL (VER_LIST l)
- PATH_ENTRY_DEF ⊢ ∀l. PATH_ENTRY l = e_src (HD l)
- PATH_EXIT_DEF ⊢ ∀p. PATH_EXIT p = WALK_EXIT p
- CONNECTED_DEF ⊢ ∀G. CONNECTED G = GRAPH G ∧ (∀v1 v2. v1 IS_VERTEX G ∧ v2 IS_VERTEX G ∧ ¬(v1 = v2) ⊃ (∃l. PATH G l ∧ (v1 = PATH_ENTRY l) ∧ (v2 = PATH_EXIT l)))
- DISJ_PATH_DEF ⊢ ∀G p1 p2. DISJ_PATH G p1 p2 = PATH G p1 ∧ PATH G p2 ∧ DISJ_LIST p1 p2 ∧ DISJ_LIST (V_L p1) (V_L p2)
- HAS_PATH_DEF ⊢ ∀G v1 v2. HAS_PATH G v1 v2 = (∃p. PATH G p ∧ (PATH_ENTRY p = v1) ∧ (PATH_EXIT p = v2))

## Theorems

- PATH_TRAIL ⊢ ∀l G. PATH G l ⊃ TRAIL G l
- TRAIL_WALK ⊢ ∀l G. TRAIL G l ⊃ WALK G l
- PATH_WALK ⊢ ∀l G. PATH G l ⊃ WALK G l
- PATH_GRAPH ⊢ ∀G l. PATH G l ⊃ GRAPH G
- PATH_NOT_NULL ⊢ ∀l G. PATH G l ⊃ ¬NULL l
- PATH_WALK_ENTRY ⊢ ∀p. PATH_ENTRY p = WALK_ENTRY p
- PATH_CONNECTED ⊢ ∀p h G. PATH G (CONS h p) ∧ ¬NULL p ⊃ (e_des h = e_src (HD p))
- CONNECTED_GRAPH ⊢ ∀G. CONNECTED G ⊃ GRAPH G
- CONNECTED_SING ⊢ ∀v. CONNECTED ({v}, {})
- WALK_ENTRY_CONS ⊢ ∀p h G. WALK_ENTRY (CONS h p) = e_src h
- WALK_ENTRY_APPEND ⊢ ∀p1 p2 G. WALK G p1 ∧ WALK G p2 ⊃ (WALK_ENTRY (APPEND p1 p2) = WALK_ENTRY p1)
- WALK_EXIT_APPEND ⊢ ∀p1 p2 G. WALK G p1 ∧ WALK G p2 ⊃ (WALK_EXIT (APPEND p1 p2) = WALK_EXIT p2)
- PATH_ENTRY_SIMP ⊢ ∀u v x. PATH_ENTRY [u, v, x] = u
- PATH_EXIT_SIMP ⊢ ∀u v x. PATH_EXIT [u, v, x] = v
- PATH_ENTRY_CONS ⊢ ∀p h. PATH_ENTRY (CONS h p) = e_src h
- PATH_EXIT_CONS ⊢ ∀p h. ¬NULL p ⊃ (PATH_EXIT (CONS h p) = PATH_EXIT p)
- PATH_ENTRY_APPEND ⊢ ∀l1 l2. PATH G l1 ⊃ (PATH_ENTRY (APPEND l1 l2) = PATH_ENTRY l1)
- PATH_EXIT_APPEND ⊢ ∀l1 l2. ¬NULL l2 ⊃ (PATH_EXIT (APPEND l1 l2) = PATH_EXIT l2)
- WALK_CONS ⊢ ∀p h G. WALK G p ∧ h IS_EDGE G ∧ (e_des h = WALK_ENTRY p) ⊃ WALK G (CONS h p)
- WALK_APPEND ⊢ ∀p1 p2 G. WALK G p1 ∧ WALK G p2 ∧ (WALK_EXIT p1 = WALK_ENTRY p2) ⊃ WALK G (APPEND p1 p2)
- WALK_CAT ⊢ ∀G p1 p2. WALK G p1 ∧ WALK G p2 ∧ (WALK_EXIT p1 = WALK_ENTRY p2) ⊃ (∃p3. WALK G p3 ∧ (WALK_ENTRY p3 = WALK_ENTRY p1) ∧ (WALK_EXIT p3 = WALK_EXIT p2) ∧ (p3 = APPEND p1 p2))
- PATH_EDGE_NO_LOOP ⊢ ∀p h G. PATH G (CONS h p) ⊃ ¬(e_src h = e_des h)
- PATH_SIMP ⊢ ∀G e. GRAPH G ∧ e IS_EDGE G ∧ ¬LOOP e ⊃ PATH G [e]
- PATH_CONS ⊢ ∀p h G. GRAPH G ∧ PATH G p ∧ h IS_EDGE G ∧ (PATH_ENTRY p = e_des h) ∧ ¬LOOP h ∧ ¬ELEM (VER_LIST p) (e_src h) ∧ ¬ELEM p h ⊃ PATH G (CONS h p)
- PATH_CAT ⊢ ∀G p1 p2. GRAPH G ∧ DISJ_PATH G p1 p2 ∧ (PATH_EXIT p1 = PATH_ENTRY p2) ∧ ¬ELEM (VER_LIST p2) (PATH_ENTRY p1) ⊃ (∃p3. PATH G p3 ∧ (PATH_ENTRY p3 = PATH_ENTRY p1) ∧ (PATH_EXIT p3 = PATH_EXIT p2) ∧ (p3 = APPEND p1 p2))
- PATH_APPEND ⊢ ∀G p1 p2. GRAPH G ∧ DISJ_PATH G p1 p2 ∧ (PATH_EXIT p1 = PATH_ENTRY p2) ∧ ¬ELEM (VER_LIST p2) (PATH_ENTRY p1) ⊃ PATH G (APPEND p1 p2)
- PATH_NOT_NIL ⊢ ∀G. ¬PATH G []
- WALK_TAIL_G_UNION ⊢ ∀l G1 G2. GRAPH G1 ∧ GRAPH G2 ∧ WALK_TAIL l G1 ⊃ WALK_TAIL l (G1 G_UNION G2)
- PATH_G_UNION ⊢ ∀l G1 G2. GRAPH G1 ∧ GRAPH G2 ∧ PATH G1 l ⊃ PATH (G1 G_UNION G2) l
- WALK_TAIL_INS_VERTEX ⊢ ∀l v G. WALK_TAIL l G ⊃ WALK_TAIL l (v INSERT_VERTEX G)
- WALK_TAIL_INS_EDGE ⊢ ∀l e G. WALK_TAIL l G ⊃ WALK_TAIL l (e INSERT_EDGE G)
- PATH_INS_VERTEX ⊢ ∀l v G. PATH G l ⊃ PATH (v INSERT_VERTEX G) l
- PATH_INS_EDGE ⊢ ∀l e G. PATH G l ⊃ PATH (e INSERT_EDGE G) l
- PATH_INS_EDGE2 ⊢ ∀G v1 v2. GRAPH G ∧ v1 IS_VERTEX G ∧ v2 IS_VERTEX G ∧ ¬(v1 = v2) ⊃ (∀x.
\mathsf{PATH}((v_1, v_2, x) \mathsf{INSERT\_EDGE}G)[v_1, v_2, x])$ PATH\_IS\_EDGE F VG h1. PATH G (CONS h1) > h IS\_EDGE G PATH\_ELEM\_IS\_EDGE $\vdash \forall G l. PATH G l \supset (\forall x. ELEM l x \supset x IS_EDGE G)$ PATH\_IS\_VERTEX F VG h I. PATH G (CONS h I) > e.arch IS\_VERTEX G A a des à IS VERTEX G PATH ELEN VER LIST IS VERTEX $\vdash \forall G i. PATH G i \supset (\forall z. ELEM (VER_LIST i) z \supset z IS_VERTEX G)$ PATH\_INS\_INS\_COMS + VG | v1 v2 z. PATH G I A Da IS\_VERTEX G A TO IS\_VERTEX G A $(v_2 = PATH\_ENTRY i) \land \neg(v_1 = v_2) \supset PATH((v_1, v_2, x) INSERT\_EDGE$ $(v_1 \text{ INSERT_VERTEX } G))(\text{CONS}(v_1, v_2, z)l)$ CONNECTED THE EDGE $\vdash \forall G$ . CONNECTED $G \supset (\forall e$ . CONNECTED $(e \mid NSERT\_EDGE G))$ \_\_\_ End of theory path \_\_\_\_\_ # A.5 The theory SIGNAL ## Parents HOL ## Types ``` ":Shaspect" ":Shsig" ":Subaspect" ":Subaig" ":Jaig" ":Maspect" ":Mtype" ":Naig" ":Signal" ``` #### Constants ``` REP_ShAspect ":ShAspect -> (one + (one + one))ltree" ABS_ShAspect ": (one + (one + one))ltree -> Shaspect" sh on ":Shaspect" sh_off ":ShAspect" sh_faulty ":ShAmpect" REP_Shaig ":Shaig -> (num -> ShAspect)ltree" ABS_Shaig ": (num -> Shaspect)ltree -> Shaig" SHUNTSIG ": (num -> ShAspect) -> Shsig" SHUNT_FUNC ":Shaig -> (num -> Shaspect)" SHUNT_ON ":Shaig -> (num -> bool)" SHUNT_OFF ": Sheig -> (num -> bool)" SHUNT_FAULT ":Shaig -> (num -> bool)" REP_SubAspect ":SubAspect -> (one + one)ltree" ABS_SubAspect ":(one + one)ltree -> SubAspect" sub_not_show ":SubAspect" sub off ":SubAspect" REP_Subsig ":Subsig -> (num -> SubAspect)ltree" ABS_Subsig ":(num -> SubAspect)ltree -> Subsig" SUBSIG ":(num -> SubAspect) -> Subsig" SUB_FUNC ":Subsig -> (num -> SubAspect)" SUB_OFF ":Subsig -> (num -> bool)" ``` ``` REP_sig ":Jsig -> (num -> bool)ltree" ABS_lsig ":(num -> bool)ltree -> Jsig" JSIG ":(num -> bool) -> Jsig" J_FUNC ":Jaig -> (num -> bool)" REP_MAspect ": Maspect -> (one + one))))))))tree" ABS_MAspect *: (one + 
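The walk, trail and path predicates of the theory path above (WALK_TAIL, WALK, TRAIL, PATH, VER_LIST, DISJ_PATH and HAS_PATH) can be run directly as a small Python model. The block below is an added example, not code from the thesis or from the HOL system: a graph is a pair (vertex set, edge set) and an edge is a (src, des, label) triple, mirroring the HOL types `(*)set # (* # (* # **))set` and `(* # (* # **))list`. The existential HAS_PATH is decided by a search that only extends edge lists that remain paths. The `is_graph` well-formedness test (which stands in for the GRAPH predicate of the theory graph, not listed here) and the sample layout with its part labels are assumptions constructed for the example.

```python
"""Executable model of the HOL theory `path`: walks, trails, paths.

Added example, not code from the thesis. A graph is (vertex set, edge set),
an edge is a (src, des, label) triple and an edge list plays the role of the
HOL list (* # (* # **))list. Function names mirror the HOL constants.
"""
from typing import FrozenSet, Hashable, List, Sequence, Tuple

Edge = Tuple[Hashable, Hashable, Hashable]
Graph = Tuple[FrozenSet[Hashable], FrozenSet[Edge]]


def e_src(e: Edge) -> Hashable:
    return e[0]


def e_des(e: Edge) -> Hashable:
    return e[1]


def is_graph(G: Graph) -> bool:
    """Stand-in for GRAPH G (assumed): both endpoints of every edge are vertices."""
    V, E = G
    return all(e_src(e) in V and e_des(e) in V for e in E)


def unique_el(l: Sequence) -> bool:
    """UNIQUE_EL l: no element of l occurs twice."""
    return len(set(l)) == len(l)


def disj_list(l1: Sequence, l2: Sequence) -> bool:
    """DISJ_LIST l1 l2: the two lists share no element."""
    return not (set(l1) & set(l2))


def v_l(p: Sequence[Edge]) -> List[Hashable]:
    """V_L p: the destination vertex of each edge of p, in order."""
    return [e_des(e) for e in p]


def ver_list(p: Sequence[Edge]) -> List[Hashable]:
    """VER_LIST p = CONS (e_src (HD p)) (V_L p) for non-empty p."""
    return [e_src(p[0])] + v_l(p) if p else []


def walk_tail(l: Sequence[Edge], G: Graph) -> bool:
    """WALK_TAIL_DEF: [] qualifies; CONS hd tl qualifies iff G is a graph, hd is
    an edge of G, and tl is empty or a walk tail whose first edge starts at e_des hd."""
    if not l:
        return True
    hd, tl = l[0], list(l[1:])
    return (is_graph(G) and hd in G[1]
            and (not tl or (walk_tail(tl, G) and e_des(hd) == e_src(tl[0]))))


def walk(G: Graph, w: Sequence[Edge]) -> bool:
    """WALK_DEF: a non-empty edge list that chains through G."""
    return bool(w) and walk_tail(w, G)


def walk_entry(l: Sequence[Edge]) -> Hashable:   # WALK_ENTRY_DEF
    return e_src(l[0])


def walk_exit(l: Sequence[Edge]) -> Hashable:    # WALK_EXIT_DEF, unfolded
    return e_des(l[-1])


def trail(G: Graph, l: Sequence[Edge]) -> bool:
    """TRAIL_DEF: a walk that uses no edge twice."""
    return walk(G, l) and unique_el(l)


def path(G: Graph, l: Sequence[Edge]) -> bool:
    """PATH_DEF: a trail that visits no vertex twice (hence no loop edge)."""
    return trail(G, l) and unique_el(ver_list(l))


path_entry, path_exit = walk_entry, walk_exit    # PATH_ENTRY_DEF, PATH_EXIT_DEF


def disj_path(G: Graph, p1: Sequence[Edge], p2: Sequence[Edge]) -> bool:
    """DISJ_PATH_DEF: two paths sharing neither an edge nor a destination vertex."""
    return (path(G, p1) and path(G, p2)
            and disj_list(p1, p2) and disj_list(v_l(p1), v_l(p2)))


def has_path(G: Graph, v1: Hashable, v2: Hashable) -> bool:
    """HAS_PATH_DEF decided by search: grow an edge list from v1 only while it
    stays a path, so the search is finite. No path enters and exits at the same
    vertex (its VER_LIST would repeat it), so has_path(G, v, v) is always False."""
    if not is_graph(G):
        return False

    def extend(p: List[Edge]) -> bool:
        if path_exit(p) == v2:
            return True
        return any(extend(p + [e]) for e in G[1]
                   if e_src(e) == path_exit(p) and path(G, p + [e]))

    return any(extend([e]) for e in G[1] if e_src(e) == v1 and path(G, [e]))


# Constructed sample layout (an assumption of this example): vertices are track
# joins, edge labels are part ids; t5 runs back from D to B and t6 is a loop.
SAMPLE_GRAPH: Graph = (
    frozenset({"A", "B", "C", "D", "E"}),
    frozenset({("A", "B", "t1"), ("B", "C", "t2"), ("C", "D", "t3"),
               ("B", "D", "t4"), ("D", "B", "t5"), ("E", "E", "t6")}),
)

if __name__ == "__main__":
    p = [("A", "B", "t1"), ("B", "C", "t2"), ("C", "D", "t3")]
    w = [("A", "B", "t1"), ("B", "D", "t4"), ("D", "B", "t5"), ("B", "C", "t2")]
    print("PATH", path(SAMPLE_GRAPH, p), "VER_LIST", ver_list(p))
    print("TRAIL", trail(SAMPLE_GRAPH, w), "PATH", path(SAMPLE_GRAPH, w))
    print("HAS_PATH A D", has_path(SAMPLE_GRAPH, "A", "D"),
          "HAS_PATH C A", has_path(SAMPLE_GRAPH, "C", "A"))
```

The three predicates are strictly nested, as PATH_TRAIL and TRAIL_WALK state: `w` above is a walk and a trail (no edge repeats) but not a path, because the vertex B is visited twice; the loop edge t6 is a walk but never a path, matching PATH_EDGE_NO_LOOP.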
(one + (one + (one + (one + (one + one))))))))tree -> Maspect" green ":MAspect" double_vellow ":MAspect" vellow ":Manact" red ":MAspect" green_flash ": MAspect" double_vellow_flash ":MAspect" yellow_flash ":MAspect" faulty_aspect ":MAspect" REP_Mtype ": Mtype -> (one + (one + (one + one + one))))ltree" ABS_Mtype ":(one + (one + (one + one)))))tree -> Htype" two_aspect ":Ntype" three_aspect ": Ntype" four_aspect ": Htype" two_repeat ":Ntype" three_repeat ":Htype" REP_Msig ": Hsig -> (Ntype 8 (num -> Maspect))ltree" ABS_Msig ":(Htype 0 (num -> MAspect))ltree -> Msig" MSIG ":Mtype -> ((num -> Mispect) -> Msig)" M.TYPE ":Naig -> Ntype" M_FUNC ":Maig -> (num -> Mispect)" M_ASPECT ": Maig -> (num -> Mispect)" MAIN_ON ": Maig -> (num -> bool)" MAIN_FAULTY ": Heig -> (num -> bool)" MAIN_OFF ": Hsig -> (num -> bool)" ``` ``` RED ":Hsig -> (num -> bool)" YELLOW ": Haig -> (num -> bool)" REP_Signal ":Signal -> (num @ Maig + (num 6 (Maig 8 Jaig) + (num 6 (Maig 8 Subsig) + (num # (Maig # (Subsig # Jsig)) + num # Shaig))))tree" ABS_Signal ": (num # Heig + (num # (Heig # Jeig) + (num # (Heig # Subsig) + (num # (Heig # (Subsig # Jeig)) + num # Sheig)))))tree -> Signal" SIGNALM ":num -> (Msig -> Signal)" SIGNALMJ ":num -> (Hsig -> (Jsig -> Signal))" SIGNALMS ":num -> (Msig -> (Subsig -> Signal))" SIGNALMSJ ":num -> (Heig -> (Subsig -> (Jeig -> Signal)))" SIGNALS ":num -> (Sheig -> Signal)" SIGNAL_ID ":Signal -> num" SIGNAL_MAIN ":Signal -> Nsig" SIGNAL_JUNC ":Signal -> Jsig" SIGNAL_SUB ":Signal -> Subsig" SIGNAL_SHUNT ":Signal -> Sheig" SIG.SFUNC ":Signal -> (num -> Maspect) 8 ((num -> bool) 8 (num -> Subispect)) + (num -> Shispect)" ON ":Signal -> (num -> bool)" OFF ":Signal -> (num -> bool)" SIGNAL_FAULT ":Signal -> (num -> bool)" Definitions Shaspect_TY_DEF + 3rep. TYPE_DEFINITION (TRP (Autl. (v = INL one) A (LENGTH tl = 0) \lor (v = INR(INL ane)) <math>\land (LENGTH tl = 0) \lor (v = INR(INRone)) \wedge (LENGTH tl = 0))) rep ShAspect_ISQ_DEF \vdash (Va. 
ABS_ShAspect (REP_ShAspect a) = a) \land (\forall r. \mathsf{TRP}(\lambda v tl. (v = \mathsf{INLone}) \land (\mathsf{LENGTH} tl = 0) \lor (v = INR(INLone)) \land (LENGTH tl = 0) \lor (v = INR(INRone)) \land (LENGTH tl = 0))r = (REP\_ShAspect (ABS\_ShAspect r) = r)) sh_on_DEF + sh_on = ABS_ShAspect (Node (INL one) []) sh_off_DEF + sh_off = ABS_ShAspect (Node (INR (INL one))[]) ``` ``` sh_faulty_DEF + sh_faulty = ABS_ShAspect (Node (INR (INR one))[]) Shote TY_DEF + 3rep. TYPE_DEFINITION (TRP (\lambda v t l, (3f. v = f) A (LENGTH # = 0))) rep Shaig ISO DEF + (Va. ABS Shaig (REP Shaig a) = a) \wedge (Vr. TRP (\lambda v t l. (3f. v = f) \wedge (LENGTH tl = 0))r = (REP\_Shaig(ABS\_Shaig r) = r)) SHUNTSIG.DEF + \( f \). SHUNTSIG \( f = ABS_Shaig \) (Node \( f \)) SHURT_FURC_DEF + Va. SHUNT_FUNC (SHUNTSIG a) = a SHUNT_ON_DEF \vdash \forall a t, SHUNT_ON (SHUNTSIG a) t = (at = sh.on) SHUNT_OFF_DEF \vdash \forall a t. SHUNT_OFF (SHUNTSIG a) t = (a t = sh\_off) SHURT FAULT DEF \vdash \forall at. SHUNT FAULT (SHUNTSIG a) t = (at = sh_{at}) SubAspect TY DEF + Brep. TYPE DEFINITION (TRP (Avtl. (v = INL one) A (LENGTH ti = 0) \forall (v = INR one) \land (LENGTH <math>ti = 0))) rep SubAspect_ISQ_DEF \vdash (\forall a, ABS\_SubAspect(REP\_SubAspect a) = a) \land (\forall r, TRP(\lambda v ti, (v = INLone) \land (LENGTH ti = 0) \lor (v = INRone) \land (LENGTH tl = 0))r = (REP\_SubAspect (ABS\_SubAspect r) = r)) mub_not_show_DEF + sub_not_show = ABS_SubAspect (Node (INL one) []) mub_off_DEF | sub_off = ABS_SubAspect (Node (INR one) []) Subsig_TY_DEF + 3rep, TYPE_DEFINITION (TRP (Avtl. (3f. v = f) A (LENGTH tl = 0))) rep Subsig_ISO_DEF \vdash (\forall a. ABS\_Subsig(REP\_Subsig a) = a) \land (\forall r. TRP(\lambda v tt, (\exists f. v = f) \land f. v = f)) \land f. v = (LENGTH tl = 0))r = (REP\_Subsig(ABS\_Subsig r) = r)) SUBSIG DEF + Vf. SUBSIG f = ABS_Subsig (Node f []) SUB_FUNC_DRF + Va. 
SUB_FUNC (SUBSIG a) = a SUB_OFF_DEF \vdash \forall a \in SUB\_OFF(SUBSIG_a) \in (a \in sub\_off) Jaig_TY_DEF + 3rep, TYPE_DEFINITION (TRP (Avil. (3f. v = f) A (LENGTH tl = 0))) rep Jaig_ISO_DEF \vdash (\forall a. ABS\_lsig(REP\_lsig a) = a) \land (\forall r. TRP(\lambda vtl. (<math>\exists f. v = f) \land (LENGTH tl = 0))r = (REP_laig(ABS_laigr) = r)) JSIG_DEF \vdash \forall f. JSIG f = ABS\_lsig(Node <math>f[]) J_FUNC_DEF \vdash \forall i, J_FUNC (JSIG i) = i ``` ``` MASPACT_TY_DEF + 3rep. TYPE_DEFINITION (TRP (Avtl. (v = INL one) A (LENGTH tl = 0) \lor (v = INR(INLone)) \land (LENGTH tl = 0) \lor (p = (NR(INR(INLone))) \land (LENGTH ti = 0) \lor (v = (NR((NR((NR((NLong))))) \land (LENGTH tl = 0))) (v = INR(INR(INR(INR(INLang))))) \land (LENGTH ti = 0) \lor (v = INR(INR(INR(INR(INR(INLone)))))) \land (LENGTH ii = 0) \lor (v = INR(INR(INR(INR(INR(INR(INLone))))))) \land (LENGTH ti = 0) \lor (v = INR(INR(INR(INR(INR(INR(INR(INRana))))))) \land (LENGTH tl = 0)))rep MARDect_ISQ_DEF \vdash (Va. 
ABS_MAspect (REP_MAspect a) = a) \land (\forall r, TRP(\lambda v tl, (v = INLone) \land (LENGTH tl = 0) \lor (v = INR(INLone)) \land (LENGTH tl = 0) \lor (v = INR(INR(INLone))) \land (LENGTH tl = 0) \forall (v = INR(INR(INR(INLone)))) \land (LENGTH ti = 0) \lor (v = INR(INR(INR(INR(INLone))))) \land (LENGTH H = 0) \lor (v = INR(INR(INR(INR(INR(INLong)))))) \land (LENGTH ti = 0) \lor (v = INR(INR(INR(INR(INR(INR(INLone))))))) \land (LENGTH ti = 0) \lor (v = INR(INR(INR(INR(INR(INR(INR(INRone))))))) \land (LENGTH tl = 0))r = (REP_MAspect(ABS_MAspectr) = r) green_DEF | | green = ABS_MAspect (Node (INL one) []) double_vellow_DEF + double_vellow = ABS_MAspect (Node (INR (INL one))[]) yellow_DEF + yellow = ABS_MAspect (Node (INR (INR (INL one)))[]) F red = ABS_MAspect (Node (INR (INR (INR (INL one))))[]) red_DEF green_flash_DEF F green_flash = ABS_MAspect (Node (INR (INR (INR (INR (INL one))))))))) double_vellow_flash_DEF + double_vellow_flash = ABS_MAspect (Node (INR (INR (INR (INR (INR (INL one))))))]]) vellow flash DEF + vellow flash = ABS_MAspect (Node (INR (INR (INR (INR (INR (INR (INR (INL one)))))))))))) faulty_aspect_DEF + faulty_aspect = Mtvpe_TY_DEF \vdash \exists rep. TYPE_DEFINITION (TRP(<math>\lambda v ti. (v = INLone) \land INLone) (LENGTH tl = 0) \lor (v = INR(INLone)) \land (LENGTH tl = 0) \lor (v = INR(INR(INLone))) \wedge (LENGTH tl = 0) \lor (v = |NR(|NR(|NR(|NLone)))) \land (LENGTH ti = 0) \lor (v = INR(INR(INR(INRone)))) \land (LENGTH ti = 0))) rep Mtvpe_ISO_DEF \vdash (\forall a, ABS_Mtvpe(REP_Mtvpe_a) = a) \land (\forall r. \mathsf{TRP}(\lambda v t l. 
(v = \mathsf{INLone}) \land (\mathsf{LENGTH} t l = 0) \lor (v = INR(INLone)) \land (LENGTH ti = 0) \lor (v = INR(INR(INLone))) \land (LENGTH tl = 0) \lor (v = INR(INR(INR(INLone)))) \land (LENGTH tl = 0) \lor (v = INR(INR(INR(INRone)))) \land (LENGTH tl = 0))r = (REP_Mtvpe(ABS_Mtvper) = r)) ``` ``` two_aspect_DEF | two_aspect = ABS_Mtype (Node (INL one)[]) three aspect_DEF + three_aspect = ABS_Mtype (Node (INR (INL one))[]) four_aspect_DEF + four_aspect = ABS_Mtype ( Node (INR (INR (INL one)))[]) two_repeat_DEF |- two_repeat = ABS_Mtype(Node(INR(INR(INR(INLone))))[]) three_repeat_DEF - three repeat = ABS Mtype (Node (INR (INR (INR (INR one))))]]) Maig_TY_DEF + 3rep. TYPE_DEFINITION (TRP (Autl. (3M f. v = M, f) A (LENGTH (l = 0))) rep Maig_ISQ_DEF \vdash (\forall a. ABS\_Maig(REP\_Maig a) = a) \land (\forall r. TRP(\lambda v tl. (\exists M f. v = M, f) \land (LENGTH tl = 0))r = (REP_Msig(ABS_Msigr) = r)) HSIG DEF \vdash \forall M f. MSIG M f = ABS. Maig (Node (M, f)[]) M_TYPE_DEF + Vtupe af, M_TYPE (MSIG tupe af) = tupe M_FUNC_DEF \vdash \forall type \ af. M\_FUNC(MSIG type \ af) = af M_ASPECT_DEF \vdash \forall tupe a \mid t, M_ASPECT_(MSIG tupe a \mid t) = a \mid t NATH DEF + Vat. MAIN ON at = (M.ASPECT at = red) MAIN PAULTY DEF IN Vat. MAIN FAULTY at = (M. ASPECT at = faulty_aspect) MATERIAN DEP DEP IN VALUATION OFF ALL - MAIN ON ALA -MAIN FAULTY AL RED_DEF \vdash \forall st. RED st = (M\_ASPECT st = red) YELLOW DEF \vdash \forall a i. \forall ELLOW a i = (M.ASPECT a i = vellow) Signal TY DEF \vdash Brep. TYPE DEFINITION (TRP (\lambda v t t. (3n M. v = |NL(n, M)| \land (LENGTH tl = 0) \vee (3n M J, v = INR (INL(n, M, J))) <math>\wedge (LENGTH (l = 0) \lor (\exists n M S', v = |NR(|NR(|NL(n, M, S')))) \land (LENGTH tl = 0) \lor (\exists n M S' J, v = INR(INR(INR(INL(n, M, S', J))))) \land (LENGTH tl = 0) \lor (\exists n S', v = INR(INR(INR(INR(n, S'))))) \land (LENGTH # = 0))) rep Signal_ISO_DEF + (Va. ABS_Signal (REP_Signal a) = a) A (\forall r. 
\mathsf{TRP}(\lambda v tl. (\exists n M. v = \mathsf{INL}(n, M)) \land (\mathsf{LENGTH} tl = 0) \lor (\exists n M J. v = INR(INL(n, M, J))) \land (LENGTH tl = 0) \lor (\exists n \ M \ S', v = \mathsf{INR}(\mathsf{INR}(\mathsf{INL}(n, M, S')))) \land (\mathsf{LENGTH} \ tl = 0) \lor (\exists n \ M \ S' \ J, v = \mathsf{INR}(\mathsf{INR}(\mathsf{INR}(\mathsf{INL}(n, M, S', J))))) \land (LENGTH tt = 0) \lor (\exists n S', v = INR(INR(INR(INR(n, S'))))) \land (LENGTH tl = 0))r = (REP_Signal(ABS_Signalr) = r)) SIGNALW.DEF \vdash \forall n M. SIGNALM n M = ABS. Signal (Node (INL (n, M)) []) SIGNALMJ.DEF + Vn M J. SIGNALMJ n M J = ABS_Signal (Node (INR(INL(n, M, J)))(1) ``` ``` SIGNALMS DEF \vdash \forall n \ M \ S'. SIGNALMS n \ M \ S' = ABS_Signal (Node (INR (INR (INL (n. M. S'))))[]) SIGNALISTORY IN VOM S' J SIGNAL MS La M S' J = ABS_Signal (Node (INR (INR (INR (INL (n, M, S', J))))) []) SIGNALS DEF \vdash \forall n S'. SIGNALS n S' = SIGNAL_ID_DEF \vdash (Vid m. SIGNAL ID (SIGNAL Mid m) = id) \land (\forall id \ m \ i. SIGNAL ID (SIGNAL M J id \ m \ i) = id) \land (Vid m a. SIGNAL ID (SIGNAL MS id m a) = id) A (Vid mai. SIGNAL ID (SIGNAL MS Lid mai) = id) A (Vidah, SIGNAL JD (SIGNALS idah) = 1d) SIGNAL MAIN DEF + (Vid m. SIGNAL MAIN (SIGNALM id m) = m) A (Vidm i SIGNAL MAIN (SIGNAL M Lidm i) = m) A (\forall id \ m \ s. \ SIGNAL MAIN (SIGNAL MS id \ m \ s) = m) \land (\forall id \ m \ a \ i. SIGNAL MAIN (SIGNAL MSJ id \ m \ a \ i) = m) SIGNAL_JUNC_DEF \vdash (Vid m i, SIGNAL_JUNC (SIGNALMJ id m i) = i) \land (\forall id \ m \ a \ i. SIGNAL JUNC (SIGNAL MSJ id m \ a \ i) = i) SIGNAL_SUB_DEF + (Vid m s, SIGNAL_SUB (SIGNALMS id m s) = s) A (Vid m * j. SIGNAL.SUB (SIGNALMSJid m * j) = s) SIGNAL SHUNT DEF + Vid ah, SIGNAL SHUNT (SIGNALS id ah) = ah SIG.SPUNC DEF F (Vidm, SIG SEUNC (SIGNALM idm) = INL (M. FUNC m, ARB, ARB))A (Vid m i, SIG SEUNC (SIGNALM) id m i) = INL(M.FUNC m. L.FUNC j. ARB)) A (\forall id \ m \ a. 
\ SIG.SFUNC (SIGNALM5 \ id \ m \ a) = INL (M.FUNC m, ARB, SUB_FUNC a)) A (Vid m a i, SIG SEUNC (SIGNALMS Lid m a i) = INL (M_FUNC m, J_FUNC j, SUB_FUNC a)) ^ (Vid sh. SIG_SFUNC (SIGNALS id sh) = INR (SHUNT_FUNC sh)) OH_DEF \vdash (Vid m t, ON (SIGNALM id m) t = MAIN_ON m t) \land (Vid m it, ON (SIGNALM Lid m i) t = MAIN ON mt) A (Vidmat, ON (SIGNALMS idma) t = MAIN ON mt) A (Vid mait. ON (SIGNAL MS) 1d mai) ( = MAIN. ON mt) A (Vid ah 1. ON (SIGNALS id ah) 1 = SHUNT ON ah 1) OFF_DEF \vdash (\forall id \ m \ t, OFF(SIGNAL \ m \ id \ m) \ t = MAIN_OFF \ m \ t) \land (\forall id \ m \ it. OFF (SIGNAL MJ \ id \ m \ i) t = MAIN_OFF \ m \ t) \land (Vid mat. OFF (SIGNALMS id ma) t = MAIN_OFF mt) A (Vid mast, OFF (SIGNAL MS Lid mai) t = MAIN_OFF mt) A (Vid ah t. OFF (SIGNALS id ah) t = SHUNT OFF ah t) SIGNAL FAULT DEF + Vat. SIGNAL FAULT at = -(ON at v OFF at) ``` ``` Theorems ``` ShAspect Axiom $$\vdash \forall e_0 e_1 e_2$$ . $(\exists \forall fn. (fn sh.on = e_0) \land (fn sh.off = e_1) \land (fn sh.faulty = e_2))$ Shaspect const dist $\vdash \neg (sh\_on = sh\_off) \land \neg (sh\_on = sh\_faulty) \land \neg (sh\_off = sh\_faulty)$ Shappect\_INDUCT $\vdash \forall P. P \text{ sh.on } \land P \text{ sh.off } \land P \text{ sh.faulty} \supset (\forall S', P S')$ Shapect\_cases $\vdash \forall S'.(S' = \text{sh\_on}) \lor (S' = \text{sh\_off}) \lor (S' = \text{sh\_faulty})$ Shaig\_Axiom $\vdash \forall f. (\exists \forall fn. (\forall f'. fn (SHUNTSIG f') = f f'))$ Sheig\_one\_one $\vdash \forall f' f''$ . (SHUNTSIG f' = SHUNTSIG f'') = (f' = f'') Shmig\_INDUCT $\vdash \forall P. (\forall f'. P (SHUNTSIG f')) \supset (\forall S'. P S')$ Shmig\_cases $\vdash \forall S', (\exists f', S' = \mathsf{SHUNTSIG} f')$ SubAspect\_Axiom $\vdash \forall e_0 e_1. (\exists \forall fn. (fn sub\_not\_show = e_0) \land (fn sub\_off = e_1))$ SubAspect\_const\_dist | - (sub\_not\_show = sub\_off) SubAspect\_INDUCT ⊢ ∀P. 
P sub\_not\_show ∧ P sub\_off ⊃ (∀S', P S') SubAspect\_cases $\vdash \forall S', (S' = \text{sub\_not\_show}) \lor (S' = \text{sub\_off})$ Subsig Axiom $\vdash \forall f. (\exists \forall fn. (\forall f', fn (SUBSIG f') = f f'))$ Subsig\_one\_one $\vdash \forall f' f''$ . (SUBSIG f' = SUBSIG f'') = (f' = f'') Submig\_INDUCT $\vdash \forall P. (\forall f'. P (SUBSIG f')) \supset (\forall S'. P.S')$ Subsig.cases $\vdash \forall S'. (\exists f'. S' = SUBSIG f')$ Jaig Axion $\vdash \forall f. (\exists \forall fn. (\forall f'. fn (JSIG f') = f f'))$ Jaig one one $\vdash \forall f' f''. (JSIG f' = JSIG f'') = (f' = f'')$ Jaig\_HBUCT $\vdash \forall P.(\forall f'. P(JSiG f')) \supset (\forall J. P.J)$ Jsig.cases $\vdash \forall J.(\exists f'.J = JSIGf')$ MARDECT Axiom + Veneres es es es es es es. (3V/m. (fn green = en) A $(fn \text{ double yellow} = e_1) \land (fn \text{ yellow} = e_2) \land (fn \text{ red} = e_3) \land$ $(fn \text{ green\_flash} = e_4) \land (fn \text{ double\_yellow\_flash} = e_5) \land (fn \text{ yellow_flash} = e_6) \land (fn \text{ faulty\_aspect} = e_7))$ MAspect\_const\_dist | ¬(green = double\_yellow) \( \Lambda \) ¬(green = yellow) \( \Lambda \) ¬(green = red) A ¬(green = green\_flash) A ¬(green = double\_yellow\_flash) ∧ ¬(green = yellow\_flash) ∧ ¬(green = faulty\_aspect) ∧ ¬(double\_yellow = yellow) ∧ ¬(double\_vellow = red) \ ¬(double\_vellow = green\_flash) \ ~ (double\_yellow = double\_yellow\_flash) ^ $\neg (double\_yellow = yellow\_flash) \land \neg (double\_yellow = faulty\_aspect) \land$ $\neg$ (yellow = red) $\land \neg$ (yellow = green\_flash) $\land$ ``` \neg(vellow = double_vellow_flash) \land \neg(vellow = yellow_flash) \land ¬(vellow = faulty_sepect) A ¬(red = green_flash) A \neg(red = double_vellow_flash) \land \neg(red = vellow_flash) \land ¬(red = faulty_aspect) A ¬(green_flash = double_vellow_flash) A ¬(green_flash = yellow_flash) A ¬(green_flash = faulty_aspect) A ~ (double_vellow_flash = yellow_flash) ^ 
\neg(double_vellow_flash = faulty_aspect) \land \neg(yellow_flash = faulty_aspect) RAspect_INDUCT ⊢ ∀ P. P green ∧ P double_vellow ∧ P vellow ∧ P red ∧ P green_flash ∧ P \text{ double_yellow_flash } \land P \text{ yellow_flash } \land P \text{ faulty_aspect } \supset (\forall M. P M) Mastert_cases \vdash \forall M, (M = green) \lor (M = double_vellow) \lor (M = vellow) \lor (M = \text{red}) \lor (M = \text{green\_flash}) \lor (M = \text{double\_vellow\_flash}) \lor (M = \text{yellow\_flash}) \lor (M = \text{faulty\_aspect}) Mtype_Axion \vdash \forall e_0 e_1 e_2 e_3 e_4. (\exists \forall fn. (fn \text{ two\_appect} = e_0) \land (fn \text{ three\_appect} = e_1) \land (fn \text{ four\_aspect} = e_2) \land (fn \text{ two\_sepeat} = e_3) \land (fn \text{ three\_sepeat} = e_4)) Htype\_const\_dist \vdash \neg(two\_aspect = three\_aspect) \land \neg(two\_aspect = four\_aspect) four\_aspect = four\_aspect = four\_aspect) \land \neg(two\_aspect = four\_aspect four\_ ~(two_aspect = two_repeat) A ~(two_aspect = three_repeat) A ¬(three_aspect = four_aspect) A ¬(three_aspect = two_repeat) A \neg(three_aspect = three_reneal) \land \neg(four_aspect = two_reneal) \land ¬(four_aspect = three_repeat) A ¬(two_repeat = three_repeat) Htype_INDUCT ⊢ ∀P. P two_aspect ∧ P three_aspect ∧ P four_aspect ∧ P two_aspect ∧ Pthree repeat > (VM. P.M.) \texttt{Htype\_cases} \vdash \forall M, (M = (wo_aspect) \lor (M = three\_aspect) \lor (M = four\_aspect) \lor (M = two_repeat) \lor (M = three_repeat) Haig_Axiom \vdash \forall f. (\exists \forall fn. (\forall M f'. fn (MSIG M f') = f M f')) \texttt{Hsig\_one\_one} \; \vdash \forall M \; f' \; M' \; f''. \; (\texttt{MSIG} \; M \; f' = \texttt{MSIG} \; M' \; f'') = (M = M') \land (f' = f'') Maig_{\perp}IMDUCT \vdash \forall P. (\forall M f', P(MSIG M f')) \supset (\forall M. P M) Mais_cases \vdash \forall M. (\exists M' f', M = MSIG M' f') Signal Axiom \vdash \forall f_0 \ f_1 \ f_2 \ f_3 \ f_4 \ (\exists \forall fn. (\forall n M. 
fn (SIGNALM n M) = f_0 n M) \land (\forall n M J. fn(SIGNALMJnMJ) = f_1 n M J) \land (\forall n \ M \ S', fn (SIGNALMS n \ M \ S') = f_2 n \ M \ S') \land (\forall n M S' J. fn(SIGNALMSJn M S' J) = f_3 n M S' J) \land (\forall n S', fn (SIGNALS n S') = f_n n S')) Signal_one_one \vdash (\forall n \ M \ n' \ M', (SIGNALM \ n \ M = SIGNALM \ n' \ M') = (n = n') \wedge (M = M')) \wedge (\forall n \ M \ J \ n' \ M' \ J', (SIGNALM J \ n \ M \ J = SIGNALM J \ n' \ M' \ J') = (n=n') \wedge (M=M') \wedge (J=J')) \wedge (Yn M S' n' M' S". (SIGNALMS n M S' = SIGNALMS n' M' S") = (n=n') \wedge (M=M') \wedge (S'=S'')) \wedge ``` ``` (\forall n \ M \ S' \ J \ n' \ M' \ S'' \ J'. (SIGNALMSJ n \ M \ S' \ J = SIGNALMSIn' M' S" J') = (n = n') \wedge (M = M') \wedge (S' = S'') \wedge (J = J')) \wedge (\forall n \ S' \ n' \ S'', (SIGNALS \ n' \ S' = SIGNALS \ n' \ S'') = (n = n') \land (S' = S'')) Signal INDUCT | F VP. (Vn M. P (SIGNALM n M)) A (Vn M J. P (SIGNALM Jn M J)) A (Vn M S'. P (SIGNALMS n M S')) A (Vn M S' J. P (SIGNALMSI n M S' J)) A (Vn S', P(SIGNALS n S')) ⊃ (VS', PS') Signal_cases \vdash \forall S', (\exists n M, S' = SIGNALM n M) \lor (\exists n M J, S' = SIGNALM J n M J) \lor (3n M S". S' = SIGNALMS n M S") V (\exists n \ M \ S'' \ J. \ S' = SIGNALMSJ \ n \ M \ S'' \ J) \lor (\exists n \ S''. \ S' = SIGNALS \ n \ S'') SHUNT_NOT_DN_OFF - Yat. -(SHUNT_ON at A SHUNT_OFF at) SIGNAL STATE - Vat. ON at v OFF at v SIGNAL FAULT at SIGNAL_MOT_ON_OFF + Vat. 
¬(ON at A OFF at) _ End of theory SIGNAL __ ``` ## A.6 The theory TRACK Parents SIGNAL ### Types ":Pros" ":Ploc" ":Point" ":Tstate" ":Tcir" ":Join" #### Constants REP.Ppos ":Ppos -> (one + (one + one))ltree" ABS.Ppos ":(one + (one + one))ltree -> Ppos" normal ":Ppos" reverse ":Ppos" moving ":Ppos" REP.Ploc ":(one + (one + one)))ltree" ABS.Ploc ":(one + (one + one)))ltree -> Ploc" Loverian ":Join" ``` free move ":Ploc" free nor rev ":Ploc" free rev.nor ":Ploc" remote locked ":Plac" REP_Point ":Point -> (num # ((num -> Pros) # (num -> Ploc))))ltree" ABS_Point ":(num # ((num -> Pnos) # (num -> Ploc))))tree -> Point" POINT ":num -> ((num -> Pros) -> ((num -> Ploc) -> Point))" PNT_ID ":Point -> num" PNT_POS ":Point -> (num -> Ppos)" PNT_LOC ":Point -> (num -> Ploc)" PNT_RLOCKED ":Point -> (num -> bool)" PNT_NORMAL ":Point -> (num -> bool)" PNT REVERSE ":Point -> (num -> bool)" REP_Tstate ":Tetate -> (one + (one + one))ltree" ABS.Tetate ":(one + (one + one))]tree -> Tatate" occupied ":Tstate" locked ":Tetate" clear ":Tstate" REP_Teir ":Teir -> (num 8 (num -> Tetate))ltree" ABS_Tcir ":(num # (num -> Tetate))]tree -> Tcir" TCIR ":num -> ((num -> Tetate) -> Tcir)" TCJD ":Tcir -> num" TC.SEUNC ":Toir -> (num -> Tatate)" TC ST ":Tcir -> (num -> Tstate)" TC_OCCUPIED ":Tcir -> (num -> bool)" TC_CLEAR ":Tcir -> (num -> hool)" TC_LOCKED ":Tcir -> (num -> bool)" REP_loin ":Join -> (one + (one + one + one)))ltree" ABS_loin ":(one + (one + (one + one))))tree -> Join" J_conduct ": Join" Linsulate ":Join" ``` ``` i_terminate ":Join" IS JCOND ":Join -> bool" IS HNSU ":Join -> hool" ISJOVER ":Join -> bool" IS_ITERM ":Join -> bool" Definitions Prop. TY_DEF + 3rep. TYPE_DEFINITION (TRP (Apti. (p = INL one) A (LENGTH tl = 0) \lor (v = INR(INLone)) \land (LENGTH <math>tl = 0) \lor (v = INR(INRone)) \wedge (LENGTH ti = 0))) rep Pros_ISO_DEF + (\forall a, ABS_Pros(REP_Pros a) = a) \land (\forall r. 
TRP(\lambda v tl, (v = INLone) \land (LENGTH tl = 0) \lor (v = INR(INLone)) \land (LENGTH tl = 0) \lor (v = INR(INRone)) \land (LENGTH ti = 0))r = (REP_Ppos(ABS_Ppos r) = r)) normal_DEF + normal = ABS_Ppos(Node(INLone)[]) reverse DEF + reverse = ABS Pros (Node (INR(INL one)) []) moving_DEF + moving = ABS_Ppos (Node (INR (INR one)) []) Ploc_TY_DEF + 3rep. TYPE_DEFINITION (TRP (Av Il. (v = INL one) A (LENGTH ti = 0) \lor (v = INR(INLone)) \land (LENGTH ti = 0) \lor (v = INR(INR(INLone))) \land (LENGTH tt = 0) \lor (v = INR(INR(INRone))) \wedge (LENGTH(l = 0))) rep Floc. ISO DEF \vdash (\forall a, ABS.Ploc(REP.Ploc.a) = a) \land (\forall r, TRP(\lambda v.tl.(v = |NLone) \land (LENGTH il = 0) \lor (v = INR(INLorg)) \land (LENGTH il = 0) \lor (v = INR(INR(INLone))) \land (LENGTH ti = 0) \lor (v = INR(INR(INRone))) \wedge (LENGTH tl = 0))r = (REP_Phr(ABS_Ploc r) = r)) free_move_DEF + free_move = ABS_Plac(Nade(INL one)[]) free_nor_rev_DEF + free_nor_rev = ABS_Ploc(Node(INR(INL one))[]) free_rev_nor_DEF + free_rev_nor = ABS_Ploc(Node(INR(INR(INLone)))[]) remote_locked_DEF |= remote_locked = ABS_Ploc(Node(INR(INR(INRone)))[]) Point_TY_DEF + 3rep. TYPE_DEFINITION (TRP (\lambda v.tl. (3n f_0.f_1.v = n, f_0, f_1) \wedge (LENGTH ti = 0))) rep Point_ISQ_DEF \vdash (\forall a, ABS\_Point(REP\_Point a) = a) \land (\forall r. \mathsf{TRP}(\lambda v tl, (\exists n f_0 f_1, v = n, f_0, f_1) \land) (LENGTH tl = 0))r = (REP_Point (ABS_Point r) = r)) POINT DEF \vdash \forall n \mid f_0 \mid f_1 \mid POINT \mid n \mid f_0 \mid f_1 = ABS \cdot Point (Node (n, f_0, f_1) \mid f_0 \mid f_1 f_0 \mid f_1 \mid f_0 ``` ``` PMT ID DEF \vdash \forall n \text{ nos loc}. PMT ID (POINT n \text{ nos loc}) = n PHT_POS_DEF \vdash \forall n \ pos \ loc. PNT_POS (POINT n \ pos \ loc) = pos PET_LOC DEF \vdash \forall n \ pos \ loc. 
PNT_LOC (POINT n \ pos \ loc) = loc PWT_RLOCKED_DEF \vdash \forall pt, PNT_RLOCKED pt = (PNT\_LOC pt = remote\_locked) PHT MORMAL DEF \vdash \forall v t, PNT NORMAL v t = (PNT_{\bullet}POS_{\bullet}t = normal) PHT REVERSE DEF + Vp1. PNT REVERSE pt = (PNT POS pt = reverse) Totate_TY_DEF + Bren. TYPE_DEFINITION (TRP (Aut. (v = INL one) A (LENGTH tl = 0) \lor (v = (NR(INLone)) \land (LENGTH tl = 0) \lor (v = INR(INR one)) A (LENGTH tl = 0))) rep Tetate ISO DEF + (Va. ABS Tatate (REP. Tetate a) = a) A (\forall r. \mathsf{TRP}(\lambda v tl. (v = \mathsf{INLone}) \land (\mathsf{LENGTH} tl = 0) \lor (v = INR(INLone)) \land (LENGTH tl = 0) \lor (v = INR(INRone)) \land (LENGTH tl = 0))r = (REP_Tstate(ABS_Tstate r) = r)) occupied_DEF + occupied = ABS_Tstate (Node (INL one)[]) locked DEF | locked = ABS Tstate (Node (INR (INL one)) []) clear DEF + clear = ABS Tstate (Node (INR (INR one)) []) TCIT_TY_DEF + 3rev. TYPE_DEFINITION (TRP (Autl. (3n f. v = n, f) A (LENGTH ti = 0))) rep Tcir_ISO_DEF \vdash (\forall a. ABS\_Tcir(REP\_Tcira) = a) \land (\forall r. TRP(\lambda v tl. (\exists n f. v = n, f) \land (LENGTH (l = 0))r = (REP_Tcir(ABS_Tcirr) = r)) TCIR_DEF \vdash \forall n f. TCIR n f = ABS. Tcir (Node (n, f)[]) TC_ID_DEF \vdash \forall ns. TCJD(TCIRns) = n TC_SFUNC_DEF + Vn a. TC_SFUNC (TCIR n a) = a TC.ST.DEF + \forall nat. TC.ST(TC|Rna)t = at TO DOCUMED DEF \vdash \forall c.t. TC OCCUPIED.c.t = (TC.ST.c.t = occupied) TC_CLEAR_DEF + Vct. TC_CLEAR ct = (TC_ST ct = clear) TC_LOCKED_DEF \vdash \forall ct. TC_LOCKED ct = (TC_sTct = locked) Join TY DEF + Brep. TYPE DEFINITION (TRP (Av II. (v = INL one) A (LENGTH tl = 0) \vee (v = INR(INLone)) \wedge (LENGTH tl = 0) \vee (v = INR(INR(INLone))) \land (LENGTH ti = 0) \lor (v = INR(INR(INRone))) \land (LENGTH ti = 0))) rep Join_ISO_DEF \vdash (\forall a, ABS\_loin(REP\_loin a) = a) \land (\forall r, TRP(\lambda v tl. 
  (v = INL one) ∧ (LENGTH tl = 0) ∨
  (v = INR (INL one)) ∧ (LENGTH tl = 0) ∨
  (v = INR (INR (INL one))) ∧ (LENGTH tl = 0) ∨
  (v = INR (INR (INR one))) ∧ (LENGTH tl = 0)) r = (REP_Join (ABS_Join r) = r))
```

```
J_conduct_DEF   ⊢ J_conduct   = ABS_Join (Node (INL one) [])
J_insulate_DEF  ⊢ J_insulate  = ABS_Join (Node (INR (INL one)) [])
J_overlap_DEF   ⊢ J_overlap   = ABS_Join (Node (INR (INR (INL one))) [])
J_terminate_DEF ⊢ J_terminate = ABS_Join (Node (INR (INR (INR one))) [])
IS_JCOND_DEF ⊢ ∀j. IS_JCOND j = (j = J_conduct)
IS_JINSU_DEF ⊢ ∀j. IS_JINSU j = (j = J_insulate)
IS_JOVER_DEF ⊢ ∀j. IS_JOVER j = (j = J_overlap)
IS_JTERM_DEF ⊢ ∀j. IS_JTERM j = (j = J_terminate)
```

#### Theorems

```
Pros_Axiom ⊢ ∀e0 e1 e2. ∃!fn. (fn normal = e0) ∧ (fn reverse = e1) ∧ (fn moving = e2)
Pros_const_dist ⊢ ¬(normal = reverse) ∧ ¬(normal = moving) ∧ ¬(reverse = moving)
Pros_INDUCT ⊢ ∀P. P normal ∧ P reverse ∧ P moving ⊃ (∀P'. P P')
Pros_cases ⊢ ∀P'. (P' = normal) ∨ (P' = reverse) ∨ (P' = moving)
Ploc_Axiom ⊢ ∀e0 e1 e2 e3. ∃!fn. (fn free_move = e0) ∧ (fn free_nor_rev = e1) ∧
             (fn free_rev_nor = e2) ∧ (fn remote_locked = e3)
Ploc_const_dist ⊢ ¬(free_move = free_nor_rev) ∧ ¬(free_move = free_rev_nor) ∧
                  ¬(free_move = remote_locked) ∧ ¬(free_nor_rev = free_rev_nor) ∧
                  ¬(free_nor_rev = remote_locked) ∧ ¬(free_rev_nor = remote_locked)
Ploc_INDUCT ⊢ ∀P. P free_move ∧ P free_nor_rev ∧ P free_rev_nor ∧ P remote_locked ⊃ (∀P'. P P')
Ploc_cases ⊢ ∀P'. (P' = free_move) ∨ (P' = free_nor_rev) ∨ (P' = free_rev_nor) ∨ (P' = remote_locked)
Point_Axiom ⊢ ∀f. ∃!fn. ∀n f0 f1. fn (POINT n f0 f1) = f n f0 f1
Point_one_one ⊢ ∀n f0 f1 n' f0' f1'. (POINT n f0 f1 = POINT n' f0' f1') = (n = n') ∧ (f0 = f0') ∧ (f1 = f1')
Point_INDUCT ⊢ ∀P. (∀n f0 f1. P (POINT n f0 f1)) ⊃ (∀P'. P P')
Point_cases ⊢ ∀P'. ∃n f0 f1. P' = POINT n f0 f1
Tstate_Axiom ⊢ ∀e0 e1 e2. ∃!fn. (fn occupied = e0) ∧ (fn locked = e1) ∧ (fn clear = e2)
Tstate_const_dist ⊢ ¬(occupied = locked) ∧ ¬(occupied = clear) ∧ ¬(locked = clear)
Tstate_INDUCT ⊢ ∀P. P occupied ∧ P locked ∧ P clear ⊃ (∀T'. P T')
Tstate_cases ⊢ ∀T'. (T' = occupied) ∨ (T' = locked) ∨ (T' = clear)
Tcir_Axiom ⊢ ∀f. ∃!fn. ∀n f'. fn (TCIR n f') = f n f'
Tcir_one_one ⊢ ∀n f' n' f''. (TCIR n f' = TCIR n' f'') = (n = n') ∧ (f' = f'')
Tcir_INDUCT ⊢ ∀P. (∀n f'. P (TCIR n f')) ⊃ (∀T'. P T')
Tcir_cases ⊢ ∀T'. ∃n f'. T' = TCIR n f'
Join_Axiom ⊢ ∀e0 e1 e2 e3. ∃!fn. (fn J_conduct = e0) ∧ (fn J_insulate = e1) ∧
             (fn J_overlap = e2) ∧ (fn J_terminate = e3)
Join_const_dist ⊢ ¬(J_conduct = J_insulate) ∧ ¬(J_conduct = J_overlap) ∧
                  ¬(J_conduct = J_terminate) ∧ ¬(J_insulate = J_overlap) ∧
                  ¬(J_insulate = J_terminate) ∧ ¬(J_overlap = J_terminate)
Join_INDUCT ⊢ ∀P. P J_conduct ∧ P J_insulate ∧ P J_overlap ∧ P J_terminate ⊃ (∀J. P J)
Join_cases ⊢ ∀J. (J = J_conduct) ∨ (J = J_insulate) ∨ (J = J_overlap) ∨ (J = J_terminate)
```

End of theory TRACK

## A.7 The theory PART

#### Parents

TRACK SIGNAL

#### Types

":Part" ":Elbl"

#### Constants

```
REP_Part ":Part -> (num + (num # Tcir) + (num # Tcir # (num # num) # (num # num)) +
                    (num # Tcir # Point # (num # (num # num))))ltree"
ABS_Part ":(num + (num # Tcir) + (num # Tcir # (num # num) # (num # num)) +
            (num # Tcir # Point # (num # (num # num))))ltree -> Part"
BPART ":num -> Part"
TPART ":num -> (Tcir -> Part)"
DPART ":num -> (Tcir -> (num # num -> (num # num -> Part)))"
PPART ":num -> (Tcir -> (Point -> (num # (num # num) -> Part)))"
PART_ID ":Part -> num"
PART_CIRCUIT ":Part -> Tcir"
PART_POINT ":Part -> Point"
PART_PNT_TRAILING ":Part -> num"
PART_PNT_NORMAL ":Part -> num"
PART_PNT_REVERSE ":Part -> num"
PART_DIA1 ":Part -> num # num"
PART_DIA2 ":Part -> num # num"
IS_BPART ":Part -> bool"
IS_TPART ":Part -> bool"
IS_DPART ":Part -> bool"
IS_PPART ":Part -> bool"
REP_Elbl ":Elbl -> (Join # Signal + Join)ltree"
ABS_Elbl ":(Join # Signal + Join)ltree -> Elbl"
ELBLSIG ":Join -> (Signal -> Elbl)"
ELBL ":Join -> Elbl"
IS_ELBL_SIGNAL ":Elbl -> bool"
ELBL_SIGNAL ":Elbl -> Signal"
ELBL_JOIN ":Elbl -> Join"
```

#### Definitions

```
Part_TY_DEF ⊢ ∃rep. TYPE_DEFINITION
  (TRP (λv tl. (∃n. v = INL n) ∧ (LENGTH tl = 0) ∨
               (∃n T'. v = INR (INL (n, T'))) ∧ (LENGTH tl = 0) ∨
               (∃n T' p0 p1. v = INR (INR (INL (n, T', p0, p1)))) ∧ (LENGTH tl = 0) ∨
               (∃n T' P p. v = INR (INR (INR (n, T', P, p)))) ∧ (LENGTH tl = 0))) rep
Part_ISO_DEF ⊢ (∀a. ABS_Part (REP_Part a) = a) ∧
  (∀r. TRP (λv tl. (∃n. v = INL n) ∧ (LENGTH tl = 0) ∨
                   (∃n T'. v = INR (INL (n, T'))) ∧ (LENGTH tl = 0) ∨
                   (∃n T' p0 p1. v = INR (INR (INL (n, T', p0, p1)))) ∧ (LENGTH tl = 0) ∨
                   (∃n T' P p. v = INR (INR (INR (n, T', P, p)))) ∧ (LENGTH tl = 0)) r =
       (REP_Part (ABS_Part r) = r))
BPART_DEF ⊢ ∀n. BPART n = ABS_Part (Node (INL n) [])
TPART_DEF ⊢ ∀n T'. TPART n T' = ABS_Part (Node (INR (INL (n, T'))) [])
DPART_DEF ⊢ ∀n T' p0 p1. DPART n T' p0 p1 = ABS_Part (Node (INR (INR (INL (n, T', p0, p1)))) [])
PPART_DEF ⊢ ∀n T' P p. PPART n T' P p = ABS_Part (Node (INR (INR (INR (n, T', P, p)))) [])
PART_ID_DEF ⊢ (∀n. PART_ID (BPART n) = n) ∧ (∀n t. PART_ID (TPART n t) = n) ∧
              (∀n t n1 n2. PART_ID (DPART n t n1 n2) = n) ∧ (∀n t p n3. PART_ID (PPART n t p n3) = n)
PART_CIRCUIT_DEF ⊢ (∀n tc. PART_CIRCUIT (TPART n tc) = tc) ∧
                   (∀n tc n1 n2. PART_CIRCUIT (DPART n tc n1 n2) = tc) ∧
                   (∀n tc p n3. PART_CIRCUIT (PPART n tc p n3) = tc)
PART_POINT_DEF ⊢ ∀n tc p n3. PART_POINT (PPART n tc p n3) = p
PART_PNT_TRAILING_DEF ⊢ ∀n tc p n3. PART_PNT_TRAILING (PPART n tc p n3) = FST n3
PART_PNT_NORMAL_DEF ⊢ ∀n tc p n3. PART_PNT_NORMAL (PPART n tc p n3) = FST (SND n3)
PART_PNT_REVERSE_DEF ⊢ ∀n tc p n3. PART_PNT_REVERSE (PPART n tc p n3) = SND (SND n3)
PART_DIA1_DEF ⊢ ∀n tc n1 n2. PART_DIA1 (DPART n tc n1 n2) = n1
PART_DIA2_DEF ⊢ ∀n tc n1 n2. PART_DIA2 (DPART n tc n1 n2) = n2
IS_BPART_DEF ⊢ (∀n. IS_BPART (BPART n) = T) ∧ (∀n t. IS_BPART (TPART n t) = F) ∧
               (∀n t n1 n2. IS_BPART (DPART n t n1 n2) = F) ∧ (∀n t p n3. IS_BPART (PPART n t p n3) = F)
IS_TPART_DEF ⊢ (∀n. IS_TPART (BPART n) = F) ∧ (∀n t. IS_TPART (TPART n t) = T) ∧
               (∀n t n1 n2. IS_TPART (DPART n t n1 n2) = F) ∧ (∀n t p n3. IS_TPART (PPART n t p n3) = F)
IS_DPART_DEF ⊢ (∀n. IS_DPART (BPART n) = F) ∧ (∀n t. IS_DPART (TPART n t) = F) ∧
               (∀n t n1 n2. IS_DPART (DPART n t n1 n2) = T) ∧ (∀n t p n3. IS_DPART (PPART n t p n3) = F)
IS_PPART_DEF ⊢ (∀n. IS_PPART (BPART n) = F) ∧ (∀n t. IS_PPART (TPART n t) = F) ∧
               (∀n t n1 n2. IS_PPART (DPART n t n1 n2) = F) ∧ (∀n t p n3. IS_PPART (PPART n t p n3) = T)
Elbl_TY_DEF ⊢ ∃rep. TYPE_DEFINITION
  (TRP (λv tl. (∃J S'. v = INL (J, S')) ∧ (LENGTH tl = 0) ∨ (∃J. v = INR J) ∧ (LENGTH tl = 0))) rep
Elbl_ISO_DEF ⊢ (∀a. ABS_Elbl (REP_Elbl a) = a) ∧
  (∀r. TRP (λv tl. (∃J S'. v = INL (J, S')) ∧ (LENGTH tl = 0) ∨ (∃J. v = INR J) ∧ (LENGTH tl = 0)) r =
       (REP_Elbl (ABS_Elbl r) = r))
ELBLSIG_DEF ⊢ ∀J S'. ELBLSIG J S' = ABS_Elbl (Node (INL (J, S')) [])
ELBL_DEF ⊢ ∀J. ELBL J = ABS_Elbl (Node (INR J) [])
IS_ELBL_SIGNAL_DEF ⊢ ∀j s. IS_ELBL_SIGNAL (ELBLSIG j s) = T
ELBL_SIGNAL_DEF ⊢ ∀j s. ELBL_SIGNAL (ELBLSIG j s) = s
ELBL_JOIN_DEF ⊢ (∀j s. ELBL_JOIN (ELBLSIG j s) = j) ∧ (∀j. ELBL_JOIN (ELBL j) = j)
```

#### Theorems

```
Part_Axiom ⊢ ∀f0 f1 f2 f3. ∃!fn. (∀n. fn (BPART n) = f0 n) ∧
             (∀n T'. fn (TPART n T') = f1 n T') ∧
             (∀n T' p0 p1. fn (DPART n T' p0 p1) = f2 n T' p0 p1) ∧
             (∀n T' P p. fn (PPART n T' P p) = f3 n T' P p)
Part_Induct ⊢ ∀P. (∀n. P (BPART n)) ∧ (∀n T'. P (TPART n T')) ∧
              (∀n T' p0 p1. P (DPART n T' p0 p1)) ∧ (∀n T' P' p. P (PPART n T' P' p)) ⊃ (∀P'. P P')
Part_one_one ⊢ (∀n n'. (BPART n = BPART n') = (n = n')) ∧
  (∀n T' n' T''. (TPART n T' = TPART n' T'') = (n = n') ∧ (T' = T'')) ∧
  (∀n T' p0 p1 n' T'' p0' p1'. (DPART n T' p0 p1 = DPART n' T'' p0' p1') =
     (n = n') ∧ (T' = T'') ∧ (p0 = p0') ∧ (p1 = p1')) ∧
  (∀n T' P p n' T'' P' p'. (PPART n T' P p = PPART n' T'' P' p') =
     (n = n') ∧ (T' = T'') ∧ (P = P') ∧ (p = p'))
Part_distinct ⊢ (∀n n' T'. ¬(BPART n = TPART n' T')) ∧
  (∀n n' T' p0 p1. ¬(BPART n = DPART n' T' p0 p1)) ∧
  (∀n n' T' P p. ¬(BPART n = PPART n' T' P p)) ∧
  (∀n T' n' T'' p0 p1. ¬(TPART n T' = DPART n' T'' p0 p1)) ∧
  (∀n T' n' T'' P p. ¬(TPART n T' = PPART n' T'' P p)) ∧
  (∀n T' p0 p1 n' T'' P p. ¬(DPART n T' p0 p1 = PPART n' T'' P p))
Part_cases ⊢ ∀P'. (∃n. P' = BPART n) ∨ (∃n T'. P' = TPART n T') ∨
             (∃n T' p0 p1. P' = DPART n T' p0 p1) ∨ (∃n T' P'' p. P' = PPART n T' P'' p)
Elbl_Axiom ⊢ ∀f0 f1. ∃!fn. (∀J S'. fn (ELBLSIG J S') = f0 J S') ∧ (∀J. fn (ELBL J) = f1 J)
Elbl_Induct ⊢ ∀P. (∀J S'. P (ELBLSIG J S')) ∧ (∀J. P (ELBL J)) ⊃ (∀E. P E)
Elbl_one_one ⊢ (∀J S' J' S''. (ELBLSIG J S' = ELBLSIG J' S'') = (J = J') ∧ (S' = S'')) ∧
               (∀J J'. (ELBL J = ELBL J') = (J = J'))
Elbl_distinct ⊢ ∀J S' J'. ¬(ELBLSIG J S' = ELBL J')
Elbl_cases ⊢ ∀E. (∃J S'. E = ELBLSIG J S') ∨ (∃J. E = ELBL J)
```

End of theory PART

## A.8 The theory NETWORK

#### Parents

HOL sets func graph elist path PART

#### Constants

```
NFC ":(Part)set # (Part # (Part # Elbl))set -> (Part -> bool)"
NETWORK ":(Part)set # (Part # (Part # Elbl))set -> bool"
```

#### Definitions

```
NJOIN_DEF ⊢ ∀N n1 s1 n2 s2. NJOIN N n1 s1 n2 s2 = (n1, n2, s1) INSERT_EDGE ((n2, n1, s2) INSERT_EDGE N)
NETWORK_DEF ⊢ ∀N. NETWORK N =
  (∀P. (∀n. P ({BPART n}, {})) ∧ (∀n t. P ({TPART n t}, {})) ∧
       (∀n t p n3. P ({PPART n t p n3}, {})) ∧ (∀n t n1 n2. P ({DPART n t n1 n2}, {})) ∧
       (∀N' p1 p2. P N' ∧ ¬(p1 = p2) ∧ p1 IS_VERTEX N' ∧ NFC N' p1 ∧ NFC N' p2 ⊃
          (∀s1 s2. P (NJOIN N' p1 s1 p2 s2)))
   ⊃ P N)
```

#### Theorems

```
NETWORK_BUFFER ⊢ ∀n. NETWORK ({BPART n}, {})
NETWORK_TRACK ⊢ ∀n t. NETWORK ({TPART n t}, {})
NETWORK_POINT ⊢ ∀n t p n3. NETWORK ({PPART n t p n3}, {})
NETWORK_DIAM ⊢ ∀n t n1 n2. NETWORK ({DPART n t n1 n2}, {})
NETWORK_SIMP ⊢ ∀n. NETWORK ({n}, {})
NETWORK_NJOIN ⊢ ∀N. NETWORK N ⊃
  (∀n1 n2. n1 IS_VERTEX N ∧ ¬(n1 = n2) ∧ NFC N n1 ∧ NFC N n2 ⊃
     (∀s1 s2. NETWORK (NJOIN N n1 s1 n2 s2)))
NETWORK_INDUCT ⊢ ∀P. (∀n. P ({BPART n}, {})) ∧ (∀n t. P ({TPART n t}, {})) ∧
  (∀n t p n3. P ({PPART n t p n3}, {})) ∧ (∀n t n1 n2. P ({DPART n t n1 n2}, {})) ∧
  (∀N p1 p2. P N ∧ ¬(p1 = p2) ∧ p1 IS_VERTEX N ∧ NFC N p1 ∧ NFC N p2 ⊃
     (∀s1 s2. P (NJOIN N p1 s1 p2 s2)))
  ⊃ (∀N. NETWORK N ⊃ P N)
NFC_SIMP ⊢ ∀n. NFC ({n}, {}) n
NJOIN_EXP ⊢ ∀N n1 s1 n2 s2. n1 IS_VERTEX N ∧ ¬(n2 IS_VERTEX N) ⊃
  (NJOIN N n1 s1 n2 s2 = (n2 INSERT (VS N), (n1, n2, s1) INSERT ((n2, n1, s2) INSERT (ES N))))
NJOIN_EXP2 ⊢ ∀N n1 s1 n2 s2. n1 IS_VERTEX N ∧ n2 IS_VERTEX N ⊃
  (NJOIN N n1 s1 n2 s2 = (VS N, (n1, n2, s1) INSERT ((n2, n1, s2) INSERT (ES N))))
NETWORK_GRAPH ⊢ ∀N. NETWORK N ⊃ GRAPH N
NOT_VER_IMP_NFC ⊢ ∀N p. NETWORK N ⊃ (¬(p IS_VERTEX N) ⊃ NFC N p)
NETWORK_FINITE ⊢ ∀N. NETWORK N ⊃ FINITE (VS N) ∧ FINITE (ES N)
NETWORK_FINITE_GRAPH ⊢ ∀N. NETWORK N ⊃ FINITE_GRAPH N
NETWORK_CONNECTED ⊢ ∀N. NETWORK N ⊃ CONNECTED N
```

End of theory NETWORK

## Appendix B

# ML source listings

This appendix lists all the ML source files which create the theories in Appendix A. Each file is listed in a separate section.
### B.1 The file mk\_func.ml non\_theory'func';; lead\_library'sets' 11 sem\_special\_symbol (-->>';) non\_special\_symbol '>-->'|| sev\_special\_symbol '>-->'|| let FUI\_MEF = neg\_indin\_definition('FM\_AHF', "\$--> A B (f:0->00) = (ix. (x IN A) --> ((f x) IN B))");; let FUE\_GETO\_DEF = new\_infin\_definition('FUE\_GETO\_DEF'. "\$-->> (A:(a)sat) (B:(on)sat) f = (ta. (a 18 A) ==> (f x) 18 B) /\ (1g. (g 28 8) -> (7s. (s 18 6) /\ (y = f z)))");; let FUE\_GEE\_GEE\_GEF = meg\_infin\_definition('FUE\_GEE\_GEE\_DEF', "\$>--> (&:(\*)eat) (B:(\*\*)eat) f = (ta. (a III A) ==> (f a) III D) /\ (ix y. (x 18 A) /\ (y 18 A) /\ ((f x) = (f y)) --> (x = y))");; let FOR\_150\_DEF = new\_infin\_definition('FOR\_160\_MEF', "\$4--> (4:(0)mat) (8:(00)ggt) # = ((A >--> B) 4) /\ ((A -->> B) 4)");; let FUH\_OSTO\_e = prove\_thm('FOH\_GSTO\_e'. "((A: (e)ase) B C (f:e->ee) (g:ee->eee) ((A -->> B) f) /\ ((B -->> G) g) --> ((A -->> C) (g a f))", PURE\_RENETTE\_TAG[PUR\_SUTS\_BEF; -\_THE] THEN REPEAT GEN\_TAG THEN STRIP\_TAG THE COST. TAC THE GEN. TAC THE STRIP TAC THE RES. TAC THE RES. TAC THE EXISTS TAC "MATTER" THE SURSTI\_TAC (ASSURE "y = (g:ee -> eee) x") THEN SURSTILTAC (ASSUME "E = (f: -> ++) a''") THEN COMPLYAC THROL( FIRST\_ASSUM ACCOPT\_TAG: REFL\_TAG]);; let FUR\_ORE\_ORE\_o = prove\_thm('FUR\_ORE\_ORE\_o'. "!(&:(0)met) R C (f:0->00) (g:00->000) ((a >--> E) f) /\ ((B >--> C) g) ==> ((a >--> C) (g a f))", PURE\_MINESTE\_TAC[PUR\_SEC\_ORE\_DEF; -\_ THE] THEN REPRAT ORE\_TAC THEN STRIP\_TAC THEN CONJ. TAC THEN REPEAT GEN. TAC THEN STRIP. TAC THEN RES. TAC THEN RES. TAC !!! let FUL\_ISQ\_c = preve\_the('FOL\_ISO\_c'. "!(A:(0)mex) B C (f:0->cc) (g:00->ccc). ((& <--> E) f) /\ ((B <--> C) g) ==> ((& <--> C) (g a f))", PURE REMRITE TAGIFUL ISS MEY: - THE THEN REPEAT GEN. TAG THEN STRIP. 
TAG THEN IMP\_RES\_TAC FOR\_GRID\_G THEN IMP\_RES\_TAC FOR\_GRE\_CRE\_G THE CONJUTAC THEN FIRST\_ASSUR ACCEPT\_TAC) :: let FUR\_INT\_DEF - nen\_definition('FUR\_INT\_DEF', "FIR 127 (4:(4)mat) (8:(44)mat) f y " ((y 18 8) /\ (7x. (x 18 a) /\ (y \* f a))) \*> (Ont. (x IN A) /\ (x = f x)) | (On. x IN A) ");; let FUE\_PIEVERSE\_DEF = new\_definition('FUE\_PIEVERSE\_DEF'. FUR\_PIRVERSE (A,R) (f:c->cc) g = (A --> B)f /\ (B --> A)g /\ (IE. (E IS A) --> ((g o f)E = E))-);; les FUR\_ISVERSE\_BEF = men\_definition('FUR\_ISVERSE\_DEF', "FUR\_ I | FUR\_ I | (4.4-)40) g = (PUR\_PIRVERSE (A.B) f m) /\ (PUR\_PIRVERSE (B.A) m f)=):: let FUS\_TT = prove\_thm('FUS\_TT'. "18 B (f:a->aa), (8 >--> B) f \/ (8 -->> B) f ==> (8 --> B)f", THEN REPEAT ONE THE DISCH THEN STRIP ASSURE THE THEN PIRST\_ARRUN ACCEPT\_TAC) : 1 les FUE IEV TY let les - dick\_acceitt\_sold[dg\_sys\_st] sounce\_sot\_court is preve\_thm('FUL\_INV\_TY' "IA B (f:0->00), "(A = ()) ==> (B --> A)(FBE\_1EV A B f)", ASPRAT ORS TAG THEN BEHINTTH TACCPUS MED: PUR THY MED: Land THEN DISCH TAC THEN REPRAY STRIP TAC THEN COMB CASES TAC THERE. POP\_ASSUM (\e. STRIP\_ASSUME\_TAC ((SELECT\_BULE a CONJUNCT2) t)); FIRST\_ASSUM (\s. MATCH\_ACCEPT\_TAG (SELECT\_BULE a))]);; let LEFT\_FIRT = prove\_thm('LEFT\_FIRT', "(A B (f:n-3en), "(A = ()) /\ (A 3--> B)f en> PUR\_PIRVERSE (A.B) # (PUR\_INV A B #)". PURE\_RENRITE\_TAG[PUR\_PISUMAR\_MAY] THEN REPEAT ORS\_TAG THEN STRIP\_TAG THEN IMPLEMENTAC FUNDTY THEN THE RESULTSCHOOL SEVETY THEN REPRAY CONJ. TAC THEN (FIRST\_ARROW MATCH\_ACCEPT\_TAC CRELER ALL, TAC ) THEN PURE ARMETTE TAC [FUR 184 DEF: - THE] THEE UNDISCH. TAC "(A >--> B)(f:0->00)" THEN PURE DECK AMOUNTS TACIFUS ONE ONE DEFT THES REPRAY STRIP, TAC THES BES, TAC ``` THER SURGOAL THER "(7x', x' IS & /\ ((f:e->ee) x = f x'))" ASSUME_TAC THERLE RELETS TAC "-- THEN COMPLIENCE THESE [FIRST ASSUM ACCEPT TAC; BEFL TAC]; ASH_RESERVE TACT THEN POP_ASSUM (\s. STRIP_ASSUME_TAC (SELECT_MELE s)) THEN RES. TAC THEN FIRST_ASSUN (\c. 
ACCEPT_TAC (SYN a))]):: let BIGHT_FIST = prove_thm('BIGHT_FIRT', "IA B (f:0->00). "(A = ()) /\ (A -->> B)f ==> PUR PINVERSE (B.A) (FOR INV & B 4) 4". PORE REMRITE TAC (POR PINYINGS AND) THEN REPRAT GEN TAC THEN STRIP TAC THEN THE BES TAG FOR TY THEN 180 BEN. TAG FOR LIFY. TY THEN REPEAT CONJ. TAC THEN (FIRST_ASSUN MATCH_ACCEPT_TAC CRELER ALL_TAC ) THES PURE RENRITE TAC[FUE_INV_DEF : a_TES] THES UNDISCH. TAC "(A -->> 8) (f: 0->++) THE REPEAT STRIP TAG THES HES TAG THEM SUNGGAL THEM "(TH'. E' IN A /\ ((H:00) = f x'))" ANNUAL TAC THERE ! EXISTS TAC "e': " THES COST TAC THES FIRST ASSUM ACCEPT TAC: FILTER_ASH_REMRITE_TAC (\t.met(fat(strip_cosh t) = "m:ss->ss->bool"))[] THEN POP_ASSUM (\t. STRIP_ASSUME_TAG (SHIRET_RULE t)) THEN PIRST_ASSUM (No. MATCH_ACCEPT_TAC (STR t))]);; let LEFT_BIGHT_PINY = preve_the("LEFT_BIGHT_PINY", "14 B (f:a->ee) g (A --> B)f /\ (B --> A)g /\ FUB_PIEVERSE (A,B) f g --> (A >--> B) f /\ (B -->> A) a" REPRAT GEN TAC THEN RENRITE TAC [FER_ART : FER_ORE_ART : FER_RETS_BET : FOR_FIRSTERS : A. TIR] THE REPRAY STRIP TAC THEN BES TAC THREE! UMBISCH_TAC =(a:00->0)(f v) = v= THEN DISCH, THEN (No. SURSTI, TAC (SYR s)) THEN UNDINCH_TAC "(g:ee->e)(f s) = a" THEN BIRCH THEN (No. SURGEL. TAG (SYN s)) THES AP TERM THE THES PIRST ASSUR ACCEPT THE; EXISTS_TAC "(f:0->00) y" THEN CONJ. TAC THEN (CONV. TAC SYN. CONV CHILAN ALL. TAC) THEN FIRST ASSUM ACCEPT. TACT 1:: let 180_1848268 = prove_the('180_1848284', "18 B (f:0->00) g. (A --> B)# /\ (B --> A)g /\ FUS_184ERSE (A,B) # g --> (4 --- 1)f /\ (8 --- 1)g", REPEAT OFF. TAC THE BURNITE TAC(FUE 180 BEF: FOR | HAVESE USF] THEN REPEAT STRIP_TAC THEN IMP_RES_TAC LEFT_RIGHT_PINY) : | let FUE_EMPTY_LEFT = let leni = TAC_PROSF(([], "(B (f:e->ee), ({) --> B)f"), SAMPLITE_TAC[FUN_BEF; HUY_IN_MIPTY]) in let len2 = TAC_PROSP(({), "IB (f: e->ee). 
({) >--> B)f"), BENEFITE TAC(FUL_COX_COX_COX; NOT_10_SOFTY)) in let lend = TAC_PROOF(([], "(B (f:=->++) (({) -->> B)f = (B = {})))"), BENETIE TACEPUN GRID DEF: NOT IN MIPTY] THEN GEO TAC THEN CONV. TAC (ONCH. DEPTH_CONV PORALL_NOT_CONV) THER REMNITE TAC [REMARK SOT SEPTY] ) to let lest = TAC_PROSP(([], "IR (f:e->ee), ((() <--> B)f = (B = ()))"), REPEAT GES. TAC THESE ``` ``` REWRITE TAC(FUL_180_BEF:len2:len3]) in save_thm('FUE_EMPTY_LEFT', LIST_CBSJ [len1;len2;len3;len4]);; let FUE_EMPTY_RIGHT = let les - COSV BULE (CHCK_DEPTH_CONV SOT HEISTS COST) (ARM ALL (PURE ONCE BENEFITE MELETERY CLAUSES) (CONTRAPOS(and(NO 100 NOLE (APRC ALL RENDER NOT EMPTY)))))) in let lent = fac_PROSF(([], "i& (f:e->ee), (& --> {})f = (& = {})"), BENEFITE TAC [FOR DEF : BET_IS MIPTY] THE REPEAT ORD TAC THES COST. TAC (CHCS_DEPTS_COST FORALL_SOT_COST) THEN REVOLTS TACCHESISE FOR EMPTY!) to les les2 = TAC_PROSF(([], "18 (f:0->00), (8 >--> {})f = (8 = {})"), BREETTH_TAC(PUR_ORE_GEN_BEF; NOT_18_MIPTY) THE REPRET OFF THE RELIAN THE STRIP, THE THERE I THE REE TAC 1 cm ASS_RESDITS_TAC[SST_IS_MOTY]]) in let lead = TAC PROOF(([], "|A (f | 0->00), ((A -->> (}))f = (A = (}))"). BONRISE TACIFOR OUTS DEP: SET 12 MIPTY THE QUILTAC THE 20 TAC THERL! HATCH ACCEPT TAC 1em: DISCH_THEN (\e. SURST:_TAG e) THEN REBRITE TAGENT IN MIPTYII) in let lend = TAC PRODECCEL. "IR (f:e-bee), ((A <--> ())f = (A = ()))"), REPRAY ORD TAC THES RENDITE_TAC[FUE_ISO_DEF;lend;len3]) in gave_thm('FUE_EMPTT_RIGHT', LIST_COSJ [lest;les2;les3;les4]);; let FWL I - let leni = TaC_PROGF(([], "(A:(*)set. (A --> A) (1:*->*)"), BENDITE TAC (FUN_DEF; 1_THE) in let lem2 = TAC_PRODF(([], "(&:(*)met. (& >--> A) (I:*->*)"), DESCRIPT TACIPUS ORE OF BUY: 1 THE THER REPRAT STRIP_TAC THES PIRST_ARROW ACCEPT_TAC) in let lend = TAC_PRODF(([], "18:(*)set. (A -->> A) (1:*->*)"), REMORD THE TACCEPUS GUTTO BODY : 1 THE THES REPEAT STRIP. TAC THES REISTS. TAC "V: 4" THES ASE_REMRITE_TAC[]) in let land = TAC_PROGF(([], "(&:(*)set. (& <--> &) (1:=->+)"). 
AMIRITE_TAC(FUL_150_307; |_1mk) THER RESEAT STRIP TAC THERE! MATCH ACCEPT TAG long: MATCH ACCEPT TAG long!) in save_thm('FUE_1', LIST_COBJ [last;loa2;loa3;loa4]);; let 180_F18V = prese_thm('188_F18V', "IA B (f:0-300), (A <--> 2)f -> (B <--> 4)(FMLINV A B f)". REPRAT 488. TAC THES REPRITE TACIFUS 180 BEFT THER ASS CASES TAC "(A:(*)set) = ()" THEN ARE ANNAUTE TAC [FIRE MIPTY_LEFT; FOR_EMPTY_BIGHT] THEN ASS CARRESTAC "(B:(*)set) = ()" THEN ARE RENDITE TAC [FOR MIPTY_LEFT : FOR BUPTY_BIGHT] THEN REPEAT STRIP_TAC THEN MAP_EVERY INP_BES_TAC (FOR TY: FOR 18V_TY:LEFT_FIEV: BIGHT_FIEV:LEFT_BIGHT_PIEV) THER PIRET_ASSUM NATCE_UP_TAC THEN FIRST_ASSUM NATCE_ACCEPT_TAC) () ``` cless\_theory();; ## B.2 The file mk\_graph.ml ``` FILE: mb_graph.ml vor:0.2 AUTHOR: Was Nong DATE: 1 AUG 1990 modefied Jun 91 neo_theory 'graph's i load_library'sets';; men.marent'func':: autalend_all'func';; met_flag('sticky',true);; I----- %- General theorems and tectics seeded in this theory -% les PAIR_EQ_EQ - TAC_PROSF(([]. "(g:edee) y. (x = y) = (PST z = PST y) /\ (SSD z = SSE y)"), REPEAT GES_TAC THES PURE CHCK_RESERVE_TAC[SYN(SPEC_ALL PAIR)] THEN PURE_ORCH_RESERVE_TAC[FET: SED] THES PURS_GROW_RENGITE_TAC[PAIR_EQ] THE PURE ORCE AMERITE TAC[PAIR EQ] THE REPL TAC);; les PAIR_BOT_RQ - TAC_PROSF(( ... "!(a:0) (b:00) x y. "((a,b) = (a,y)) = "(a = x) \/ "(b = y)"), REPRAT GRU. TAC THEN HO. TAC THE CORY TAC COSTRAPOS CORY THEN CHES_RANGITS_TAC[RH_HUNGAH_YIM] THE ORCE_REMNITE_TAC(PAIR_EQ) THE ORCE_REMNITE_TAC():: let EUT_BULL_APPEND - TAC_PROSF(([], "!(11:0 1101) 12. "BOLL 12 mm> "BULL (APPEND 11 12)"), LIST_INDUCT_TAC THEN (ARMATTE_TAC[APPEND; BULL]));; les BULL_BIL - TAC_PROSF(([]. "(1:(*)list. BULL 1 = (1 * {])"). LIST_ISDOCT_TAC THES (RESENTE_TAC(SELL:SET_COSS_STL]));; les MD_APPEND - TAC_PROOF(([]. "ipi p2:(*)2i44 ('EMLL p1) -> (NB (APPRED p1 p2) + ND p1)"), LIST. ISSUCT. TAC THREE! RENDITE TAC (APPEND: BULL): QUOM_REMNITE_TAC[APPEND: MILL] THEN REWRITE_TAC[ND]]);; let EVERT_APPEND = TAC_PROSF(([]. 
"!(11:0 1100) 12 P. EVERY P (APPEND 11 12) = (EVERY P 11) / (EVERY P 12)"), LINT INDUCT TAC THRUL! REMBITE_TAC(APPEND; EVERY_DEF); SIGN_BENDITS_TAC(APPRID; BIRRY_REF) THEN COCK_REMAITS_TAC(EVERY_REF) THER ASK_RENGITE_TAG[] THEN RENGITE_TAG[COMJ_ASSOC]]);; ``` let DISIGIST INSERT INP - TAC PRODUCCO. "1(a:0) a 1. DISJOIRT (n JESERT a) 1 ""> (B18J6187 a b) /\ '(s IN s)") REMRITE TAC[BISJOIST\_DEF; INSERT\_INTER] THE REPRET SEE TAG THEN COSD CASES TAG THE RESILITE TACINGT INSERT HUPTY1): let 18\_18P\_18\_UNIQUE = TAC\_PRODF(( ... "((x;0) a t. (x IS t) -> x IS (a UNIOS t)"), DESCRIPTION TAGGES - WEIGH: 00. SPING. THEY ! ) :: I Versey. Edge and Graph are defined as abbreviations for the types used. I to represent vertices, edges and graphs. I let Verses - Fiel and Edge = ": (\* 0 \* 0 \*\*)" and draph = ":(0)get 8 (0 8 0 8 00)pet";; I The following three definitions are required by the definition of graph! L c.orc(s) is the source of an edge o L La\_des(a) is the destination of an edge a L I alb(a) to the label of an odge a I has a are MOF a non definition('s are MOF'. "a\_are (a: "\$4ga) = PST a");; let a des DEF s nes definition('a des DEF'. "a\_des (a: "Edge) = FST (SSD e)");; let alb.DEF - sec.definition('alb.DEF'. "alb (a: "Edge) = SED (SED a)");; let e\_ore = prove\_thm('a\_ere', "ipt p2 e. e\_are((p1.p2,s); "Hage) = p1", nippar old\_tac THES PURS\_GROUP\_REVELTS\_TAC(e\_ere\_DEF) THEN PURE DUCK REPRETE TAC [PAY] THEN REFL. TAC) . : let o\_den = preve\_thm('e\_den', "ip1 p2 s. e\_den((p1,p2,s):"Edge) = p2", REPRAT ORD. TAC THES PURE\_ORGE\_RESISTS\_TAC(+\_4=4\_BEF) THE PURE REWRITE TAC (PRT : SED) THES REPL TAC) ; ; let alb = prove\_thm('alb', "ip1 p2 s, alb((p1,p2,s):"Edge) = s", REPRAT ORS. TAC THES PURE\_GREEN\_MERRITE\_TAC(+16\_REF) THES PURE REMETTE TAC [PRT : SED] THES REPL\_TAC) ; ; 1- 4 graph, by definition, is a pair of sets, where -1 I- V is the vertex set, which can be a set of any type and I- I is the edge set which is a set of vertex pairs and labels. 
-I I- The constraint on graph in that all vertices appeared in "I I- the vertex pairs in the edge set are mombers of the vertex set. "I I------let GRAPH\_DEF = nes\_definition('GRAPH\_DEF'. "GEAPH ((V:("Vertex)set),(E:("Edgs]set]) = (g. e IS S ==> ((e.src e) IS V) /\ (e.des e) IS V))");; I- A special graph is the ampty graph -T let BULL\_GRAPH = new\_definition('EGLL\_GRAPH' "SULL\_GRAPH = ((EMPTY:("Vertex)pat), (EMPTY:("Edge)ant))");; I The vertices set og a graph I let VS\_DEF = new\_definition('VS\_MEF', "VS (G:"Graph) = FST G");; I The edge set of a great I let ES\_DEF = new\_definition('ES\_DEF', "ES (0:"Graph) = SED 0");; let VERTICES - prove\_thm('VERTICES', "!(V:("Vertex)met) (E:("Edge)met). VS(V,E) = V". RENDITE TAC [VO.DEF: PUT]):: lot 20028 - preventhm("EDGES", "1(V:('Vertex)met) (E:('Edge)met), ES(V.E) = E". REMRITE VACIES DEF: SHET) :: %- a 15\_EDGE 6 165 a 1a In (ES 6) -% let IS EDGE DEF - now infin definition('IE EDGE DEF'. "IS\_EDGE a (6: "Graph) = a IE (ES 4)");; 1- . IS SERVER & 125 w in In (98 6) -1 let IS\_VERTES\_DEF = men\_infin\_definition('IS\_VERTES\_DEF', "15\_VERTER = (0: "Graph) = = 18 (VS 8)");; 1------1- Same basic facts about graph -% ...... I- There exists a graph -I let GRAPE\_EXISTS = prove\_thm('GRAPE\_EXISTS', "7(4: Granh) GRAPH 4" EXISTS TAC "BULL GRAPS : "Graph" THEN REMAITS TAC [BULL GRAPH GRAPH DEF : NOT 18 MEPTY]) ; ; let dlaps\_PAIR = prove\_thm('dlaps\_PAIR', "!(6: "Graph) GRAPH 6 --> (6 = (VH 6, HH 6))", BENETTE TACIVE DEF: EN MEFT):: let GLAPS\_DECOMP = preve\_the('GRAPS\_DECOMP', "1(6:"Graph). (GRAPH 6) = (GRAPH (VH 6, MH 6))", BENETTS TAC (VS\_DEF; Ex\_DEF)); let GRAPH\_EG = mreve\_thm('GRAPH\_EG'. "1(0:"draph) H. GRAPH G /\ GRAPH H ==> ((4 - H) - (((48 4) - (48 H)) /\ ((88 4) - (88 H))))", AGRICULTUL TAG [VO\_DIFF: NO\_DIFF] THE REPRAT STRIP\_TAG THEN NATCH\_ACCEPT\_TAG PAIN\_EQ\_EQ1:: let BOT\_VERTER\_BOT\_EDGE = prove\_the('BOT\_VERTER\_BOT\_EDGE'. lat BOT. WENTE, BOT. EDGE = prose, late 'HOT, WENTE, BOT. EDGE'. 
'(4): '47mph' vi vi vi v. (MANN 4) ==> ('v) i i v. Wente o V. 'v. i i v. Wente o) => '(vi v. v. a.) i i EDGE d'. POR. BOC. Lambity. Sacédary. HORDEY : 1.0 v. V. v. a.) FURE DUEL ALBERTIT, 'ACCIDATE ARE'; 10.000, BOT. 12. V. WENTE, DOT') THE BURNAT dist. Not There will be relieve that Contrained, CONTRAINED. ``` THEN REMAITS TACIDS HOMAN THE THEN DISCH TAC THEN BES THEN BY THE THEN BENEFITE TAC[o_src:o_des] THEN BEPEAT STRIP_TAC THEN PURSU ASSESS ACCRPT TAC) :: let chart_mot_verter_mat = prove_the('dhart_mot_verter_mot_mat', "((d:"(resh) v. (GRAPH 6) /\ "(v 16_VERTER 6) --> In z. "((v,u,z) 18,8002 4)". PURE SUCK RESIDENCE TACTORAPS RECEIPED THEN REWRITE TAC (GRAPH DEF: IS MORE DEF: IS WESTER DEF) THEN REPORT OF THE THE STRIP TAG THE REPORT OF THE THER ASSESS LIST (\As1. ASSUME TAC (CONTRAPON (IMPEC '(w,m,m): "Edge' (el 2 asl)))) THEM POP_ASSUM (\s_ASSUME_TAG (REWRITE_ROLE(RE_HERMAN_TEM;o_des;o_ercl s)) THEN BES TAC) :: les (RAPH_ROT_VERTEX_ROT_ROCK2 = prove_thm('GRAPH_ROT_VERTEX_ROT_ROCK2'', "!(4: "Greek) v. (GRAPH 4) /\ "(v 18_VERTEL 4) -> Im m. "((m.w.m) IS.EDGE 4)". PURE_GROW_RESET TAC [GRAPS_MICHIES] THEN BERN 178 TAC [48APS DEF ; 16 MAR. SEF ; 11 VENTEX DEF] THEN REPEAT ARE THE THE STRIP TAC THES REPEAT ARE THE THER ASSUM LIST (\as), ASSUME_TAC (CONTRAPOS (ISPEC "(n.v.s): "Edge" (el 2 asl)))) THEN POP_ASSUM (\s. ASSUME_TAG (REMRITE_BRIZE[DE_SERMAN_THE; a_dos; a_arc] t)) THEN BUG TACL ... ______ I- Leone and multiple edges -1 ----- 1- A loop is an edge having identical and paints -1 les LOOP_DEF - new_definition('LOOP_DEF'. "LDDP (a: "Size) = (a_arc e = a_des a)");; let HAR_LOSP_DEF = new_definition('MAS_LOSP_DEF'. "MAN_LDOP G = 7(e:"Bige). (e IN (ES G)) /\ (LDOP e)");; I- Rultiple edges are distinct edges but having the same and paints -I les MR.T1 EDGE DEF - nen definition('MR.T1 EDGE DEF'. "SULTI_EDGE 6 = 7(e1: Edge) e2. (at 18 (ES 6)) /\ (a2 18 (ES 6)) /\ '(a1 * a2) /\ (e_src ei = e_src e2) /\ (e_den ei = e_den e2)");; 1..... L- Simple graphs -1 ...... 
I & simple graph is a graph mithout loop and mithout multiple edges I les SIMPLE GRAPH DEF - new_definition('SIMPLE_GRAPH_DEF', "SIMPLE_GRAPH (G: "Graph) " (GRAPH 6) A "(MAG_LOOP 6) A "(MULTI_EDGE 6)"):: let lemmas - TAC_PROSF(([]. "1(d: 'Graph) a. "HAS_LGOP & /\ a IS (ES &) -> "(a_arc a = a_dos a)"), REPEAT ORS. TAC THES RENAITS TAC(SAS LOOP DEF LOOP DEF) THEN CORN TAC(GROUP SEPTE CORN BOT_EXISTS_CORN) THEN STREET TAC THEN AND TAC THEN THE BEN TAC SEP-FILL let SIMPLE SO LOOP - TAC_PROOF (([]. ``` -IG: Graph . SIMPLE\_GRAPH G -> (to. (a IH (HS G)) -> "(a\_arc o \* a\_des o))"), RESELTS\_TAC(SIGNLE\_GRAPS\_REF) THEN REPEAT STRIP TAC THEN IMP\_RES\_TAC learned):: %- |- ta y. "(FST x = FST y) \/ "(180 x = 180 y) -> "(x = y) -% lot pair\_lessa = QES\_ALL (RENDITE\_BOLE[BE\_HORSE\_THE] (CONTRAPOS( fat(HQ\_IRP\_BULE (1PBC\_ALL PAIR\_EQ\_EQ)))));; let eq\_lemme = TAC\_PROGF(([]. "!(a:e) h (c:e) d. (a = d) /\ (b = c) --> ("(a = h) --> "(a = c))"), REPEAT ORS\_TAC THES STRIP\_TAC THEN ASH\_REMAITE\_TAC[]):: let EDGE\_EG = preve\_thm('EDGE\_EG'. "I(a1: "Edga) a2. (a1 = a2) = ((e\_grc qi = q\_grc q2) / (e\_dee qi = q\_dee q2) / (qlb qi = qlb q2))", REMETER TAC (a. arc. DEF; a. des. DEF; alb. DEF, PAIR EQ. EQ.)); E- Anti-parallel edges in a simple graph are distinct, se nimple graph in directed "T lot GRAPH\_BIRECTED " prove\_thm('GRAPH\_BIRECTED', "[(G: 'Granh), (1] MPLE\_GRAPH () -> (tal a2. (a1 IH (RH 6)) /\ (a2 IH (RH 6)) /\ (s\_arc ai = a\_dea a2) /\ (s\_des ai = s\_arc a2) ==> "(ai = a2))". COCH\_RESERVED\_TAC[EDGS\_IN] THEN GES\_TAC THEN STRIP\_TAC THEN REPRAT GEN. TAC THEN STRIP. TAC THEN INPURES TAC SIMPLE NO LOOP THEN ASH RESISTE TAC[]);; I- A graph in finite iff both vertex set and edge set are finite -1 ...... les PIRITE GRAPH DEF a new definition('FIRITE GRAPH DEF'. 
"FIRITE\_GRAPH (G: Graph) = (GRAPH G) /\ FIGURE (VS 4) /\ FIGURE (ES 4)")|| 1------%- Adjacency relations -% I-------I- vertices are adjacent if there is an edge connecting them -I les VER\_ADIA\_DEF - new\_definition('VER\_ABIA\_DEF', "FER ADJA 0 =1 (=2:0) = (GRAPE 6) /\ (wi 18\_WERTEX 6) /\ (w2 IS\_WERTEX 6) /\ (?(a:"Rigs), (a IS\_EDER 6) /\ (((a\_arc a = vi) /\ (a\_dex a = v2)) \/ ((e\_src e = v2) /\ (e\_des e = v1))))");; I- two edges are adjacent if they incident with a common vertex "I let E\_ABJA\_DEF = now\_definition('E\_ABJA\_DEF', "E\_ADJA 6 ol (ol:"Hage) = (GRAPH 4) /\ (a1 13\_EDGE 41 /\ (a2 15\_EDGE 4) /\ ((a\_dos ai = a\_arc a2) \/ (a\_dos a2 = a\_arc a1))");; 1-----L- Incident relations of verter -1 %- & subset of edges of graph 4 which is incident from v -% let ISCIDEST\_FROM\_DEF = new\_definition('ISCIDEST\_FROM\_DEF'. "ISCIDENT FROM (4: "Granh) v . let g\_lemma1 = TAC\_PROSF(([], "!(6:"Graph). (GMAPH 6) ---> to. (a 18 (ES 4)) --> ((a\_arc a) 18 (VS 4)) /\ (a | (a 12.EDGE 6) /\ (a\_arc a = v) 3");; I- the out degree of w is the cardinal of the set INCIDENT\_FROM -T let OUT\_DEGREE\_DEF = ses\_definition('OUT\_DEGREE\_DEF' "GUT\_REGREE (6: Graph) w = CARD (INCIDENT\_FROM 6 w)");; T- Similar for incident to a vertex -I let INCIDENT\_TO\_DEF = new\_definition('INCIDENT\_TO\_DEF', "ISCIDENT\_TO (6: Graph) v . (a | (a IS.EDGE S) /\ (a.des a " v))");; I- the in degree of v is the cardinal of the set INCIDENT TO -T let IN DESIGN DEF - new\_definition('IN\_DESIGN DEF' "IN DECRME (G. Granh) w = CARD (INCIDENT.TO G w)"):: %- A subset of edges of graph G shich is incident with w -% let ISCIDENT WITH DEF . new\_definition('INCIDENT\_WITH\_DEF'. -18CIBEST\_MITH (4.\*4raph) w = (a | (a IS\_EDGE 4) /\ ((a\_src a = v) \/ (a\_des a = v))}");; I- The total degree of a vertex is the gam of the above two -I les Decker DEF - nes\_definition('Decker DEF' "DEGREE (G. 
"Grash) w = (18 DEGREE G w) + (OUT\_DEGREE G w)"): I------I- fuccessor and predocessor relations of vertex -1 I IS\_SUC\_VER 6 v1 v2 iff v2 is a successor of v1 % let IS\_SUC\_VER\_DEF - new\_definition('IS\_SUC\_VER\_DEF', "IS\_SUC\_VER (d. "Graph) vi v2 " ?e. (a IS\_EDEE 0) /\ (s\_arc a = vi) /\ (s\_des a = v2)");; I IS PRE VER & wi w2 iff w2 is a predacement of Wi E let IS\_PER\_VER\_DEF = new\_deftstate('IS\_PER\_VER\_BEF', "IS\_PER\_VER\_G: Graph) v1 v2 = 7a. (a 15\_EDGE 4) /\ (a\_des a = ui) /\ (a\_srs a = u2)");; I DUC. THE E v delivers a set of all vertices which are successors of v I let SUC\_VERS\_BEF - seu\_definition('SUC\_VERS\_BEF', "anc vens (4. draph) v = (\*\* | (\*\* IS\_VENTER 4) / (IS\_SUC\_VEN 4 \* \*\*)}");; I FRE\_TERS G w delivers a set of all vertices which are predecessors of w I lot PRE VERS DEF - non\_definition('PRE\_VERS\_DEF'. "PRE VERS (4: "Grash) v " (v' | (v' 14, TERTER 4) /\ (I4\_PRE\_VER 4 v v'))");; I HOUSE ARTHUE 4 vs v2 delivers a get of edge(a) all of which are from vi to v2 % let EDGES SETVERS DEF - neg definition('EDGES DEFVERS DEF'. - Ebs Es\_BETHERS (6. "Graph) vs v2 = (a | (a 18\_2008 4) /\ (a\_erc u = v1) /\ (a\_dec a = v2))");; ((a\_des a) 18 (VS 4))"). SINCE ADDITE TAC (SEATE BROOK) THEN DESIGNED TACGODAPH BEF. VERTICES : EDGES!):: let VER\_INCIDENT\_NOT\_EMPTY = prove\_thm('VER\_INCIDENT\_NOT\_EMPTY', "!(d:"Graph) v. (GRAPH 4) /\ "((INCIDENT\_WITH 0 +) = EMPTY) ==> (v 18\_VERTEX 0)". ADDRESS: TAC (INCLINES)\_WITH\_DEFT; IS\_WENTER\_BEFT; IS\_EDGE\_DEFT) THEN BRIDGE TACIONS ALL (BYR (SPEC\_ALL RESIDER\_SOT\_EMPTY))] THEN CONV.TAC (DEPTH\_CONV SET\_SPEC\_CONV) THEN CORV. TAC (DECK.DEPTH\_CORV SYM\_CORV) THEN REPEAT ORS THE STRIP TAC THE ISP\_RES\_TAC g\_lemmat THES ASH\_REMRITE\_TAC());; let BOT\_VER\_ISCIDENT\_EMPTY = prove\_thm('BOT\_VER\_ISCIDENT\_EMPTY', "1(4: 'Graph) v. (CRAPE 6) -> '(v IS\_VERTER 6) -> ((ISCIDEST\_NITE 6 +) = EMPTY)", REPEAT OF THE STRIP TAC THEN CONV. TAC CONTRAPOS.COMV THE RESIDENCE TACK! 
THE BIRCH TAC THES HEP-RES. TAC VER. DECIDENT, NOT DESTY);; let GRAPH\_EDGE\_VERTER = prave\_thm('GRAPH\_EDGE\_VERTER'. "!(4:"4ranh) e. (4RAPE 6) /\ (e IS\_EDGE 6) --> ((a\_ore a) IS\_VERTER 4) /\ ((a\_den a) IS\_VERTER 4)", BERRITH TAC(IS VERTEX MET; IS RESEDED) THEN REPEAT ONE TAC THEN STRIP TAC THE 18P\_MES\_TAC g\_lemes THE ASS\_RESELTS\_TAC());; let SOT\_IS\_SAME\_SET = prove\_thm('SOT\_IS\_SAME\_SET', "1(g:0) y a. y IS a /\ 's IS a -> "(a-y)", REPRAY ORD THE THER ASS CASES TAC "x: - y" THEN ASS\_RESERVE TE\_TAC(SOT\_AND));; let SCT\_IS\_SAME\_GRAPH = prove\_thm('EST\_IS\_SAME\_GRAPH'. "1(4: 'Graph) w a. (# 18\_28\_81 a) /\ (# 18\_VERTEL 6) /\ (# 18\_EB#1 a) --> '(a\_arc a = u) /\ '(a\_des a = u)" MERGER TACELS SENTEL BEY: 19 EDGE DEV THEN REPRAY CHE\_TAC THEN STRIP\_TAC THEN INP\_RES\_TAC (REMRITE\_ROLE[IS\_VERTEX\_DEF; IS\_EDGE\_DEF) THES 16P ARE THE SOT IS SAME SET THEN COMP. TAC (GROW DEPTH COMP SYN COMP) THEN ASH BENGITE TAC[]):: let VERTEX\_EDGE = prove\_the('VERTEX\_EDGE', "1(6: "Grach) w a. (GRAPH G) /\ (w IS\_WERTER G) /\ (a IN (INCIDENT\_WITH G w)) -> ((e\_arc a = v) \/ (a\_des a = v))", MINISTRATOR SERVICE WITH AND S THE CONV.TAC (DEPTH\_CONV SET\_SPEC\_CONV) THEN REPRAT ORD\_TAC THEN STRIP\_TAC THEN AND\_REPRETE\_TAC([);; 1- DELETICS --- DELETE\_EDGE deletes an edge from the graph -T I- DELETE VERTER deletes a verter and all edges incident with it "I let DELETE\_EDGE\_DEF = med\_infis\_definition('DELETE\_EDGE\_DEF'. "DELETS\_EDGE (d: Graph) a = ((VS G), ((ES G) DELETE a))"];; ((a\_den e) 1H (VH d))") ORCE REVRITE TACIGRAPH DECOMPI THES REWRITE\_TAC[GRAPH\_DEF; VERTICES; EDGES]);; let WER\_INCIDENT\_ROT\_EMPTY = prove\_the('VER\_ISCIDENT\_NOT\_EMPTY'. "1(0: 'Graph) v. (CRAPH 6) /\ "((INCIDENT\_WITH 6 +) = MIPTY) -> (+ 16 SERTER 6)". SENDITE TAGGLECIMENT MITH DEF-14 VERTEX DEF-15 EDGE DEF! THEN RESERVE TAC [GEN\_ALL (NYM (APRC\_ALL MEMBER\_NOT\_EMPTY))] THEN COME TAC (DEPTH COME SET SHEC COME) THEN CONV. 
"DELETS\_EDGE (6: Graph) a = ((TS 4), ((ES 4) DELETE =))");; let DELETE\_VERTER\_DEF = new\_infin\_definition('DELETE\_VERTER\_DEF', "DELETE\_VERTEX (6: Graph) v = (((48 4) DELETE +), ((28 4) DIFF (INCIDENT\_NITE ( +)))");; let E\_DELETE\_ARREAD = prove\_thm('E\_DELETE\_ARREAD', "1(d:"Graph) a. (GRAPH G) /\ "(e IS\_EDGE G) -> ((DELETE\_EDGE G a) = G)". BENEFITE TAC [IN MARC SEP : SELECTE SACE SEP] THEN REPRAT GES. TAC THEN STRIP TAC THES INP RES. TAC DELETE ROS. ELEMENT THEN ASH, MANDETT, TAC [] THES INP DES THES (\amm. RATCH\_ACCEPT\_TAG (STR onn)) GRAPE\_PAIR); let V\_DELETE\_AREORP = prove\_thm('V\_DELETE\_AREORP', "((4:"Graph) w. (GRAPH 6) /\ "(w 10\_WENTER 6) --> ((DELETE\_VENTER 6 w) - 6)", RESERVED THE TACETE VENTER BUS DELETE VENTER DEFT THEN REPRAY CHR. TAC THEN STRIP. TAC THE 189 ARM TAC DELETT 100 KINNEY THE INPURE TAC (RESELTS AND THE RULE [15 VERTEX DEF] SOT VER INCIDENT MENTY) THE ASS\_RESERVE TR\_TAC[DIFF\_EMPTY] THEN INP\_RES\_TERM (\acc. MATCH\_ACCEPT\_TAC (SYN acc)) GRAPS\_PAIR);; les GRAPS DELETE EDGE - exeve\_the('GRAPS\_DELETE\_EDGE', "16:('Graph) (a: Bigo) (GRAPH 4) -> (GRAPH (4 DHLETE EDGE 4))". BENEFIT TAC (BELETE, MAR, 187) THEN ORCE\_RENGITE\_TAC [GRAPH\_DECORP] THE BUILTY TAC [VERTICES : EDGES : GRAPH\_BEF; 13 \_RELETE] THEN REPEAT STRIP\_TAC THEN RES\_TAC THEN AND REWRITE\_TAC[]);; let GRAPS\_DELETE\_VERTEX = prove\_thm('GRAPS\_DELETE\_VERTEX'. "16:("fresh) (w:"Vertes) (GRAPE 4) -> (GRAPE (4 DELETE\_VERTER +))", POLE\_BOOK\_RANGE 178\_TAC (SELECTE\_VERTEX\_REF) THEN PURE GROSE RENDITE TAC [GRAPH DECORP] THE RESIDENT TACTURETICES : EDGES : QBAPK\_BEF; IN\_BELETE; IN\_BIFF; INCIDENT\_WITH\_BEF] THEN CONV\_TAG (DEPTH\_CONV SET\_SPEC\_CONV) THEN RESELTE\_TAG(IS\_EDGE\_DEF; DE\_HORGAS\_THE) THE REPEAT ORS. TAC THES STRIP. TAC THES GES. TAC THES STRIP. TAC THEN BES\_TAC THEN ASS\_RESSITE\_TAC(]) :: les DELETE\_VERTEX\_COM = prove\_the('DELETE\_VERTEX\_COM'. "|(4: "draph) v1 v2. 
((4 BELETE\_VERTES v1) DELETE\_VERTER v2) = ((4 DELETE\_VERTER +2) DELETE\_VERTER +1)" MEND ITE, TAC [DELETE, VERTER | DEF ; VERTICES ; MICH : PAIR\_M] THEN REPEAT ORD, TAC THEN COST, TAC THENL! NATCH\_ACCEPT\_TAC DELETE\_COM: RESERVE TAC [ DIFY\_REF : SECIRET\_STR \_BEF : SE\_ERES\_BEF : ERES\_ THE COUNTY AC (DEPTH\_CERY SET\_SPEC\_COUNT) THEN REWRITE\_TAC[EXTENSION] THEN CONV.TAC (DEPTH\_CONV.NET\_SPEC\_CONV.) THEN REMRITE TAC [DE MORGAN THE] THEN GES TAC THES EQ. TAC THE STREP TAG THE RESIDENCE THEN ASSURED THE TAGE [] ) : 1 let DELETS\_EDGE\_COM = prove\_the('DELETS\_EDGE\_COM' . "1(d: draph) at a2 ((G DELETE, EDGE o1) DELETE, EDGE o2) = ((G DELETE, EDGE o2) DELETE, EDGE o1)\*, NUMBERTE, EDGE o2) DELETE, EDGE o1)\*, THESE SATCE, ACCEST, TAC DELETE, COMM(); let [MREAT\_EDGE\_DEF = neo\_infin\_definition(')MREAT\_EDGE\_DEF', "INFERT\_EDGE = (6: 'draph') = ((MR 0), ('(c\_dee e) MR\_MEATEX 0) /\ ((c\_dee e) MR\_MEATEX 0)) => (a INSERT (BM 0) \cdot (BM 0)) \cdot (); let IMBERT, VERTEL COME = preve\_the('IMBERT\_VERTEL\_COME', "4(41'65)blt = 7. (vs IMBERT, VERTEL (vs IMBERT, VERTEL 4)) = (vs IMBERT, VERTEL (vs IMBERT, VERTEL 40)\*\*, MARRITH, IMC(IMBERT, VERTEL AND VERTEL AND VERTEL, DAW (PAIR, DO) THEM AND VERTEL AND VERTEL AND VERTEL AND VERTEL, DAW (PAIR, DO) THEM AND VERTEL V let EDGE\_18.185EDT\_TERTEX = prave\_the(\*18\_185EDT\_VERTEX; "'(c: [Mage] > c. (c 18\_EDGE\_0) =>> (c 18\_EDGE\_(v 186EDT\_VERTEX d))", smmblyE\_Tac(1s\_EDGE\_0BSF\_EMGES\_185ET\_VERTEX\_DES) THEN REPLAY GEN\_TAC THESE COME\_CASES\_TAC THESE REMSITE\_Tac(18\_185EXT\_CB\_18TAC\_TEXZ)); let EDGE\_IN\_INDEXT\_EDGE = prove\_thm('IN\_INDEXT\_EDGE', "'(c' 'Edge) o' c. (c IN\_EDGE o) =>> (c IN\_EDGE (c' INSERT\_EDGE d))", again 178\_Tac[in\_index\_sur\_edge;index\_sur\_edge\_DGF] TREE ARPEAT GEI\_TAC TREE COMP\_CASEL\_TAC TREE REPRITE\_TAC[in\_INDEXT\_EDGE\_DGF] ``` Les INCIDENT MITS INSERT VERTER - ereve the ("INCIDENT WITS INCIDENT VERTER", "1(4: '4raph) v. 
(4RAPH 4 ) -> '(v 15_VERTEL 4) -> ((INCIDENT_WITH (w INCEST_WENTER () w) = ( ))". REPEAT ONE TAC THE REPEAT STRIP. TAC THE IMP.RES. TAC BOT .. VIR. INCIDENT SEPTY THEN REPORTED TAC (TRUMPS MERTER DEF-18010887 MITS DEF- 16 . god E . DEF ( BOOKS ; EXTENSION ) THE COLUMN TAC (DEPTH COST SET SPEC COST) THEN GET THE THEN BY THE THEM. STRIP_TAC THEN IMP_RES_TAC (REMRITE_BULE[16_EDGS_DEF] NOT_18_SAME_GRAPH); REMDITE TACTION IN SEPTEMBLE: let a = (CHCK_BERNITE_MOLE(RO_SYR_EG] 10_EDGE_DGF) in (BENTALTE BULEfel (SPEC "(ES 4):("Edge)set" (1980 "a: "Mage" (1881_TYPE [": "Mage", ":e"] 188831_SHLETS)));; let DELETE ISSEET COSE = prove the('DELETE_ISSEET_ENGS'. "((4: 'dramb) a. (48498 4) // (a 18 8848 4) -> ((e | HEERT_EDGE (G DELETE_EDGE e)) = q)". AMBRITA TAC (188887 MOR DEF : MELSTE EDGE DEF: VERTICES: EDGES) THER REPEAT ORS TAC THES STRIP TAC THE 18P RES THEN IN TAC GRAPS SOUR VENTER THE BENETTS TACELS NEWTON DEV. VERTICES (EDGES) THE REPEAT STRIP TAG THEN RES. TAG THER ASH ADMITS TAG[] THES IMP_RES_THES (\t. REMRITE_TAC(s)) located THEN CURY_TAC STR_COMY THEN INP_RES_THEN RATCH_ACCEPT_TAC (RAPS_PAIR);; leg ISSERT_DELETE_VERTEX = prove_the('ISSERT_DELETE_VERTES', "|(4:"Graph) v. (GRAPH 4) /\ "(v IN VERTER 4) --> (((* IRERRY VERTER 4) DELETE VERTER *) = 4)". REPEAT ONE TAG THEN STREP TAG THEN IND RES TAC ENCIONET MITS INSIDE VINCEN THE ADVALTE TAC [ INCRET .. VENTER .. BUT | BULLETS .. VENTER .. DEF ; VENTERS ; EDGES ] THEN THE THE THEN (No. CONV.TAC (ORCH.DEPTH_CONV (BARRITE_CONV s))) GRAPH PAIR THES REPRESE TAG [PAIR BO: VERTICES: EDGES] THES CONJ. TAG THESE. RENDITE_TAC[BULETE_INNERT] THEN ARRUM_LINY (\amble RP_TAC (REMRITE_RULE(IS_MERTEL_REF) (el 2 ambl))) THEN ADDRESS TAC [DELETE BOX DLEMENT] POP_ASSUR (\s. BUNDITE_TAC[(MENDITE_BELE[INSERT_VERTE_DEF;VERTICES:EMES] t)]) les VERTICES_INSERT_EDGE = prove_the('VERTICES_ISSERT_EDGE', "1(4:"Graph) a. 
```ml
let EDGES_INSERT_VERTEX = prove_thm('EDGES_INSERT_VERTEX',
  "!(G:^Graph) v. ES(v INSERT_VERTEX G) = ES G",
  REPEAT GEN_TAC THEN REWRITE_TAC[INSERT_VERTEX_DEF; EDGES]);;

let VERTEX_INSERT_VERTEX = prove_thm('VERTEX_INSERT_VERTEX',
  "!(G:^Graph) x v. (x IS_VERTEX (v INSERT_VERTEX G)) = ((x = v) \/ (x IS_VERTEX G))",
  REWRITE_TAC[INSERT_VERTEX_DEF; IS_VERTEX_DEF; VERTICES; IN_INSERT]);;

let EDGE_INSERT_EDGE = prove_thm('EDGE_INSERT_EDGE',
  "!(G:^Graph) e. ((e_src e) IS_VERTEX G) /\ ((e_des e) IS_VERTEX G) ==>
     (e IS_EDGE (e INSERT_EDGE G))",
  REPEAT STRIP_TAC THEN ASM_REWRITE_TAC[INSERT_EDGE_DEF; IS_EDGE_DEF; EDGES; IN_INSERT]);;

let EDGE_IN_INSERT = prove_thm('EDGE_IN_INSERT',
  "!(G:^Graph) e. ((e_src e) IS_VERTEX G) /\ ((e_des e) IS_VERTEX G) ==>
     (e IS_EDGE (e INSERT_EDGE G))",
  REPEAT STRIP_TAC THEN PURE_ONCE_REWRITE_TAC[INSERT_EDGE_DEF]
  THEN ASM_REWRITE_TAC[IS_EDGE_DEF; EDGES; IN_INSERT]);;

let EDGE_IN_INSERT2 = save_thm('EDGE_IN_INSERT2',
  PURE_ONCE_REWRITE_RULE[e_src_DEF; e_des_DEF]
    (GEN_ALL (SPEC "(v1,v2,x):^Edge" (SPEC "G:^Graph" EDGE_IN_INSERT))));;

let VERTEX_IN_INS_VERTEX = prove_thm('VERTEX_IN_INS_VERTEX',
  "!(G:^Graph) v x. (x IS_VERTEX (v INSERT_VERTEX G)) = (x = v) \/ (x IS_VERTEX G)",
  REWRITE_TAC[INSERT_VERTEX_DEF; IS_VERTEX_DEF; VERTICES; IN_INSERT]);;

% the proof scripts of the next three theorems are illegible in the scanned source %
let IN_INSERT_ABSORP = TAC_PROOF(([],
  "!(s:(*)set) x. (x IN s) ==> ((x INSERT s) = s)"),
  ALL_TAC);;

let V_INSERT_ABSORP = prove_thm('V_INSERT_ABSORP',
  "!(G:^Graph) v. (GRAPH G) /\ (v IS_VERTEX G) ==> ((v INSERT_VERTEX G) = G)",
  ALL_TAC);;

let FINITE_GRAPH_INSERT_EDGE = prove_thm('FINITE_GRAPH_INSERT_EDGE',
  "!(G:^Graph) e. FINITE_GRAPH G ==> FINITE_GRAPH (e INSERT_EDGE G)",
  ALL_TAC);;

%-----------------------------------------------------------------------%
% G_INTER --- intersection of two graphs                                %
%-----------------------------------------------------------------------%
let G_INTER_DEF = new_infix_definition('G_INTER_DEF',
  "G_INTER (G1:^Graph) G2 = (((VS G1) INTER (VS G2)), ((ES G1) INTER (ES G2)))");;
```
```ml
let GRAPH_INTER = prove_thm('GRAPH_INTER',
  "!(G1:^Graph) G2. (GRAPH G1) /\ (GRAPH G2) ==> (GRAPH (G1 G_INTER G2))",
  PURE_ONCE_REWRITE_TAC[GRAPH_DECOMP] THEN PURE_ONCE_REWRITE_TAC[G_INTER_DEF]
  THEN PURE_ONCE_REWRITE_TAC[VERTICES; EDGES] THEN PURE_ONCE_REWRITE_TAC[GRAPH_DEF]
  THEN REPEAT GEN_TAC THEN STRIP_TAC THEN REWRITE_TAC[IN_INTER]
  THEN GEN_TAC THEN STRIP_TAC THEN RES_TAC THEN ASM_REWRITE_TAC[]);;

let G_INTER_IDENT = prove_thm('G_INTER_IDENT',
  "!(G:^Graph). (G G_INTER G) = G",
  GEN_TAC THEN REWRITE_TAC[G_INTER_DEF; INTER_IDEMPOT; VS_DEF; ES_DEF]);;

let G_INTER_SYM = prove_thm('G_INTER_SYM',
  "!(G1:^Graph) G2. (G1 G_INTER G2) = (G2 G_INTER G1)",
  REPEAT GEN_TAC THEN REWRITE_TAC[G_INTER_DEF; PAIR_EQ] THEN CONJ_TAC
  THEN MATCH_ACCEPT_TAC INTER_COMM);;

let G_INTER_ASSOC = prove_thm('G_INTER_ASSOC',
  "!(G1:^Graph) G2 G3. ((G1 G_INTER G2) G_INTER G3) = (G1 G_INTER (G2 G_INTER G3))",
  REPEAT GEN_TAC THEN REWRITE_TAC[G_INTER_DEF; PAIR_EQ; VERTICES; EDGES]
  THEN CONJ_TAC THEN MATCH_ACCEPT_TAC INTER_ASSOC);;

let VERTEX_IN_INTER = prove_thm('VERTEX_IN_INTER',
  "!(G1:^Graph) G2 v. (v IS_VERTEX (G1 G_INTER G2)) = ((v IS_VERTEX G1) /\ (v IS_VERTEX G2))",
  REPEAT GEN_TAC THEN REWRITE_TAC[G_INTER_DEF; IS_VERTEX_DEF; VERTICES; IN_INTER]);;

let EDGE_IN_INTER = prove_thm('EDGE_IN_INTER',
  "!(G1:^Graph) G2 e. (e IS_EDGE (G1 G_INTER G2)) = ((e IS_EDGE G1) /\ (e IS_EDGE G2))",
  REPEAT GEN_TAC THEN REWRITE_TAC[G_INTER_DEF; IS_EDGE_DEF; EDGES; IN_INTER]);;

%-----------------------------------------------------------------------%
% G_UNION --- union of two graphs                                       %
%-----------------------------------------------------------------------%
let G_UNION_DEF = new_infix_definition('G_UNION_DEF',
  "G_UNION (G1:^Graph) G2 = (((VS G1) UNION (VS G2)), ((ES G1) UNION (ES G2)))");;

let GRAPH_UNION = prove_thm('GRAPH_UNION',
  "!(G1:^Graph) G2. (GRAPH G1) /\ (GRAPH G2) ==> (GRAPH (G1 G_UNION G2))",
  ONCE_REWRITE_TAC[GRAPH_DECOMP] THEN ONCE_REWRITE_TAC[G_UNION_DEF]
  THEN ONCE_REWRITE_TAC[VERTICES; EDGES] THEN ONCE_REWRITE_TAC[GRAPH_DEF]
  THEN REPEAT GEN_TAC THEN STRIP_TAC THEN REWRITE_TAC[IN_UNION]
  THEN GEN_TAC THEN STRIP_TAC THEN RES_TAC THEN ASM_REWRITE_TAC[]);;

let G_UNION_IDENT = prove_thm('G_UNION_IDENT',
  "!(G:^Graph). (G G_UNION G) = G",
  GEN_TAC THEN REWRITE_TAC[G_UNION_DEF; UNION_IDEMPOT; VS_DEF; ES_DEF]);;

let G_UNION_SYM = prove_thm('G_UNION_SYM',
  "!(G1:^Graph) G2. (G1 G_UNION G2) = (G2 G_UNION G1)",
  REPEAT GEN_TAC THEN REWRITE_TAC[G_UNION_DEF; PAIR_EQ] THEN CONJ_TAC
  THEN MATCH_ACCEPT_TAC UNION_COMM);;

% the proof script of VERTICES_IN_UNION is illegible in the scanned source %
let VERTICES_IN_UNION = prove_thm('VERTICES_IN_UNION',
  "!(G1:^Graph) G2 v1 v2.
     (GRAPH G1) /\ (GRAPH G2) /\ (v1 IS_VERTEX G1) /\ (v2 IS_VERTEX G2) ==>
     (v1 IS_VERTEX (G1 G_UNION G2)) /\ (v2 IS_VERTEX (G1 G_UNION G2))",
  ALL_TAC);;

let VERTEX_INSERT_EDGE = prove_thm('VERTEX_INSERT_EDGE',
  "!(G:^Graph) v e. (v IS_VERTEX (e INSERT_EDGE G)) = (v IS_VERTEX G)",
  REPEAT GEN_TAC THEN REWRITE_TAC[INSERT_EDGE_DEF; IS_VERTEX_DEF]);;

% lemma1 = |- !G v1 v2. GRAPH G /\ v1 IN (VS G) /\ v2 IN (VS G) ==>
             GRAPH((v1,v2,x) INSERT_EDGE G) %
let lemma1 = REWRITE_RULE[e_src_DEF; e_des_DEF; FST; SND]
  (GEN_ALL (SPEC "(v1,v2,x):^Edge" (SPEC "G:^Graph" GRAPH_INSERT_EDGE)));;
let lemma2 = REWRITE_RULE[e_src_DEF; e_des_DEF; FST; SND]
  (GEN_ALL (SPEC "(v2,v1,x2):^Edge" (SPEC "G:^Graph" GRAPH_INSERT_EDGE)));;
let lemma3 = GEN_ALL (SPEC "(G1 G_UNION G2):^Graph" GRAPH_INSERT_EDGES);;

let G_UNION_INSERT_EDGES = prove_thm('G_UNION_INSERT_EDGES',
  "!(G1:^Graph) G2 v1 v2.
     (GRAPH G1) /\ (GRAPH G2) /\ (v1 IS_VERTEX G1) /\ (v2 IS_VERTEX G2) ==>
     ((!x1. GRAPH ((v1,v2,x1) INSERT_EDGE (G1 G_UNION G2))) /\
      (!x2. GRAPH ((v2,v1,x2) INSERT_EDGE (G1 G_UNION G2))))",
  REPEAT GEN_TAC THEN STRIP_TAC THEN MATCH_MP_TAC lemma3 THEN CONJ_TAC THENL[
    IMP_RES_TAC GRAPH_UNION;
    MATCH_MP_TAC VERTICES_IN_UNION THEN ASM_REWRITE_TAC[]]);;

let G_INS_INS_E = prove_thm('G_INS_INS_E',
  "!(G:^Graph) e1 e2. ((GRAPH (e1 INSERT_EDGE G)) /\ (GRAPH (e2 INSERT_EDGE G))) ==>
     ((GRAPH (e1 INSERT_EDGE (e2 INSERT_EDGE G))) /\ (GRAPH (e2 INSERT_EDGE (e1 INSERT_EDGE G))))",
  REPEAT STRIP_TAC THEN IMP_RES_TAC GRAPH_INSERT_EDGE THEN FIRST_ASSUM MATCH_ACCEPT_TAC);;

let GRAPH_INSERT_EDGES2 = TAC_PROOF(([],
  "!(G:^Graph) v1 v2 x1 x2. (GRAPH G) /\ (v1 IS_VERTEX G) /\ (v2 IS_VERTEX G) ==>
     (GRAPH((v1,v2,x1) INSERT_EDGE G)) /\ (GRAPH((v2,v1,x2) INSERT_EDGE G))"),
  REPEAT GEN_TAC THEN STRIP_TAC THEN IMP_RES_TAC GRAPH_INSERT_EDGES);;

let lemma3 = GEN_ALL (SPEC "(G1 G_UNION G2):^Graph" GRAPH_INSERT_EDGES2);;

let G_UNION_INSERT_EDGES2 = TAC_PROOF(([],
  "!(G1:^Graph) G2 v1 v2 x1 x2.
     (GRAPH G1) /\ (GRAPH G2) /\ (v1 IS_VERTEX G1) /\ (v2 IS_VERTEX G2) ==>
     ((GRAPH ((v1,v2,x1) INSERT_EDGE (G1 G_UNION G2))) /\
      (GRAPH ((v2,v1,x2) INSERT_EDGE (G1 G_UNION G2))))"),
  REPEAT GEN_TAC THEN STRIP_TAC THEN MATCH_MP_TAC lemma3 THEN CONJ_TAC THENL[
    IMP_RES_TAC GRAPH_UNION;
    MATCH_MP_TAC VERTICES_IN_UNION THEN ASM_REWRITE_TAC[]]);;

% G_UNION_INS_EDGES = |- !(G1:^Graph) G2 v1 v2.
     (GRAPH G1) /\ (GRAPH G2) /\ (v1 IS_VERTEX G1) /\ (v2 IS_VERTEX G2) ==>
     (!x1 x2. GRAPH ((v1,v2,x1) INSERT_EDGE ((v2,v1,x2) INSERT_EDGE (G1 G_UNION G2)))) %
let G_UNION_INS_EDGES = save_thm('G_UNION_INS_EDGES',
  GEN_ALL (DISCH_ALL (GEN "x2:**" (GEN "x1:**" (UNDISCH (IMP_TRANS
    (SPEC_ALL G_UNION_INSERT_EDGES2)
    (SPEC "(v2,v1,x2):^Edge" (SPEC "(v1,v2,x1):^Edge"
      (SPEC "((G1:^Graph) G_UNION G2)" G_INS_INS_E)))))))));;
```

## B.3 The file mk_subgraph.ml

```ml
%-----------------------------------------------------------------------%
% FILE: mk_subgraph.ml                                                  %
% DESCRIPTION: definition of subgraph and some theorems                 %
% AUTHOR: Wai Wong                                                      %
% DATE: 1 AUG 1990    modified Jun 91                                   %
%-----------------------------------------------------------------------%

%-----------------------------------------------------------------------%
%- Definition of a subgraph                                            -%
%- H is a subgraph of G iff H is a graph and its vertex set is a subset -%
%- of that of G and its edge set is also a subset of the edge set of G. -%
%-----------------------------------------------------------------------%
let SUBGRAPH_DEF = new_definition('SUBGRAPH_DEF',
  "SUBGRAPH (H:^Graph) (G:^Graph) =
     (GRAPH H) /\ (GRAPH G) /\ ((VS H) SUBSET (VS G)) /\ ((ES H) SUBSET (ES G))");;

let SUBGRAPH_REFL = prove_thm('SUBGRAPH_REFL',
  "!G:^Graph. GRAPH G ==> SUBGRAPH G G",
  REWRITE_TAC[SUBGRAPH_DEF; SUBSET_REFL]);;

let SUBGRAPH_TRANS = prove_thm('SUBGRAPH_TRANS',
  "!(G1:^Graph) G2 G3. (SUBGRAPH G1 G2) /\ (SUBGRAPH G2 G3) ==> (SUBGRAPH G1 G3)",
  REWRITE_TAC[SUBGRAPH_DEF] THEN REPEAT GEN_TAC THEN STRIP_TAC
  THEN IMP_RES_TAC SUBSET_TRANS THEN ASM_REWRITE_TAC[]);;

let SUBGRAPH_ANTISYM = prove_thm('SUBGRAPH_ANTISYM',
  "!(G1:^Graph) G2. (SUBGRAPH G1 G2) /\ (SUBGRAPH G2 G1) ==> (G1 = G2)",
  REWRITE_TAC[SUBGRAPH_DEF] THEN REPEAT GEN_TAC THEN STRIP_TAC
  THEN IMP_RES_TAC SUBSET_ANTISYM THEN IMP_RES_TAC GRAPH_EQ);;

let SUBGRAPH_GRAPH = prove_thm('SUBGRAPH_GRAPH',
  "!(G:^Graph) H. (SUBGRAPH H G) ==> (GRAPH G) /\ (GRAPH H)",
  REWRITE_TAC[SUBGRAPH_DEF] THEN REPEAT STRIP_TAC THEN FIRST_ASSUM ACCEPT_TAC);;

%-----------------------------------------------------------------------%
%- Definition of a proper subgraph                                     -%
%- H is a proper subgraph of G iff H is a graph and its vertex set is a -%
%- proper subset of that of G and its edge set is also a proper subset -%
%- of the edge set of G.                                               -%
%-----------------------------------------------------------------------%
```
```ml
let PSUBGRAPH_DEF = new_definition('PSUBGRAPH_DEF',
  "PSUBGRAPH (H:^Graph) (G:^Graph) =
     (SUBGRAPH H G) /\ (((VS H) PSUBSET (VS G)) \/ ((ES H) PSUBSET (ES G)))");;

let PSUBGRAPH_SUBGRAPH = prove_thm('PSUBGRAPH_SUBGRAPH',
  "!(G:^Graph) (H:^Graph). (PSUBGRAPH H G) ==> (SUBGRAPH H G)",
  PURE_ONCE_REWRITE_TAC[PSUBGRAPH_DEF] THEN REPEAT STRIP_TAC THEN FIRST_ASSUM ACCEPT_TAC);;

let PSUBGRAPH_IRREFL = prove_thm('PSUBGRAPH_IRREFL',
  "!G:^Graph. GRAPH G ==> ~(PSUBGRAPH G G)",
  REWRITE_TAC[PSUBGRAPH_DEF; SUBGRAPH_DEF; DE_MORGAN_THM; PSUBSET_IRREFL]);;

% the tactic steps of SUBSET_CASES after EQ_TAC are illegible in the scanned source %
let SUBSET_CASES =
  let lem = ONCE_REWRITE_RULE[DISJ_SYM] EXCLUDED_MIDDLE in
  TAC_PROOF(([], "!(s:(*)set) t. (s SUBSET t) = (s PSUBSET t) \/ (s = t)"),
    REPEAT GEN_TAC THEN REWRITE_TAC[PSUBSET_DEF; RIGHT_OR_OVER_AND; lem] THEN EQ_TAC);;

let SUB_PSUB_TRANS = TAC_PROOF(([],
  "!(s:(*)set) t u. (s SUBSET t) /\ (t PSUBSET u) ==> (s PSUBSET u)"),
  PURE_ONCE_REWRITE_TAC[SUBSET_CASES] THEN REPEAT STRIP_TAC THENL[
    IMP_RES_TAC PSUBSET_TRANS;
    ASM_REWRITE_TAC[]]);;

% the second branch of PSUB_SUB_TRANS is only partly legible in the scanned source %
let PSUB_SUB_TRANS = TAC_PROOF(([],
  "!(s:(*)set) t u. (s PSUBSET t) /\ (t SUBSET u) ==> (s PSUBSET u)"),
  PURE_ONCE_REWRITE_TAC[SUBSET_CASES] THEN REPEAT STRIP_TAC THENL[
    IMP_RES_TAC PSUBSET_TRANS;
    UNDISCH_TAC "(t:(*)set) = u" THEN DISCH_THEN SUBST_ALL_TAC THEN ASM_REWRITE_TAC[]]);;

let PSUBGRAPH_TRANS = prove_thm('PSUBGRAPH_TRANS',
  "!(G1:^Graph) G2 G3. (PSUBGRAPH G1 G2) /\ (PSUBGRAPH G2 G3) ==> (PSUBGRAPH G1 G3)",
  PURE_REWRITE_TAC[PSUBGRAPH_DEF; SUBGRAPH_DEF] THEN REPEAT GEN_TAC THEN STRIP_TAC
  THEN IMP_RES_TAC SUBSET_TRANS THEN IMP_RES_TAC PSUBSET_TRANS
  THEN IMP_RES_TAC SUB_PSUB_TRANS THEN IMP_RES_TAC PSUB_SUB_TRANS
  THEN ASM_REWRITE_TAC[]);;

% the proof script of lemma1 is illegible in the scanned source %
let lemma1 = TAC_PROOF(([],
  "!(G:^Graph). (GRAPH G) ==>
     (!e. e IN (ES G) ==> (e_src e) IN (VS G) /\ (e_des e) IN (VS G))"),
  ALL_TAC);;

let DELETE_PSUBSET = TAC_PROOF(([],
  "!(s:(*)set) x. (x IN s) ==> ((s DELETE x) PSUBSET s)"),
  PURE_ONCE_REWRITE_TAC[PSUBSET_DEF] THEN REPEAT GEN_TAC THEN STRIP_TAC THEN CONJ_TAC THENL[
    MATCH_ACCEPT_TAC DELETE_SUBSET;
    REWRITE_TAC[EXTENSION] THEN CONV_TAC NOT_FORALL_CONV
    THEN EXISTS_TAC "x:*" THEN ASM_REWRITE_TAC[IN_DELETE]]);;

% the tail of the proof of PSUBGRAPH_DELETE_EDGE is illegible in the scanned source %
let PSUBGRAPH_DELETE_EDGE = prove_thm('PSUBGRAPH_DELETE_EDGE',
  "!(G:^Graph) e. (GRAPH G) /\ (e IS_EDGE G) ==> (PSUBGRAPH (G DELETE_EDGE e) G)",
  REWRITE_TAC[PSUBGRAPH_DEF; SUBGRAPH_DEF; DELETE_EDGE_DEF; VERTICES; EDGES; IS_EDGE_DEF]
  THEN REPEAT GEN_TAC THEN STRIP_TAC THEN IMP_RES_TAC DELETE_PSUBSET
  THEN ASM_REWRITE_TAC[SUBSET_REFL; DELETE_SUBSET]);;

let SUBGRAPH_DELETE_EDGE = prove_thm('SUBGRAPH_DELETE_EDGE',
  "!(G:^Graph) e. (GRAPH G) ==> (SUBGRAPH (G DELETE_EDGE e) G)",
  REWRITE_TAC[SUBGRAPH_DEF; DELETE_EDGE_DEF; VERTICES; EDGES]
  THEN REPEAT GEN_TAC THEN STRIP_TAC
  THEN ASM_CASES_TAC "(ES (G:^Graph)) = {}" THENL[
    ASM_REWRITE_TAC[EMPTY_SUBSET; EMPTY_DELETE; SUBSET_REFL; GRAPH_DEF; NOT_IN_EMPTY];
    ASM_REWRITE_TAC[SUBSET_REFL; DELETE_SUBSET; GRAPH_DEF; IN_DELETE]
    THEN GEN_TAC THEN STRIP_TAC THEN IMP_RES_TAC lemma1 THEN ASM_REWRITE_TAC[]]);;

let DIFF_SUBSET = TAC_PROOF(([],
  "!(s:(*)set) t. (s DIFF t) SUBSET s"),
  REPEAT GEN_TAC THEN REWRITE_TAC[SUBSET_DEF; IN_DIFF] THEN REPEAT STRIP_TAC);;

let SUBGRAPH_DELETE_VERTEX = prove_thm('SUBGRAPH_DELETE_VERTEX',
  "!(G:^Graph) v. (GRAPH G) ==> (SUBGRAPH (G DELETE_VERTEX v) G)",
  REWRITE_TAC[SUBGRAPH_DEF; DELETE_VERTEX_DEF; VERTICES; EDGES; IS_VERTEX_DEF; IS_EDGE_DEF]
  THEN REPEAT STRIP_TAC THENL[
    REWRITE_TAC[GRAPH_DEF; IN_DIFF; IN_DELETE; INCIDENT_WITH_DEF; IS_EDGE_DEF]
    THEN CONV_TAC (DEPTH_CONV SET_SPEC_CONV) THEN REWRITE_TAC[DE_MORGAN_THM; EDGES]
    THEN GEN_TAC THEN STRIP_TAC THENL[
      RES_TAC;
      IMP_RES_TAC lemma1 THEN ASM_REWRITE_TAC[]];
    POP_ASSUM ACCEPT_TAC;
    MATCH_ACCEPT_TAC DELETE_SUBSET;
    MATCH_ACCEPT_TAC DIFF_SUBSET]);;

let PSUBGRAPH_DELETE_VERTEX = prove_thm('PSUBGRAPH_DELETE_VERTEX',
  "!(G:^Graph) v. (GRAPH G /\ (v IS_VERTEX G)) ==> (PSUBGRAPH (G DELETE_VERTEX v) G)",
  REWRITE_TAC[SUBGRAPH_DEF; PSUBGRAPH_DEF; DELETE_VERTEX_DEF; VERTICES; EDGES;
              IS_VERTEX_DEF; IS_EDGE_DEF]
  THEN REPEAT GEN_TAC THEN STRIP_TAC THEN IMP_RES_TAC DELETE_PSUBSET
  THEN ASM_REWRITE_TAC[SUBSET_REFL; DELETE_SUBSET; DIFF_SUBSET]
  THEN REWRITE_TAC[GRAPH_DEF; IN_DIFF; IN_DELETE; INCIDENT_WITH_DEF; IS_EDGE_DEF]
  THEN CONV_TAC (DEPTH_CONV SET_SPEC_CONV) THEN REWRITE_TAC[DE_MORGAN_THM]
  THEN GEN_TAC THEN STRIP_TAC THENL[
    RES_TAC;
    IMP_RES_TAC lemma1 THEN ASM_REWRITE_TAC[VS_DEF]]);;

%-----------------------------------------------------------------------%
%- MK_SUBGRAPH creates a subgraph from a graph giving two predicates   -%
%- which select the vertices and edges from the original graph.        -%
%- There is an additional constraint that the end points of the edges  -%
%- in the subgraph must be the vertices in that subgraph, thus         -%
%- the following two theorems.                                         -%
%-----------------------------------------------------------------------%
let MK_SUBGRAPH_DEF = new_definition('MK_SUBGRAPH_DEF',
  "MK_SUBGRAPH (G:^Graph) fv fe =
     ({v | v IS_VERTEX G /\ fv v},
      {e | e IS_EDGE G /\ fe e /\ fv (e_src e) /\ fv (e_des e)})");;

let MK_SUBGRAPH_GRAPH = prove_thm('MK_SUBGRAPH_GRAPH',
  "!(G:^Graph) fv fe. (GRAPH G) ==> GRAPH (MK_SUBGRAPH G fv fe)",
  REWRITE_TAC[MK_SUBGRAPH_DEF; GRAPH_DEF; VERTICES; EDGES]
  THEN CONV_TAC (DEPTH_CONV SET_SPEC_CONV)
  THEN PURE_REWRITE_TAC[IS_VERTEX_DEF; IS_EDGE_DEF]
  THEN REPEAT GEN_TAC THEN STRIP_TAC THEN GEN_TAC THEN STRIP_TAC
  THEN IMP_RES_TAC lemma1 THEN ASM_REWRITE_TAC[]);;

let MK_SUBGRAPH_SUBGRAPH = prove_thm('MK_SUBGRAPH_SUBGRAPH',
  "!(G:^Graph) fv fe. (GRAPH G) ==> SUBGRAPH (MK_SUBGRAPH G fv fe) G",
  REWRITE_TAC[SUBGRAPH_DEF] THEN REPEAT GEN_TAC THEN STRIP_TAC
  THEN IMP_RES_TAC MK_SUBGRAPH_GRAPH THEN PURE_ASM_REWRITE_TAC[AND_CLAUSES]
  THEN REWRITE_TAC[MK_SUBGRAPH_DEF; VERTICES; EDGES; SUBSET_DEF; IS_EDGE_DEF; IS_VERTEX_DEF]
  THEN CONV_TAC (DEPTH_CONV SET_SPEC_CONV) THEN CONJ_TAC
  THEN REPEAT STRIP_TAC THEN FIRST_ASSUM MATCH_ACCEPT_TAC);;

%-----------------------------------------------------------------------%
% GRAPH_ISO --- Graph isomorphism                                       %
%-----------------------------------------------------------------------%
new_special_symbol '-->>';;
new_special_symbol '>-->';;
new_special_symbol '<-->';;

let GRAPH_ISO_DEF = new_definition('GRAPH_ISO_DEF',
  "GRAPH_ISO (G:^Graph) (H:^Graph) (f,g) =
     (GRAPH G) /\ (GRAPH H) /\ ((VS G) <--> (VS H)) f /\ ((ES G) <--> (ES H)) g");;

let GRAPH_ISO_AUTO = prove_thm('GRAPH_ISO_AUTO',
  "!G:^Graph. GRAPH G ==> GRAPH_ISO G G (I,I)",
  REWRITE_TAC[GRAPH_ISO_DEF; FUN_I]);;

let GRAPH_ISO_TRANS = prove_thm('GRAPH_ISO_TRANS',
  "!(G1:^Graph) (G2:^Graph) (G3:^Graph) f1 g1 f2 g2.
     (GRAPH_ISO G1 G2 (f1,g1)) /\ (GRAPH_ISO G2 G3 (f2,g2)) ==>
     (GRAPH_ISO G1 G3 ((f2 o f1), (g2 o g1)))",
  PURE_ONCE_REWRITE_TAC[GRAPH_ISO_DEF] THEN REPEAT STRIP_TAC THENL[
    ALL_TAC; ALL_TAC; IMP_RES_TAC FUN_ISO_o; IMP_RES_TAC FUN_ISO_o]
  THEN FIRST_ASSUM (\th g. ACCEPT_TAC th g));;

let GRAPH_ISO_SYM = prove_thm('GRAPH_ISO_SYM',
  "!(G:^Graph) (H:^Graph) f g. (GRAPH_ISO G H (f,g)) ==> (?f' g'. (GRAPH_ISO H G (f',g')))",
  PURE_ONCE_REWRITE_TAC[GRAPH_ISO_DEF] THEN REPEAT STRIP_TAC
  THEN EXISTS_TAC "(FUN_INV (VS (G:^Graph)) (VS (H:^Graph)) f)"
  THEN EXISTS_TAC "(FUN_INV (ES (G:^Graph)) (ES (H:^Graph)) g)"
  THEN IMP_RES_TAC ISO_FINV THEN ASM_REWRITE_TAC[]);;

let GRAPH_ISO_SYM_INV = prove_thm('GRAPH_ISO_SYM_INV',
  "!(G:^Graph) (H:^Graph) f g. (GRAPH_ISO G H (f,g)) ==>
     (GRAPH_ISO H G ((FUN_INV (VS G) (VS H) f), (FUN_INV (ES G) (ES H) g)))",
  PURE_ONCE_REWRITE_TAC[GRAPH_ISO_DEF] THEN REPEAT STRIP_TAC
  THEN IMP_RES_TAC ISO_FINV THEN FIRST_ASSUM ACCEPT_TAC);;
```
```ml
close_theory();;
```

## B.4 The file mk_elist.ml

```ml
new_theory'elist';;
load_library'sets';;
new_parent'graph';;
autoload_all'graph';;
set_flag('sticky',true);;

let Vertex = ":*" and Edge = ":(* # * # **)" and Graph = ":(*)set # (* # * # **)set";;

let NULL_NIL = prove_thm('NULL_NIL',
  "!l:(*)list. NULL l = (l = [])",
  LIST_INDUCT_TAC THEN REWRITE_TAC[NULL; NOT_CONS_NIL]);;

let IN_IMP_IN_UNION = TAC_PROOF(([],
  "!(x:*) s t. (x IN t) ==> x IN (s UNION t)"),
  REWRITE_TAC[IN_UNION; OR_INTRO_THM2]);;

%-----------------------------------------------------------------------%
% Membership of list --- in analogy with set membership (IN)            %
% ELEM l x is TRUE iff x is an element of the list l                    %
%-----------------------------------------------------------------------%
let ELEM_DEF = new_list_rec_definition('ELEM_DEF',
  "(ELEM [] (x:*) = F) /\ (ELEM (CONS h l) (x:*) = (x = h) \/ (ELEM l x))");;

%-----------------------------------------------------------------------%
% Some theorems about ELEM and other list operators                     %
%-----------------------------------------------------------------------%
let NULL_NOT_ELEM = prove_thm('NULL_NOT_ELEM',
  "!l. NULL l ==> !x. ~(ELEM l x)",
  ONCE_REWRITE_TAC[NULL_NIL] THEN GEN_TAC
  THEN DISCH_THEN (\t. REWRITE_TAC[t; ELEM_DEF]));;

let ELEM_CONS = prove_thm('ELEM_CONS',
  "!l x y. (ELEM l x) ==> (ELEM (CONS y l) x)",
  LIST_INDUCT_TAC THEN REWRITE_TAC[ELEM_DEF; NULL] THEN REPEAT GEN_TAC
  THEN STRIP_TAC THEN ASM_REWRITE_TAC[]);;

let ELEM_APPEND = prove_thm('ELEM_APPEND',
  "!l1 l2 x. (ELEM (APPEND l1 l2) x) = ((ELEM l1 x) \/ (ELEM l2 x))",
  LIST_INDUCT_TAC THEN REWRITE_TAC[APPEND; ELEM_DEF] THEN REPEAT GEN_TAC
  THEN ASM_REWRITE_TAC[DISJ_ASSOC]);;

let ELEM_EL = prove_thm('ELEM_EL',
  "!(l:(*)list) x. ELEM l x ==> (?n. x = EL n l)",
  LIST_INDUCT_TAC THEN REWRITE_TAC[ELEM_DEF] THEN REPEAT STRIP_TAC THENL[
    EXISTS_TAC "0" THEN ASM_REWRITE_TAC[EL; HD];
    RES_TAC THEN EXISTS_TAC "SUC n" THEN ASM_REWRITE_TAC[EL; TL]]);;

%-----------------------------------------------------------------------%
% Prove the equivalence of set membership (IN) and list membership (ELEM) %
%-----------------------------------------------------------------------%
let IN_ELEM = prove_thm('IN_ELEM',
  "!s:(*)set. FINITE s ==> ?l:(*)list. !x. (x IN s) = (ELEM l x)",
  SET_INDUCT_TAC THENL[
    EXISTS_TAC "[]:(*)list" THEN REWRITE_TAC[ELEM_DEF; NOT_IN_EMPTY];
    EXISTS_TAC "(CONS e (@l. !x. x IN s = ELEM l x)):(*)list"
    THEN REWRITE_TAC[ELEM_DEF; IN_INSERT] THEN GEN_TAC THEN EQ_TAC THEN STRIP_TAC THENL[
      DISJ1_TAC THEN FIRST_ASSUM ACCEPT_TAC;
      DISJ2_TAC THEN FIRST_ASSUM (ASSUME_TAC o SELECT_RULE)
      THEN UNDISCH_TAC "(x:*) IN s"
      THEN FIRST_ASSUM (\t. MATCH_ACCEPT_TAC ((fst o EQ_IMP_RULE o SPEC_ALL) t));
      DISJ1_TAC THEN FIRST_ASSUM ACCEPT_TAC;
      DISJ2_TAC THEN FIRST_ASSUM (SUBST1_TAC o SPEC_ALL o SELECT_RULE)
      THEN FIRST_ASSUM ACCEPT_TAC]]);;

%- UNIQUE_EL is true if all elements of the list are distinct -%
let UNIQUE_EL_DEF = new_list_rec_definition('UNIQUE_EL_DEF',
  "(UNIQUE_EL [] = T) /\
   (UNIQUE_EL (CONS (hd:*) tl) = (EVERY (\x. ~(x = hd)) tl) /\ (UNIQUE_EL tl))");;

let UNIQUE_EL_TL = prove_thm('UNIQUE_EL_TL',
  "!l (h:*). UNIQUE_EL (CONS h l) ==> UNIQUE_EL l",
  ONCE_REWRITE_TAC[UNIQUE_EL_DEF] THEN REWRITE_TAC[AND2_THM]);;

let UNIQUE_EL_SING = prove_thm('UNIQUE_EL_SING',
  "!x:*. UNIQUE_EL [x]",
  GEN_TAC THEN REWRITE_TAC[UNIQUE_EL_DEF; EVERY_DEF]);;

let ELEM_NOT_UNIQUE_EL_CONS = prove_thm('ELEM_NOT_UNIQUE_EL_CONS',
  "!l (h:*). (ELEM l h) ==> ~(UNIQUE_EL (CONS h l))",
  LIST_INDUCT_TAC THENL[
    REWRITE_TAC[ELEM_DEF];
    ONCE_REWRITE_TAC[ELEM_DEF; UNIQUE_EL_DEF] THEN REPEAT GEN_TAC THEN STRIP_TAC
    THEN ONCE_REWRITE_TAC[EVERY_DEF] THENL[
      CONV_TAC (ONCE_DEPTH_CONV BETA_CONV) THEN ASM_REWRITE_TAC[DE_MORGAN_THM];
      RES_THEN MP_TAC THEN REWRITE_TAC[DE_MORGAN_THM; UNIQUE_EL_DEF]
      THEN STRIP_TAC THEN ASM_REWRITE_TAC[]]]);;

let NOT_ELEM_UNIQUE_EL_CONS = prove_thm('NOT_ELEM_UNIQUE_EL_CONS',
  "!l (h:*). (UNIQUE_EL l) /\ ~(ELEM l h) ==> (UNIQUE_EL (CONS h l))",
  LIST_INDUCT_TAC THENL[
    REWRITE_TAC[ELEM_DEF; UNIQUE_EL_DEF; EVERY_DEF];
    PURE_ONCE_REWRITE_TAC[ELEM_DEF; UNIQUE_EL_DEF]
    THEN PURE_ONCE_REWRITE_TAC[DE_MORGAN_THM; UNIQUE_EL_DEF; EVERY_DEF]
    THEN REPEAT GEN_TAC THEN STRIP_TAC THEN CONV_TAC (ONCE_DEPTH_CONV BETA_CONV)
    THEN RES_TAC THEN POP_ASSUM (\t. STRIP_ASSUME_TAC (ONCE_REWRITE_RULE[UNIQUE_EL_DEF] t))
    THEN ASM_REWRITE_TAC[] THEN CONV_TAC (ONCE_DEPTH_CONV SYM_CONV)
    THEN FIRST_ASSUM ACCEPT_TAC]);;

%- EL_SET constructs a set containing all elements of a list -%
let EL_SET_DEF = new_list_rec_definition('EL_SET_DEF',
  "(EL_SET [] = {}) /\ (EL_SET (CONS (hd:*) tl) = INSERT hd (EL_SET tl))");;

let EL_SET_APPEND = prove_thm('EL_SET_APPEND',
  "!(l1:(*)list) l2. EL_SET(APPEND l1 l2) = (EL_SET l1) UNION (EL_SET l2)",
  LIST_INDUCT_TAC THENL[
    REWRITE_TAC[APPEND; EL_SET_DEF; UNION_EMPTY];
    ONCE_REWRITE_TAC[APPEND; EL_SET_DEF] THEN ONCE_REWRITE_TAC[EL_SET_DEF]
    THEN ASM_REWRITE_TAC[INSERT_UNION] THEN REPEAT GEN_TAC THEN COND_CASES_TAC THENL[
      POP_ASSUM (ASSUME_TAC o REWRITE_RULE[])
      THEN ASSUME_TAC (SPEC "(EL_SET l2):(*)set"
             (SPEC "(EL_SET l1):(*)set" (SPEC "(h:*)" IN_IMP_IN_UNION)))
      THEN RES_TAC THEN IMP_RES_TAC ABSORPTION;
      REFL_TAC]]);;

let ELEM_IN_EL_SET = prove_thm('ELEM_IN_EL_SET',
  "!l x. ELEM l x = x IN (EL_SET l)",
  LIST_INDUCT_TAC THENL[
    REWRITE_TAC[ELEM_DEF; EL_SET_DEF; NOT_IN_EMPTY];
    REWRITE_TAC[ELEM_DEF; EL_SET_DEF; IN_INSERT] THEN REPEAT GEN_TAC
    THEN ASM_REWRITE_TAC[]]);;

%-----------------------------------------------------------------------%
% DISJ_LIST --- two lists are disjoint if the sets of their elements    %
% are disjoint                                                          %
%-----------------------------------------------------------------------%
let DISJ_LIST_DEF = new_definition('DISJ_LIST_DEF',
  "DISJ_LIST (l1:(*)list) l2 = DISJOINT (EL_SET l1) (EL_SET l2)");;

let DISJ_LIST_EMPTY = prove_thm('DISJ_LIST_EMPTY',
  "!l:(*)list. (DISJ_LIST [] l) /\ (DISJ_LIST l [])",
  REWRITE_TAC[DISJ_LIST_DEF; EL_SET_DEF; DISJOINT_DEF; INTER_EMPTY]);;

let DISJ_LIST_CONS = prove_thm('DISJ_LIST_CONS',
  "!l1 (l2:(*)list) h. (DISJ_LIST (CONS h l1) l2) = ((DISJ_LIST l1 l2) /\ ~(ELEM l2 h))",
  LIST_INDUCT_TAC
  THEN REWRITE_TAC[DISJ_LIST_DEF; EL_SET_DEF; ELEM_IN_EL_SET; DISJOINT_INSERT]);;

let DISJ_LIST_APPEND = prove_thm('DISJ_LIST_APPEND',
  "!l1 (l2:(*)list) l3.
     (DISJ_LIST (APPEND l1 l2) l3) = ((DISJ_LIST l1 l3) /\ (DISJ_LIST l2 l3))",
  LIST_INDUCT_TAC THEN PURE_REWRITE_TAC[APPEND; DISJ_LIST_CONS; DISJ_LIST_EMPTY]
  THEN REPEAT GEN_TAC THEN ASM_REWRITE_TAC[] THEN EQ_TAC THEN STRIP_TAC
  THEN ASM_REWRITE_TAC[]);;

let DISJ_LIST_COMM = prove_thm('DISJ_LIST_COMM',
  "!(l1:(*)list) l2. DISJ_LIST l1 l2 = DISJ_LIST l2 l1",
  REWRITE_TAC[DISJ_LIST_DEF] THEN MATCH_ACCEPT_TAC DISJOINT_SYM);;

%-----------------------------------------------------------------------%
%- Given a path p, VER_LIST returns a list of all vertices p visits    -%
%-----------------------------------------------------------------------%
let VER_LIST_DEF = new_list_rec_definition('VER_LIST_DEF',
  "(VER_LIST [] = []) /\
   (VER_LIST (CONS (hd:^Edge) tl) = CONS (e_src hd) (V_L (CONS hd tl)))");;

let V_L_APPEND = prove_thm('V_L_APPEND',
  "!p1 (p2:(^Edge)list). (V_L (APPEND p1 p2)) = (APPEND (V_L p1) (V_L p2))",
  LIST_INDUCT_TAC THEN ONCE_REWRITE_TAC[APPEND; V_L_DEF]
  THEN ONCE_REWRITE_TAC[APPEND; V_L_DEF] THENL[
    GEN_TAC THEN REWRITE_TAC[];
    REPEAT GEN_TAC THEN ASM_REWRITE_TAC[]]);;

% the proof script of NOT_NULL_VER_LIST after GEN_TAC is illegible in the scanned source %
let NOT_NULL_VER_LIST = prove_thm('NOT_NULL_VER_LIST',
  "!p:(^Edge)list. ~NULL p ==> ((VER_LIST p) = (CONS (e_src (HD p)) (V_L p)))",
  GEN_TAC);;

let VER_LIST_CONS = prove_thm('VER_LIST_CONS',
  "!p (h:^Edge). (VER_LIST (CONS h p)) = (CONS (e_src h) (CONS (e_des h) (V_L p)))",
  LIST_INDUCT_TAC THEN REWRITE_TAC[VER_LIST_DEF; V_L_DEF]);;

let NOT_NULL_VER_LIST_CONS = prove_thm('NOT_NULL_VER_LIST_CONS',
  "!l (h:^Edge).
```
"NULL | / (a\_de h = a\_set (ED 1)) => (NULLIY (CORS h 1) = CORS (a\_set h (NULLIST 1))", REPEAT STRIP\_TAC THEN ISP\_RES\_THEN BORNT\_TAC NOT\_NULL\_VER\_LIST THEN ASSENTET\_TAC (TRUE\_LIST\_CORS)); les VER\_LIST\_APPERD = prove\_bbm('VER\_LIST\_APPERD', -(opt: "Magallact") p2. "(GRL p1) /\ "(GRL p2) ==> (GRELLEST (APPERD p1 p2)) = (APPERD GRELLEST p1) (TL (VER\_LIST p2)))", LIST\_LISHOUT\_YAC YERL( BENAITS\_TACGERL() REPHAT GRE\_TAC THES SYMP\_TAC THES ARMAITS\_TACGYER\_LIST\_DEF;APPERD] THES INF\_MERT\_SHEE (GREL\_MERSTT\_TACG(ME)) TL\_VER\_LIST THES GREC\_MANAITS\_TACG(GREC\_MERSTT\_DALE(ME,SYM\_RG]V\_L\_APPERD)] THES HERLYTT TACGARDED[]. ``` let UNIQUE_EL_CORS = prave_the('UNIQUE_EL_CORS'. "13 (h:a) (UNIQUE M. 1) /\ "(h IN (ML ART 1)) -> (UNIQUE M. (COMS h 1))". LIST_INDUCT_TAC THRUL! ASSISTED TACKED ONT DRY WITCHE D. DRY HOT 18 MAPTY STUDY BOY | DECE REMEITE TACIUMIANE EL DEVI THER RESOLVE TACCHE SET DRY : 18 INCRY : DC MINING THE : EVERY DRY THEE BEPRAY STRIP TAC THREE! BETA TAC THEN CORV. TAC (CHCH DEPTH CORV SYN. CORV.) THEN ARE ARRESTED TO TAC! 1: ARE THEN RP TAG THEN BENESTE TAC (UNIQUE, M., DEF) THEN REPEAT STREET TAC THES BEE TAC: ASS_RENRITE_TAC(UNIQUE_EL_DEF)]]);; let 807 USIGUE EL COSS - ereve the('807 USIGUE EL COSS'. "11 (h:0). (h IH (HL_SET 1)) -> (UNIQUE_HL (COMS h 1) = F)", SANSATE TAC [WEIGHT BY AND SUPPLEMENT AND THE ] THE LIST IMPOURT THE THREE. AMORITE_TAC($L_$67_80F; $6 1996_8L_80F; $657_10_68977); ORCH_RENGITE_TAC[EL_SET_DEF] THEN ONCE RESIDENT TACTUMENTS OF DRAFT THEN ASSESTED TACTIO INCOME. THEN REPEAT OFF, TAC THEN STRIP, TAC THENL! REMBITE TAC(HUMBY_DOF) THEN BETA_TAC THEN ANN_REMBITE_TAC[]. RESIDITE TACIEVERY DEF: DE ROMAN THE THEN RES TAC THEN AND BRANDITE TAC(111):: les USIQUE_EL_APPEND = let thm = "121 (12:0 15st). UNIOUE.EL (APPEND 25 12) = (OHIQUE_ML 11) / (OHIQUE_ML 12) /\ (DISJ_LIST 11 12)- 4.0 let EVERY_APPEND = TAC_PRESP(([]. "((11:0 11at) 12 P. EVERY P (APPEND 11 12) * (EVERY P 11) /\ (EVERY P 12)*). 
LIST ISSUCT TAC THES ASS BURNITH TAC(APPERS SVIRT BEF : COS.) ASSOC!) let les = TAC_PROGF(([]. "((1:(0))ist) h: EVERY(\n. '(x = h)); = 'ELEM 1 h"). LIST IMPORT TAC THE RESERVE TAC (SUREY BOY DAME SHOW) THER CORV.TAC (CHCR.SEPTH_CORV BETA_CORV) THES REPRAT GER_TAC THE PURE GROW, ASS, ASS, 1 TR. TAC (DR. HORS AS .. THE) THEN BY THE STRIP TAC THEN CONV. TAC (DUCK_DEPTH_CONV SYN_CHRV) THE CORL TAC THE PIRST ARREST ACCEPT TAC) prove_she('UNIQUE_SL_APPESD', she. LIST. INDUCT. TAC THREE! ABUATTE_TAC[APPEND; SL_BET_DEF; UNIQUE_EL_DEF, DISJ_LIST_DEF; DIGIGINT DRY: 18788 - COPTY) : GECK_BENGITE_TAC(APPEND; EL_SET_DEF) THEN ONCE AND ITS TAC (UNIQUE IL DEF) THEN PURE_GROW ASS_BREETE TAC[DISJ_LIST_CORN_EVERY_APPEND] THEN PURE DUCK AND RENDITE TACTION! THEN REPEAT ONE TAC THEN BO TAC THEN STRIP TAC THEN AND AND AND THE TAC[]]);; let UBIQUE_V_L_COOS = prove_thm('UBIQUE_V_L_COOM'. "((p:('Hige))tet) b. GHIQHE, HL(Y_L p) /\ "(ELM (Y_L p) (a_des b)) -> UNIQUE_BL(V_L (COMS h m))". ``` REMAITE\_TAC[V\_L\_DEV] THEN MATCH ACCEPT TAC NOT ELEM\_UNIQUE\_EL\_CORN);; let URIQUE\_VEN\_LIST\_COSS = prove\_the('URIQUE\_VEN\_LIST\_COSS'. "[(p:("Edga)15st) h. "(EULL p) /\ WIIGH St (VER\_LIST s) / ((a\_ore (SD p)) = (a\_dem b)) // "(LOOP h) /\ "(ELSH (VER\_LIST p) (e\_erc h)) --> 081Q08\_EL(VER\_L187 (CORR & p))-PURE CHCH BENEFITE TACTUME LIST. HEFT THEN REPEAT STRIP. TAC THEN INP\_RES\_TAC NOT\_MLKN\_USIQUE\_ML\_COMS THES POP ASSUR MP TAG THEN IMP BES THEN SUBSTITAC SOT BULL TER LIST THEN ASH\_BENDITE\_TAC[V\_L\_DEF]);; let UNIQUE\_RL\_VER\_LIST\_TL = prove\_the('UNIQUE\_EL\_VER\_LIST\_TL', "ip:("Edga)list. "(BULL p) ==> UNIQUE\_ML (VER\_LIST p) -> UNIQUE\_ML (VL (VER\_LIST p))", GES TAC THES STRIP TAC THE [SP\_RES\_THES (\sh. RESESTED\_TAC(th)) SOT\_SOLL\_VAR\_LIST THER REMOTTS TAC [UNIQUE\_SL\_DEF; TL; AND2\_THN]);; les USIQUE\_VER\_LIST\_APPEND = prove\_thm('UNIQUE\_VER\_LIST\_APPEND', "!(pi:("Bige)list) p2 (4:"Graph). 
## B.5 The file mk_path.ml

```
load_library `sets`;;
new_parent `graph`;;
autoload_all `graph`;;
new_parent `elist`;;
autoload_all `elist`;;

%-----------------------------------------------------------------------
  Vertex, Edge and Graph are defined as abbreviations for the types
  used to represent vertices, edges and graphs.
 -----------------------------------------------------------------------%
let Vertex = ":*" and
    Edge   = ":(* # * # **)" and
    Graph  = ":(*)set # (* # * # **)set";;

let HD_APPEND = TAC_PROOF(([],
  "!p1 p2:(*)list. (~NULL p1) ==> (HD (APPEND p1 p2) = HD p1)"),
  LIST_INDUCT_TAC THEN REWRITE_TAC[APPEND; NULL; HD]);;

%-----------------------------------------------------------------------
  A walk in a graph is a list of edges in which the EXIT of each
  element, except the last, is equal to the ENTRY of the following
  element.
 -----------------------------------------------------------------------%
let WALK_TAIL_DEF = new_list_rec_definition(`WALK_TAIL_DEF`,
  "(WALK_TAIL [] (G:^Graph) = T) /\
   (!(hd:^Edge) tl. WALK_TAIL (CONS hd tl) G =
     (GRAPH G) /\ (hd IS_EDGE G) /\
     ((NULL tl) \/ (WALK_TAIL tl G) /\ (e_des hd = e_src (HD tl))))");;

let WALK_DEF = new_definition(`WALK_DEF`,
  "WALK G (p:(^Edge)list) = ~(NULL p) /\ (WALK_TAIL p G)");;

let WALK_ENTRY_DEF = new_definition(`WALK_ENTRY_DEF`,
  "WALK_ENTRY (l:(^Edge)list) = e_src (HD l)");;

let WALK_EXIT_DEF = new_list_rec_definition(`WALK_EXIT_DEF`,
  "WALK_EXIT (CONS (hd:^Edge) tl) = ((NULL tl) => (e_des hd) | (WALK_EXIT tl))");;

%- A trail in a graph is a walk whose edges are all distinct -%
let TRAIL_DEF = new_definition(`TRAIL_DEF`,
  "TRAIL (G:^Graph) (l:(^Edge)list) = (WALK G l) /\ (UNIQUE_EL l)");;

%- A path in a graph is a trail whose vertices are all distinct -%
let PATH_DEF = new_definition(`PATH_DEF`,
  "PATH (G:^Graph) (l:(^Edge)list) = (TRAIL G l) /\ (UNIQUE_EL (VER_LIST l))");;

let PATH_ENTRY_DEF = new_definition(`PATH_ENTRY_DEF`,
  "PATH_ENTRY (l:(^Edge)list) = e_src (HD l)");;

let PATH_EXIT_DEF = new_definition(`PATH_EXIT_DEF`,
  "PATH_EXIT (p:(^Edge)list) = WALK_EXIT p");;

let NOT_NULL_LIST = TAC_PROOF(([],
  "!l:(*)list. ~NULL l ==> (?h t. l = (CONS h t))"),
  LIST_INDUCT_TAC THENL[
    REWRITE_TAC[NULL];
    REPEAT STRIP_TAC THEN EXISTS_TAC "h:*" THEN EXISTS_TAC "l:(*)list" THEN REFL_TAC]);;

%- Some facts about WALK, TRAIL and PATH -%
let PATH_TRAIL = prove_thm(`PATH_TRAIL`,
  "!(l:(^Edge)list) G. PATH G l ==> TRAIL G l",
  REWRITE_TAC[PATH_DEF; AND1_THM]);;

let TRAIL_WALK = prove_thm(`TRAIL_WALK`,
  "!(l:(^Edge)list) G. TRAIL G l ==> WALK G l",
  REWRITE_TAC[TRAIL_DEF; AND1_THM]);;

let PATH_WALK = prove_thm(`PATH_WALK`,
  "!(l:(^Edge)list) G. PATH G l ==> WALK G l",
  REPEAT STRIP_TAC THEN IMP_RES_TAC PATH_TRAIL THEN IMP_RES_TAC TRAIL_WALK);;

let PATH_GRAPH = prove_thm(`PATH_GRAPH`,
  "!(G:^Graph) l. PATH G l ==> GRAPH G",
  PURE_REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN REPEAT STRIP_TAC THEN
  UNDISCH_TAC "WALK_TAIL l (G:^Graph)" THEN
  IMP_RES_THEN STRIP_ASSUME_TAC NOT_NULL_LIST THEN POP_ASSUM SUBST1_TAC THEN
  PURE_ONCE_REWRITE_TAC[WALK_TAIL_DEF] THEN STRIP_TAC THEN FIRST_ASSUM ACCEPT_TAC);;

let PATH_NOT_NULL = prove_thm(`PATH_NOT_NULL`,
  "!p (G:^Graph). PATH G p ==> ~NULL p",
  REPEAT GEN_TAC THEN DISCH_TAC THEN IMP_RES_THEN MP_TAC PATH_WALK THEN
  REWRITE_TAC[WALK_DEF] THEN STRIP_TAC);;

let PATH_WALK_ENTRY = prove_thm(`PATH_WALK_ENTRY`,
  "!p:(^Edge)list. PATH_ENTRY p = WALK_ENTRY p",
  REWRITE_TAC[PATH_ENTRY_DEF; WALK_ENTRY_DEF]);;

let PATH_CONNECTED = prove_thm(`PATH_CONNECTED`,
  "!p (h:^Edge) G. (PATH G (CONS h p)) /\ ~(NULL p) ==> ((e_des h) = (e_src (HD p)))",
  REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN ONCE_REWRITE_TAC[WALK_TAIL_DEF] THEN
  REPEAT GEN_TAC THEN STRIP_TAC THEN UNDISCH_TAC "~NULL (p:(^Edge)list)" THEN
  ASM_REWRITE_TAC[]);;

%-----------------------------------------------------------------------
  A graph is connected if there is a path in it between any pair of
  vertices
 -----------------------------------------------------------------------%
let CONNECTED_DEF = new_definition(`CONNECTED_DEF`,
  "CONNECTED (G:^Graph) =
   (GRAPH G) /\
   (!v1 v2. (v1 IS_VERTEX G) /\ (v2 IS_VERTEX G) /\ ~(v1 = v2) ==>
     (?l. (PATH G l) /\ (v1 = PATH_ENTRY l) /\ (v2 = PATH_EXIT l)))");;

let CONNECTED_GRAPH = prove_thm(`CONNECTED_GRAPH`,
  "!(G:^Graph). CONNECTED G ==> GRAPH G",
  REWRITE_TAC[CONNECTED_DEF] THEN REPEAT STRIP_TAC THEN FIRST_ASSUM ACCEPT_TAC);;

let CONNECTED_SING = prove_thm(`CONNECTED_SING`,
  "!v:*. CONNECTED (({v},{}):^Graph)",
  REWRITE_TAC[CONNECTED_DEF; IS_VERTEX_DEF; GRAPH_DEF; VERTICES; NOT_IN_EMPTY; IN_INSERT] THEN
  REPEAT GEN_TAC THEN STRIP_TAC THEN POP_ASSUM MP_TAC THEN ASM_REWRITE_TAC[]);;

%-----------------------------------------------------------------------
  Two paths are disjoint iff their edge sets are disjoint and their
  vertex sets, except the entries, are disjoint.
 -----------------------------------------------------------------------%
let DISJ_PATH_DEF = new_definition(`DISJ_PATH_DEF`,
  "DISJ_PATH (G:^Graph) (p1:(^Edge)list) (p2:(^Edge)list) =
   (PATH G p1) /\ (PATH G p2) /\ (DISJ_LIST p1 p2) /\ (DISJ_LIST (V_L p1) (V_L p2))");;

%- HAS_PATH G v1 v2 if there is a path in G from v1 to v2 -%
let HAS_PATH_DEF = new_definition(`HAS_PATH_DEF`,
  "HAS_PATH (G:^Graph) v1 v2 =
   ?p:(^Edge)list. PATH G p /\ (PATH_ENTRY p = v1) /\ (PATH_EXIT p = v2)");;

let WALK_ENTRY_CONS = prove_thm(`WALK_ENTRY_CONS`,
  "!(p:(^Edge)list) h G. (WALK_ENTRY (CONS h p)) = (e_src h)",
  REWRITE_TAC[WALK_ENTRY_DEF; HD]);;

let WALK_ENTRY_APPEND = prove_thm(`WALK_ENTRY_APPEND`,
  "!p1 (p2:(^Edge)list) G. (WALK G p1) /\ (WALK G p2) ==>
   (WALK_ENTRY (APPEND p1 p2) = WALK_ENTRY p1)",
  REWRITE_TAC[WALK_DEF; WALK_ENTRY_DEF] THEN REPEAT GEN_TAC THEN STRIP_TAC THEN
  IMP_RES_TAC HD_APPEND THEN ASM_REWRITE_TAC[]);;

let WALK_EXIT_APPEND_lemma =
  let NOT_NULL_APPEND = TAC_PROOF(([],
      "!(p1:(^Edge)list) p2. ~NULL p2 ==> ~NULL (APPEND p1 p2)"),
      LIST_INDUCT_TAC THEN REWRITE_TAC[APPEND; NULL]) in
  TAC_PROOF(([],
    "!p1 (p2:(^Edge)list). ~(NULL p2) ==> (WALK_EXIT (APPEND p1 p2) = WALK_EXIT p2)"),
    LIST_INDUCT_TAC THEN REWRITE_TAC[APPEND] THEN ONCE_REWRITE_TAC[WALK_EXIT_DEF] THEN
    REPEAT STRIP_TAC THEN RES_TAC THEN IMP_RES_TAC NOT_NULL_APPEND THEN
    ASM_REWRITE_TAC[]);;

let WALK_EXIT_APPEND = prove_thm(`WALK_EXIT_APPEND`,
  "!p1 (p2:(^Edge)list) G. (WALK G p1) /\ (WALK G p2) ==>
   (WALK_EXIT (APPEND p1 p2) = WALK_EXIT p2)",
  REWRITE_TAC[WALK_DEF] THEN REPEAT STRIP_TAC THEN
  IMP_RES_TAC WALK_EXIT_APPEND_lemma THEN ASM_REWRITE_TAC[]);;

let PATH_ENTRY_SING = prove_thm(`PATH_ENTRY_SING`,
  "!(u:*) v (x:**). PATH_ENTRY [(u,v,x)] = u",
  REWRITE_TAC[PATH_ENTRY_DEF; e_src; HD]);;

let PATH_EXIT_SING = prove_thm(`PATH_EXIT_SING`,
  "!(u:*) v (x:**). PATH_EXIT [(u,v,x)] = v",
  REWRITE_TAC[PATH_EXIT_DEF; WALK_EXIT_DEF; e_des; HD; NULL]);;

let PATH_ENTRY_CONS = prove_thm(`PATH_ENTRY_CONS`,
  "!p (h:^Edge). PATH_ENTRY (CONS h p) = e_src h",
  PURE_ONCE_REWRITE_TAC[PATH_WALK_ENTRY] THEN MATCH_ACCEPT_TAC WALK_ENTRY_CONS);;

let PATH_EXIT_CONS = prove_thm(`PATH_EXIT_CONS`,
  "!p (h:^Edge). ~NULL p ==> (PATH_EXIT (CONS h p) = PATH_EXIT p)",
  PURE_REWRITE_TAC[PATH_EXIT_DEF; WALK_EXIT_DEF] THEN REPEAT GEN_TAC THEN
  DISCH_TAC THEN ASM_REWRITE_TAC[]);;

let PATH_ENTRY_APPEND = prove_thm(`PATH_ENTRY_APPEND`,
  "!l1 (l2:(^Edge)list) G. PATH G l1 ==> (PATH_ENTRY (APPEND l1 l2) = PATH_ENTRY l1)",
  REPEAT STRIP_TAC THEN IMP_RES_TAC PATH_NOT_NULL THEN IMP_RES_TAC NOT_NULL_LIST THEN
  POP_ASSUM SUBST1_TAC THEN REWRITE_TAC[APPEND; PATH_ENTRY_DEF; HD]);;

let IMP_APPEND_NOT_NULL = TAC_PROOF(([],
  "!l1 (l2:(*)list). ~NULL l1 \/ ~NULL l2 ==> ~NULL (APPEND l1 l2)"),
  LIST_INDUCT_TAC THEN REWRITE_TAC[NULL; APPEND]);;

let PATH_EXIT_APPEND = prove_thm(`PATH_EXIT_APPEND`,
  "!l1 (l2:(^Edge)list). ~NULL l2 ==> (PATH_EXIT (APPEND l1 l2) = PATH_EXIT l2)",
  PURE_ONCE_REWRITE_TAC[PATH_EXIT_DEF] THEN LIST_INDUCT_TAC THEN
  REWRITE_TAC[APPEND; WALK_EXIT_DEF] THEN REPEAT STRIP_TAC THEN
  IMP_RES_TAC IMP_APPEND_NOT_NULL THEN ASM_REWRITE_TAC[] THEN RES_TAC);;

let WALK_CONS = prove_thm(`WALK_CONS`,
  "!p h (G:^Graph). (WALK G p) /\ (h IS_EDGE G) /\ ((e_des h) = WALK_ENTRY p) ==>
   (WALK G (CONS h p))",
  REWRITE_TAC[WALK_DEF; WALK_ENTRY_DEF] THEN LIST_INDUCT_TAC THENL[
    REWRITE_TAC[NULL];
    ONCE_REWRITE_TAC[WALK_TAIL_DEF] THEN REWRITE_TAC[NULL; HD] THEN
    REPEAT GEN_TAC THEN STRIP_TAC THENL[
      PURE_ONCE_REWRITE_TAC[WALK_TAIL_DEF];
      ASM_CASES_TAC "NULL (p:(^Edge)list)" THENL[
        PURE_ONCE_REWRITE_TAC[WALK_TAIL_DEF];
        RES_TAC]] THEN
    ASM_REWRITE_TAC[]]);;

let WALK_APPEND = prove_thm(`WALK_APPEND`,
  "!p1 p2 (G:^Graph). (WALK G p1) /\ (WALK G p2) /\ (WALK_EXIT p1 = WALK_ENTRY p2) ==>
   (WALK G (APPEND p1 p2))",
  REWRITE_TAC[WALK_DEF] THEN LIST_INDUCT_TAC THEN REWRITE_TAC[APPEND; NULL] THEN
  ONCE_REWRITE_TAC[WALK_TAIL_DEF] THEN ONCE_REWRITE_TAC[WALK_EXIT_DEF] THEN
  ASM_CASES_TAC "NULL (p1:(^Edge)list)" THENL[
    IMP_RES_TAC NULL_NIL THEN ASM_REWRITE_TAC[APPEND; NULL; WALK_ENTRY_DEF] THEN
    REPEAT GEN_TAC THEN STRIP_TAC THEN ASM_REWRITE_TAC[];
    ASM_REWRITE_TAC[] THEN REPEAT GEN_TAC THEN STRIP_TAC THEN RES_TAC THEN
    IMP_RES_TAC HD_APPEND THEN ASM_REWRITE_TAC[]]);;

let WALK_CAT = prove_thm(`WALK_CAT`,
  "!(G:^Graph) p1 p2. (WALK G p1) /\ (WALK G p2) /\ (WALK_EXIT p1 = (WALK_ENTRY p2):*) ==>
   ?p3. (WALK G p3) /\ (WALK_ENTRY p3 = WALK_ENTRY p1) /\
        (WALK_EXIT p3 = WALK_EXIT p2) /\ (p3 = APPEND p1 p2)",
  REPEAT GEN_TAC THEN STRIP_TAC THEN EXISTS_TAC "APPEND p1 (p2:(^Edge)list)" THEN
  CONJ_TAC THENL[
    IMP_RES_TAC WALK_APPEND;
    IMP_RES_TAC WALK_ENTRY_APPEND THEN IMP_RES_TAC WALK_EXIT_APPEND THEN
    ASM_REWRITE_TAC[]]);;

let PATH_EDGE_NO_LOOP = prove_thm(`PATH_EDGE_NO_LOOP`,
  "!p (h:^Edge) G. (PATH G (CONS h p)) ==> ~(e_src h = e_des h)",
  REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN
  ONCE_REWRITE_TAC[WALK_TAIL_DEF; UNIQUE_EL_DEF; VER_LIST_DEF] THEN
  ONCE_REWRITE_TAC[V_L_DEF] THEN ONCE_REWRITE_TAC[UNIQUE_EL_DEF] THEN
  ONCE_REWRITE_TAC[EVERY_DEF] THEN BETA_TAC THEN REPEAT GEN_TAC THEN STRIP_TAC THEN
  CONV_TAC (ONCE_DEPTH_CONV (REWRITE_CONV EQ_SYM_EQ)) THEN ASM_REWRITE_TAC[]);;

let PATH_SING = prove_thm(`PATH_SING`,
  "!(G:^Graph) e. (GRAPH G) /\ (e IS_EDGE G) /\ ~(LOOP e) ==> (PATH G [e])",
  PURE_REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF; WALK_TAIL_DEF] THEN
  REWRITE_TAC[NULL; UNIQUE_EL_DEF; VER_LIST_DEF; V_L_DEF; EVERY_DEF; LOOP_DEF] THEN
  CONV_TAC (ONCE_DEPTH_CONV BETA_CONV) THEN REPEAT GEN_TAC THEN STRIP_TAC THEN
  CONV_TAC (ONCE_DEPTH_CONV SYM_CONV) THEN REPEAT CONJ_TAC THEN FIRST_ASSUM ACCEPT_TAC);;

let PATH_CONS = prove_thm(`PATH_CONS`,
  "!p h (G:^Graph).
   (GRAPH G) /\ (PATH G p) /\ (h IS_EDGE G) /\ ((PATH_ENTRY p) = (e_des h)) /\
   ~(LOOP h) /\ ~(ELEM (VER_LIST p) (e_src h)) /\ ~(ELEM p h) ==>
   (PATH G (CONS h p))",
  LIST_INDUCT_TAC THENL[
    REPEAT STRIP_TAC THEN IMP_RES_TAC PATH_SING;
    REWRITE_TAC[PATH_DEF; TRAIL_DEF; PATH_WALK_ENTRY] THEN REPEAT STRIP_TAC THENL[
      IMP_RES_TAC (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV) WALK_CONS);
      IMP_RES_TAC NOT_ELEM_UNIQUE_EL_CONS;
      MATCH_MP_TAC UNIQUE_VER_LIST_CONS THEN PURE_ONCE_REWRITE_TAC[HD] THEN
      ASM_REWRITE_TAC[NULL] THEN
      FIRST_ASSUM (\t. ACCEPT_TAC (REWRITE_RULE[WALK_ENTRY_CONS] t))]]);;

let PATH_CAT =
  let thm = "!G p1 (p2:(^Edge)list).
             (GRAPH G) /\ (DISJ_PATH G p1 p2) /\ (PATH_EXIT p1 = PATH_ENTRY p2) /\
             ~(ELEM (VER_LIST p2) (PATH_ENTRY p1)) ==>
             (?p3. (PATH G p3) /\ (PATH_ENTRY p3 = PATH_ENTRY p1) /\
                   (PATH_EXIT p3 = PATH_EXIT p2) /\ (p3 = APPEND p1 p2))" in
  let lem1 = TAC_PROOF(([],
      "!G (p:(^Edge)list). PATH G p ==> UNIQUE_EL p"),
      REWRITE_TAC[PATH_DEF; TRAIL_DEF] THEN REPEAT STRIP_TAC THEN FIRST_ASSUM ACCEPT_TAC) in
  let lem2 = PURE_ONCE_REWRITE_RULE[
      (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV) WALK_ENTRY_DEF)] UNIQUE_VER_LIST_APPEND in
  prove_thm(`PATH_CAT`, thm,
    PURE_REWRITE_TAC[PATH_DEF; TRAIL_DEF; DISJ_PATH_DEF; PATH_EXIT_DEF; PATH_WALK_ENTRY] THEN
    REPEAT STRIP_TAC THEN EXISTS_TAC "APPEND p1 (p2:(^Edge)list)" THEN
    REPEAT CONJ_TAC THENL[
      IMP_RES_TAC PATH_WALK THEN IMP_RES_TAC WALK_APPEND;
      IMP_RES_TAC lem1 THEN IMP_RES_TAC UNIQUE_EL_APPEND;
      IMP_RES_TAC WALK_DEF THEN IMP_RES_TAC lem2;
      IMP_RES_TAC WALK_ENTRY_APPEND;
      IMP_RES_TAC WALK_EXIT_APPEND;
      REFL_TAC]);;

let PATH_APPEND = prove_thm(`PATH_APPEND`,
  "!G p1 (p2:(^Edge)list).
   (GRAPH G) /\ (DISJ_PATH G p1 p2) /\ (PATH_EXIT p1 = PATH_ENTRY p2) /\
   ~(ELEM (VER_LIST p2) (PATH_ENTRY p1)) ==> (PATH G (APPEND p1 p2))",
  REPEAT STRIP_TAC THEN IMP_RES_TAC PATH_CAT THEN
  UNDISCH_TAC "PATH (G:^Graph) p3" THEN ASM_REWRITE_TAC[]);;

% |- !G1 G2 v1 v2 x1 x2.
     GRAPH G1 /\ GRAPH G2 /\ v1 IS_VERTEX G1 /\ v2 IS_VERTEX G2 ==>
     GRAPH ((v1,v2,x1) INSERT_EDGE ((v2,v1,x2) INSERT_EDGE (G1 G_UNION G2))) %
let lemma4 = GEN_ALL (DISCH_ALL (CONJUNCT1 (SPEC_ALL (UNDISCH_ALL
               (SPEC_ALL G_UNION_INS_EDGES)))));;

let repeat n f =
  letrec rep n f l = if n = 0 then l else (f . (rep (n-1) f l))
  in (rep n f []);;

let PATH_NOT_NIL = prove_thm(`PATH_NOT_NIL`,
  "!(G:^Graph). ~(PATH G [])",
  REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF; NULL]);;

let WALK_TAIL_G_UNION = prove_thm(`WALK_TAIL_G_UNION`,
  "!(l:(^Edge)list) G1 G2. (GRAPH G1) /\ (GRAPH G2) /\ (WALK_TAIL l G1) ==>
   WALK_TAIL l (G1 G_UNION G2)",
  LIST_INDUCT_TAC THEN REWRITE_TAC[WALK_TAIL_DEF] THEN REPEAT GEN_TAC THEN
  STRIP_TAC THEN REPEAT CONJ_TAC THENL[
    IMP_RES_TAC GRAPH_UNION;
    ASM_REWRITE_TAC[EDGE_IN_UNION];
    ASM_REWRITE_TAC[];
    IMP_RES_TAC GRAPH_UNION;
    ASM_REWRITE_TAC[EDGE_IN_UNION];
    RES_TAC THEN ASM_REWRITE_TAC[]]);;

let PATH_G_UNION = prove_thm(`PATH_G_UNION`,
  "!(l:(^Edge)list) G1 G2. (GRAPH G1) /\ (GRAPH G2) /\ (PATH G1 l) ==>
   PATH (G1 G_UNION G2) l",
  REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN LIST_INDUCT_TAC THEN
  REWRITE_TAC[NULL; WALK_TAIL_DEF] THEN REPEAT GEN_TAC THEN STRIP_TAC THEN
  REPEAT CONJ_TAC THEN ASM_REWRITE_TAC[] THENL[
    IMP_RES_TAC GRAPH_UNION;
    ASM_REWRITE_TAC[EDGE_IN_UNION];
    IMP_RES_TAC GRAPH_UNION;
    ASM_REWRITE_TAC[EDGE_IN_UNION];
    IMP_RES_TAC WALK_TAIL_G_UNION THEN ASM_REWRITE_TAC[]]);;

let WALK_TAIL_INS_VERTEX = prove_thm(`WALK_TAIL_INS_VERTEX`,
  "!(l:(^Edge)list) v G. (WALK_TAIL l G) ==> (WALK_TAIL l (v INSERT_VERTEX G))",
  LIST_INDUCT_TAC THEN REWRITE_TAC[WALK_TAIL_DEF] THEN REPEAT STRIP_TAC THENL[
    IMP_RES_THEN MATCH_ACCEPT_TAC GRAPH_INSERT_VERTEX;
    IMP_RES_THEN MATCH_ACCEPT_TAC IN_INSERT_VERTEX;
    ASM_REWRITE_TAC[];
    IMP_RES_THEN MATCH_ACCEPT_TAC GRAPH_INSERT_VERTEX;
    IMP_RES_THEN MATCH_ACCEPT_TAC IN_INSERT_VERTEX;
    RES_TAC THEN ASM_REWRITE_TAC[]]);;

let WALK_TAIL_INS_EDGE = prove_thm(`WALK_TAIL_INS_EDGE`,
  "!(l:(^Edge)list) e G. (WALK_TAIL l G) ==> (WALK_TAIL l (e INSERT_EDGE G))",
  LIST_INDUCT_TAC THEN REWRITE_TAC[WALK_TAIL_DEF] THEN REPEAT STRIP_TAC THENL[
    IMP_RES_THEN MATCH_ACCEPT_TAC GRAPH_INSERT_EDGE;
    IMP_RES_THEN MATCH_ACCEPT_TAC IN_INSERT_EDGE;
    ASM_REWRITE_TAC[];
    IMP_RES_THEN MATCH_ACCEPT_TAC GRAPH_INSERT_EDGE;
    IMP_RES_THEN MATCH_ACCEPT_TAC IN_INSERT_EDGE;
    RES_TAC THEN ASM_REWRITE_TAC[]]);;

let PATH_INS_VERTEX = prove_thm(`PATH_INS_VERTEX`,
  "!(l:(^Edge)list) v G. (PATH G l) ==> (PATH (v INSERT_VERTEX G) l)",
  LIST_INDUCT_TAC THENL[
    REWRITE_TAC[PATH_NOT_NIL];
    REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN REPEAT GEN_TAC THEN
    STRIP_TAC THEN ASM_REWRITE_TAC[] THEN
    IMP_RES_THEN MATCH_ACCEPT_TAC WALK_TAIL_INS_VERTEX]);;

let PATH_INS_EDGE = prove_thm(`PATH_INS_EDGE`,
  "!(l:(^Edge)list) e G. (PATH G l) ==> (PATH (e INSERT_EDGE G) l)",
  LIST_INDUCT_TAC THENL[
    REWRITE_TAC[PATH_NOT_NIL];
    REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN REPEAT GEN_TAC THEN
    STRIP_TAC THEN ASM_REWRITE_TAC[] THEN
    IMP_RES_THEN MATCH_ACCEPT_TAC WALK_TAIL_INS_EDGE]);;

let PATH_INS_EDGE2 = prove_thm(`PATH_INS_EDGE2`,
  "!(G:^Graph) v1 v2. (GRAPH G) /\ (v1 IS_VERTEX G) /\ (v2 IS_VERTEX G) /\ ~(v1 = v2) ==>
   !x. PATH ((v1,v2,x) INSERT_EDGE G) [(v1,v2,x)]",
  PURE_REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN
  REWRITE_TAC[WALK_TAIL_DEF; NULL] THEN REPEAT STRIP_TAC THENL[
    MATCH_MP_TAC GRAPH_INSERT_EDGE THEN FIRST_ASSUM ACCEPT_TAC;
    IMP_RES_TAC EDGE_IN_INSERT2 THEN FIRST_ASSUM MATCH_ACCEPT_TAC;
    MATCH_ACCEPT_TAC UNIQUE_EL_SING;
    PURE_REWRITE_TAC[VER_LIST_DEF; V_L_DEF; e_src; e_des] THEN
    REWRITE_TAC[UNIQUE_EL_DEF; EVERY_DEF] THEN BETA_TAC THEN
    CONV_TAC (ONCE_DEPTH_CONV SYM_CONV) THEN FIRST_ASSUM ACCEPT_TAC]);;

let PATH_IS_EDGE = prove_thm(`PATH_IS_EDGE`,
  "!(G:^Graph) h l. PATH G (CONS h l) ==> h IS_EDGE G",
  REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF; WALK_TAIL_DEF] THEN
  REPEAT STRIP_TAC THEN FIRST_ASSUM ACCEPT_TAC);;

let PATH_ELEM_IS_EDGE = prove_thm(`PATH_ELEM_IS_EDGE`,
  "!(G:^Graph) l. (PATH G l) ==> !x. ELEM l x ==> x IS_EDGE G",
  REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN GEN_TAC THEN LIST_INDUCT_TAC THEN
  REWRITE_TAC[NULL; WALK_TAIL_DEF; ELEM_DEF] THEN GEN_TAC THEN STRIP_TAC THENL[
    IMP_RES_THEN SUBST_ALL_TAC NULL_NIL THEN REWRITE_TAC[ELEM_DEF] THEN
    GEN_TAC THEN STRIP_TAC THEN ASM_REWRITE_TAC[];
    ASM_CASES_TAC "NULL (l:(^Edge)list)" THENL[
      IMP_RES_THEN SUBST1_TAC NULL_NIL THEN REWRITE_TAC[ELEM_DEF] THEN
      GEN_TAC THEN STRIP_TAC THEN ASM_REWRITE_TAC[];
      IMP_RES_TAC UNIQUE_EL_TL THEN
      UNDISCH_TAC "UNIQUE_EL (VER_LIST (CONS (h:^Edge) l))" THEN
      PURE_ONCE_REWRITE_TAC[VER_LIST_CONS] THEN PURE_ONCE_REWRITE_TAC[UNIQUE_EL_DEF] THEN
      SUBST1_TAC (ASSUME "e_des (h:^Edge) = e_src (HD (l:(^Edge)list))") THEN
      IMP_RES_THEN (\t. SUBST1_TAC (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV) t))
                   NOT_NULL_VER_LIST THEN
      STRIP_TAC THEN RES_TAC THEN REPEAT STRIP_TAC THENL[
        ASM_REWRITE_TAC[];
        RES_TAC]]]);;

let PATH_IS_VERTEX = prove_thm(`PATH_IS_VERTEX`,
  "!(G:^Graph) h l. PATH G (CONS h l) ==>
   ((e_src h) IS_VERTEX G) /\ ((e_des h) IS_VERTEX G)",
  REPEAT GEN_TAC THEN STRIP_TAC THEN IMP_RES_TAC PATH_IS_EDGE THEN
  IMP_RES_TAC PATH_GRAPH THEN IMP_RES_TAC GRAPH_EDGE_VERTEX THEN
  CONJ_TAC THEN FIRST_ASSUM ACCEPT_TAC);;

let PATH_ELEM_VER_LIST_IS_VERTEX = prove_thm(`PATH_ELEM_VER_LIST_IS_VERTEX`,
  "!(G:^Graph) l. (PATH G l) ==> !x. ELEM (VER_LIST l) x ==> x IS_VERTEX G",
  REWRITE_TAC[PATH_DEF; TRAIL_DEF; WALK_DEF] THEN GEN_TAC THEN LIST_INDUCT_TAC THEN
  REWRITE_TAC[NULL; WALK_TAIL_DEF; ELEM_DEF] THEN
  ASM_CASES_TAC "NULL (l:(^Edge)list)" THEN GEN_TAC THEN STRIP_TAC THENL[
    IMP_RES_THEN SUBST1_TAC NULL_NIL THEN
    REWRITE_TAC[ELEM_DEF; VER_LIST_DEF; V_L_DEF] THEN GEN_TAC THEN STRIP_TAC THEN
    POP_ASSUM SUBST1_TAC THEN IMP_RES_TAC GRAPH_EDGE_VERTEX;
    IMP_RES_THEN SUBST1_TAC NULL_NIL THEN
    REWRITE_TAC[ELEM_DEF; VER_LIST_DEF; V_L_DEF] THEN GEN_TAC THEN STRIP_TAC THEN
    POP_ASSUM SUBST1_TAC THEN IMP_RES_TAC GRAPH_EDGE_VERTEX;
    RES_TAC;
    IMP_RES_TAC UNIQUE_EL_DEF THEN
    IMP_RES_THEN MP_TAC (GEN_ALL (REWRITE_RULE[NULL]
        (SPEC "CONS (h:^Edge) l" UNIQUE_EL_VER_LIST_TL))) THEN
    IMP_RES_TAC NOT_NULL_VER_LIST_CONS THEN PURE_ASM_REWRITE_TAC[TL; ELEM_DEF] THEN
    REPEAT STRIP_TAC THENL[
      POP_ASSUM SUBST1_TAC THEN IMP_RES_TAC GRAPH_EDGE_VERTEX;
      RES_TAC]]);;

let PATH_INS_INS_CONS = prove_thm(`PATH_INS_INS_CONS`,
  "!(G:^Graph) l v1 v2 x.
   (PATH G l) /\ (v2 IS_VERTEX G) /\ ~(v1 IS_VERTEX G) /\
   (v2 = PATH_ENTRY l) /\ ~(v1 = v2) ==>
   PATH ((v1,v2,x) INSERT_EDGE (v1 INSERT_VERTEX G)) (CONS (v1,v2,x) l)",
  REPEAT GEN_TAC THEN STRIP_TAC THEN MATCH_MP_TAC PATH_CONS THEN REPEAT CONJ_TAC THENL[
    MATCH_MP_TAC GRAPH_INSERT_EDGE THEN MATCH_MP_TAC GRAPH_INSERT_VERTEX THEN
    IMP_RES_TAC PATH_GRAPH;
    MATCH_MP_TAC PATH_INS_EDGE THEN MATCH_MP_TAC PATH_INS_VERTEX THEN
    FIRST_ASSUM ACCEPT_TAC;
    MATCH_MP_TAC EDGE_IN_INSERT THEN CONJ_TAC THENL[
      DISJ1_TAC THEN REFL_TAC;
      DISJ2_TAC THEN FIRST_ASSUM ACCEPT_TAC];
    ASM_REWRITE_TAC[e_des];
    PURE_REWRITE_TAC[LOOP_DEF; e_src; e_des] THEN FIRST_ASSUM ACCEPT_TAC;
    PURE_REWRITE_TAC[e_src] THEN IMP_RES_TAC PATH_ELEM_VER_LIST_IS_VERTEX THEN
    POP_ASSUM (\t. IMP_RES_TAC (CONTRAPOS (ISPEC "v1:*" t)));
    IMP_RES_TAC PATH_ELEM_IS_EDGE THEN
    POP_ASSUM (\t. MATCH_MP_TAC (CONTRAPOS (ISPEC "(v1,v2,x):^Edge" t))) THEN
    IMP_RES_TAC PATH_GRAPH THEN IMP_RES_TAC NOT_VERTEX_NOT_EDGE THEN
    FIRST_ASSUM MATCH_ACCEPT_TAC]);;

let CONNECTED_INS_EDGE = prove_thm(`CONNECTED_INS_EDGE`,
  "!G:^Graph. CONNECTED G ==> !e. CONNECTED (e INSERT_EDGE G)",
```
```
  PURE_ONCE_REWRITE_TAC[CONNECTED_DEF] THEN
  PURE_ONCE_REWRITE_TAC[IS_VERTEX_INSERT_EDGE] THEN REPEAT STRIP_TAC THENL[
    IMP_RES_THEN MATCH_ACCEPT_TAC GRAPH_INSERT_EDGE;
    RES_TAC THEN EXISTS_TAC "l:(^Edge)list" THEN IMP_RES_TAC PATH_INS_EDGE THEN
    REPEAT CONJ_TAC THEN FIRST_ASSUM MATCH_ACCEPT_TAC]);;

close_theory();;
```

## B.6 The file mk_signal.ml

```
% File: signal.ml --- Theory of signals
  Version: 3.1   Date: 26 Nov 1991   Author: W Wong %

new_theory `SIGNAL`;;

%- Definition of shunting signal aspects -%
let ShAspect_Axiom = define_type `ShAspect_Axiom`
  `ShAspect = sh_on | sh_off | sh_faulty`;;

let ShAspect_const_dist = save_thm(`ShAspect_const_dist`,
  prove_constructors_distinct ShAspect_Axiom);;

let ShAspect_INDUCT = save_thm(`ShAspect_INDUCT`,
  prove_induction_thm ShAspect_Axiom);;

let ShAspect_cases = save_thm(`ShAspect_cases`,
  prove_cases_thm ShAspect_INDUCT);;

%- Definition of a shunting signal -%
let Shsig_Axiom = define_type `Shsig_Axiom`
  `Shsig = SHUNTSIG (num->ShAspect)`;;

let Shsig_one_one = save_thm(`Shsig_one_one`,
  prove_constructors_one_one Shsig_Axiom);;

let Shsig_INDUCT = save_thm(`Shsig_INDUCT`,
  prove_induction_thm Shsig_Axiom);;

let Shsig_cases = save_thm(`Shsig_cases`,
  prove_cases_thm Shsig_INDUCT);;

let SHUNT_FUNC_DEF = new_recursive_definition
  false Shsig_Axiom `SHUNT_FUNC_DEF`
  "SHUNT_FUNC (SHUNTSIG s) = s";;

let SHUNT_ON_DEF = new_recursive_definition
  false Shsig_Axiom `SHUNT_ON_DEF`
  "SHUNT_ON (SHUNTSIG s) t = (s t = sh_on)";;

let SHUNT_OFF_DEF = new_recursive_definition
  false Shsig_Axiom `SHUNT_OFF_DEF`
  "SHUNT_OFF (SHUNTSIG s) t = (s t = sh_off)";;

let SHUNT_FAULT_DEF = new_recursive_definition
  false Shsig_Axiom `SHUNT_FAULT_DEF`
  "SHUNT_FAULT (SHUNTSIG s) t = (s t = sh_faulty)";;
```
```
%- Definition of subsidiary signal aspects -%
let SubAspect_Axiom = define_type `SubAspect_Axiom`
  `SubAspect = sub_not_shown | sub_off`;;

let SubAspect_const_dist = save_thm(`SubAspect_const_dist`,
  prove_constructors_distinct SubAspect_Axiom);;

let SubAspect_INDUCT = save_thm(`SubAspect_INDUCT`,
  prove_induction_thm SubAspect_Axiom);;

let SubAspect_cases = save_thm(`SubAspect_cases`,
  prove_cases_thm SubAspect_INDUCT);;

%- Definition of a subsidiary signal -%
let Subsig_Axiom = define_type `Subsig_Axiom`
  `Subsig = SUBSIG (num->SubAspect)`;;

let Subsig_one_one = save_thm(`Subsig_one_one`,
  prove_constructors_one_one Subsig_Axiom);;

let Subsig_INDUCT = save_thm(`Subsig_INDUCT`,
  prove_induction_thm Subsig_Axiom);;

let Subsig_cases = save_thm(`Subsig_cases`,
  prove_cases_thm Subsig_INDUCT);;

let SUB_FUNC_DEF = new_recursive_definition
  false Subsig_Axiom `SUB_FUNC_DEF`
  "SUB_FUNC (SUBSIG s) = s";;

let SUB_OFF_DEF = new_recursive_definition
  false Subsig_Axiom `SUB_OFF_DEF`
  "SUB_OFF (SUBSIG s) t = (s t = sub_off)";;

%-----------------------------------------------------------------------
  Definition of a junction indicator --- :num->bool
  function returning current state of the indicator
  T --> proved ON,  F --> not ON or faulty
 -----------------------------------------------------------------------%
let Jsig_Axiom = define_type `Jsig_Axiom`
  `Jsig = JSIG (num->bool)`;;

let Jsig_one_one = save_thm(`Jsig_one_one`,
  prove_constructors_one_one Jsig_Axiom);;

let Jsig_INDUCT = save_thm(`Jsig_INDUCT`,
  prove_induction_thm Jsig_Axiom);;

let Jsig_cases = save_thm(`Jsig_cases`,
  prove_cases_thm Jsig_INDUCT);;

let J_FUNC_DEF = new_recursive_definition
  false Jsig_Axiom `J_FUNC_DEF`
  "J_FUNC (JSIG j) = j";;

%- Define enumeration type for main signal aspects -%
let MAspect_Axiom = define_type `MAspect_Axiom`
  `MAspect = green | double_yellow | yellow | red |
             green_flash | double_yellow_flash | yellow_flash | faulty_aspect`;;

let MAspect_const_dist = save_thm(`MAspect_const_dist`,
  prove_constructors_distinct MAspect_Axiom);;

let MAspect_INDUCT = save_thm(`MAspect_INDUCT`,
  prove_induction_thm MAspect_Axiom);;

let MAspect_cases = save_thm(`MAspect_cases`,
  prove_cases_thm MAspect_INDUCT);;

%- Define the main signal types -%
let Mtype_Axiom = define_type `Mtype_Axiom`
  `Mtype = two_aspect | three_aspect | four_aspect | two_repeat | three_repeat`;;

let Mtype_const_dist = save_thm(`Mtype_const_dist`,
  prove_constructors_distinct Mtype_Axiom);;

let Mtype_INDUCT = save_thm(`Mtype_INDUCT`,
  prove_induction_thm Mtype_Axiom);;

let Mtype_cases = save_thm(`Mtype_cases`,
  prove_cases_thm Mtype_INDUCT);;

%-----------------------------------------------------------------------
  Definition of a main signal --
    Mtype    : type of main signal
    MAspect  : function returning current aspect of the signal
 -----------------------------------------------------------------------%
let Msig_Axiom = define_type `Msig_Axiom`
  `Msig = MSIG Mtype (num->MAspect)`;;

let Msig_one_one = save_thm(`Msig_one_one`,
  prove_constructors_one_one Msig_Axiom);;

let Msig_INDUCT = save_thm(`Msig_INDUCT`,
  prove_induction_thm Msig_Axiom);;

let Msig_cases = save_thm(`Msig_cases`,
  prove_cases_thm Msig_INDUCT);;

let M_TYPE_DEF = new_recursive_definition
  false Msig_Axiom `M_TYPE_DEF`
  "M_TYPE (MSIG type af) = type";;

let M_FUNC_DEF = new_recursive_definition
  false Msig_Axiom `M_FUNC_DEF`
  "M_FUNC (MSIG type af) = af";;

let M_ASPECT_DEF = new_recursive_definition
  false Msig_Axiom `M_ASPECT_DEF`
  "M_ASPECT (MSIG type af) t = af t";;

%-----------------------------------------------------------------------
  Definitions of signal ON or OFF as seen at the Control Centre
    ON  - RED aspect selected and proved.
    OFF - any other aspect and proved.
 -----------------------------------------------------------------------%
let MAIN_ON_DEF = new_definition (`MAIN_ON_DEF`,
  "MAIN_ON s (t:num) = ((M_ASPECT s t) = red)");;

let MAIN_FAULTY_DEF = new_definition (`MAIN_FAULTY_DEF`,
  "MAIN_FAULTY s (t:num) = ((M_ASPECT s t) = faulty_aspect)");;

let MAIN_OFF_DEF = new_definition (`MAIN_OFF_DEF`,
  "MAIN_OFF s (t:num) = ~(MAIN_ON s t) /\ ~(MAIN_FAULTY s t)");;

let RED_DEF = new_definition (`RED_DEF`,
  "RED s t = ((M_ASPECT s t) = red)");;

let YELLOW_DEF = new_definition (`YELLOW_DEF`,
  "YELLOW s t = ((M_ASPECT s t) = yellow)");;

let Signal_one_one = save_thm(`Signal_one_one`,
  prove_constructors_one_one Signal_Axiom);;

let Signal_INDUCT = save_thm(`Signal_INDUCT`,
  prove_induction_thm Signal_Axiom);;

let Signal_cases = save_thm(`Signal_cases`,
  prove_cases_thm Signal_INDUCT);;

%- Declaration of projection operators for signals -%
let SIGNAL_ID_DEF = new_recursive_definition
  false Signal_Axiom `SIGNAL_ID_DEF`
  "(SIGNAL_ID (SIGNALM id m) = id) /\
   (SIGNAL_ID (SIGNALMJ id m j) = id) /\
   (SIGNAL_ID (SIGNALMS id m s) = id) /\
   (SIGNAL_ID (SIGNALMSJ id m s j) = id) /\
   (SIGNAL_ID (SIGNALS id sh) = id)";;

let SIGNAL_MAIN_DEF = new_recursive_definition
  false Signal_Axiom `SIGNAL_MAIN_DEF`
  "(SIGNAL_MAIN (SIGNALM id m) = m) /\
   (SIGNAL_MAIN (SIGNALMJ id m j) = m) /\
   (SIGNAL_MAIN (SIGNALMS id m s) = m) /\
   (SIGNAL_MAIN (SIGNALMSJ id m s j) = m)";;

let SIGNAL_JUNC_DEF = new_recursive_definition
  false Signal_Axiom `SIGNAL_JUNC_DEF`
  "(SIGNAL_JUNC (SIGNALMJ id m j) = j) /\
   (SIGNAL_JUNC (SIGNALMSJ id m s j) = j)";;

let SIGNAL_SUB_DEF = new_recursive_definition
  false Signal_Axiom `SIGNAL_SUB_DEF`
  "(SIGNAL_SUB (SIGNALMS id m s) = s) /\
   (SIGNAL_SUB (SIGNALMSJ id m s j) = s)";;

let SIGNAL_SHUNT_DEF = new_recursive_definition
  false Signal_Axiom `SIGNAL_SHUNT_DEF`
  "(SIGNAL_SHUNT (SIGNALS id sh) = sh)";;

let SIG_SFUNC_DEF = new_recursive_definition
  false Signal_Axiom `SIG_SFUNC_DEF`
  "(SIG_SFUNC (SIGNALM id m) =
      INL(M_FUNC m, (ARB:num->bool), (ARB:num->SubAspect))) /\
   (SIG_SFUNC (SIGNALMJ id m j) =
      INL(M_FUNC m, J_FUNC j, (ARB:num->SubAspect))) /\
   (SIG_SFUNC (SIGNALMS id m s) =
      INL(M_FUNC m, (ARB:num->bool), SUB_FUNC s)) /\
   (SIG_SFUNC (SIGNALMSJ id m s j) =
      INL(M_FUNC m, J_FUNC j,
```
SUB_FORC s)) A (RIG SPUNC (SIGNALS to sh) - INR (SHURT_FUNC sh))":: Befigitions of signal CB or OFF as seen at Control Contro OH - RED aspect selected and proved. GFF - Any other aspect and proved les OH DEF - new recursive definition false Signal Axion '05_BEF' "(OH (BIGBALN 14 m) 9 = (BAIR_OH m 0)) / (SE (SIGNALE) 14 m j) t = (HAIR_GE m t)) / (OE (SIGNALES 14 m m) t = (SAIS_GS m t)) / (OH (SIGNALES) is m a j) t = (MAIN_OH m t)) / (OR (SIGNALS 14 sh) + = (SECRT OR sh 1)) *11 lat OFF_DEF = mes_recursive_definition false Signal_Axies 'GFF_DEF' "(GFF (SIGNALH 14 m) t = (MAIS_GFF = t)) /\ (OFF (BIGHALH) id m j) t = (RATH_OFF m t)) / (GFF (SIGNALES 14 m a) t = (MAIS_OFF = t)) / (OFF (SIGNALUS) 14 m m () 0 = (HAIH_OFF m 0)) / (BFF (8148ALS 14 sh) t = ($8007_GFF sh t)) "|1 I- Thus, when a signal is neither OH nor OFF, it is faulty -I les Sidual FASET DEF - new_definition ('Sidual_FASET_DEF'. "S] GHAL_PAULT a 4 = "((GH a 4) \/ (GFF a 4))");; let repeat m f - letrec rep a f 1 = if a = 0 then 1 elem (f . (rep (n-1) f 1)) in (ren a f D):: let $8007_807_08_0FF - preve_thm('12077_807_68_0FF'. "(a 1. '(($MUST_0S a 1) /\ ($MUST_0FF a 1))" REPRAY ORS. TAC THEN RP. TAC (SPEC "s: Sheig" Sheig.cases) THEN CONT. TAC LEFT. 18P. EXISTS CORT THEN GEN. TAC THEN BLOCK THEN SURET: TAC THEN REWRITE TACISEUT OF DEF: SHORT OFF. TACI THEN BISI_CASES_THESE (repeat 3 SURST1_TAC) (SPEC -(g' t): Shannect" Shannect_cases) THE RESIDENCE TAC (SE_SESSES, THE Shasport_const_dist) THEN CORY TAC (DECK_DEPTH_CORY SYN_CORY) THE RESIDENCE TAC [Shaspect_const_dist]);; les SIGNAL_STATE = preve_thm('SIGNAL_STATE'. "in 1. (QB a 1) \/ (QFF a 1) \/ (BIGHAL_FAULT a 1)". REPEAT CRE_TAC THEN DISJ_CASRS_THESL (repeat 6 MP_TAC) (SPEC "s" Signal_cases) ``` ### B.7 The file mk\_track.ml cless\_theory();; | E file: track.al --- theory of track components | Beat: 28 [Eq. 
1981 | | State: I long | YI lot Ppes\_Aries = define\_type 'Ppes\_Aries' 'Ppes = nermal ( reverse | neving';; lot Ppes\_const\_dist = save\_thm('Ppes\_const\_dist', prava\_cnnstructers\_distinct Ppos\_Asion);; let Ppos\_ISDOCT = save\_thm('Ppos\_ISDOCT', prava\_isductios\_thm Ppos\_Asiom);; I Type of the positions of paints I let Ppes\_cases = save\_thm('Ppos\_cases', prave\_cases\_thm Ppos\_IMBUCT);; I Type of the counts locking states of points t les Ploc.Axiom = define\_type 'Ploc.Axiom' 'Ploc = free\_news | free\_ner\_tree | free\_rev\_int | remats\_locked';; let Ploc\_const\_dist = sevo\_thm('Ploc\_const\_dist', preve\_constructors\_distinct Ploc\_ision);; let Plec\_HBUCT = save\_thm('Plec\_HBUCT', preve\_induction.thm Plec\_Asion):: let Floc.comes - save\_thm('Ploc.comes', | | prave_cases_thm Plac_1890CT);; | |-----|---------------------------------------------------------------------------------------| | | Paint_Axion = define_type 'Paint_Axion' | | | 'Point = PUIST num (num->Ppos) (num->Floc)';; | | let | Paint_ene_ene = cave_thm("Paint_ene_ene", | | | preve_constructors_one_one Point_Axion);; | | let | Paint_IRROT = save_thm('Point_IRROT', | | | prava_induction_thm Foint_Aniem);; | | let | Point_cages = save_thm('Point_cases', | | | prove_cames_thm Peint_IEDUCT);; | | 101 | PET_ID = mgs_recursive_definition | | | false Point_Aries 'PST_ID_DEF' | | | "PST_10 (PGIST = pes lec) = a";; | | 166 | PST_PGS - new_recursive_definition | | | false Point_Azion 'PHT_PGS_DEF' | | | -PET_POS (POIST a pas lac) = pos";; | | let | PST_LOC = new_recursive_definition | | | false Point_Axion 'PST_LDC_BEF' | | | "PET_LOC (PRIST a pea loc) = loc";; | | let | PET_BLOCKED = new_definition('PET_RLOCKED_DEF', | | | "PRT_REDCRED p t = ((PRT_LDC p t) = remate_lecked)");; | | lat | PUT_SORMAL = new_definition ('PST_SORMAL_DEF', | | | "PST_SCREAL p t = ((PST_PGS p t) = marmal)"];; | | 141 | PRI_REVERSE = now_definition ('PRI_REVERSE_DEF', | | | "PET_REVERSE p t = ((PET_POS p t) = 
reverse)");; | | | | | | The type Istate represents track circuit states which may be en-<br>of the following: | | | OCCUPIED the track circuit is accupied or family. | | | CLEAR the track circuit is clear of ebstruction and it | | | may be included in a rests. | | | LOCEED it is remote locked, i.e., it has been included | | | in a route and a train is appreaching. | | 1 | Totate_Axims = define_type 'Totate_Axims' | | | 'Intate = occupied locked clear' | | 141 | Totate_const_dist = save_thm('Totate_const_dist', | | | prava_constructure_distinct Tstate_Asion); | | let | Tatale_IBDOCT = anve_thm('Tatale_IBDOCT', | | | preve_induction_thm Tatate_Aziem) | | 10 | Tatate_cases = paye_thm('Tatate_cases', | | | prove_cases_thm Tetate_IMPUCT);; | The type Toir represents track circuit: num --- 14 number Totate --- the track circuit state: -----let Teir.Axies - define.tune 'Teir.Axies' 'Teir - TCIR num (num->Tatate)'; let Trir.ene.ene = enve.the('Trir.ene.ene'. prove constructors and one Telr.Axion):: let Trir\_IMBUCT = mave\_thm('Trir\_IMBUCT', prove\_induction\_thm Tcir\_Axiom);; let Trir\_cases = save\_thm('Trir\_cases'. preve\_cases\_thm Telt\_ISBOCT1;; let TC\_ID\_DEF = nee\_recursive\_definition false Tetr Agies 'TC. 19 BEF' "TC\_ID (TCIR m m) = m";; let TC\_SFURC\_DEF - new\_recursive\_definition false Teir Agies 'TC SPURC DEF' "TC SPURC (TCIR n a) = a":: les TC\_ST\_DEF - now\_recursive\_definition false Teir Agies 'TC ST DEF' "TC ST (TCIR a a) & = a &":: let TC\_DCCUPIED\_DEF = new\_definition('TC\_DCCUPIED\_DEF', "TC\_DOCUPIED a t = (TC\_ST a) t = occupied");; let TC\_CLEAR\_DEF = new\_definition('TC\_CLEAR\_DEF', "TO\_CLEAR a t = (TC\_ST c) t = clear");; let TC\_LOCKED\_DEF = sec\_definition('TC\_LOCKED\_DEF'. "TC\_LCCHED a a = (TC\_ST a) a = locked");; The type Join represents track circuit joins. 
There are four types of them: J\_conduct ---- conducting joins J.insulate --- insulated feigs J\_everlap ---- everlap joins I terminate --- termination joins let Join Agies a define type 'Join Agies' 'Join - J\_conduct | J\_inemiate | J\_overlap | J\_terminate'; let Join count diet " neve thm('Join count diet'. prove\_canatructers\_dietinat Jein\_Aniem);; let Jain\_ISDUCT = save\_thm('Jain\_ISDUCT', preve\_induction\_thm Jain\_Agiam);; let Join\_cases = save\_thm('Jein\_cases'. prove\_cases\_the Join\_ISDUCT);; ``` let IS_JCOND_DEF = new_definition('IS_JCOND_DEF', "If_JCOSO 1 = (1 = J_conduct)"):: lot 18_JIMSU_DEF = new_definition('IS_JIMSU_DEF'. "IS_JIESU j = (j = J_inselate)");; lot 18_JOVER_DEF = new_definition('IS_JOVER_DEF'. "II_JOVER j = (j = J_overlap)");; let IS_JTERM_DEF = new_definition('IS_JTERM_DEF'. "15_JTERM | = (| = J_terminate)");; close_theory():: B.8 The file mk_part.ml I- File part al --- theory of parts Date: Nav 1981 Author: Val Vong -L non_theory 'PART';; new_parent 'TRACE':: nes . perent 'SIGPAL': The type Part represets individual section of track on the railway track network. There are four different kinds of parts: SPART --- the last piece of track on the network i.e. 
buffer num --- Part identiv sumber TPART --- a piece of plain track num --- Part identity number fetr --- the track circuit PPART --- a junction usually centain a point num --- Part identity number Teir --- the track circuit Point --- the point in this part (numberedsum) the part numbers of the adjacent parts the first is the trailing part the second is the sermal and the third reverse plant DPART --- a dismond creasing num --- Part identity number Teir --- the track circuit numbers --- the id's of the associated parts on first leg numbrum --- the id's of the associated parts on second leg lot Part_Axion = define_type 'Part_Axion' 'Part - SPART num | TPART num Toir ( DPART num Teir (numbers) (numbers) | PPART num Toir Point (numbeundnum)'i; I Prove some theorem for Part 1 lot Part Induct " save the ('Part_Induct', prove_induction_thm Part_Asiem); ``` - lot Part\_ene\_one = save\_thm - ('Part\_ene\_ene', prove\_constructors\_one\_ene Part\_Axion); - lot Fort distinct save the - ('Part\_distinct', prave\_countructors\_distinct Part\_ision);; - lot Part cames " save thm - ('Part\_cases', preve\_cases\_the Part\_Induct):: - T- projection operator on Port -1 - lat PART\_ID\_DEF new\_recursive\_definition false Part\_Asiam 'PART\_ID\_DEF' - "(PART,ID (BPART a) = a) /\ - (PART\_ID (TPART m u) = m) /\ - (PART\_ID (DPART n t m1 m2) = m) / - (PART IN (PPART m t m m3) = m)":: - let PART\_CIRCUIT\_DEF = see\_recursive\_definition - folse Port\_Agion 'PART\_CIRCUIT DEF' - "(PART\_CIRCUIT (TPART a tc) = tc) / - (PART\_CIRCUIT (BPART a te mi m2) = tc) / - (PART\_CIRCUIT (PPART m tc p m3) = tc)";; - let PART\_POIST\_DEF = new\_recursive\_definition false Part\_Anies 'PART\_POINT\_DEF' - "(PART\_POINT (PPART m to p m2) = p)";; - let PART\_PHT TRAILING DEF = new recursive definition false Part\_Anies 'PART\_PET\_TRAILING\_DEF' "PART\_PRT\_TRAILING (PPART a to a a3) = (PRT a3)";; - let PART\_PUT\_HORMAL\_DEF = new\_recursive\_definition - false Part\_Auton 'PART\_PRY\_HORMAL\_DEF' 
"PART\_PAT\_SORMAL (PPART = tc p m2) = PUT (SED m2)";; - let PART\_PRT\_REVERSE\_DEF = non\_recursive\_definition false Part Autom 'PART PRT BEVERUE DEF' - "PART\_PET\_REVERSE (PPART a to p al) = SED (SED al)";; - les PART\_BIA1\_BEF new\_recursive\_definition false Part\_Agion 'PART\_DIA\_DEF' - "(PART\_DIA1 (SPART s ec st s2) = s1)";; - let PART\_BIA2\_DEF = max\_recursive\_definition false Pers\_Asies 'PART\_BIAS\_DEF' - "(PART\_DIA2 (SPART & tc at a2) " a2)";; - Y- predicates on Parts -Y - let 18\_BPART\_DEF new\_recursive\_definition false Part Asies 'IS SPART DEF' - "(18\_BPART (SPART a) = T)/\ - (18\_SPART (TPART = 1) = 5) /\ - (IS\_SPART (SPART a t at a2) a F) /\ - (IS\_SPART (PPART m t p m3) = F)"|1 - let IS\_TPART\_BEF = new\_recursive\_definition false Part\_Aries 'IS\_TPART\_DEF' - "(IS\_TPART (BPART m) = F)/\ - (IS\_TPART (TPART a t) = T) / ``` (IS_TPART (DPART m t m1 m2) = F) / (IS. TPART (PPART n t n n3) . F)":: let IS_DPART_DEF = new_recursive_definition false Pers Agion 'IS SPART DEF' "(IR_DPART (SPART a) = F)/\ (IS_BPART (TPART a t) . F) / (18_DPART (DPART a t at a2) = T) / (IS_DPART (PPART a 1 p m3) = F)"; let IS_PPART_DEF - new_recursive_definition false Part Agies 'IS PPART DEP' '(IS PPART (SPART m) = F)/\ (IS_PPART (TPART m s) = F) /\ (18_PPART (DPART a t at m2) = F) /\ (IS_PPART (PPART a t p a3) = T)";; I The type Hibl combines signals and joins for used as edge labels 1------ les Elbl_Agies = define_type 'Elbl_Agies' 'Elbl - ELSESIG Join Signal | ELSE Join':: let $161_leduct = days_the ('Elbl_Induct', prove_induction_thm Elbl_ision);; let Elbl.one.one " save.thm ('Elbl_one_one', prove_constructors_one_one Elbl_Axion);; lot Elbl_distinct . 
save_thm ('Elbl_distinct', preva_constructors_distinct Elbl_Azion); lot Elbl_cases * save_thm ('Elbl_cases', prove_cases_the Elbl.Induct):: les If_ELBL_SIGNAL_DEF - new_recursive_definition false Blb1 Agtes '15 BLBL SIGNAL DEF "IS REAL SIGNAL (SERESIG 1 a) - T-:: let ELBL_SIGNAL_DEF = see_recursive_definition false Elbl_Axion 'ELBL_SIGNAL_DEF' "ELBL_SIGNAL (ELBLSIG | e) = a";; let HLBL_1018_DEF = new_recursive_definition false Elbl Axion 'ELBL 1018 DEF' "(ELBL 1018 (ELBLSIG | a) = 1) // (REAL_1018 (REAL 1) = 1)";; class_theory():: ``` ### B.9 The file mk\_network.ml FILE: Setwork.ml | AUTHOR: W. WORD | | |------------------------------------------------------------------------|------| | | | | new_theory 'HETWORE';;<br>load_library'graph';; | | | room"vinterà Brobe :: | | | add_te_search_path '/sigmal/';; | | | Bell parent 'PART'; | | | autolead_all'PART';; | | | Tautelend_all'signal';; | | | nutolend_all'trach';;[% | | | nem_type_abbrev('Hotsork', ":(Part)setS(PartSPartSE(b1)set");; | | | [ | | | M MFC (Bot Fully Connected) is true if more connection can be made tol | | | I a node | | | h | | | let MFC_DEF = new_recursive_definition false Part_Anjem 'SFC_DEF' | | | "(SPC (N: Network) (NPART a) = (IN DEGREE N (NPART a) < 1)) / | | | (SPC (B:Setwork) (TPARY m t) = (IN_REGREE N (TPARY m t) < 2)) /\ | | | (SFC (S:Setwork) (PPART a t P a3) = (IS_DEGREE S (PPART a t P a3) < | 911 | | (HFC (B: Betwerk) (DPART m t mi m2) = (IM_DEGREE H (DPART m t m1 m2) | < 41 | | *************************************** | | | I SJOID operation | | | I Two udges at ans s2 and passibly one vertex s2 can be added to as I | | | axisting notwork using this operation. They must satisfy the | | | T proceeded from the second of the deduction | | | | | | let BJDIS_BEF = set_definition('BJDIS_BEF'. | | | "BJGIS (E:Setsork) (a1:Part) (a1:Elb1) a2 a2 = | | | ((=1,=2,=1) 189ERT_EDGE ((=2,=1,=2) 189ERT_EDGE | | | (#2 184EST_ARBIEX #))).).)! 
| | | }t | | | A Well Formed Setwork (MFS) is a finite graph of type :Setwerh I | | | I with the following restrictions specified by SETWORE I | | | [ | | | let METHORE_DEF - mee_definition('METHORE_DEF', | | | "SETWORK (B: Setwork) = | | | IP.(()n. P(((EPART n)), ( ))) /\ | | | (In t. P(((TPART n t)), ( ))) /\ | | | (in t p m3. F({(PPART m t p m3)}, { })) /\ | | | (In t mi m2. F({(DPART m t mi m2)}, ( ))) /\ | | | (18 p1 p2. (P B) /\ (p1 15_VENTER B) /\ | | | '(pi = p2) /\ (BFC H p11 /\ (BFC H p2) | | | (1st s2. P(BJGIH H st s1 s2 s2)))) | | | 00) P B");; | | | | | | å single part of all kinds in a netuerk | | | F | | - let HETWORK\_HUPPER prove\_thm('HETWORK\_HUPPER', -is. RETWORK\_((LEPAIT a)), ( ))HERS REPEAT GEN\_TAC THOSE STRIP\_TAC THESE REPEAT GEN\_TAC THOSE STRIP\_TAC THESE ARE HERNITH TACE[); - les HETWORK\_TRACE preve\_shm('HETWORK\_TRACE', -in s. HETWORK (((TPART n s)), ())-, AMPHITE\_TAC(HETWORK\_NEW) THEN APPART ARE\_TAC THEN STRIP\_TAC THEN ARP HERBITE TAC(1): - let HETMORE POINT = preve\_shm("HETMORE\_POINT", -'in = p nh. HETMORE\_(((PPART n = p nh)), ( ))", AMMORTE\_ACC\_HETMORE\_DENT THEN REPERT END\_TACT THEN STRIP\_TAC THEN RAPERT END\_TACT(): - low SETWORS\_DIAR = prove\_thm("SETWORS\_DIAR", "In a mi nd. SETWORS\_(GUPART n u ni nd)), ( ))", RESSITE, VAC(SETWORS\_DEF) TERS REPRET 4ES\_TAC THES STRIP\_TAC THES AND RESSITE ACTION. - let ENTHGRE\_SIMP = prove\_thm('HETHGRE\_SIMP', "In. RETUGRE\_((a), ())", GEN\_TAG THER HD\_TAG (SPEC' == Part\_cases) THER STRIRE\_TAG THER HD\_TAG (SPEC' == Part\_cases) THER STRIRE\_TAG THER PSP\_SSIUM (\t. PURE\_SIGE\_REMNITE\_TAG[0]) HUBBLE BATCH\_ACCEPT\_TAG RETUGRE\_SUPPRE: BATCH\_ACCEPT\_TAG RETUGRE\_THAGE; BATCH\_ACCEPT\_TAG RETUGRE\_PSP\_SIMPLE; BATCH\_ACCEPT\_TAG RETUGRE\_PSP\_SIMPLE; BATCH\_ACCEPT\_TAG RETUGRE\_PSP\_SIMPLE; BATCH\_ACCEPT\_TAG RETUGRE\_PSP\_SIMPLE; - let STREAM\_BUSIS = prove\_tam('STREAM\_BUSIS', "IS. (STREAM B) -> ('IS 52. 
(a) IS./USITE B) /\ '(A) = a2 /\ ('FFC 10.1) /\ (SFC 10.2) -> ('IS 52. (a) IS./USITE B) /\ '(A) = a2 /\ ('FFC 10.1) /\ (SFC 10.2) -> ('IS 52. STREAM (SJOID 8 at a1 52 02)))", ('IS 52. STREAM (SJOID 8 at a1 52 02)))", ('IS 52. STREAM (SJOID 8 at a1 52 02)))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02)))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02)))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02)))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at a1 52 02))", ('IS 10.1 STREAM (SJOID 8 at - les ERTWORM\_IRDOCT = 
preve\_thm('SETWORM\_IRDOCT', -TB.(in P((GPART ml), { }))) // (in n p ml. P((GPART ml), { }))) // (in n p ml. P((GPART ml), { }))) // (in n p ml. P((GPART ml), { })) // (in n p ml. P((GPART ml), { })) // (in n p ml. P((GPART ml), { })) // (in n p ml. P((GPART ml), { }) // (p ml. Referrat N) // (p ml. Pl) // (in n ml. Referrat N) // (p ml. Pl) // (in n ml. P(EROSE N) // (p ml. Pl) // (in n ml. P(EROSE N) // (p ml. Pl) // (in n ml. P(EROSE N) // (p ml. Pl) // (in n ml. P(EROSE N) // (p ml. Pl) // (p ml. Pl) // (in n ml. P(EROSE N) // (p ml. Pl) ml (18. BETWORK # --> P E)", PORE OFCE ASSESTE TACCHETHORS DEPT THEN REPEAT STRIP. TAC THEN PIRRY ANNUM MATCH MP. TAC. THEN REPRAT CORD\_TAG THEN FIRST\_ASSUR NATCH\_ACCEPT\_TAG);; I SETWORE\_INDUCT\_TAC performs induction on network. It reduces a goal of the form (B. HETHIGHE B and P[B] to five subgoals which are the hypothesis of the theorem SETHORS\_INDUCT, 1.o. IS RETURNED IN .... PERT PERSONS INDUCT. TAC PERI PERI PERI PERSONAL PERSONAL let SETWORE\_ISDUCT\_TAC (A,t) = (let (s,bedy) = dest\_forall t in let pre = and (dest\_imp body) in let tyl " and(match (fit (dest\_ferall (cent) HETWORE\_INDUCT))) "\"s.T") in let spec = SPEC (mk\_mbs (s.pre)) (IEST\_TYPE tys SETWORK\_INDECT) in let spec' - DISCH\_ALL (COSV\_BULE (GRS\_ALPHA\_COSV g) (UNDISCH spec)) in let the " COSY\_BULE(TOP\_DEPTH\_COSY SETA\_COSY) spec' is let tec " (MATCH\_RP\_TAC the THEE REPEAT COSS\_TAC) is (tac (a,t))) 7 failuith 'BETWORE | INDUCT\_TAC';; 144 SPC SIMP = let LERMA1 - TAC\_PROOF(([]. "(a. ISCIDENT\_TO (((p),()): Batmark) p = ()"), GEN\_TAC THEN PURE\_RENRITE\_TAC[INCIDENT\_TO\_MET; IS\_EDGE\_DEF; EDGES; EXTENSION] THEN CONV. TAC (DEPTH\_CONV NET\_SPINC\_CONV) THEN ASSESTED TACINOT IN COPTAIN prove\_shm('EPC\_SIRP', "in. EPC ((n),()) a", GEN\_TAC THEN HP\_TAC (SPEC "s" Part cases) THEN STPIP\_TAC THEE POP\_ASSUM (\t. 
PURE\_ONCE\_REWRITE\_TAC[t]) THEE PURE REVRITE TAC [UFC\_DEF; IN\_DEGREE\_DEF; INCIDENT\_TO\_DEF; LEMMA1] THEN CONV\_TAC (DECK\_DEPTH\_CONV ===\_CONV) THE REMAITE VACCARD COPTY LESS Of Last let IN\_INSERT\_ARRORS = TAC.PROOF(([]. "to (2:0), (a 18 a) => ((a 189007 a) = a)"). PRINT BRUDITE TACTIONED OF EXTERNION THEN REPEAT STRIP\_TAC THEN CONV\_TAC (CHCH\_DEPTH\_CONV SET\_SPEC\_CONV) THEN EQ. TAC THEN STRIP\_TAC THEN ASS\_RESDITE\_TAC[]);; les BJOIR\_REP - prove\_the('BJOIR\_REP', "I(#: Betweek) at at al al (at 19\_VERTER B) /\ '(a2 18\_VERTER B) -> ((SJOIS & st st s2 s2) -((m2 IMBRAT (VS 21)). ((a1,a2,a1) ISSERT ((a2,a1,a2) ISSERT ((ES B))))))-. REPEAT GED. TAC THEN STRIP. TAC THEN PURE DECK REMRITE TACINIDES NEW! THEN PURE\_GREE ARMSTE\_TAC[188107\_6048\_DEF] THEN PURE DUCK RESIDENTS TACKETTED JOSEPH COME THE PURE SHOE ARMS ITE TACE . arc ; a. deal THEN PURE DICK RESIDENT TACTURERS IN THE VERTEX! THES ASS\_REMRITE\_TAC(VERTICES; Encies) ``` THEN PURE ORCE REMRITE TACTIFICAT. EDGE. DEFT THEN PURE OUCH REMRITE TAC[VERTEX | HOURT EDGE] THEN PURE COCK ASSESTE TAC [ a proje dee] THEN PURE OGCE ASSISTE TAC[VERTEX_IS_ISS_VERTEX] THEN ASS RESIDITE TACTVESTICES EDGES : IRRENT_VERTEX_DEF; EDGES_ISSERT_VERTEX]);; les $3018 EXP2 - preve thm('$3018 EXP2'. "((B:Betwerk) at at a2 g2. (at 15 VERTER S) /\ (a2 15 VERTER S) ---- ((BJDIB B at at a2 a2) = ((75 B), ((a1,a2,a1) ISSERT ((a2,a1,a2) [SSERT ((ES E)))))", REPRAY ORD TAC THES STRIP TAC THEN PURE ORCH REPORTE TACCHIOLS DEFT THEN PURE ORCE REVEITE TAC[INNET_EDGE_DEF] THEN PURE CHCK_RESIDITE_TAC(VENTER_INSERT_EDGE) THEN PURE QUEE LENGTH TACE . arc : a. deel THEN ASK RESERVED TACTURETICES : EDGES! THES PURE ORCE REMRITE TAC[INSERT_EDGE_DEF] THEN PURE GROW RESERVE TAC [VERTEX 1888RT EDGE] THEF PURE ORCE BENEITS TACE are: a deal THE PURE DECE RESELTS TAC (VERTEX 18 185 VERTEX) THEN POP_ASSUM (\c. ASSUME_TAC (PURE_ORCE_REMAITE_MALE[IS_VERTEX_DEF] c)) THER ASS. REVELTE TACIVERTICES : EDGES . 
INSERT_VERYEX_DEF : EDGES_INSERT_VERTEX] THEN IMP_RES_THEN SURSTS_TAC IN_INSERT_ARRORP THEN REFL_TAC);; E SETUDBER are graphs E let BETWORE_GRAPH = preve_the('BETWORE_GRAPH', "IS. SETHORE S -> GRAPE S". BETWORK INDUCT TAC THRUL! REMBITS TACTORAPH DEF: SOT IN EMPTY]: REMRITE TACTORAPH DEF: NOT IN EMPTY) REWRITE TAC[GRAPH_DEF; BOT_IS_EMPTY]; REMRITE_TAC[GRAPH_DEF; HOT_IN_SHPTY]; PURE_CROS BENEVITE TAC[SIGIR_DEF] THEN REPEAT STRIP_TAC THE MATCH OF TAC GRAPH | HERBY ROOM THER HATCH MP TAC GRAPH INSERT ROOM THEN MATCH MP TAC GRAPH INSERT VERTER THEN FIRST ASSUM ACCEPT TACT) :: let lemma = TAC_PROOF(([]. "1(G:"Graph) v. (GRAPH G) --> (INCIDENT_MITM Q v = ()) -> (INCIDENT_TO Q v = {})"), REPRAT CENTAC THEM STRIP_TAC THEN PURE_ORCE_RENEITE_TAC[18C1DEST_WITH_DEF;18C1DEST_TO_DEF] THEN PURE ORCE REMAITS TACTESTERS [08] THES CONV_TAG (DEPTH_CONV SET_SPEC_CONV) THEN REWRITE TAC[BOT_IN_EMPTY] THEN DISCRITURE (\s. NP_TAC (RENDITE_RULE[DE_RURGAN_THE] 1)) THEN COMV. TAC RIGHT_IMP_FORALL_COMV THEN GEN_TAC THEN DIRCH THEN (to. STRIP ASSURE TAC (ARWRITE BERRELEFT_DR. OVER_AND] t)) THER ASH_REWRITE_TAC[DE_HORGAN_THR]);; let HGT_VER_IMP_HFC = preve_the('HGT_VER_IMP_HFC', "((Billetoork) p. (BETHORN B) -> "(p IS_VERTER B) -> (SFC B p)". ``` ``` REPEAT ORS THE THER STREET THE THEN STRIP_ASSUME_TAC (SPEC "n:Part" Part_cases) THE POP. ASSUM SURST1. TAC THES PURE ORCE REMOTTE TACINEC DEFT. THE STRIP.TAC THES MAP SURRY INPLANTAGE [BETWORE GRAPH : NOT VER INCIDENT EMPTY] THE PURE ORCE RESERVE TAC [18 DECREE DEF] THEN THE RES TAC LORDS THEN POP ASSUR SURET! TAC THEN CONV_TAC (DECK_DEPTH_CONV num_CONV) THEN RENDITE TAC[CARD_DUPTY : LENG_0]) :: lot FIRITE_IRRENT_EDGE = TAC_PROOF(([]). "((G: "Graph) a. FISITE (ES (a 188ERT_EDGE G)) = FISITE(ES G)"). REPEAT ORS THE PURE RENRITE TAC[188837_BMCE_DEF; EDGES] THOSE COME CARRY TAC THES PURS_RESERVE THE TAC [FINITE_INSERT] THES REFL_TAC);; let SETWORE_FIRITE " prove_thm('SETWORE_FIRITE'. "IS. SETHORE S -> PINITE (VS S) /\ PINITE (RE S)". SETWORE_SUDUCT. 
TAC THESE! RESERVE TACCOUNTIONS STORES PIRITE REPTY PIRITE STORES REMRITE TACCVERTICES EDGES FIRITE EMPTY FIRITE STREET RENDITE_TAC(VERTICES : EDGES : FIBITE_EDGTY . FIBITE_SING) : REMRITE_TAC[VERTICES : EDGE: PIBITE_EDGTT : PIBITE_SING] : REPEAT STRIP TAG THEN PURE ANYRITE TAG [BJOIN DOF) THERE! ARE REPRITE TACFFIRITE INSERT! VERTICES! VERTICES_INSERT_EDGE: IMMERT_VERTEX_DEF]; ASH_RENDITE_TAC(VIBITE_INSERT_EDGE:EDGES_IDSERT_VERTER)));; lot SETUCRE_FIRITE_GRAPS = prove_thm('SETUCRE_FIRITE_GRAPS', "IN METWORE & -> FINITE_GRAPH B". SELTAC THE DISCH TAC THEN PURE ORCE ABORTTE TAC [FIRSTE GRAPH DEF] THE IMP_RES_TAG BETWORK_GRAPH THEN THE REN YAC METHORS PLRITS THEN PURE ASS REMNITE TAC(AND CLAUSES) :: les CORRECT LERMA . TAC PRODUCCES. "!(G: Graph) p. (CONNECTED Q) /\ (p IS_VERTEX Q) -> IV. (V IS_VERTER 0) /\ '(V = p) --> (71. (PATE Q 1) /\ (w = PATE_ESTRY 1) /\ (p = PATE_ESIT 1))-), AMERICA TAC [GRANCTER_REF] THEN REPEAT GES_TAC THEN STRIP_TAC THER CHILTAC THEN STRIP TAC THEN RESUTAC THEN EXISTS_TAC "1.("Edge)list" THEN REPEAT CONJ.TAC THER FIRST ASSUR MATCH ACCEPT TAC) :: les COMMECT_LENHAS - TAC_PRODF(([]. "(d: 'draph) p. (CORRECTED G) /\ (p | E_VERTEX G) --> (v. (v IS_VERTEX 6) /\ "(v = p) ==> (71. (PATH G 1) /\ (n = PATH_ERITRY 1) /\ (w = PATH_ERIT 1))-). RESIDETS_TAC[COMMISSION_MEN] THEN REPEAT CEN_TAC THEN STREP_TAC THEN QUELTAC THEN STRIP, TAC THEN POP_ASSUM (\nam. ASSURE_TAC (COST_BULE (ORCE_DEPTH_COST SYN_COST) nam)) THEN ANNUM_LINY (\an1, IMP_RES_TAC (SPEC "v" (SPEC "p" (ol 4 asl)))) THER REISTS_TAC "1:("Edge)list" THES REPEAT CONJ_TAC THEN PIRST, ASSUN HATCH, ACCEPT, TAC) :: ``` ``` les MOT_IN_DISJOINT_SETS = TAC_PROOF(([]). "in (t:(0)not) DISIDIST a t = (iz. '((z IS a) /\ (z IS b)))"), PORS_SUCK_RESELTS_TAC[DISJSIST_BEF] THES PERS SECREMENTS TAC($27501161) TIXE PURE CHCK RESILITE TACTIFFER DEFT THER CORY_TAC (ORCE_DEPTH_CONV NET_SPEC_CONV) THEN RENRITE_TAC[NOT_IS_SEPTY]):: les Disjoint so common - Tac Proop((f) "14 (1:(4)444) DISIBIRT - - ---- ta v. 
(x II e) /\ (v II t) -> "(x = v)"). PRES, CHCE RESERVE TAC [BOT_IS_DISJOINT_SETS] THES REPEAT CEN_TAC THEN DISCH_TAC THEN REPEAT CEN_TAC THEN DISCH_TAC THEN STRIP_TAC THEN UNDISCH_TAC "# 18 # /\ y 18 1" THEN ASS. REVELTE TACETO:: 1 (- DISJOIST(SS B1)(VS S2) --> (In y. s IS_VERTER S1 /\ v IS_VERTER S2 -> "(z - v)) % les BJGIS_VERTICES - let w = CDEV_BULE (GECE_DEPTE_COSV SYN_COSV) IS_VENTER_DEF in PURE ORCH RESERVE AMERICAL (ISPEC "(TE (B2:Betmark))" (ISPEC "VS (B1: Betwork)" DISJGIST_SG_COMMGS));; let 4_lenna = TAC_PROSF(([], "!G1 G2. (GRAPH G1) /\ (GRAPH G2) --> 191 92 23 22. GRAPH ((91,92,21) INSERT_EDGE ((92,91,22) INSERT_EDGE (41 4 DRIOS 4211)*) REPEAT STRIP TAC THES HATCH SP TAC GRAPH 189ERY PROP THER HAYCE MP. TAC GRAPH INSERT_EDGE THEN INPURES TAC GRAPH UNION) :: let P_letme = TAC_PRODF(([]). "(61 62 1. (GRAPE 61) /\ (GRAPE 62) /\ ((PATE 01 1) \/ (PATE 02 1)) --- | w1 w2 x1 x2. PATE ((w1.w2.x1) ISSERT_EDGE ((w2.w1.x2) ISSERT EDGE (d1 d_UHIOS 42))) 1"). REPRAT STRIP, TAC THES HATCH MP. TAC PATH ... INS .. STREET THEN HATCH MP TAC PATH ING MINGE THESE! ALL_TAC; PURE_GROS REWRITE TACIG UNION SYNIT THER IMP_RES_TAC PATH_G_UHION);; let BETWORK_COMMECTED = prove_the('SETWORK COMMECTED' "IS SETHOLE S -> COSSECTED S". SETUDRE_ISDUCT_TAC THESE [ $1.2.3.45 MATCH_ACCEPT_TAC COMMECTED_SING. BATCH ACCEPT TAC CONTECTED $184 MATCH_ACCEPT_TAC COMMECTED $180: HATCH_ACCEPT_TAC CONSECTED_SING; REPEAT ONE THE STRIP TAG THEN PURE DUCK REMNITE TAG (COMMECTED DEF) THE REPEAT GEN_TAC THEN CONJ. TAC THEN PURE_CHCK_RENDITS_TAC[BJGIN_DEF] THERMAL TRAINS NATCH MP. TAC GRAPH INSERT EDGE THEN NATCH MP. TAC GRAPH INSERT EDGE THEN MATCH_MP_TAC GRAPH_INSERT_VERTEX THEN IMP_RES_TAC CONSECTED_GRAPH; 16.21 ``` ARM CASES TAC "n2 15 VERTES (B:Betmark)" THESL! \$ 6.2.1 pt 18\_VERTEX B /\ p2 18\_VERTEX B T THE RES TAC CONSECTED GRAPH THEN THE BUS TAC V. INSERT. ANSCR. 
```
close_theory();;
```

# Appendix C

# Listings of the verifier

This appendix lists the ML source files of the network verifier, which consists of the following files:

| File | Contents |
|------|----------|
| rail.grm | the input grammar of the parser |
| rail_decls.ml | declarations of the parser generated by the parser generator |
| rail.ml | functions of the parser generated by the parser generator |
| rail_help.ml | functions used by the parser |
| rail_load.ml | loader of the verifier |
| ver_network.ml | verifier functions |
| mk_verifier.ml | source for creating the base theory in which the verifier works |
| Makefile | makefile for compiling the verifier |

Since the files rail.ml and rail_decls.ml are generated automatically and
very long, they are not listed.

## C.1 The file rail.grm

```
FIRST_CHARS `A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9`.
CHARS `A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9 _`.

MAIN_LOOP --> definition_part construction_part [EOF].

definition_part --> [DEFINITION] def_list.
def_list --> def def_list | [].
def --> bpart | tpart | ppart | dpart | tcir | point | signal | edgejoin | edgesig.
bpart --> [BPART] {def_bpart(TOKEN)}.
tpart --> [TPART] {def_tpart(TOKEN, TOKEN)}.
ppart --> [PPART] {def_ppart(TOKEN, TOKEN, TOKEN, point_conn)}.
dpart --> [DPART] {def_dpart(TOKEN, TOKEN, diam_conn, diam_conn)}.
point_conn --> [(] {get_point(TOKEN, TOKEN, TOKEN)} [)].
diam_conn --> [(] {get_diam(TOKEN, TOKEN)} [)].
tcir --> [TCIR] {def_tcir(TOKEN)}.
point --> [POINT] {def_point(TOKEN)}.
signal --> [SIGNAL] {def_signal(TOKEN, TOKEN)}.
edgejoin --> [EDGEJOIN] {def_ejoin(TOKEN, TOKEN)}.
edgesig --> [EDGESIG] {def_esig(TOKEN, TOKEN, TOKEN)}.

construction_part --> [CONSTRUCTION] simp_op net_op_list.
net_op_list --> net_op net_op_list | [].
net_op --> njoin_op | edge_op.
simp_op --> [SIMP] {mk_simp(TOKEN)}.
njoin_op --> [NJOIN] {mk_njoin(part_names, edge_names)}.
edge_op --> [EDGE] {mk_edge(part_names, edge_names)}.
part_names --> {get_parts(TOKEN, TOKEN)}.
edge_names --> {get_edges(TOKEN, TOKEN)}.
```

## C.2 The file rail_help.ml

```
% load_theory `verifier`;; %

let tcir_func   = "tcf";;
let putpen_func = "putpen";;
let putloc_func = "putloc";;
let Msig_func   = "M_sig";;
let Jsig_func   = "J_sig";;
let Subsig_func = "Sub_sig";;
let Shsig_func  = "Sh_sig";;
let no_thm = TRUTH;;
let is_upper s = % : string -> bool %
  let code = ascii_code s in
  let code_A = (ascii_code `A`) - 1
  and code_Z = (ascii_code `Z`) + 1 in
  ((code > code_A) & (code < code_Z));;

let is_lower s = % : string -> bool %
  let code = ascii_code s in
  let code_a = (ascii_code `a`) - 1
  and code_z = (ascii_code `z`) + 1 in
  ((code > code_a) & (code < code_z));;

let tolower s = % : string -> string %
  if (is_upper s) then
    let code = (ascii_code s) - (ascii_code `A`) in
    (ascii ((ascii_code `a`) + code))
  else s;;

let toupper s = % : string -> string %
  if (is_lower s) then
    let code = (ascii_code s) - (ascii_code `a`) in
    (ascii ((ascii_code `A`) + code))
  else s;;

let lower_string s = implode (map tolower (explode s));;
let upper_string s = implode (map toupper (explode s));;

let is_digit s = % : string -> bool %
  let code = ascii_code s in
  let code_0 = (ascii_code `0`) - 1
  and code_9 = (ascii_code `9`) + 1 in
  ((code > code_0) & (code < code_9));;

let is_num s = % : string -> bool %
  forall is_digit (explode s);;

% a part name is one of B, T, D, P followed by a number %
let is_part s = % : string -> bool %
  let sl = (explode s) in
  (mem (hd sl) [`B`; `T`; `D`; `P`]) & (forall is_digit (tl sl));;

% an edge label name is j (join) or s (join with signal) followed by a number %
let is_edge s = % : string -> bool %
  let sl = (explode s) in
  (mem (hd sl) [`j`; `s`]) & (forall is_digit (tl sl));;

let mk_num s = % : string -> term %
  mk_const(s, ":num");;

let def_point id = % : string -> string list # thm %
  if (is_num id) then
    (let ptname = `N` ^ id in
     let t = mk_eq(mk_var(ptname, ":Point"),
       mk_comb( mk_comb( mk_comb("POINT", mk_const(id, ":num")),
                         putpen_func), putloc_func)) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting a number as point ID (def_point)`;;

let def_tcir id = % : string -> string list # thm %
  if (is_num id) then
    (let ptname = `C` ^ id in
     let t = mk_eq(mk_var(ptname, ":Tcir"),
       mk_comb(mk_comb("TCIR", mk_const(id, ":num")), tcir_func)) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting a number as circuit ID (def_tcir)`;;

let get_point (s1, s2, s3) = % : (string # string # string) -> (string list # thm) %
  if (is_num s1) & (is_num s2) & (is_num s3) then ([s1; s2; s3], no_thm)
  else failwith `expecting three numbers as adjacent part ID's (get_point)`;;

let get_diam (s1, s2) = % : (string # string) -> (string list # thm) %
  if (is_num s1) & (is_num s2) then ([s1; s2], no_thm)
  else failwith `expecting two numbers as adjacent part ID's (get_diam)`;;

let def_bpart s = % : string -> string list # thm %
  if (is_num s) then
    (let ptname = `B` ^ s in
     let t = mk_eq(mk_var(ptname, ":Part"), mk_comb("BPART", (mk_num s))) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting a number as part ID (def_bpart)`;;

let def_tpart (id, tc) = % : (string # string) -> (string list # thm) %
  if ((is_num id) & (is_num tc)) then
    (let ptname = `T` ^ id in
     let tcir = mk_const((`C` ^ tc), ":Tcir") in
     let t = mk_eq(mk_var(ptname, ":Part"),
       mk_comb( mk_comb("TPART", (mk_num id)), tcir)) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting two numbers as ID's (def_tpart)`;;

let def_ppart (id, cid, pid, ([trail; norm; rev], th)) =
  % : (string # string # string # (string list # thm)) -> (string list # thm) %
  if (is_num id) & (is_num cid) & (is_num pid) then
    (let ptname = `P` ^ id in
     let tcir = mk_const((`C` ^ cid), ":Tcir") in
     let pnt = mk_const((`N` ^ pid), ":Point") in
     let tri = mk_pair( (mk_num trail), mk_pair( (mk_num norm), (mk_num rev))) in
     let t = mk_eq( mk_var(ptname, ":Part"),
       mk_comb( mk_comb( mk_comb( mk_comb("PPART", (mk_num id)), tcir), pnt), tri)) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting three numbers as ID's (def_ppart)`;;

let def_dpart (id, cid, ([pa1;pa2], th1), ([pb1;pb2], th2)) =
  % : string # string # (string list # thm) # (string list # thm) -> (string list # thm) %
  if (is_num id) & (is_num cid) then
    (let ptname = `D` ^ id in
     let tcir = mk_const((`C` ^ cid), ":Tcir") in
     let l1 = mk_pair((mk_num pa1), (mk_num pa2)) in
     let l2 = mk_pair((mk_num pb1), (mk_num pb2)) in
     let t = mk_eq( mk_var(ptname, ":Part"),
       mk_comb( mk_comb( mk_comb( mk_comb("DPART", (mk_num id)), tcir), l1), l2)) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting two numbers as ID's (def_dpart)`;;

let def_signal (id, stype) = % : (string # string) -> string list # thm %
  if (is_num id) then
    (let ptname = `S` ^ id in
     let rhs = case stype of
         `MAIN` . (mk_comb( mk_comb("SIGNALM", (mk_num id)), Msig_func))
       | `MAIN_JUNC` . ( mk_comb( mk_comb( mk_comb("SIGNALMJ", (mk_num id)),
                           Msig_func), Jsig_func))
       | `MAIN_SUB` . ( mk_comb( mk_comb( mk_comb("SIGNALMS", (mk_num id)),
                           Msig_func), Subsig_func))
       | `MAIN_SUB_JUNC` . ( mk_comb( mk_comb( mk_comb( mk_comb("SIGNALMSJ", (mk_num id)),
                           Msig_func), Subsig_func), Jsig_func))
       | `SHUNT` . (mk_comb( mk_comb("SIGNALS", (mk_num id)), Shsig_func)) in
     let t = mk_eq( mk_var(ptname, ":Signal"), rhs) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting a number as ID (def_signal)`;;

let def_ejoin (id, jtype) = % : string # string -> string list # thm %
  if (is_num id) then
    (let ptname = `j` ^ id in
     let jtp = mk_const((`J_` ^ (lower_string jtype)), ":Join") in
     let t = mk_eq( mk_var(ptname, ":Elbl"), mk_comb("ELBL", jtp)) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting a number as ID (def_ejoin)`;;

let def_esig (id, jtype, sig) = % : string # string # string -> string list # thm %
  if (is_num id) & (is_num sig) then
    (let ptname = `s` ^ id in
     let jtp = mk_const((`J_` ^ (lower_string jtype)), ":Join") in
     let t = mk_eq( mk_var(ptname, ":Elbl"),
       mk_comb( mk_comb("ELBLSIG", jtp), mk_const((`S` ^ sig), ":Signal"))) in
     ([ptname], new_definition(ptname, t)))
  else failwith `expecting a number as ID (def_esig)`;;

%----------------------------------------------------%
% functions for construction part                    %
%----------------------------------------------------%
letref rail_tmp_thm = TRUTH;;

let mk_simp pt = % : string -> (string list # thm) %
  let t = mk_const(pt, ":Part") in
  let th = prove_simple_network t in
  ([pt], (rail_tmp_thm := save_thm((pt ^ `THM`), th)));;

let mk_njoin (([pt1; pt2], t1:thm), ([ed1; ed2], t2:thm)) =
  % : (string list # thm) # (string list # thm) -> (string list # thm) %
  let p1 = mk_const(pt1, ":Part") in
  let p2 = mk_const(pt2, ":Part") in
  let e1 = mk_const(ed1, ":Elbl") in
  let e2 = mk_const(ed2, ":Elbl") in
  let th = prove_network_njoin rail_tmp_thm p1 p2 e1 e2 in
  ([pt2], (rail_tmp_thm := save_thm((pt2 ^ `THM`), th)));;

let mk_edge (([pt1; pt2], t1:thm), ([ed1; ed2], t2:thm)) =
  % : (string list # thm) # (string list # thm) -> (string list # thm) %
  let p1 = mk_const(pt1, ":Part") in
  let p2 = mk_const(pt2, ":Part") in
  let e1 = mk_const(ed1, ":Elbl") in
  let e2 = mk_const(ed2, ":Elbl") in
  let th = prove_network_edge rail_tmp_thm p1 p2 e1 e2 in
  ([pt2], (rail_tmp_thm := save_thm((pt2 ^ `THM`), th)));;

let get_parts (s1, s2) = % : (string # string) -> (string list # thm) %
  if (is_part s1) & (is_part s2) then ([s1; s2], no_thm)
  else failwith `expecting two parts (get_parts)`;;

let get_edges (s1, s2) = % : (string # string) -> (string list # thm) %
  if (is_edge s1) & (is_edge s2) then ([s1; s2], no_thm)
  else failwith `expecting two edges (get_edges)`;;
```

## C.3 The file rail_load.ml

```
% Generated parser load file %
% First load some basic definitions: %
loadf `/home/quail/hol/Library/parser/general`;;

% Insert any other files you want loaded here: %
add_to_search_path `../signal/`;;
add_to_search_path `../network/`;;
```

## C.4 The file ver_network.ml

```
% FILE: ver_network.ml
  A railway network verifier
  AUTHOR: Wai Wong
  DATE: 8 Jan 1992 %

%--------------------------------------------------------------------%
% prove_simple_network = - : conv
  prove_simple_network p returns a theorem |- NETWORK ({p}, {})
  iff p is a part, i.e. of type :Part. %
%--------------------------------------------------------------------%
let prove_simple_network p =
  SPEC p NETWORK_SIMP ? failwith `prove_simple_network`;;

%--------------------------------------------------------------------%
% prove_in_network = - : (term -> conv)
  prove_in_network p n returns a theorem |- p IS_VERTEX n
  iff p is a part in the network n. %
%--------------------------------------------------------------------%
let prove_in_network p n =
  TAC_PROOF(([], "^p IS_VERTEX ^n"),
    PURE_ONCE_REWRITE_TAC[IS_VERTEX_DEF]
    THEN PURE_ONCE_REWRITE_TAC[VERTICES]
    THEN CONV_TAC (IN_CONV ALL_CONV))
  ? failwith (`not in network`);;

%--------------------------------------------------------------------%
% pair_EQ_CONV = - : conv -> conv
  pair_EQ_CONV conv "(...,xi,...) = (...,yi,...)" --->
    |- ((...,xi,...) = (...,yi,...)) = T   iff (xi = yi) for all i
    |- ((...,xi,...) = (...,yi,...)) = F   otherwise
  conv is used to prove (xi = yi); typically it will be num_EQ_CONV
  for fields of type :num and bool_EQ_CONV for type :bool. %
%--------------------------------------------------------------------%
let pair_EQ_CONV conv tm =
  let _,[lhs;rhs] = strip_comb tm in
  if (lhs = rhs) then (REWRITE_CONV REFL_CLAUSE tm)
  else
    (let th1 = TOP_DEPTH_CONV (REWRITE_CONV PAIR_EQ) tm in
     (PURE_REWRITE_RULE[AND_CLAUSES; NOT_CLAUSES]
        (RIGHT_CONV_RULE (DEPTH_CONV conv) th1)))
  ? failwith `pair_EQ_CONV`;;

%--------------------------------------------------------------------%
% Part_EQ_CONV = - : conv
  Part_EQ_CONV "(XPART ...) = (X'PART ...)" --->
    |- ((XPART ...) = (X'PART ...)) = T   iff the two parts are syntactically identical
    |- ((XPART ...) = (X'PART ...)) = F   otherwise %
%--------------------------------------------------------------------%
let Part_EQ_CONV tm =
  let _,[lhs;rhs] = strip_comb tm in
  let find_def t =
    if (is_const t) then definition (current_theory()) (fst (dest_const t))
    else TRUTH in
  if (lhs = rhs) then (REWRITE_CONV REFL_CLAUSE tm)
  else
    (let lhsdef = find_def lhs in
     let rhsdef = find_def rhs in
     let subl = filter (\(th,t). not(th = TRUTH)) [(lhsdef,lhs);(rhsdef,rhs)] in
     let exp = if not(null subl) then SUBST_CONV subl "^lhs = ^rhs" tm
               else (REFL tm) in
     let lhs',rhs' = dest_eq (snd(dest_eq (concl exp))) in
     if (lhs' = rhs') then (PURE_ONCE_REWRITE_RULE [REFL_CLAUSE] exp)
     else
       (let subl' = filter (\t. not(t = TRUTH)) [lhsdef;rhsdef] in
        let Part_distinct = theorem `PART` `Part_distinct` in
        let Part_all_distinct =
          append (CONJUNCTS Part_distinct)
                 (map (CONV_RULE (ONCE_DEPTH_CONV SYM_CONV)) (CONJUNCTS Part_distinct)) in
        let Part_one_one = theorem `PART` `Part_one_one` in
        let th = TAC_PROOF(([], "~^tm"),
          SUBST_TAC subl'
          THEN ((MAP_FIRST MATCH_ACCEPT_TAC Part_all_distinct) ORELSE
                (PURE_ONCE_REWRITE_TAC[Part_one_one]
                 THEN CONV_TAC (DEPTH_CONV num_EQ_CONV)
                 THEN PURE_REWRITE_TAC[AND_CLAUSES; NOT_CLAUSES]))) in
        EQF_INTRO th))
  ? failwith `Part_EQ_CONV`;;

%--------------------------------------------------------------------%
% prove_not_in_network = - : (term -> conv)
  prove_not_in_network p n returns a theorem |- ~p IS_VERTEX n
  iff p is not a part in the network n. %
%--------------------------------------------------------------------%
let prove_not_in_network p n =
  TAC_PROOF(([], "~^p IS_VERTEX ^n"),
    PURE_ONCE_REWRITE_TAC[IS_VERTEX_DEF]
    THEN PURE_ONCE_REWRITE_TAC[VERTICES]
    THEN CONV_TAC (DEPTH_CONV (IN_CONV Part_EQ_CONV))
    THEN PURE_ONCE_REWRITE_TAC[NOT_CLAUSES])
  ? failwith (`p is in network n`);;

%--------------------------------------------------------------------%
% prove_finite = - : conv
  prove_finite "{...}" ---> |- FINITE {...} %
%--------------------------------------------------------------------%
let prove_finite tm =
  let fintm = mk_comb(mk_const(`FINITE`,
                mk_type(`fun`, [(type_of tm); ":bool"])), tm) in
  EQT_ELIM (FINITE_CONV fintm) ?
  failwith `prove_finite: not a finite set`;;

%--------------------------------------------------------------------%
% SUC_CONV : conv
  SUC_CONV "SUC n" ---> |- SUC n = n'   where n' = n + 1 %
%--------------------------------------------------------------------%
let SUC_CONV =
  let check st = assert(\c. fst(dest_const c) = st) in
  \tm.
    let _,ntm = (check `SUC` # I) (dest_comb tm) in
    let nstr = string_of_int (int_of_string((fst o dest_const) ntm) + 1) in
    SYM (num_CONV (mk_const(nstr, ":num"))) ?
    failwith `SUC_CONV`;;

%--------------------------------------------------------------------%
% CARD_CONV = - : conv -> conv
  CARD_CONV conv "CARD {x0,...,x(n-1)}" ---> |- CARD {x0,...,x(n-1)} = n
  fails if the set cannot be proved to be finite.
  conv is used by IN_CONV to check whether the new element is already
  in the set, e.g.,
  CARD_CONV num_EQ_CONV "CARD {1,2,3}" ---> |- CARD {1,2,3} = 3
  CARD_CONV num_EQ_CONV "CARD {1,2,2}" ---> |- CARD {1,2,2} = 2 %
%--------------------------------------------------------------------%
let CARD_CONV conv tm =
  let cemp = theorem `sets` `CARD_EMPTY` in
  let cins = theorem `sets` `CARD_INSERT` in
  let check st = assert(\c. fst(dest_const c) = st) in
  letrec strip_set tm =
    (let _,[h;t] = (check `INSERT` # I)(strip_comb tm) in
     h . strip_set t) ?
    (fst(dest_const tm) = `EMPTY` => [] | fail) in
  let prove_finite tm =
    let fintm = mk_comb(mk_const(`FINITE`,
                  mk_type(`fun`, [(type_of tm); ":bool"])), tm) in
    EQT_ELIM (FINITE_CONV fintm) ? failwith `prove_finite: not a finite set` in
  let _,els = (check `CARD` # strip_set) (dest_comb tm) in
  let _,[ety] = dest_type(type_of (snd (dest_comb tm))) in
  let empty = mk_const(`EMPTY`, ":(^ety)set") in
  let ins = mk_const(`INSERT`, ":^ety->(^ety)set->(^ety)set") in
  % each step builds x INSERT iset and proves its cardinality from that of iset %
  let itfn cith x (iset, ith) =
    (mk_comb( mk_comb(ins, x), iset),
     (let ifth = prove_finite iset in
      let th = CONV_RULE ((ONCE_DEPTH_CONV (IN_CONV conv))
                          THENC (ONCE_DEPTH_CONV COND_CONV))
                 (SPEC x (MATCH_MP cith ifth)) in
      let th' = PURE_ONCE_REWRITE_RULE[ith] th in
      CONV_RULE (ONCE_DEPTH_CONV SUC_CONV) th')) in
  snd (itlist (itfn cins) els (empty,cemp)) ? failwith `CARD_CONV`;;

%--------------------------------------------------------------------%
% mk_set_list = - : ((term -> bool) -> term -> term list)
  mk_set_list f es returns a list of the elements which satisfy the
  predicate f, i.e., [... xi ...] where xi IN es and f xi. %
%--------------------------------------------------------------------%
let mk_set_list f es =
  let check st = assert(\c. fst(dest_const c) = st) in
  letrec strip_set tm =
    (let _,[h;t] = (check `INSERT` # I)(strip_comb tm) in
     h . strip_set t) ?
    (fst(dest_const tm) = `EMPTY` => [] | fail) in
  let els = strip_set es in
  let _,[ety] = dest_type(type_of es) in
  let itfn P x s = if (P x) then ( x .
 s) else s in
  itlist (itfn f) els [] ? failwith `mk_set_list`;;

%--------------------------------------------------------------------%
% mk_incident_set_list = - : (string -> term -> term -> term list)
  mk_incident_set_list str es v returns a list of the edges which are
  in the set es and are incident TO/FROM/WITH the given vertex v. %
%--------------------------------------------------------------------%
let mk_incident_set_list str es v =
  let Pfrom = (\t. fst(dest_pair t) = v) in
  let Pto = (\t. fst(dest_pair(snd (dest_pair t))) = v) in
  let Pwith = (\t. (fst(dest_pair t) = v) or
                   (fst(dest_pair(snd (dest_pair t))) = v)) in
  let P = if (str = `FROM`) then Pfrom
          else if (str = `TO`) then Pto
          else if (str = `WITH`) then Pwith
          else failwith `mk_incident_set_list: unknown type string` in
  (mk_set_list P es) ? failwith `mk_incident_set_list`;;

%--------------------------------------------------------------------%
% prove_in_incident = - : term -> term -> conv
  prove_in_incident e G v ---> |- e IN (INCIDENT_TO G v) %
%--------------------------------------------------------------------%
let prove_in_incident e G v =
  TAC_PROOF(([], "^e IN (INCIDENT_TO ^G ^v)"),
    PURE_ONCE_REWRITE_TAC[INCIDENT_TO_DEF]
    THEN PURE_ONCE_REWRITE_TAC[IS_EDGE_DEF]
    THEN PURE_ONCE_REWRITE_TAC[EDGES]
    THEN CONV_TAC SET_SPEC_CONV
    THEN PURE_REWRITE_TAC[e_des_DEF; FST; SND; REFL_CLAUSE; AND_CLAUSES]
    THEN CONV_TAC (IN_CONV ALL_CONV));;

%--------------------------------------------------------------------%
% list_to_set = - : term list -> type -> term
  list_to_set ["xi"] ty ---> "{ ... xi ... }" %
%--------------------------------------------------------------------%
let list_to_set xl ty =
  if null xl then "{}:^ty"
  else
    let ety = type_of(hd xl) in
    let empty = mk_const(`EMPTY`, ":(^ety)set") in
    let ins = mk_const(`INSERT`, ":^ety->(^ety)set->(^ety)set") in
    let itfn x s = mk_comb( mk_comb(ins, x), s) in
    (itlist itfn xl empty) ? failwith `list_to_set`;;

%--------------------------------------------------------------------%
% prove_incident_subset = - : term -> term -> conv
  prove_incident_subset G v s ---> |- (INCIDENT_TO G v) SUBSET s %
%--------------------------------------------------------------------%
let prove_incident_subset G v s =
  let imp3 = GEN_ALL (el 3 (CONJUNCTS (SPEC_ALL IMP_CLAUSES))) in
  TAC_PROOF(([], "(INCIDENT_TO ^G ^v) SUBSET ^s"),
    PURE_REWRITE_TAC[INCIDENT_TO_DEF; IS_EDGE_DEF; EDGES; SUBSET_DEF]
    THEN CONV_TAC (ONCE_DEPTH_CONV SET_SPEC_CONV)
    THEN GEN_TAC
    THEN PURE_REWRITE_TAC[IN_INSERT; RIGHT_AND_OVER_OR]
    THEN STRIP_TAC THEN POP_ASSUM MP_TAC
    THEN ASM_REWRITE_TAC[]
    THEN PURE_REWRITE_TAC [e_des_DEF; FST; SND]
    THEN CONV_TAC (RATOR_CONV (ONCE_DEPTH_CONV Part_EQ_CONV))
    THEN PURE_REWRITE_TAC [imp3])
  ? failwith `prove_incident_subset`;;

%--------------------------------------------------------------------%
% INCIDENT_TO_CONV = - : term -> conv
  INCIDENT_TO_CONV G v ---> |- (INCIDENT_TO G v) = { ... }
  It works out the set of edges which are incident to v and
  returns a theorem asserting this fact. %
%--------------------------------------------------------------------%
let INCIDENT_TO_CONV G v =
  let ESG = snd (dest_pair G) in
  let ell = mk_incident_set_list `TO` ESG v in
  let sty = type_of ESG in
  let els = list_to_set ell sty in
  let cith = GEN_ALL(snd (EQ_IMP_RULE (SPEC_ALL INSERT_SUBSET))) in
  let sth = ISPEC "INCIDENT_TO ^G ^v" EMPTY_SUBSET in
  let itfn cith x ith = MATCH_MP cith (CONJ (prove_in_incident x G v) ith) in
  let th1 = prove_incident_subset G v els in
  let th2 = (itlist (itfn cith) ell sth) in
  (MATCH_MP SUBSET_ANTISYM (CONJ th1 th2)) ? failwith `INCIDENT_TO_CONV`;;

%--------------------------------------------------------------------%
% prove_NFC = - : term -> conv
  prove_NFC p N ---> |- NFC p N
  iff p is a node in N and it is not fully connected. %
%--------------------------------------------------------------------%
let prove_NFC p N =
  let inth' = INCIDENT_TO_CONV N p in
  let pdef = if (is_const p) then definition (current_theory()) (fst (dest_const p))
             else TRUTH in
  let inth = if (is_const p) then SUBS [pdef] inth' else inth' in
  TAC_PROOF(([], "NFC ^p ^N"),
    (SUBST_TAC [pdef] ORELSE ALL_TAC)
    THEN PURE_ONCE_REWRITE_TAC[NFC_DEF]
    THEN PURE_ONCE_REWRITE_TAC[IN_DEGREE_DEF]
    THEN PURE_ONCE_REWRITE_TAC[inth]
    THEN ((PURE_ONCE_REWRITE_TAC[CARD_EMPTY]
           THEN CONV_TAC (ONCE_DEPTH_CONV num_CONV)
           THEN MATCH_ACCEPT_TAC LESS_0)
          ORELSE
          (CONV_TAC (ONCE_DEPTH_CONV (CARD_CONV (pair_EQ_CONV Part_EQ_CONV)))
           THEN CONV_TAC (REDEPTH_CONV num_CONV)
           THEN PURE_REWRITE_TAC[LESS_MONO_EQ; LESS_0; NOT_LESS_0; OR_CLAUSES])))
  ?
  failwith `prove_NFC`;;

%--------------------------------------------------------------------%
% prove_network_njoin = - : thm->term->term->term->term->thm
  prove_network_njoin thm1 p1 p2 j1 j2 --->
    |- NETWORK (NJOIN n1 p1 j1 ({p2},{}) p2 j2)
    |- NETWORK ((p2 INSERT (VS n1)),
                ((p1,p2,j1) INSERT (p2,p1,j2) INSERT (ES n1)))
  thm1 -- NETWORK n1
  p1 is a vertex in n1
  p2 is a vertex to be added to the network
  j1 is the join of the edge (p1,p2)
  j2 is the join of the edge (p2,p1) %
%--------------------------------------------------------------------%
let prove_network_njoin thm1 p1 p2 j1 j2 =
  let p,n1 = (dest_comb (concl thm1)) in
  if (not(`NETWORK` = (fst (dest_const p)))) then failwith `not NETWORK theorem`
  else
    let lm = (SPEC "^n1" NETWORK_NJOIN) in
    let thm2 = prove_in_network p1 n1 in
    let thm3 = EQF_ELIM (Part_EQ_CONV "^p1 = ^p2") in
    let thm4 = prove_NFC p1 n1 in
    let thm5' = prove_not_in_network p2 n1 in
    let thm5 = MP (MP (SPECL[n1;p2] NOT_VER_IMP_NFC) thm1) thm5' in
    let ante = CONJ thm2 (CONJ thm3 (CONJ thm4 thm5)) in
    let lm' = SPECL [p1;p2] (MP lm thm1) in
    let network_canon th =
      let njointhm = MP (SPECL [n1;p1;j1;p2;j2] NJOIN_EXP) (CONJ thm2 thm5')
      in
      let th = PURE_ONCE_REWRITE_RULE[VERTICES; EDGES]
                 (PURE_ONCE_REWRITE_RULE[njointhm] th) in
      (CONV_RULE (DEPTH_CONV (UNION_CONV Part_EQ_CONV)) th) in
    let nth = (SPECL [j1; j2] (MATCH_MP lm' ante)) in
    network_canon nth
  ? failwith `prove_network_njoin`;;

%--------------------------------------------------------------------%
% prove_network_edge = - : thm->term->term->term->term->thm
  prove_network_edge thm1 p1 p2 j1 j2 --->
    |- NETWORK ((p2,p1,j2) INSERT_EDGE ((p1,p2,j1) INSERT_EDGE n1))
    |- NETWORK ((VS n1), ((p2,p1,j2) INSERT (p1,p2,j1) INSERT (ES n1)))
  thm1 -- NETWORK n1
  p1 is a vertex in n1
  p2 is another vertex in n1
  j1 is the join of the edge (p1,p2)
  j2 is the join of the edge (p2,p1) %
%--------------------------------------------------------------------%
let prove_network_edge thm1 p1 p2 j1 j2 =
  let p,n1 = (dest_comb (concl thm1)) in
  if (not(`NETWORK` = (fst (dest_const p)))) then failwith `not NETWORK theorem`
  else
    let lm = (SPEC "^n1" NETWORK_NJOIN) in
    let thm2 = prove_in_network p1 n1 in
    let thm3 = EQF_ELIM (Part_EQ_CONV "^p1 = ^p2") in
    let thm4 = prove_NFC p1 n1 in
    let thm5 = prove_in_network p2 n1 in
    let thm6 = prove_NFC p2 n1 in
    let ante = CONJ thm2 (CONJ thm3 (CONJ thm4 thm6)) in
    let lm' = SPECL [p1;p2] (MP lm thm1) in
    let network_canon th =
      let njointhm = MP (SPECL [n1;p1;j1;p2;j2] NJOIN_EXP2) (CONJ thm2 thm5) in
      let th = PURE_ONCE_REWRITE_RULE[VERTICES; EDGES]
                 (PURE_ONCE_REWRITE_RULE[njointhm] th) in
      (CONV_RULE (DEPTH_CONV (UNION_CONV Part_EQ_CONV)) th) in
    let nth = (SPECL [j1; j2] (MATCH_MP lm' ante)) in
    network_canon nth
  ? failwith `prove_network_edge`;;
```

## C.5 The file mk_verifier.ml

```
new_theory `verifier`;;
add_to_search_path `../signal/`;;
add_to_search_path `../network/`;;
load_library `graph`;;
load_theory `NETWORK`;;
autoload_all `NETWORK`;;

% the state functions assumed by the parser for the parts it defines %
let tcf = new_definition(`tcf`, "tcf = (\t. clear)");;

close_theory();;
```

## C.6 The file Makefile

```
# Generated parser Makefile

# Version of HOL to be used:
HOL=hol

# General definitions for all generated parsers:
GENERAL=/home/quail/hol/Library/parser/general

# Insert entries for user-defined stuff here:
# Remember to insert the appropriate dependencies and "load"'s below.

ver_network_ml.o: ver_network.ml
	echo 'set_flag(`abort_when_fail`,true);;'\
	     'load_library `graph`;;'\
	     'add_to_search_path `../network/`;;'\
	     'add_to_search_path `../signal/`;;'\
	     'load_theory `NETWORK`;;'\
	     'autoload_all `NETWORK`;;'\
	     'compilet `ver_network`;;'\
	     'quit();;' | $(HOL)

rail_help_ml.o: rail_help.ml ver_network_ml.o verifier.th
	echo 'set_flag(`abort_when_fail`,true);;'\
	     'loadf `$(GENERAL)`;;'\
	     'load_library `graph`;;'\
	     'add_to_search_path `../network/`;;'\
	     'add_to_search_path `../signal/`;;'\
	     'load_theory `NETWORK`;;'\
	     'autoload_all `NETWORK`;;'\
	     'loadf `ver_network`;;'\
	     'load_theory `verifier`;;'\
	     'compilet `rail_help`;;'\
	     'quit();;' | $(HOL)

verifier.th: mk_verifier.ml
	rm -f verifier.th
	echo 'set_flag(`abort_when_fail`,true);;'\
	     'loadf `mk_verifier`;;'\
	     'quit();;' | $(HOL)

# Now compile the declarations:
rail_decls_ml.o: rail_decls.ml rail_help_ml.o
	echo 'set_flag(`abort_when_fail`,true);;'\
	     'loadf `$(GENERAL)`;;'\
	     'load_library `graph`;;'\
	     'add_to_search_path `../network/`;;'\
	     'add_to_search_path `../signal/`;;'\
	     'load_theory `NETWORK`;;'\
	     'autoload_all `NETWORK`;;'\
	     'loadf `ver_network`;;'\
	     'load_theory `verifier`;;'\
	     'loadf `rail_help`;;'\
	     'compilet `rail_decls`;;'\
	     'quit();;' | $(HOL)

# Finally do the actual functions
rail_ml.o: rail.ml rail_decls_ml.o
	echo 'set_flag(`abort_when_fail`,true);;'\
	     'loadf `$(GENERAL)`;;'\
	     'load_library `graph`;;'\
	     'add_to_search_path `../network/`;;'\
	     'add_to_search_path `../signal/`;;'\
	     'load_theory `NETWORK`;;'\
	     'autoload_all `NETWORK`;;'\
	     'loadf `ver_network`;;'\
	     'load_theory `verifier`;;'\
	     'loadf `rail_help`;;'\
	     'loadf `rail_decls`;;'\
	     'compilet `rail`;;'\
	     'quit();;' | $(HOL)

clean:
```

# Appendix D

# Routes and control tables

This appendix lists the ML source of the definitions described in Chapter 8.

```
add_to_search_path `../graph/`;;
add_to_search_path `../signal/`;;
load_library `graph`;;
load_theory `NETWORK`;;
autoload_all `NETWORK`;;
autoload_all `graph`;;
new_theory `ROUTE`;;
load_library `more_lists`;;

%--------------------------------------------------------------------%
% Functions for finding routes                                        %
%--------------------------------------------------------------------%

% if e is a trailing edge, i.e., (e_des e) is a facing point or       %
% (e_src e) is a trailing point                                       %
let TRAILING_EDGE_DEF = new_definition(`TRAILING_EDGE_DEF`,
  "TRAILING_EDGE (e:Part#Part#Elbl) =
    ((IS_PPART (e_des e)) /\ (PART_ID (e_src e) = PART_PNT_TRAILING (e_des e))) \/
    ((IS_PPART (e_src e)) /\ (PART_ID (e_des e) = PART_PNT_TRAILING (e_src e)))");;

% if e is a normal edge, i.e., (e_des e) is a facing point or         %
% (e_src e) is a trailing point                                       %
let NORMAL_EDGE_DEF = new_definition(`NORMAL_EDGE_DEF`,
  "NORMAL_EDGE (e:Part#Part#Elbl) =
    ((IS_PPART (e_des e)) /\ (PART_ID (e_src e) = PART_PNT_NORMAL (e_des e))) \/
    ((IS_PPART (e_src e)) /\ (PART_ID (e_des e) = PART_PNT_NORMAL (e_src e)))");;

% if e is a reverse edge, i.e., (e_des e) is a facing point or        %
% (e_src e) is a trailing point                                       %
let REVERSE_EDGE_DEF = new_definition(`REVERSE_EDGE_DEF`,
  "REVERSE_EDGE (e:Part#Part#Elbl) =
    ((IS_PPART (e_des e)) /\ (PART_ID (e_src e) = PART_PNT_REVERSE (e_des e))) \/
    ((IS_PPART (e_src e)) /\ (PART_ID (e_des e) = PART_PNT_REVERSE (e_src e)))");;

% if e1 and e2 are the same leg of a diamond crossing                 %
let SAME_LEG_DEF = new_definition(`SAME_LEG`,
  "SAME_LEG (e1:Part#Part#Elbl) (e2:Part#Part#Elbl) =
    ((IS_DPART (e_des e1)) /\ (IS_DPART (e_src e2)) /\ ((e_des e1) = (e_src e2)) /\
     (let dp = e_des e1 and id1 = PART_ID (e_src e1) and id2 = PART_ID (e_des e2) in
      (((id1,id2) = (PART_DIA1 dp)) \/ ((id2,id1) = (PART_DIA1 dp)) \/
       ((id1,id2) = (PART_DIA2 dp)) \/ ((id2,id1) = (PART_DIA2 dp))))) \/
    ((IS_DPART (e_src e1)) /\ (IS_DPART (e_des e2)) /\ ((e_src e1) = (e_des e2)) /\
     (let dp = e_src e1 and id1 = PART_ID (e_des e1) and id2 = PART_ID (e_src e2) in
      (((id1,id2) = (PART_DIA1 dp)) \/ ((id2,id1) = (PART_DIA1 dp)) \/
       ((id1,id2) = (PART_DIA2 dp)) \/ ((id2,id1) = (PART_DIA2 dp)))))");;

%--------------------------------------------------------------------%
% Definition of routes --- a route is a path, and the successive      %
% edges of a PPART or DPART must satisfy the following conditions    %
%--------------------------------------------------------------------%
let ROUTE_TAIL_DEF = new_list_rec_definition(`ROUTE_TAIL_DEF`,
  "(ROUTE_TAIL [] = T) /\
   (ROUTE_TAIL (CONS (h:Part#Part#Elbl) t) =
     ((t = []) \/
      (((IS_PPART (e_des h)) =>
          ((TRAILING_EDGE h) => ((NORMAL_EDGE (HD t)) \/ (REVERSE_EDGE (HD t)))
                              | (TRAILING_EDGE (HD t)))
        | ((IS_DPART (e_des h)) => (SAME_LEG h (HD t)) | T)) /\
       (ROUTE_TAIL t))))");;

let ROUTE_DEF = new_definition(`ROUTE_DEF`,
  "ROUTE (N:Network) (r:(Part#Part#Elbl)list) =
    (NETWORK N) /\ (PATH N r) /\ (ROUTE_TAIL r) /\
    (IS_ELBL_SIGNAL (elb (HD r))) /\ (IS_ELBL_SIGNAL (elb (LAST r)))");;

let ROUTE_EDGES_DEF = new_definition(`ROUTE_EDGES_DEF`,
  "ROUTE_EDGES (r:(Part#Part#Elbl)list) = (BUTLAST r)");;

let ROUTE_PARTS_DEF = new_definition(`ROUTE_PARTS_DEF`,
  "ROUTE_PARTS (r:(Part#Part#Elbl)list) = VER_LIST (BUTLAST (TL r))");;

%--------------------------------------------------------------------%
% Conflicting routes                                                  %
%--------------------------------------------------------------------%
let CONFLICTING_ROUTES_DEF = new_definition(`CONFLICTING_ROUTES_DEF`,
  "CONFLICTING_ROUTES (N:Network) r1 r2 =
    (ROUTE N r1) /\ (ROUTE N r2) /\ ~(DISJ_LIST (ROUTE_PARTS r1) (ROUTE_PARTS r2))");;

%--------------------------------------------------------------------%
% Functions for proving routes                                        %
%--------------------------------------------------------------------%
% TCIRCUITS returns a list of the track circuits in the route         %
let TCIRCUITS_DEF = new_definition(`TCIRCUITS_DEF`,
  "TCIRCUITS (r:(Part#Part#Elbl)list) = MAP PART_CIRCUIT (ROUTE_PARTS r)");;

% NORM returns a list of the points required NORMAL if a movement     %
% from p1 to p2 is made. [] is returned if none is required           %
let NORM_DEF = new_definition(`NORM_DEF`,
  "NORM (p1,p2,(e:Elbl)) =
    ((IS_PPART p1) /\ (PART_PNT_NORMAL p1 = PART_ID p2)) => [PART_POINT p1] | []");;

% NORM_POINTS returns a list of the points required NORMAL in the route %
let NORM_POINTS_DEF = new_definition(`NORM_POINTS_DEF`,
  "NORM_POINTS r = FLAT (MAP NORM (ROUTE_EDGES r))");;

% REV returns a list of the points required REVERSE if a movement     %
% from p1 to p2 is made. [] is returned if none is required           %
let REV_DEF = new_definition(`REV_DEF`,
  "REV (p1,p2,(e:Elbl)) =
    ((IS_PPART p1) /\ (PART_PNT_REVERSE p1 = PART_ID p2)) => [PART_POINT p1] | []");;

% REV_POINTS returns a list of the points required REVERSE in the route %
let REV_POINTS_DEF = new_definition(`REV_POINTS_DEF`,
  "REV_POINTS r = FLAT (MAP REV (ROUTE_EDGES r))");;

% EXIT_SIGNAL returns the exit signal of a route                      %
let EXIT_SIGNAL_DEF = new_definition(`EXIT_SIGNAL_DEF`,
  "EXIT_SIGNAL (r:(Part#Part#Elbl)list) =
    let e = elb (LAST r) in
    (IS_ELBL_SIGNAL e) => [ELBL_SIGNAL e] | []");;

% CONFLICT_ROUTES rlst r returns a list of the routes which are in    %
% rlst and are conflicting routes with r                              %
let CONFLICT_ROUTES_DEF = new_list_rec_definition(`CONFLICT_ROUTES_DEF`,
  "(CONFLICT_ROUTES [] r = []) /\
   (CONFLICT_ROUTES (CONS h t) r =
     (~(DISJ_LIST (ROUTE_PARTS r) (ROUTE_PARTS h)) /\ ~(h = r)) =>
       (CONS h (CONFLICT_ROUTES t r)) | (CONFLICT_ROUTES t r))");;

% ENTRY_SIG r returns the signal attached at the first edge of the route %
let ENTRY_SIG_DEF = new_definition(`ENTRY_SIG_DEF`,
  "ENTRY_SIG (r:(Part#Part#Elbl)list) =
    let e = elb (HD r) in
    (IS_ELBL_SIGNAL e) => [ELBL_SIGNAL e] | []");;

let ENTRY_SIGNALS_DEF = new_definition(`ENTRY_SIGNALS_DEF`,
  "ENTRY_SIGNALS r rlst = MAP ENTRY_SIG (CONFLICT_ROUTES rlst r)");;

let FILTER_DEF = new_list_rec_definition(`FILTER_DEF`,
  "(FILTER [] (f:*->bool) = []) /\
   (FILTER (CONS h t) f = (f h) => (CONS h (FILTER t f)) | (FILTER t f))");;

let CR_TAKE_DEF = new_list_rec_definition(`CR_TAKE_DEF`,
  "(CR_TAKE [] (p:Part) = []) /\
   (CR_TAKE (CONS h t) p = (h = p) => [] | (CONS h (CR_TAKE t p)))");;

let CR_PRS_DEF = new_definition(`CR_PRS_DEF`,
  "CR_PRS (p:Part) pll =
    let crlst = FILTER pll (\l. (ELEM l p)) in
    MAP (\l. CR_TAKE l p) crlst");;

close_theory();;
```

# Appendix E

# Level crossing—a case study

This appendix lists the ML source files of the level crossing case study.
A level crossing is represented by an object of type Cross consisting of five state functions: Highway (whether highway traffic is occupying the crossing), Track (whether rail traffic is occupying the crossing), Approaching (whether there is a train approaching), HighwaySignal (whether the highway stop signal is ON), and RailSignal (whether the rail stop signal is ON). All of these functions return a value of type bool, with the value T representing the active state; e.g., in the case of the Highway and Track states, T indicates that the crossing is occupied by traffic of the respective kind.

The state machine controlling the level crossing can be in one of the following internal states: Road_Proc (highway traffic can proceed), Rail_App (a train is approaching), Road_Clr (the crossing is clear of traffic), Rail_Set (the rail signal is set), Rail_Proc (rail traffic can proceed), and All_Lock (both rail and highway traffic are stopped). Initially, the machine is in the All_Lock state with both highway and rail signals proved ON. This is defined as the predicate INIT. The function NEXT specifies the possible state transitions. The crossing is safe if rail and highway traffic are not both allowed to proceed, i.e., the rail and highway signals are not both turned OFF. This is defined as the predicate SAFETY. The theorem INIT_SAFE asserts that the initial state of the machine is safe. The theorem NEXT_SAFE asserts that, if the current state is safe, the next state of the machine is also safe. The theorem STATE_MACHINE_SAFE asserts that the state machine specified by INIT and NEXT possesses the safety property SAFETY.
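The level-crossing controller described above, as an added example that is not part of the thesis's HOL sources: it transcribes the INIT, NEXT and SAFETY predicates of the listing into Python over the five-tuple (Highway, Track, Approaching, HighwaySignal, RailSignal) and, since the state space is finite, checks INIT_SAFE and NEXT_SAFE by exhaustive enumeration instead of by proof, then shows the same check rejecting a deliberately faulty variant of NEXT. The reading of NEXT (including the `s = Rail_Proc` guard on its last branch, which the scanned listing leaves implicit) is an assumption of this example.

```python
from itertools import product

# Controller states, as in the HOL type State of the listing.
ROAD_PROC, RAIL_APP, ROAD_CLR, RAIL_SET, RAIL_PROC, ALL_LOCK = (
    "Road_Proc", "Rail_App", "Road_Clr", "Rail_Set", "Rail_Proc", "All_Lock")
STATES = (ROAD_PROC, RAIL_APP, ROAD_CLR, RAIL_SET, RAIL_PROC, ALL_LOCK)

# A crossing state at one instant is the EState tuple of the listing:
# (Highway, Track, Approaching, HighwaySignal, RailSignal).  The
# accessors mirror H_STATE, TR_STATE, A_STATE, SH_STATE and ST_STATE.
def h(c):  return c[0]
def tr(c): return c[1]
def a(c):  return c[2]
def sh(c): return c[3]
def st(c): return c[4]

ALL_CROSSINGS = list(product((False, True), repeat=5))   # all 32 EStates

def init(c, s):
    """INIT: both stop signals ON and the controller in All_Lock."""
    return sh(c) and st(c) and s == ALL_LOCK

def safety(c, s):
    """SAFETY: the two signals are never both OFF."""
    return not (not sh(c) and not st(c))

def nxt(c, s, c2, s2):
    """NEXT (c,s) (c',s'), branch by branch as in the listing (assumed
    reading).  A step constrains only the signal components of c';
    Highway/Track/Approaching in c' are environment inputs and stay free.
    A 'stay' step keeps both c and s unchanged."""
    stay = (s2 == s and c2 == c)
    if s == ALL_LOCK:
        if not tr(c) and not a(c):
            return s2 == ROAD_PROC and not sh(c2) and st(c2)
        if a(c):
            return s2 == RAIL_APP and sh(c2) and not st(c2)
        return stay
    if s == ROAD_PROC:
        return (s2 == RAIL_APP and sh(c2) and st(c2)) if a(c) else stay
    if s == RAIL_APP:
        return (s2 == ROAD_CLR and sh(c2) and st(c2)) if not h(c) else stay
    if s == ROAD_CLR:
        if not h(c) and a(c):
            return s2 == RAIL_SET and sh(c2) and not st(c2)
        return stay
    if s == RAIL_SET:
        return (s2 == RAIL_PROC and sh(c2) and st(c2)) if tr(c) else stay
    if s == RAIL_PROC:   # guard assumed; see lead-in
        return (s2 == ALL_LOCK and sh(c2) and st(c2)) if not tr(c) else stay
    return stay

def nxt_faulty(c, s, c2, s2):
    """Constructed faulty variant: on Road_Clr -> Rail_Set the highway
    signal is no longer required to stay ON, so both may end up OFF."""
    if s == ROAD_CLR and not h(c) and a(c):
        return s2 == RAIL_SET and not st(c2)
    return nxt(c, s, c2, s2)

def init_safe():
    """INIT_SAFE: every initial configuration satisfies SAFETY."""
    return all(safety(c, s) for c in ALL_CROSSINGS for s in STATES if init(c, s))

def next_safe(rel=nxt):
    """NEXT_SAFE: SAFETY is inductive over the relation, checked over all
    (c, s, c', s') combinations (32 * 6 * 32 * 6 of them)."""
    return all(safety(c2, s2)
               for c in ALL_CROSSINGS for s in STATES if safety(c, s)
               for c2 in ALL_CROSSINGS for s2 in STATES if rel(c, s, c2, s2))

def reachable():
    """Configurations reachable from INIT under NEXT (worklist search)."""
    seen = {(c, s) for c in ALL_CROSSINGS for s in STATES if init(c, s)}
    work = list(seen)
    while work:
        c, s = work.pop()
        for c2 in ALL_CROSSINGS:
            for s2 in STATES:
                if nxt(c, s, c2, s2) and (c2, s2) not in seen:
                    seen.add((c2, s2))
                    work.append((c2, s2))
    return seen

def reachable_controller_states():
    return sorted({s for _, s in reachable()})

if __name__ == "__main__":
    print("INIT_SAFE:", init_safe())
    print("NEXT_SAFE:", next_safe())
    print("NEXT_SAFE (faulty variant):", next_safe(nxt_faulty))
    print("reachable controller states:", reachable_controller_states())
```

The exhaustive check is the finite-state counterpart of the inductive argument: INIT_SAFE is the base case and NEXT_SAFE the step, which together give the invariant that every reachable configuration is safe.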
```
new_theory'Chami';;
set_flag('sticky', true);;
new_parent'TTA';;
autoload_all'LSA';;

let Cross_Axiom = define_type 'Cross_Axiom'
  'Cross = CROSS (num->bool) (num->bool) (num->bool) (num->bool) (num->bool)';;
  %                Highway     Track       Approaching HighwaySignal RailSignal %

let HIGHWAY_DEF = new_recursive_definition false Cross_Axiom 'HIGHWAY_DEF'
  "HIGHWAY (CROSS h t app sh st) = h";;
let TRACK_DEF = new_recursive_definition false Cross_Axiom 'TRACK_DEF'
  "TRACK (CROSS h t app sh st) = t";;
let APPROACH_DEF = new_recursive_definition false Cross_Axiom 'APPROACH_DEF'
  "APPROACH (CROSS h t app sh st) = app";;
let H_SIGNAL_DEF = new_recursive_definition false Cross_Axiom 'H_SIGNAL_DEF'
  "H_SIGNAL (CROSS h t app sh st) = sh";;
let R_SIGNAL_DEF = new_recursive_definition false Cross_Axiom 'R_SIGNAL_DEF'
  "R_SIGNAL (CROSS h t app sh st) = st";;

new_type_abbrev ('EState', ":bool#bool#bool#bool#bool");;

let State_Axiom = define_type 'State_Axiom'
  'State = Road_Proc | Rail_App | Road_Clr | Rail_Set | Rail_Proc | All_Lock';;

let State_const_dist = save_thm('State_const_dist',
  prove_constructors_distinct State_Axiom);;
let State_Induct = save_thm('State_Induct', prove_induction_thm State_Axiom);;
let State_cases = save_thm('State_cases', prove_cases_thm State_Induct);;

let CROSS_STATE = new_recursive_definition false Cross_Axiom 'CROSS_STATE'
  "CROSS_STATE (CROSS h tr a sh st) t = (h t, tr t, a t, sh t, st t)";;

let SH_STATE = new_definition('SH_STATE',
  "SH_STATE ((ht:bool), (trt:bool), (at:bool), (sht:bool), (stt:bool)) = sht");;
let ST_STATE = new_definition('ST_STATE',
  "ST_STATE (ht, trt, at, sht, stt) = stt");;
let H_STATE = new_definition('H_STATE',
  "H_STATE (ht, trt, at, sht, stt) = ht");;
let TR_STATE = new_definition('TR_STATE',
  "TR_STATE (ht, trt, at, sht, stt) = trt");;
let A_STATE = new_definition('A_STATE',
  "A_STATE (ht, trt, at, sht, stt) = at");;

let INIT = new_definition('INIT',
  "INIT (c, s) = ((SH_STATE c) = T) /\ ((ST_STATE c) = T) /\ (s = All_Lock)");;

let SAFETY = new_definition('SAFETY',
  "SAFETY (c, s) = ~(~SH_STATE c /\ ~ST_STATE c)");;

let NEXT = new_definition('NEXT',
  "NEXT (c, s) (c', s') =
     ((s = All_Lock) =>
        ((~TR_STATE c /\ ~A_STATE c) =>
           ((s' = Road_Proc) /\ ~SH_STATE c' /\ ST_STATE c') |
         (A_STATE c =>
           ((s' = Rail_App) /\ SH_STATE c' /\ ~ST_STATE c') |
           ((s' = s) /\ (c' = c)))) |
     ((s = Road_Proc) =>
        (A_STATE c =>
           ((s' = Rail_App) /\ SH_STATE c' /\ ST_STATE c') |
           ((s' = s) /\ (c' = c))) |
     ((s = Rail_App) =>
        (~H_STATE c =>
           ((s' = Road_Clr) /\ SH_STATE c' /\ ST_STATE c') |
           ((s' = s) /\ (c' = c))) |
     ((s = Road_Clr) =>
        ((~H_STATE c /\ A_STATE c) =>
           ((s' = Rail_Set) /\ SH_STATE c' /\ ~ST_STATE c') |
           ((s' = s) /\ (c' = c))) |
     ((s = Rail_Set) =>
        (TR_STATE c =>
           ((s' = Rail_Proc) /\ SH_STATE c' /\ ST_STATE c') |
           ((s' = s) /\ (c' = c))) |
     ((s = Rail_Proc) =>
        (~TR_STATE c =>
           ((s' = All_Lock) /\ SH_STATE c' /\ ST_STATE c') |
           ((s' = s) /\ (c' = c))) |
        ((s' = s) /\ (c' = c))))))))");;

let INIT_SAFE = prove_thm('INIT_SAFE',
  "!c s. INIT(c, s) ==> SAFETY(c, s)",
  REWRITE_TAC[INIT;SAFETY] THEN REPEAT GEN_TAC
  THEN STRIP_TAC THEN ASM_REWRITE_TAC[]);;

let NEXT_SAFE = prove_thm('NEXT_SAFE',
  "!c s c' s'. NEXT (c, s) (c', s') /\ SAFETY (c, s) ==> SAFETY (c', s')",
  PURE_ONCE_REWRITE_TAC[NEXT;SAFETY] THEN REPEAT GEN_TAC
  THEN REPEAT COND_CASES_TAC THEN STRIP_TAC THEN ASM_REWRITE_TAC[]);;

let CROSS_MACHINE = prove_thm('CROSS_MACHINE',
  "(!c s. INIT(c, s) ==> SAFETY(c, s)) /\
   (!c s c' s'. NEXT (c, s) (c', s') /\ SAFETY (c, s) ==> SAFETY (c', s')) ==>
   (!(c:num->EState). LSA (INIT, NEXT) c = PLSA (INIT, SAFETY, NEXT) c)",
  STRIP_TAC THEN POP_ASSUM (MP_TAC o GEN_ALL o (SPECL
    ["(c:num->EState) t"; "(s:num->State) t";
     "(c:num->EState) (SUC t)"; "(s:num->State) (SUC t)"]))
  THEN POP_ASSUM (MP_TAC o GEN_ALL o (SPECL ["(c:num->EState) t"; "(s:num->State) t"]))
  THEN REWRITE_TAC[LSA;PLSA] THEN REPEAT STRIP_TAC THEN EQ_TAC THEN STRIP_TAC
  THEN EXISTS_TAC "s:num->State" THEN ASM_REWRITE_TAC[] THEN INDUCT_TAC
  THENL[RES_TAC;
        ASSUM_LIST (\thl. ASSUME_TAC (SPEC "0:num" (el 2 thl))) THEN RES_TAC]);;

% |- !c. LSA(INIT, NEXT) c = PLSA(INIT, SAFETY, NEXT) c %
let CROSS_MACHINE_SAFE = save_thm('CROSS_MACHINE_SAFE',
  MP CROSS_MACHINE (CONJ INIT_SAFE NEXT_SAFE));;

close_theory();;
```

### Appendix F

# Dynamic networks and state machines

The following ML source listing contains the definitions described in Chapter 9.

### F.1 The file dnetwork.ml

```
new_theory'DEET';;

new_type_abbrev ('SignalState', ":(MAspect # bool # SubAspect) + ShAspect");;
new_type_abbrev ('SignalStateFunc',
  ":(num -> MAspect) # ((num -> bool) # (num -> SubAspect)) + (num -> ShAspect)");;
new_type_abbrev ('PointState', ":Ppos # Ploc");;
new_type_abbrev ('NetworkState',
  ":(Tstate)list # (PointState)list # (SignalState)list");;

let TC_STATE_FUNCS_DEF = new_definition('TC_STATE_FUNCS_DEF',
  "TC_STATE_FUNCS (N:Network) =
     SET_LIST (IMAGE (TC_SFUNC o PART_CIRCUIT) (VS N))");;

let PNT_STATE_FUNCS_DEF = new_definition('PNT_STATE_FUNCS_DEF',
  "PNT_STATE_FUNCS (N:Network) =
     let plst = SET_LIST (IMAGE PART_POINT (VS N)) in
     (MAP (\p. (PNT_POS p, PNT_LOC p)) plst)");;

let SIG_STATE_FUNCS_DEF = new_definition('SIG_STATE_FUNCS_DEF',
  "SIG_STATE_FUNCS (N:Network) =
     let siglst = SET_LIST (IMAGE (ELBL_SIGNAL o elb) (ES N)) in
     (MAP SIG_SFUNC siglst)");;

let APPLY_DEF = new_list_rec_definition('APPLY_DEF',
  "(APPLY f [] x = ([]:(**)list)) /\
   (APPLY (f:***->(*->**)) (CONS hd tl) (x:*) =
      CONS (f hd x) (APPLY f tl x))");;

let APPLY_SIG_FUNC_DEF = new_definition('APPLY_SIG_FUNC_DEF',
  "APPLY_SIG_FUNC = (\sf t. ISL (sf:SignalStateFunc) =>
      INL (((FST (OUTL sf)) t), ((FST (SND (OUTL sf))) t), ((SND (SND (OUTL sf))) t)) |
      INR ((OUTR sf) t))");;

let NETWORK_STATE_DEF = new_definition('NETWORK_STATE_DEF',
  "NETWORK_STATE (N:Network) t =
     let tflst = TC_STATE_FUNCS N in
     let pflst = PNT_STATE_FUNCS N in
     let sflst = SIG_STATE_FUNCS N in
     ((APPLY (\f t. f t) tflst t),
      (APPLY (\(f1,f2) t. (f1 t, f2 t)) pflst t),
      (APPLY APPLY_SIG_FUNC sflst t))");;

let DNETWORK_DEF = new_definition('DNETWORK_DEF',
  "DNETWORK (N:Network) t =
     (VS N),
     {e | (e IS_EDGE N) /\
          (IS_PPART (e_src e) =>
             ((PNT_NORMAL (PART_POINT (e_src e)) t) /\
              (PART_ID (e_des e) = PART_PNT_NORMAL (e_src e)) \/
              (PNT_REVERSE (PART_POINT (e_src e)) t) /\
              (PART_ID (e_des e) = PART_PNT_REVERSE (e_src e)) \/
              (PART_ID (e_des e) = PART_PNT_TRAILING (e_src e))) |
           (IS_PPART (e_des e) =>
             ((PNT_NORMAL (PART_POINT (e_des e)) t) /\
              (PART_ID (e_src e) = PART_PNT_NORMAL (e_des e)) \/
              (PNT_REVERSE (PART_POINT (e_des e)) t) /\
              (PART_ID (e_src e) = PART_PNT_REVERSE (e_des e)) \/
              (PART_ID (e_src e) = PART_PNT_TRAILING (e_des e))) | T))}");;

% ROUTE_PROVED is T if there is a route from p1 to p2 in N and,
  at time t, it can be proved %
let ROUTE_PROVED_DEF = new_definition('ROUTE_PROVED_DEF',
  "ROUTE_PROVED rl r t =
     let rlst = CONFLICT_ROUTES rl r in
     ((EVERY (\c. TC_CLEAR c t) (TCIRCUITS r)) /\
      (EVERY (\p. PNT_NORMAL p t) (NORM_POINTS r)) /\
      (EVERY (\p. PNT_REVERSE p t) (REV_POINTS r)) /\
      (EVERY (\s. ~(SIGNAL_FAULT s t)) (EXIT_SIGNAL r)) /\
      (EVERY (\s. ON s t) (ENTRY_SIGNALS r rlst)) /\
      (EVERY (\c. TC_CLEAR c t) (CR_TCIRCUITS r rlst)))");;
```

### F.2 The file setlist.ml

```
new_theory'setlist';;

let ELEM_EL_IMP = prove_thm('ELEM_EL_IMP',
  "!l x. ELEM l x ==> ?n. (n < LENGTH l) /\ (x = EL n l)",
  LIST_INDUCT_TAC THEN REWRITE_TAC[ELEM_DEF] THEN REPEAT GEN_TAC
  THEN STRIP_TAC THENL[
    EXISTS_TAC "0" THEN POP_ASSUM SUBST1_TAC
    THEN REWRITE_TAC[LENGTH;EL;LESS_0;HD];
    RES_TAC THEN EXISTS_TAC "SUC n"
    % the remainder of this proof is illegible in the scanned source %
    ]);;

let LEMMA = TAC_PROOF(([],
  "!s. (FINITE s) ==>
     (?f. (!x:*. (x IN s = ELEM (f s) x)) /\ (CARD s = LENGTH (f s)))"),
  SET_INDUCT_TAC THENL[
    EXISTS_TAC "\s:(*)set. []:(*)list"
    THEN CONV_TAC (ONCE_DEPTH_CONV BETA_CONV)
    THEN REWRITE_TAC[NOT_IN_EMPTY;ELEM_DEF;CARD_EMPTY;LENGTH];
    FIRST_ASSUM CHOOSE_TAC
    THEN EXISTS_TAC "\s':(*)set. (s' = x INSERT s) => CONS x (f s) | f s'"
    THEN CONV_TAC (ONCE_DEPTH_CONV BETA_CONV) THEN CONJ_TAC THENL[
      REWRITE_TAC[IN_INSERT;ELEM_DEF] THEN ASM_REWRITE_TAC[];
      let is_not t = (fst(dest_comb t) = "$~") ? false in
      IMP_RES_THEN (\th. FILTER_ASM_REWRITE_TAC is_not [th]) CARD_INSERT
      THEN PURE_ONCE_ASM_REWRITE_TAC[LENGTH] THEN REFL_TAC]]);;

% TOLIST_DEF =
  |- !s. FINITE s ==>
       (!x. (x IN s = ELEM (TOLIST s s) x) /\ (CARD s = LENGTH (TOLIST s s))) %
let lemma = CONV_RULE ((ONCE_DEPTH_CONV RIGHT_IMP_EXISTS_CONV) THENC SKOLEM_CONV) LEMMA;;
let TOLIST_DEF = new_specification 'TOLIST_DEF' ['constant','TOLIST'] lemma;;

let SET_LIST_DEF = new_definition('SET_LIST_DEF',
  "SET_LIST (s:(*)set) = TOLIST s s");;

% SET_LIST_THM =
  |- !s. FINITE s ==>
       (!x. (x IN s = ELEM (SET_LIST s) x) /\ (CARD s = LENGTH (SET_LIST s))) %
let lm = CONV_RULE (ONCE_DEPTH_CONV SYM_CONV) (SPEC_ALL SET_LIST_DEF);;
let SET_LIST_THM = save_thm('SET_LIST_THM', PURE_ONCE_REWRITE_RULE [lm] TOLIST_DEF);;

let ELEM_SET_LIST = prove_thm('ELEM_SET_LIST',
  "!s:(*)set. FINITE s ==>
     (!x. ELEM (SET_LIST s) x ==> ?n. (n < CARD s) /\ (x = (EL n (SET_LIST s))))",
  GEN_TAC THEN DISCH_TAC THEN IMP_RES_TAC SET_LIST_THM
  THEN POP_ASSUM SUBST1_TAC THEN GEN_TAC THEN DISCH_TAC
  THEN IMP_RES_TAC ELEM_EL_IMP THEN EXISTS_TAC "n:num"
  THEN CONJ_TAC THEN FIRST_ASSUM ACCEPT_TAC);;

let ELEM_SET_LIST_INSERT = prove_thm('ELEM_SET_LIST_INSERT',
  "!(s:(*)set) x. FINITE s ==>
     !y. y IN (x INSERT s) = ELEM (SET_LIST (x INSERT s)) y",
  REPEAT GEN_TAC THEN STRIP_TAC THEN IMP_RES_TAC FINITE_INSERT
  THEN POP_ASSUM (\t. ASSUME_TAC (SPEC "x:*" t)) THEN IMP_RES_TAC SET_LIST_THM);;

let ELEM_SET_LIST_EQ = prove_thm('ELEM_SET_LIST_EQ',
  "!s t. (FINITE s /\ FINITE t) ==>
     ((s = t) = (!x. ELEM (SET_LIST s) x = ELEM (SET_LIST t) x))",
  REPEAT STRIP_TAC THEN IMP_RES_TAC SET_LIST_THM THEN ASM_REWRITE_TAC[EXTENSION]);;
```

## Index

-->, 169, 170 -->>, 169, 170 <-->, 169, 170 >-->, 169, 170 Abbreviated types Metwork, 87 ABS FIЫ. 200 ABS\_Join, 195 ABS\_isig, 186 ABS\_MAspect, 186 AB5\_Msig, 186 ABS\_Mtype, 186 ABS Part, 199 ABS Ploc. 194 ABS Point 195 ABS\_Ppos. 194 ABS\_ShAspect, 185 ABS\_Shaig, 185 ABS\_Signal, 187 ABS\_SubAspect, 185 ABS\_Subsig, 185 ABS Teir, 195 ABS\_Tstate, 195 APPLY, 141 APPLY DEF. 141 **BPART**, 82, 199 BPART, 201 BPART\_DEF, 201 clear, 75, 195, 197 clear\_DEF, 197 CONFLICT\_ROUTES, 133 CONFLICT\_ROUTES\_DEF. 133 CONFLICTING\_ROUTES, 128 CONFLICTING ROUTES DEF. 128 CONNECTED, 72 CONNECTED DEF, 72, 182 CONNECTED GRAPH, 183 CONNECTED INS.EDGE. 184 COMMECTED\_SING, 183 CR.PRS. 135 CR\_PRS\_DEF. 135 CR\_PTS, 135 CR\_PTS\_DEF. 135 CR.TAKE, 134 CR. TAKE DEF. 134 CR.TCIRCUITS, 136 CR\_TCIRCUITS\_DEF, 136 def\_tpart, 118 DEGREE, 53, 172, 174 DEGREE\_DEF. 53, 174 DELETE\_EDGE, 55, 171, 173, 175 DELETE EDGE\_COMM, 57, 176 DELETE\_EDGE\_DEF, 55, 175 DELETE\_INSERT\_EDGE, 177 DELETE.VERTEX, 55, 171, 173, 175 DELETE\_VERTEX\_COMM, 56, 176 DELETE\_VERTEX\_DEF. 55, 175 DISJ\_LIST, 67, 179, 180 DISJLIST\_APPEND, 67, 180 DISJ\_LIST\_COMM.
67, 180 DISJ\_LIST\_COMS, 67, 180 DISJLIST\_DEF, 67, 180 DISJLIST\_EMPTY, 180 DISJ\_PATH, 70, 182 DISJ\_PATH\_DEF, 70, 182 DNETWORK, 143 DMETWORK\_DEF, 143 double\_yellow, 189 double\_yellow, 78, 186 double\_yellow\_DEF, 189 double\_yellow\_flash\_DEF, 189 DPART, 82, 200 DPART, 201 DPART, 201 DPART\_DEF. 201 E.ADJA, 54, 172, 174 E\_ADJA\_DEF, 54, 174 E\_DELETE\_ABSORP, 176 e\_des, 172, 173 e\_des. 175 e\_des\_DEF, 173 E\_IMSERT\_ABSORP, 177 e\_src, 172, 173 e\_erc. 175 e erc DEF, 173 EDGE EQ. 176 EDGE\_IN\_INSERT. 177 EDGE\_IM\_IMSERT2, 177 EDGE\_IN\_INTER, 59, 177 EDGE\_IN\_UNION, 58, 178 EDGE INSERT EDGE 177 EDGES, 51, 52, 175 EDGES\_BETWEEN, 173, 174 EDGES BETWEEN DEF, 174 EDGES\_INSERT\_VERTEX, 177 EL\_SET, 66, 179, 180 EL\_SET\_APPEND, 66, 180 EL\_SET\_DEF, 66, 180 elb. 172, 173 elb. 175 elb\_DEF, 173 ELBL, 83, 200 **ELBL. 202** Elbl\_Axiom, 83, 202 Elbl.cases, 203 ELBL\_DEF, 202 Elbl.distinct, 203 Elbl\_Induct, 202 E1b1\_ISO\_DEF. 202 ELBL JOIN, 85, 200 ELBL\_JOIM, 202 ELBL\_JOIM\_DEF, 85, 202 Elblone one. 203 ELBL\_SIGNAL, 85, 200 RIBI STOWAL 202 ELBL SIGNAL DEF, 85, 202 E1b1\_TY\_DEF, 202 ELBLSIG, 83, 200 ELBLSIG, 202 ELBLSIG DEF. 202 ELEM, 65, 179, 180 ELEM\_APPEND, 65, 180 ELEM\_COMS, 65, 180 ELEM\_DEF. 65, 180 ELEM EL. 180 ELEM IN EL SET. 66, 180 ELEM NOT\_UNIQUE\_EL\_COMS. 180 ENTRY\_SIG. 134 ENTRY SIG DEF. 134 **ENTRY\_SIGNALS, 133** ENTRY\_SIGNALS\_DEF, 133 EOF ELIM. 122 E5, 172, 174 ES\_DEF, 174 EXIT\_SIG. 133 EXIT\_SIG\_DEF, 133 faulty\_aspect, 78, 186, 189 faulty\_aspect\_DEF, 189 FINITE\_GRAPH, 52, 172, 174 FINITE\_GRAPH\_DEF, 52, 174 FINITE GRAPH INSERT FOGE 177 four\_aspect, 78, 186, 190 four\_aspect\_DEF, 190 free\_move, 76, 195, 196 free move DEF, 196 free\_nor\_rev. 196 free\_nor\_sev, 76, 195 free nor rev DEF. 196 free\_rev\_nor, 196 free\_rev\_nor, 76, 195 free\_rev\_nor\_DEF, 196 FUN DEF. 170 FUN\_EMPTY\_LEFT, 171 FUN EMPTY RIGHT, 171 FIN T. 171 **FUNJINV. 
169, 170** PIN THY DER 170 FUN\_INV\_TY, 170 **FUN\_INVERSE, 170** FUN\_INVERSE\_DEF. 170 FUN ISO DEF. 170 FUM ISO o 170 FUN ONE ONE DEE 170 PUM ONE ONE o. 170 FUN\_ONTO\_DEF. 170 FUN\_ONTO\_o. 170 FUN\_PINVERSE, 169, 170 FUN\_PINVERSE\_DEF, 170 FUN.TY, 170 G\_IMS\_IMS\_E, 178 G\_INTER, 58, 171, 173, 175 G\_INTER\_ASSOC, 59, 177 G\_INTER\_DEF, 58, 175 G\_INTER\_IDENT, 59, 177 G\_INTER\_SYM, 59, 177 G\_UNION, 57, 171, 173, 175 Q\_UNION\_ASSDC, 58, 177 G\_UNION\_DEF, 57, 175 G.UNION\_IDENT, 58, 177 G\_UNION\_INS\_EDGES, 178 G\_UNION\_INSERT\_EDGES, 178 G\_UNION\_SYN, 57, 177 GRAPH, 49, 172, 173 GRAPH DECOMP, 175 GRAPH\_DEF. 49, 173 GRAPH DELETE EDGE, 56, 176 GRAPH\_DELETE\_VERTEX, 56, 176 GRAPH DIRECTED, 176 GRAPH EDGE\_VERTEX, 176 GRAPH\_EQ. 175 GRAPH\_EQUIV. 175 GRAPH EXISTS, 49, 175 GRAPH\_INSERT\_EDGE, 56, 176 GRAPH\_INSERT\_EDGES, 178 GRAPH\_INSERT\_VERTEX, 56, 176 GRAPH\_INTER, 58, 177 GRAPH.ISO, 61, 173, 175 GRAPH\_ISQ\_AUTO, 62, 179 GRAPH\_ISQ\_DEF. 61, 175 GRAPH.ISO.SYN. 62, 179 GRAPH ISO SYN INV. 62 GRAPH\_ISO\_SYM\_INV, 179 GRAPH\_ISO\_TRANS. 62, 179 GRAPH NOT VERTEX NOT EDGE, 175 GRAPH NOT VERTEX NOT EDGE2, 176 GRAPH\_PAIR, 175 GRAPH\_UNION, 57, 177 green, 78, 186, 189 green DEF, 189 green\_flash\_189 green\_flash, 78, 186 green\_flash\_DEF, 189 HAS\_LOOP, 51, 172, 174 HAS\_LOOP\_DEF, 51, 174 HAS\_PATH, 182, 183 HAS\_PATH\_DEF, 183 IGRAPH, 172, 174 IGRAPH DEF. 174 III CONV. 122 IN\_DEGREE, 53, 172, 174 IN\_DEGREE\_DEF, 53, 174 IN\_ELEM, 65, 180 IN\_INSERT\_EDGE, 176 IN\_INSERT\_VERTEX, 176 INCIDENT\_FROM, 52, 172, 174 INCIDENT\_FROM\_DEF, 52, 174 INCIDENT\_TO, 172, 174 INCIDENT TO DEF. 174 INCIDENT\_WITH, 52, 172, 174 INCIDENT\_WITH\_DEF, 52, 174 INCIDENT\_WITH\_INSERT\_VERTEX, 176 IEIT\_DEF, 149 INSERT\_DELETE\_VERTEX, 177 INSERT\_EDGE, 55, 89, 171, 173, 175 INSERT\_EDGE\_COMM, 56, 176 INSERT\_EDGE\_DEF. 
55, 175 INSERT\_VERTEX, 55, 89, 171, 173, 175 INSERT\_VERTEX\_COMM, 56, 176 INSERT\_VERTEX\_DEF, 55, 175 IS\_BPART, 84, 200 IS\_BPART, 201 IS\_BPART\_DEF. 201 IS\_DPART, 84, 200 IS\_DPART, 201 IS\_DPART\_DEF. 201 IS\_EDGE, 171, 173, 174 IS\_EDGE\_DEF. 174 IS\_ELBL\_SIGNAL, 85, 200 IS ELBL SIGNAL, 202 IS ELBL SIGNAL DEF, 85, 202 IS\_ICOND, 196, 198 IS\_JCOND\_DEF. 198 IS\_JINSU, 196, 198 IS\_JINSU\_DEF. 198 IS\_IOVER, 196, 198 IS\_JOVER\_DEF, 198 IS\_ITERM, 196, 198 IS\_JTERM\_DEF. 198 IS\_PPART, 84, 200 IS\_PPART, 201 IS\_PPART\_DEF, 201 IS\_PRE\_VER. 54, 172, 174 IS\_PRE\_VER\_DEF, 54, 174 IS\_SUC\_VER, 54, 172, 174 IS\_SUC\_VER\_DEF, 54, 174 IS\_TPART, 84, 200 IS\_TPART, 201 IS TPART DEF. 201 IS\_VERTEX, 122, 171, 173, 174 IS\_VERTEX\_DEF. 174 ISO\_FINV. 171 ISQ\_INVERSE, 171 J\_conduct, 74, 195, 198 J\_conduct\_DEF, 198 J\_FUNC, 186, 188 J\_FUNC\_DEF, 188 J\_insulate, 74, 195, 198 J\_insulate\_DEF, 198 J\_overlap, 74, 195, 198 Joverlap DEF, 198 Lterminate, 74, 196, 198 J\_terminate\_DEF, 198 Join Axion, 74, 199 Join\_cases, 199 Join\_const\_dist, 199 Join\_INDUCT, 199 Join\_ISQ\_DEF, 197 Join TY DEF. 197 JSIG, 79, 186, 188 Jaig\_Axion, 79, 192 Jsig\_cases, 192 JSIG\_DEF, 188 Jaig\_INDUCT, 192 Jaig\_ISO\_DEF. 188 Jaig one one, 192 Jaig\_TY\_DEF, 188 LEFT FINV. 170 LEFT\_RIGHT\_PIEV, 171 locked, 75, 195, 197 locked\_DEF, 197 Logical types Elbl, 83, 87, 199 Join, 74, 194 Jaig, 79, 185 MAspect, 78, 185 Maig, 78, 185 Htype, 78, 185 Part. 82, 86, 199 Ploc. 76, 194 Point, 77, 194 Ppos. 76, 194 Shaspect, 80, 185 Shaig, 80, 185 Signal, 80, 185 Sub&spect, 79, 185 Subsig, 79, 185 Tcir. 75, 194 Tetate, 75, 194 LOOP, 51, 172, 174 LOOP DEF, 51, 174 LSA imp LSA. 147 LSA, 146 LSA. 146 LSA eq.PLSA, 146, 151 M\_ASPECT, 186, 190 M ASPECT DEF 190 M\_FUNC. 186, 190 M. FUNC DEF. 190 M.TYPE, 186, 190 M\_TYPE\_DEF. 190 MAIN FAULTY, 79, 186, 190 MAIN\_FAULTY\_DEF, 79, 190 MAIN\_OFF, 79, 186, 190 MAIN\_DFF\_DEF. 79, 190 MAIN.ON. 79, 186, 190 MAIN\_ON\_DEF. 
79, 190 MAspect Axiom, 78, 192 MARDect\_cases, 193 MAspect\_const\_dist, 192 MARDOCT\_INDUCT, 193 MASDACT\_ISD\_DEF. 189 MARDOCK TY DEF. 189 mk\_njoin, 119 MK\_SUBGRAPH, 61, 173, 175 MK SUBGRAPH DEF. 61, 175 MK\_SUBGRAPH\_GRAPH, 61, 179 MK\_SUBGRAPH\_SUBGRAPH, 61, 179 moving, 76, 194, 196 moving DEF, 196 MSIG, 78, 186, 190 Maig\_Axion, 78, 193 Msig\_cases, 193 MSIG\_DEF, 190 Mair\_INDUCT, 193 Maig\_ISO\_DEF, 190 Maig one one, 193 Hair\_TY\_DEF, 190 Mtype\_Axiom, 78, 193 Mtype\_cases, 193 Mtype\_const\_dist, 193 Mtvpe\_INDUCT, 193 Mtype\_ISO\_DEF. 189 Mtype\_TY\_DEF. 189 MULTI\_EDGE, 51, 172, 174 MULTI\_EDGE\_DEF, 51, 174 NETWORK, 88, 101, 116, 203 HETWORK BUFFER, 95, 204 network\_canon, 123 METWORK\_COMMECTED, 100, 103, 204 WETWORK\_DEF. 88, 95, 115, 120, 203 METWORK DIAM, 95, 204 WETWORK FINITE, 99, 204 NETWORK FINITE GRAPH, 99, 204 METWORK GRAPH, 98, 99, 100, 204 METWORK INDUCT, 96, 204 NETWORK MJOIN, 96, 120, 204 NETWORK POINT, 95, 204 METWOKK SIMP, 120 METWORK STRP 204 NETWORK\_STATE, 140 WETWORK STATE DEF. 140, 141 METWORK TRACK, 95, 204 NFC, 89, 122, 203 MFC\_DEF. 89, 203 MFC\_SIMP. 204 NJOIN, 90, 91, 93, 96, 100, 101, 203 MJOIN\_DEF, 90, 203 MUNITURED, 204 MJQIMEXP2, 204 **NORM. 132** HORM DEF. 132 NORM POINTS, 132 NORM\_POINTS\_DEF. 132 normal, 76, 194, 196 normal DEF, 196 NOT RIEN UNIQUE EL CONS. 180 NOT IN SAME GRAPH, 176 NOT IN SAME SET, 176 MOT\_MULL\_VER\_LIST, 180 MOT\_MULL\_VER\_LIST\_COMS, 181 BOT UNIQUE EL COMS. 181 NOT VER IMP. NEC. 204 NOT VER INCIDENT EMPTY, 176 HOT\_VERTEX\_HOT\_EDGE, 175 NULL GRAPH, 172 MULL\_GRAPH, 173 MULL\_MIL, 180 WULL\_MOT\_ELEM, 65, 180 occupied, 75, 195, 197 occupied DEF, 197 OFF, 81, 187, 191 OFF\_DEF, 81, 191 ON, 81, 187, 191 OW\_DEF, 81, 191 OUT\_DEGREE, 53, 172, 174 OUT\_DEGREE\_DEF, 53, 174 PARSE\_file, 117 Part Axiom, 82, 202 Part.cases, 202 PART\_CIRCUIT, 84, 200 PART\_CIRCUIT, 201 PART\_CIRCUIT\_DEF. 
201 PART\_DIA1, 84, 200 PART\_DIA1, 201 PART\_DIA2, 84, 200 PART\_DIA2\_DEF, 201 PART\_DIA\_DEF, 201 Part\_distinct, 202 Part\_EG\_CONV. 122 PART\_ID, 84, 200 PART\_ID, 201 PART\_ID\_DEF, 201 Part Induct 202 Part\_ISO\_DEF. 200 Part one one 202 PART\_PNT\_NORMAL, 84 PART\_PNT\_REVERSE, 84 PART\_PNT\_TRAILING, 84 PART\_PNT\_NORMAL, 200 PART\_PHT\_HORMAL, 201 PART\_PHT\_MORMAL\_DEF, 201 PART\_PNT\_REVERSE, 200 PART\_PHT\_REVERSE, 201 PART\_PUT\_REVERSE\_DEF, 201 PART\_PNT\_TRAILING, 200 PART\_PHT\_TRAILING, 201 PART\_PHT\_TRAILING\_DEF. 201 PART\_POINT, 84, 200 PART\_POINT, 201 PART\_POINT\_DEF. 201 Part TY\_DEF. 200 PATH, 69, 182 PATH\_APPEND, 71, 184 PATH\_CONNECTED, 183 PATH\_COMS. 70, 184 PATH\_DEF. 69, 182 PATH\_EDGE\_NO\_LOOP, 184 PATH ELEM IS EDGE, 184 PATH\_ELEN\_VER\_LIST\_IS\_VERTEX\_ 184 PATH\_ENTRY, 69, 182 PATH ENTRY APPEND, 183 PATH\_ENTRY\_COMS\_ 183 PATE ENTRY DEF. 69, 182 PATH\_ENTRY\_SIND, 183 PATH\_EXIT, 69, 182 PATH\_EXIT\_APPEND, 183 PATH\_EXIT\_COMS, 183 PATH\_EXIT\_DEF, 69, 182 PATH EXIT SIMP, 183 PATH\_G\_UNION, 71, 184 PATH GRAPH 183 PATH\_INS\_EDGE, 72, 184 PATH INS EDGE2, 184 PATH\_INS\_INS\_CONS. 184 PATH\_INS\_VERTEX, 72, 184 PATH IS EDGE, 184 PATH IS VERTEX 184 PATH\_NOT\_NIL, 184 PATH\_MOT\_WULL, 183 PATH SIMP, 184 PATH\_TRAIL, 183 PATH\_WALK, 183 PATH\_WALK\_ENTRY, 183 Ploc\_Axiom, 76, 198 Ploc\_cases, 198 Ploc const dist. 198 Ploc\_INDUCT, 198 Ploc\_ISO\_DEF. 196 Ploc\_TY\_DEF, 196 PLSA, 146 PLSA, 146 PNTJD, 195, 197 PHT\_ID\_DEF. 197 PNT\_LOC, 195, 197 PHT LOC DRF. 197 PNT\_NORMAL, 77, 195, 197 PATH\_CAT. 184 PMT\_MORMAL\_DEF. 77, 197 PNT\_POS. 195, 197 PMT\_POS\_DEF. 197 PNT\_REVERSE, 77, 195, 197 PUT REVERSE DEF. 77, 197 PNT RLOCKED, 195, 197 PWT\_RLOCKED\_DEF, 197 PNT\_STATE\_FUNCS, 139, 140 PWT\_STATE\_FUNCS\_DEF. 139, 140 POINT, 77, 195, 196 Point Axion, 77, 198 Point\_cases, 198 POINT DEF. 196 Point\_INDUCT, 198 Point\_ISO\_DEF, 196 Point one one, 198 Point\_TY\_DEF. 196 PPART, 82, 200 PPART, 201 PPART\_DEF. 201 Pros. Axiom. 
76, 198 Ppos\_cases, 198 Ppos\_const\_dist, 198 Pros\_INDUCT, 198 Pros. ISO DEF. 196 Pros.TY DEF. 196 PRE\_VERS, 54, 172, 174 PRE\_VERS\_DEF, 54, 174 prove\_in\_network, 122 prove\_network\_edge, 120 prove\_network\_nicin, 119, 120 prove\_simple\_network, 120 prove\_MFC, 122 prove\_not\_in\_network, 122 PSUBGRAPH, 173, 175 PSUBGRAPH DEF, 175 PSUBGRAPH DELETE EDGE, 178 PSUBGRAPH DELETE VERTEX, 179 PSUBGRAPH\_IRREFL, 178 PSUBGRAPH\_SUBGRAPH, 178 RED, 187, 190 red, 78, 186, 189 PSUBGRAPH\_TRANS, 178 RED\_DEF. 190 red\_DEF, 189 remote Jocked, 76 remote locked, 195, 196 remote locked DEF 196 REP EIЫ, 200 REP Join, 195 REP\_Jaig. 186 REP\_MAnnect, 186 REP\_Msig. 186 REP\_Mtype, 186 REP\_Part, 199 REP\_Ploc, 194 REP\_Point, 195 REP\_Ppos. 194 REP\_ShAspect, 185 REP\_Shaig. 185 REP\_Signal, 187 REP\_SubAspect, 185 REP\_Subsig. 185 REP. Tcir, 195 REP. Tstate, 195 **REV. 132** REV\_DEF. 132 REV\_POINTS, 132 REV POINTS DEF. 132 reverse, 76, 194, 196 reverse\_DEF, 196 RIGHT\_FINV, 170 **ROUTE, 127, 130** ROUTE\_DEF. 127, 130 ROUTE\_EDGES, 128 ROUTE EDGES DEF. 128 ROUTE\_PARTS, 128 ROUTE PARTS DEF. 128 ROUTE\_PROVED, 145 ROUTE\_PROVED\_DEF, 145 ROUTE\_TAIL, 127 ROUTE\_TAIL\_DEF, 127, 129, 130 SET\_LIST\_THM, 140 sh\_faulty, 80, 185, 188 sh\_faulty\_DEF, 188 sh\_off, 80, 185, 187 shoff DEF 187 sh.on, 80, 185, 187 ab\_on\_DEF, 187 Shaspect\_Axiom, 80, 192 Shaspect\_cases, 192 Shaspect\_const\_dist, 192 Shaspect\_IMDUCT, 192 Shaspect\_ISO\_DEF. 187 Shaspect\_TY\_DEF, 187 Shwig\_Axiom, 80, 192 Sheig\_cases, 192 Sheig\_INDUCT, 192 Shaig\_ISO\_DEF, 188 Shaig\_one\_one, 192 Sheig Ty DEF. 188 SHUNT\_FAULT, 185, 188 SHUNT\_FAULT\_DEF, 188 SHUNT\_FUNC, 185, 188 SHUBT\_FUNC\_DEF. 188 SHUNT\_NOT\_ON\_OFF, 194 SHUNT\_OFF, 185, 188 SHUNT DFF DEF. 188 SHUNT\_ON, 185, 188 SHUFT OF DEF. 188 SHUNTSIG, 80, 185, 188 SHUNTSIG DEF, 188 SIG\_SFUNC, 187, 191 SIG\_SFUNC, 140 SIG\_SPUNC\_DEF. 
191 SIG\_STATE\_FUNCS, 139 SIG\_STATE\_FUNCS\_DEF, 139, 140 Signal Axion, 80, 193 Signal\_cases, 194 SIGNAL\_FAULT, 191 SIGNAL\_FAULT, 81, 187 SIGNAL FAULT DEF, 81, 191 SIGNAL JD, 80, 187, 191 SIGNAL\_ID\_DEF, 80, 191 Signal\_INDUCT, 194 Signal\_ISO\_DEF, 190 SIGNAL JUNC. 187, 191 SIGNAL JUNC DEF, 191 SIGNAL\_MAIN, 81, 187, 191 SIGNAL MAIN DEF. 81, 191 SIGNAL MOT ON OFF, 82, 194 Signal one one, 193 SIGNAL SHUNT, 187, 191 SIGNAL SHURT DEF. 191 SIGNAL STATE, 194 SIGNAL STATES, 82 SIGNAL\_SUB. 187, 191 SIGNAL SUB DEF. 191 Signal TY DEF. 190 SIGNALM, 80, 187, 190 SIGNALM DEF. 190 SIGNALMJ, 80, 187, 190 SIGNALMJ DEF. 190 SIGNALMS, 80, 187, 191 SIGNALMS DEF. 191 SIGNALMSJ, 80, 187, 191 SIGNALMSJ.DEF, 191 SIGNALS, 80, 187, 191 SIGNALS DEF, 191 SIMPLE\_GRAPH, 52, 172, 174 SIMPLE GRAPH DEF, 52, 174 SUB\_FUNC, 185, 188 SUB\_FUNC\_DEF, 188 sub\_not\_show, 79, 185, 188 sub\_not\_show\_DEF, 188 SUB\_OFF, 185, 188 sub\_off, 79, 185, 188 SUB\_OFF\_DEF. 188 sub\_off\_DEF, 188 SubAspect Axion, 79, 192 SubAspect\_cases, 192 SubAspect\_const\_dist, 192 SubAspect\_INDUCT, 192 SubAspect ISO DEF. 188 SubAspect\_TY\_DEF, 188 SUBGRAPH, 60, 173, 175 SUBGRAPH\_ANTISYN, 60, 178 SUBGRAPH DEF. 60, 175 SUBGRAPH DELETE EDGE, 60, 178 SUBGRAPH DELETE VERTEX, 61, 179 SUBGRAPH\_GRAPH, 60, 178 SUBGRAPH REFL. 60, 178 SUBGRAPH\_TRANS. 60, 178 SUBSIG, 79, 185 Subsig\_Axiom, 79, 192 Subsig\_cases, 192 SUBSIG\_DEF, 188 Subsig\_INDUCT, 192 Subsig\_INDUCT, 192 Subsig\_INDUCT, 192 Subsig\_INDUCT, 188 SUC\_VERS, 54, 172, 174 SUC\_VERS, 54, 172, 174 TC CLEAR, 195, 197 TO CLEAR DEF 197 TCJD, 195, 197 TC ID DEF. 197 TC LOCKED, 195, 197 TC\_LOCKED\_DEF. 197 TC\_OCCUPIED, 195, 197 TC\_OCCUPIED\_DEF. 197 TC\_SFUNC, 195, 197 TC\_SFUNC\_DEF. 197 TC.ST. 195, 197 TC\_ST\_DEF, 197 TC\_STATE\_FUNCS, 139 TC\_STATE\_FUNCS\_DEF, 139 TCIR. 75, 195, 197 Tcir\_Axiom, 75, 199 Tcir\_cases, 199 TOTA DEF 197 Teir\_INDUCT, 199 Tcir\_ISO\_DEF. 197 Tcir\_one\_one, 199 Toir TY DEF. 197 TCIRCUITS, 132 TCIRCUITS DEF. 
132 three\_aspect, 78, 186, 190 three\_aspect\_DEF, 190 three\_repeat, 78, 186, 190 three\_repeat\_DEF, 190 TL\_VER\_LIST, 181 TPART, 82, 89, 200 TPART, 201 TPART\_DEF, 201 TRAIL, 68, 182 TRAIL DEF, 68, 182 TRAIL MALK, 183 Textec\_Assa, 199 Textec\_Assa, 199 Textec\_Const\_dist, 198 Textec\_LEDUCT, 199 Textec\_STO\_DEF, 197 Textec\_TT\_DEF, 197 two.aspect\_DEF, 190 two.aspect\_DEF, 180, 190 two\_repeat\_DEF, 180, 190 two\_repeat\_DEF, 190 UNIQUE.EL, 86, 179, 180 UNIQUE EL APPEND, 181 UNIQUE EL COUS, 181 UNIQUE EL DEF, 66, 180 UNIQUE EL SIMP, 180 UNIQUE EL TIL, 180 UNIQUE EL TIL, 181 UNIQUE YEL CONS, 181 UNIQUE VER LIST.TL, 181 UNIQUE VER LIST.CONS, 181 UNIQUE VER LIST.CONS, 181 V DELETE\_ABSORP, 176 V.INSERT ABSORP, 177 V.L. 68, 179, 180 V.L.APPEND, 68, 180 V.L.DEF. 68, 180 VER\_ADJA, 53, 172, 174 VER\_ADJA\_DEF, 53, 174 VER INCIDENT MOT EMPTY, 176 VER LIST, 68, 179, 180 VER LIST APPEND, 68, 181 VER\_LIST\_COMS, 68, 181 VER\_LIST\_DEF, 68, 180 verify, 117 VERTEX EDGE, 176 VERTEX\_IN\_INS\_VERTEX, 177 VERTEX\_IN\_INTER, 59, 177 VERTEX\_IN\_UNION, 58, 178 VERTEX\_INSERT\_EDGE, 178 VERTEX INSERT.VERTEX, 177 **VERTICES**, 51, 175 VERTICES\_IN\_UNION, 178 VERTICES\_INSERT\_EDGE, 177

# THE BRITISH LIBRARY BRITISH THESIS SERVICE

| TITLE | A Formal Theory of Railway Track Networks in Higher-order Logic and its Applications in Interlocking Design |
|---|---|
| AUTHOR | Wai Wong |