Modeling and Verification of A Timing Protection Mechanism in the OSEK/VDX OS using CSP
Formal Aspects of Computing (IF 1.4). Pub Date: 2020-05-25. DOI: 10.1007/s00165-020-00511-6
Yanhong Huang, Haiping Pang, Jianqi Shi
The functions of automobiles are becoming increasingly intelligent, which leads to an increasing number of electrical control units in a single automobile. Hence, software migration and extension become more complicated. In order to avoid these problems, the OSEK/VDX standard has been proposed jointly by a German automotive company consortium and the University of Karlsruhe. This standard provides specifications for the development of automotive software and has become one of the major standards for real-time automotive operating systems (OSs). Since errors in an automotive OS may pose a threat to the safety of the people in a vehicle, it is necessary to verify the correctness of the OSEK OS, which is used by many manufacturers around the world. Formal methods can be adopted to verify the correctness of both software and hardware. Therefore, we propose a formal model of the OSEK OS at the code level and verify three significant properties of the OSEK-based system. In this study, the code-level OSEK OS is verified to ensure compliance with the specifications. An automotive OS always requires that the system reacts in a timely manner to external events and performs its computations within the timing constraints. However, there is a possibility that the running time of a task exceeds the timing requirements because of the complexity of the task. Therefore, by referring to one of the extensions of the OSEK OS, the Automotive Open System Architecture (AUTOSAR), we propose tpOSEK in this study, which extends the OSEK OS with the timing protection mechanism of AUTOSAR. In our previous study, it was verified that a higher-priority task cannot be preempted by lower-priority tasks.
In this paper, after improving the OSEK OS model by adding interrupt service routine models and alarms, and extending it with a timing protection model, we verify that tpOSEK satisfies three significant properties: deadlock free, complete and no timeout. These properties represent the basic conditions for the system to run smoothly. If the properties deadlock free and complete are satisfied, no deadlock is encountered by the system and all of the tasks can be scheduled completely. Moreover, if the property timeout cannot be satisfied, none of the tasks would miss its deadline. Based on the tpOSEK model, the correct timing protection APIs can be designed at the code level. Thus, by extending the OSEK OS with these APIs, we can update the OSEK OS faster and remove the need to modify the dependent applications. Furthermore, we have constructed formal models for two industrial cases based on the tpOSEK OS to demonstrate the soundness of our methods.
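The following is an added example, not the paper's CSP model: a deliberately simplified discrete-time model of a fixed-priority preemptive scheduler, run with and without an AUTOSAR-style execution-time budget on a constructed task set, to show how the properties "complete" and "no timeout" behave when one task overruns and how timing protection confines that fault to the offending task. Task names, budgets and deadlines are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Task:
    name: str
    priority: int   # larger value = higher priority
    exec_time: int  # ticks the task really needs (a runaway task needs many)
    budget: int     # execution-time budget enforced by timing protection
    deadline: int   # absolute deadline; all tasks are released at tick 0
    done: int = 0
    state: str = "ready"   # ready | finished | killed
    finish_tick: int = -1

def run(tasks, horizon, protect):
    """Simulate `horizon` ticks of fixed-priority scheduling; return final task states."""
    tasks = [Task(t.name, t.priority, t.exec_time, t.budget, t.deadline) for t in tasks]
    for tick in range(horizon):
        ready = [t for t in tasks if t.state == "ready"]
        if not ready:
            break
        cur = max(ready, key=lambda t: t.priority)  # highest-priority ready task runs
        cur.done += 1
        if cur.done == cur.exec_time:
            cur.state, cur.finish_tick = "finished", tick + 1
        elif protect and cur.done >= cur.budget:
            # Budget exhausted: the protection hook terminates the offender
            # instead of letting it starve the lower-priority tasks.
            cur.state = "killed"
    return tasks

def check(tasks):
    """Properties named in the abstract, evaluated on tasks not terminated by protection."""
    live = [t for t in tasks if t.state != "killed"]
    return {
        "complete": all(t.state == "finished" for t in live),
        "no_timeout": all(t.state == "finished" and t.finish_tick <= t.deadline for t in live),
        "killed": [t.name for t in tasks if t.state == "killed"],
    }

TASKS = [  # constructed task set: MID loops far beyond its budget
    Task("HIGH", 3, exec_time=2, budget=2, deadline=5),
    Task("MID", 2, exec_time=100, budget=3, deadline=10),
    Task("LOW", 1, exec_time=2, budget=2, deadline=12),
]

if __name__ == "__main__":
    print("no protection:", check(run(TASKS, 20, protect=False)))
    print("with budget  :", check(run(TASKS, 20, protect=True)))
```

Without the budget, the runaway MID task starves LOW, so both "complete" and "no timeout" fail; with the budget, MID is terminated after three ticks and the remaining tasks finish within their deadlines.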

Updated: 2020-05-25