This paper describes the formal verification of a fault-tolerant group membership algorithm that constitutes one of the central services of the Time-Triggered Protocol (TTP). The algorithm is formally specified, and its correctness proved, using a diagrammatic representation of its behaviour. We describe the stepwise development of the diagram and outline the main part of the correctness proof. The verification has been mechanically checked with the PVS theorem prover.


Keywords: Deductive verification; Time-Triggered Architecture; fault-tolerant distributed algorithms; safety-critical control.



Copyright information

© IFIP International Federation for Information Processing 2000

Authors and Affiliations

  • Holger Pfeifer, Fakultät für Informatik, Universität Ulm, Ulm, Germany
