Formal Aspects of Computing, Volume 20, Issue 6, pp 637–662

On the correctness of upper layers of automotive systems

  • Jewgenij Botaschanjan
  • Manfred Broy
  • Alexander Gruler
  • Alexander Harhurin
  • Steffen Knapp
  • Leonid Kof
  • Wolfgang Paul
  • Maria Spichkova
Original Article


Formal verification of software systems is a challenge that is particularly important in the area of safety-critical automotive systems. Here, approaches like direct code verification are far too complicated unless the verification is restricted to small textbook examples. Furthermore, the verification of application logic is of limited use in an industrial context unless the underlying operating system and the hardware are verified, too. This paper introduces a generic model stack that allows the verification of all system layers as well as of the concrete application models used in the upper layers. The presented models and proofs close the gap between the correctness proof for the lower layers of car electronics developed at Saarland University and the verification procedure for distributed applications developed at the Technische Universität München.


Keywords: Formal verification, Automotive software, Model-based development, Time-triggered systems





Copyright information

© British Computer Society 2008

Authors and Affiliations

  • Jewgenij Botaschanjan (1)
  • Manfred Broy (1)
  • Alexander Gruler (1)
  • Alexander Harhurin (1)
  • Steffen Knapp (2)
  • Leonid Kof (1)
  • Wolfgang Paul (2)
  • Maria Spichkova (1)

  1. Institut für Informatik, Technische Universität München, Garching bei München, Germany
  2. Department of Computer Science, Saarland University, Saarbrücken, Germany
