Specification and Verification of Time Requirements with CCSL and Esterel

The UML Profile for Modeling and Analysis of Real-Time and Embedded (MARTE) systems has recently been adopted by the OMG. Its Time Model extends the informal and simplistic Simple Time package proposed by UML2 and offers a broad range of capabilities required to model real-time systems including discrete/dense and chronometric/logical time. MARTE OMG specification introduces a Time Structure inspired from Time models of the concurrency theory and proposes a new clock constraint specification language (CCSL) to specify, within the context of UML, logical and chronometric time constraints. This paper introduces the formal semantics of a fundamental subset of CCSL clock constraints and proposes a process to use CCSL both as a high-level specification language for UML models and as a golden model to verify the conformance of implementations with the specification. A digital filtering video application is used as a running example to support the discussion. The application is first formally specified with CCSL and the specification is refined based on feedback from our CCSL-dedicated simulator. In a second phase, an Esterel program of the application is considered. This program is instrumented with observers derived from the CCSL specification. Esterel Studio formal verification facilities are then used to check the conformity of the Esterel implementation with the CCSL specification. A specific library of Esterel observers has been built for this purpose.