-- This example is taken from Timed Automata by Rajeev Alur and adapted to the CHESS environment.
-- see Alur R. (2000) Timed Automata. In: Inan M.K., Kurshan R.P. (eds) Verification of Digital and Hybrid Systems. NATO ASI Series (Series F: Computer and Systems Sciences), vol 170. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-59615-5_12 

--------------------------------Train-Gate-Controller--------------------------------

Consider an example of an automatic controller that opens and closes a gate at a railroad crossing. The system is
composed of three components: Train, Gate and Controller. 

Each component has its own (real-valued) clock that allows to specify the system behaviour in terms of timing constraints.

With each transition, a clock constraint can be associated, thus requiring that the transition may be taken only if the current values of the clocks satisfy this constraint. 
With each state, a clock constraint can be associated, called its invariant, thus requiring that time can elapse in a state only as long as its invariant stays true.

The safety correctness requirement for the system is that whenever the train is inside the gate, the gate should be closed. 

In order to check that, the following ltlspecs and invariants need to be verified:

ltlspec -- G (enter -> down) 
    -- if train is inside the gate, then the gate is closed.

ltlspec -- G (!down -> !enter)
    -- if the gate is not down, then the train does not enter.

invar -- !(enter & up)
    -- the train is not inside the gate while the gate is up.

The following ltlspecs and invariants will fail:

ltlspec -- G (enter -> up)
    -- if the train is inside the gate, then the gate is open.

invar -- !(enter & down)
    -- the train is not inside the gate while the gate is down.

-----------------------------------------------------------------------
