Guaranteeing functional safety: design for provability and computer-aided verification


When autonomous robots begin to share the human living and working spaces, safety becomes paramount. It is legally required that the safety of such systems is ensured, e.g. by certification according to relevant standards such as IEC 61508. However, such safety considerations are usually not addressed in academic robotics. In this paper we report on one such successful endeavor, which is concerned with designing, implementing, and certifying a collision avoidance safety function for autonomous vehicles and static obstacles. The safety function calculates a safety zone for the vehicle, depending on its current motion, which is as large as required but as small as feasible, thus ensuring safety against collision with static obstacles. We outline the algorithm which was specifically designed with safety in mind, and present our verification methodology which is based on formal proof and verification using the theorem prover Isabelle. The implementation and our methodology have been certified for use in applications up to SIL 3 of IEC 61508 by a certification authority (TÜV Süd Rail GmbH, Germany). Throughout, issues we recognized as being important for a successful application of formal methods in robotics are highlighted. Moreover, we argue that formal analysis deepens the understanding of the algorithm, and hence is valuable even outside the safety context.

This is a preview of subscription content, log in to check access.

Access options

Buy single article

Instant unlimited access to the full article PDF.

US$ 39.95

Price includes VAT for USA

Subscribe to journal

Immediate online access to all issues from 2019. Subscription will auto renew annually.

US$ 99

This is the net price. Taxes to be calculated in checkout.


  1. Althoff, M., Althoff, D., Wollherr, D., & Buss, M. (2010). Safety verification of autonomous vehicles for coordinated evasive maneuvers. In Intelligent vehicles symposium (IV), 2010 IEEE (pp. 1078–1083).

  2. ANSI R15.06 (1999). Industrial robots and robot systems—safety requirements.

  3. Barnes, J. (2003). High integrity software: the SPARK approach to safety and security. Reading: Addison-Wesley.

  4. Baudin, P., Cuoq, P., Filliâtre, J. C., Marché, C., Monate, B., Moy, Y., & Prevosto, V. (2008). ACSL: ANSI C specification language., version 1.4, retrieved Jan 2011.

  5. Bengtsson, J., Larsen, K. G., Larsson, F., Pettersson, P., & Yi, W. (1995). Uppaal—a tool suite for automatic verification of real-time systems. In Lecture notes in computer science: Vol1066. Proc. of workshop on verification and control of hybrid systems III (pp. 232–243). Berlin: Springer.

  6. Bensalem, S., Gallien, M., Ingrand, F., Kahloul, I., & Nguyen, T. H., (2009). Designing autonomous robots: toward a more dependable software architecture. IEEE Robotics & Automation Magazine, 16(1), 67–77.

  7. Bensalem, S., Bozga, M., Nguyen, T. H., & Sifakis, J. (2010a). Compositional verification for component-based systems and application. IET Software, 4(3), 181–193. doi:10.1049/iet-sen.2009.0011.

  8. Bensalem, S., da Silva, L., Gallien, M., Ingrand, F., & Yan, R. (2010b). Verifiable and correct-by-construction controller for robots in human environments. In DRHE 2010 dependable robots in human environments, seventh IARP workshop on technical challenges for dependable robots in human environments, Toulouse, France.

  9. Braman, J. M. B. (2009). Safety verification of goal-based control programs for autonomous robotic systems. Talk at ICRA09 workshop on formal methods in robotics.

  10. Braman, J. M. B., Murray, R. M., & Wagner, D. A. (2007). Safety verification of a fault tolerant reconfigurable autonomous goal-based robotic control system. In Proceedings of the IEEE/RSJ international conference on intelligent robots and systems (pp. 853–858), San Diego.

  11. Burdy, L., Cheon, Y., Cok, D., Ernst, M. D., Kiniry, J., Leavens, G. T., Leino, K. R. M., & Poll, E. (2005). An overview of JML tools and applications. International Journal on Software Tools for Technology Transfer, 7(3), 212–232.

  12. Cohen, E., Dahlweid, M., Hillebrand, M., Leinenbach, D., Moskal, M., Santen, T., Schulte, W., & Tobies, S. (2009). VCC: a practical system for verifying concurrent C. In Lecture notes in computer science: Vol5674. TPHOLs 2009. Berlin: Springer.

  13. Dion, B., & Gartner, J. (2005). Efficient development of embedded automotive software with IEC 61508 objectives using SCADE drive. In VDI 12th international conference: electronic systems for vehicles, VDI (pp. 1427–1436).

  14. Dolginova, E., & Lynch, N. (1997). Safety verification for automated platoon maneuvers: a case study. In Lecture notes in computer science: Vol1201. Hybrid and real-time systems (pp. 154–170). Berlin: Springer.

  15. Du Toit, N. E., Wongpiromsarn, T., Burdick, J. W., & Murray, R. M. (2008). Situational reasoning for road driving in an urban environment. In Intelligent vehicle control systems: proceedings of the 2nd international workshop on intelligent vehicle control systems (IVCS) (pp. 30–39). Setubal: INSTICC Press.

  16. EN 1525 (1997). Safety of industrial trucks—driverless trucks and their systems.

  17. Ericson, C. (2005). Real-time collision detection. San Mateo: Morgan Kaufmann.

  18. European Parliament and Council (2006). Directive 2006/42/EC. Official Journal of the European Union L 157.

  19. Fiorini, P., & Shillert, Z. (1998). Motion planning in dynamic environments using velocity obstacles. The International Journal of Robotics Research, 17, 760–772.

  20. Fox, D., Burgard, W., & Thrun, S. (1997). The dynamic window approach to collision avoidance. IEEE Robotics & Automation Magazine, 4(1), 23–33.

  21. Fraichard, T. (2007). A short paper about motion safety. In Proceedings of the IEEE international conference on robotics and automation.

  22. Fraichard, T., & Asama, H. (2004). Inevitable collision states—a step towards safer robots? Advanced Robotics, 18(10), 1001–1024.

  23. Gates, B. (2007). A robot in every home. Scientific American, 296(January), 58–65. doi:10.1038/scientificamerican0107-58.

  24. Gordon, M., Milner, R., & Wadsworth, C. (1979). Lecture notes in computer science: Vol78. Edinburgh LCF: a mechanised logic of computation. Berlin: Springer.

  25. Gurevich, Y. (2000). Sequential abstract state machines capture sequential algorithms. ACM Transactions on Computational Logic, 1(1), 77–111.

  26. Harel, D. (1987). StateCharts: a visual formalism for complex systems. Science of Computer Programming, 8, 231–274.

  27. Henzinger, T. A., Ho, P. H., & Wong-Toi, H. (1997). HyTech: a model checker for hybrid systems. Software Tools for Technology Transfer, 1, 110–122.

  28. Hoare, C. A. R. (2009). Viewpoint: retrospective: an axiomatic basis for computer programming. Communications of the ACM, 52(10), 30–32.

  29. Holzmann, G. J. (2003). The SPIN model checker: primer and reference manual. Reading: Addison-Wesley.

  30. IEC 61508 (2000). Functional safety of electrical/electronic/programmable electronic safety-related systems.

  31. ISO 10218-1 (2006). Robots for industrial environments—safety requirements—part 1: Robot.

  32. ISO 15623 (2002). Road vehicles: forward vehicle collision warning system—performance requirements and test procedures.

  33. ISO 26262 (2011). Road vehicles—functional safety (Final draft).

  34. Khatib, O. (1986). Real-time obstacle avoidance for manipulators and mobile robots. The International Journal of Robotics Research, 5(1), 90–98.

  35. Lankenau, A., & Röfer, T. (2001). A safe and versatile mobility assistant. IEEE Robotics & Automation Magazine, 8(1), 29–37.

  36. Loos, S., Platzer, A., & Nistor, L. (2011). Adaptive cruise control: hybrid, distributed, and now formally verified. In Lecture notes in computer science: Vol6664. Formal methods (pp. 42–56). Berlin: Springer.

  37. Lüth, C., & Walter, D. (2009). Certifiable specification and verification of C programs. In Lecture notes in computer science: Vol5850. Formal methods (pp. 419–434). Berlin: Springer.

  38. Meikle, L., & Fleuriot, J. (2009). Mechanical theorem proving in computational geometry. In Lecture notes in computer science: Vol3763. Automated deduction in geometry. Berlin: Springer.

  39. Meyer, B. (1991). Design by contract. In D. Mandrioli & B. Meyer (Eds.), Advances in object-oriented software engineering (pp. 1–50). New York: Prentice Hall.

  40. Minguez, J., & Montano, L. (2004). Nearness diagram (ND) navigation: collision avoidance in troublesome scenarios. IEEE Transactions on Robotics and Automation, 20(1), 45–59.

  41. MISRA (2004). MISRA-C:2004—guidelines for the use of the C language in critical systems. Nuneaton: Motor Industry Research Association (MIRA) Limited.

  42. Nilsson, N. J. (1984). Shakey the robot. Tech. rep. 323, SRI International, Menlo Park, California.

  43. Nipkow, T., Paulson, L. C., & Wenzel, M. (2002). Lecture notes in computer science: Vol2283. Isabelle/HOL—a proof assistant for higher-order logic. Berlin: Springer.

  44. Parthasarathi, R., & Fraichard, T. (2007). An inevitable collision state-checker for a car-like vehicle. In Proceedings of the IEEE international conference on robotics and automation.

  45. Philippsen, R., & Siegwart, R. (2003). Smooth and efficient obstacle avoidance for a tour guide robot. In Proceedings of the IEEE international conference on robotics and automation.

  46. Platzer, A., & Clarke, E. M. (2009). Formal verification of curved flight collision avoidance maneuvers: a case study. In Lecture notes in computer science: Vol5850. Formal methods (pp. 547–562). Berlin: Springer.

  47. Puri, A., & Varaiya, P. (1995). Driving safely in smart cars. In Proceedings of the American control conference (Vol5, pp. 3597–3599).

  48. Rabe, C., Franke, U., & Gehrig, S. (2007). Fast detection of moving objects in complex scenarios. In Proceedings of the IEEE intelligent vehicles symposium (pp. 398–403).

  49. Roscoe, A. W. (1998). The theory and practice of concurrency. New York: Prentice Hall.

  50. RT-Tester (2006). User manual. Verified Systems International GmbH,, retrieved Jan. 2011.

  51. Schlegel, C. (1998). Fast local obstacle avoidance under kinematic and dynamic constraints for a mobile robot. In Proceedings of the IEEE/RSJ international conference on intelligent robots and systems.

  52. Simon, D., Pissard-Gibollet, R., & Arias, S. (2006). Orccad, a framework for safe robot control design and implementation. In 1st national workshop on control architectures of robots: software approaches and issues CAR’06, Montpellier, France.

  53. Täubig, H., Bäuml, B., & Frese, U. (2011). Real-time swept volume and distance computation for self collision detection. In Proceedings of the IEEE/RSJ international conference on intelligent robots and systems (IROS), San Francisco, CA, United States.

  54. Varaiya, P. (1993). Smart cars on smart roads: problems of control. IEEE Transactions on Automatic Control, 38(2), 195–207.

  55. Victorino, A. C., Rives, P., & Borelly, J. J. (2003). Safe navigation for indoor mobile robots. Part I: A sensor-based navigation framework. The International Journal of Robotics Research, 22(12), 1005–1118.

  56. Winner, H., Haskuli, S., & Wolf, G. (Eds.) (2009). Handbuch Fahrerassistenzsysteme. Berlin: Vieweg+Teubner (in German).

  57. Wongpiromsarn, T., Mitra, S., Murray, R., & Lamperski, A. (2009). Periodically controlled hybrid systems. In Lecture notes in computer science: Vol5469. Hybrid systems: computation and control (pp. 396–410). Berlin: Springer.

Download references

Author information

Correspondence to Holger Täubig.

Electronic Supplementary Material

Below is the link to the electronic supplementary material.

(AVI 17.0 MB)

(AVI 17.0 MB)

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Täubig, H., Frese, U., Hertzberg, C. et al. Guaranteeing functional safety: design for provability and computer-aided verification. Auton Robot 32, 303–331 (2012).

Download citation


  • Collision detection
  • Functional safety
  • Formal verification
  • Certification
  • IEC 61508
  • Braking model
  • Mathematical proof