Automated Formal Verification of the TTEthernet Synchronization Quality

  • Wilfried Steiner
  • Bruno Dutertre
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6617)


Clock synchronization is the foundation of distributed real-time architectures such as the Time-Triggered Architecture. Keeping the local clocks synchronized is particularly important for fault tolerance, as it allows one to use simple and effective fault-tolerance algorithms that have been developed in the synchronous system model.

Clock synchronization algorithms have been extensively studied since the 1980s, and many fundamental results have been established. Traditionally, the correctness of a new clock synchronization algorithm is shown by reduction to these results. Until now, formal proofs of correctness all relied on interactive theorem provers such as PVS or Isabelle/HOL. In this paper, we present an automated proof of the TTEthernet clock-synchronization algorithm that is based on the SAL model checker.


Keywords: Model Checker; Formal Proof; Clock Synchronization; Local Clock; Correct Clock





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Wilfried Steiner (1)
  • Bruno Dutertre (2)
  1. TTTech Computertechnik AG, Chip IP Design, Vienna, Austria
  2. SRI International, Computer Science Laboratory, Menlo Park, USA
