|
| Type | Property | BNF statement | Result |
|
| Logic verification statements | IMA system is not deadlock | A[] not deadlock | Satisfy |
| Application layer works normally | E<>AL.Off or AL.Work | Satisfy |
| Operating system works normally | E<>OS.Idle or OS.AE or OS.HM | Satisfy |
| Generic system management works normally | E<>GSM.Idle or GSM.CM or GSM.SM or GSM.HM or GSM.FM | Satisfy |
| Module support layer works normally | E<>MSL.Idle or MSL.AE or MSL.HM | Satisfy |
| Common functional module works normally () | E<>CFMX.Idle or CFMX.Work or CFMX.Check or CFMX.Fault | Satisfy |
|
| Time-series verification statements | The MSL will not load the module until the system is configured or reconfigured | A[]MSL.AE imply (C==1 or RC==1) | Satisfy |
| MSL will enter HM only after the module works | A[]MSL.HM imply (s[0]!=0 and s [1]!=0 and s[2]!=0 and s [3]!=0 ) | Satisfy |
| MSL will enter HM only after MSL and OS enter HM | A[]GSM.HM imply (MSL_HM_s! =0 and OS_HM_s!=0) | Satisfy |
| GSM will enter FM after detecting faulty | A[]GSM.FM imply (HM_s!=2&& HM_s!=3) | Satisfy |
| GMS will enter CM after FM provides the solution | E<>GSM.CM imply RC==1 | Satisfy |
|
