In the age of autonomously driving vehicles, functionality and complexity of embedded systems are increasing tremendously. Safety aspects become more important and require such systems to operate with the highest possible level of fault tolerance. Simulation and systematic testing techniques have reached their limits in this regard. Here, formal verification as a long established technique can be an appropriate complement. However, the necessary preparatory work like adequately modeling a system and specifying properties in temporal logic are anything but trivial. In this paper, we report on our experiences applying model checking to verify the arbitration logic of a Vehicle Control System. We balance pros and cons of different model checking techniques and tools, and reason about our choice of the symbolic model checker NuSMV. We describe the process of modeling the architecture, resulting in ~1500 LOC, 69 state variables and 38 LTL constraints. To handle this large-scale model, we automate and optimize the model checking procedure for use on multi-core CPUs and employ Bounded Model Checking to avoid the state explosion problem. We share our lessons learned and provide valuable insights for architects, developers, and test engineers involved in this highly present topic.

中文翻译：

---

大规模模型检查的经验：车辆控制系统的验证

在自动驾驶汽车时代，嵌入式系统的功能和复杂性正在急剧增加。安全方面变得越来越重要，并要求此类系统以最高的容错水平运行。在这方面，仿真和系统测试技术已达到其极限。在这里，作为一种长期建立的技术的形式验证可以是适当的补充。但是，必要的准备工作，如对系统进行适当的建模和在时间逻辑中指定属性，都是微不足道的。在本文中，我们报告了我们在应用模型检查来验证车辆控制系统的仲裁逻辑方面的经验。我们平衡了不同模型检查技术和工具的优缺点，以及选择符号模型检查器NuSMV的原因。我们描述了对体系结构建模的过程，该过程导致〜1500 LOC，69个状态变量和38个LTL约束。为了处理这种大规模模型，我们自动化并优化了用于多核CPU的模型检查过程，并采用有界模型检查来避免状态爆炸问题。我们分享我们的经验教训，并为参与此高度当前主题的建筑师，开发人员和测试工程师提供宝贵的见解。