In automotive control systems, the potential risks of software defects have been increasing due to growing software complexity driven by advances in electric-electronic control. Some kind of defects such as race conditions can rarely be detected by testing or simulations because these defects manifest themselves only in some rare executions. Model checking, which employs an exhaustive state-space exploration, is effective for detecting such defects. This paper reports our approach to applying model checking techniques to real-world automotive control programs. It is impossible to directly model check such programs because of their large size and high complexity; thus, it is necessary to derive, from the program under verification, a model that is amenable to model checking. Our approach uses the SPIN model checker as well as in-house tools that facilitate this process. One of the key features implemented in these tools is boundary-adjustable program slicing, which allows the user to specify and extract part of the source code that is relevant to the verification problem of interest. The conversion from extracted code into Promela, SPIN's input language, is performed using one of the tools in a semi-automatic manner. This approach has been used for several years in practice and found to be useful even when the code size of the software exceeds 400 KLOC.

We propose a lightweight scheme for fault diagnosis in time-triggered (TT) systems. An existing scheme is preferable in its capability but incurs computation time that can be prohibitively large for some real-time systems, such as automotive control systems. Our proposed scheme, which we call voting sharing, can substantially reduce the computation time by sharing the diagnosis result obtained by each node with all nodes in the system. We clarify the properties of the voting sharing scheme with respect to fault tolerance and show some experimental results.