In this paper we describe the development and verification of software for an automotive Brake-by-Wire System. This is a new brake system without mechanical or hydraulic backup. The system is based on a time-triggered communication architecture. The central control computer in this distributed system, called Brake-by-Wire Manager, is a redundant design in order to tolerate any single failure. The software of this computer is subject to a set of safety related requirements which must be verified. We have developed the software using synchronous software components based on the synchronous language ESTEREL. Many safety properties have been verified successfully and the software has been integrated in a prototype Brake-by-Wire system in a research car.