Making Implicit Safety Requirements Explicit

An AUTOSAR Safety Case
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8666)


Safety standards demand stringent requirements on embedded systems used in safety-critical applications such as automotive, railways, and aerospace. In the automotive domain, the AUTOSAR software architecture provides some mechanisms to fulfill the ISO 26262 requirements. The verification of these mechanisms is a challenging problem, and it is not always clear in which context the safety requirements are supposed to be met.

In this paper, we report on a case study developed in the SafeCer project, where we combined contract-based design and model-based testing. A contract-based approach has been used to formalize the safety requirements for detecting communication failures. The formal specification shows under which assumptions the AUTOSAR protection mechanism fulfills these requirements. A model-based testing approach has been used to test the software implementing such a protection mechanism. The model used for testing has been model checked against the contract specification, ensuring that the system-level safety requirements are met.


Keywords: Formal Methods, Contract-Based Design, Testing, AUTOSAR





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. QuviQ and FBK, Italy
