Model checking the FlexRay physical layer protocol

Authors:
Michael Gerke;Rüdiger Ehlers;Bernd Finkbeiner;Hans-Jörg Peter
Affiliations:
Saarland University, Germany;Saarland University, Germany;Saarland University, Germany;Saarland University, Germany
Venue:
FMICS'10 Proceedings of the 15th international conference on Formal methods for industrial critical systems
Year:
2010

Citing 9
Cited 0

A theory of timed automata

Theoretical Computer Science
Hardware design

Hardware design
Towards the Formal Verification of Lower System Layers in Automotive Systems

ICCD '05 Proceedings of the 2005 International Conference on Computer Design
Analysis of a biphase mark protocol with Uppaal and PVS

Formal Aspects of Computing
A Formal Model of Lower System Layers

FMCAD '06 Proceedings of the Formal Methods in Computer Aided Design
A Formal Model of Clock Domain Crossing and Automated Verification of Time-Triggered Hardware

FMCAD '07 Proceedings of the Formal Methods in Computer Aided Design
Towards a Unifying CSP approach to Hierarchical Verification of Asynchronous Hardware

Electronic Notes in Theoretical Computer Science (ENTCS)
Realistic worst-case execution time analysis in the context of pervasive system verification

Program analysis and compilation, theory and practice
Easy parameterized verification of biphase mark and 8n1 protocols

TACAS'06 Proceedings of the 12th international conference on Tools and Algorithms for the Construction and Analysis of Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

The FlexRay standard, developed by a cooperation of leading companies in the automotive industry, is a robust communication protocol for distributed components in modern vehicles. In this paper, we present the first timed automata model of its physical layer protocol, and we use automatic verification to prove fault tolerance under several error models and hardware assumptions. The key challenge in the analysis is that the correctness of the protocol relies on the interplay of the bit-clock alignment mechanism with the precise timing behavior of the underlying asynchronous hardware. We give a general hardware model that is parameterized in low-level timing details such as hold times and propagation delays. Instantiating this model for a realistic design from the Nangate Open Cell Library, and verifying the resulting model using the real-time model checker UPPAAL, we show that the communication system meets, and in fact exceeds, the fault-tolerance guarantees claimed in the FlexRay specification.