From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis by Foss, Luciana et al.
From UML to SIMULINK CAAM: Formal Specification
and Transformation Analysis
Luciana Foss 1
Simone André da Costa Cavalheiro 1
Lisane Brisolara de Brisolara 1
Nícolas Nogueira Bisi 1
Vinícius Steffens Pazzini 1
Flávio Rech Wagner 2
Abstract: UML and Simulink are attractive languages for embedded systems de-
sign and modeling. An automatic mapping from UML models to Simulink would be
an interesting resource in a seamless design flow, allowing designers to use UML as
modeling language for the whole system and at same time to use facilities for code
generation based on Simulink. In a previous work, a UML to Simulink translation was
prototyped using a Java implementation. In this paper, we present the formal definition
of this translation using graph grammars, as well as its automation, which is supported
by the AGG system. With the formalization of the metamodels and translation rules,
we can guarantee the correctness of the translation.
1 Introduction
The increased amount of software in embedded systems and tight time-to-market con-
straints have motivated the investigation of strategies to successfully manage embedded soft-
ware design and its complexity. The complexity is usually managed using abstraction by
means of models, and automation can be a solution for the pressure for fast product delivery.
This scenario motivates the use of model-driven engineering approaches.
The growing interest for using UML in software projects has led to an increase in its
popularity. UML [1] supports the whole software development process, starting with require-
ments analysis and supporting object-oriented system specification, design, and modeling,
thus being considered the standard modeling language for the software community. More-
over, UML has been used in most of model-driven design approaches recently proposed,
since it is an open, standard language supported by several tools. In the embedded system
community, mainly due to its high abstraction, UML has been proposed as the system-level
modeling language [2], and its use in hardware software codesign has been investigated [3].
1Centro de Desenvolvimento Tecnológico, UFPEL, Caixa Postal 354 - Pelotas - RS
{lfoss,simone.costa,nnbisi,vspazzini}@inf.ufpel.edu.br
2Instituto de Informática, UFRGS, Caixa Postal 15064 - Porto Alegre - RS
flavio@inf.ufrgs.br
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
Embedded systems are usually compositions of subsystems, each of which may be
based on a different Model of Computation (MoC) [4]. Each MoC, with associated modeling
notation, is chosen with respect to its adequacy to the subsystem domain. UML is widely
used in the development of event-based systems in the software engineering domain, since
the UML modeling style maps nicely to the underlying object-oriented paradigm. However,
UML is not well suited to model dataflow or other MoCs required by heterogeneous systems,
like those present in most current or emerging embedded systems (e.g. mobile phones).
Simulink [5] is another language currently used for embedded systems design, with a
focus on control and signal processing. This language supports dataflow and continuous time
models, but it lacks the desired high-level abstraction and support to other software-oriented
models (object-orientation, for example). Furthermore, Simulink provides code generation
and simulation features. A Simulink-based multiprocessor system-on-chip (MPSoC) design
flow has been proposed previously [6], in order to support modeling of embedded multipro-
cessor systems, including facilities for hardware and software co-simulation and code gener-
ation. This design flow uses as input a Simulink CAAM model, which is an extension of the
Simulink language to model multiprocessor systems, combining Algorithm and Architecture
Models in a single model.
Recent efforts have shown that both UML and Simulink are considered attractive for
embedded system-level design [7, 8, 9, 10], a fact that motivates researchers to aim at finding
a way to simultaneously exploit the benefits of both languages. In this way, a mapping from
UML to Simulink CAAM models was proposed by Brisolara [8] to allow designers to use
UML as modeling language for the whole system and at same time to use facilities for sim-
ulation and code generation based on Simulink. However, the automation of this translation
was just prototyped using a Java implementation, without any considerations regarding the
correctness of the translation, nor any formalization of the metamodels or of the translation
rules. One way of covering such gaps is the use of formal methods. Since UML diagrams
constitute a visual language, it is natural to consider that UML translations are based on rules
that transform graphs. Graph grammars are a formal language that follow such approach
[11] and offer various results concerning different types of analysis (like termination and
confluence) that are suitable for model transformations.
This paper is an extended version of [12, 13]. With respect to the original version, we
included two relevant contributions:
1. Formal representation of UML specifications and Simulink block diagrams as graphs;
2. The proofs of termination and confluence of the translation.
The use of a formal language as graph grammars to define the translation avoids pos-
sible ambiguities from a natural language description, as well as supports its automation by
RITA • Volume 20 • Número 1 • 2013 103
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
the Attributed Graph Grammar system (AGG tool) [14, 15]. A design flow that starts with a
UML model and provides a mapping to a Simulink block diagram is proposed. The process
of translation from UML to Simulink CAAM is semi-automatic and starts by constructing
the initial graph from UML deployment and sequence diagrams. Using the AGG tool and ap-
plying the rules defined in the graph grammar, the initial graph is automatically transformed
into a graph representing the corresponding Simulink model. The precise definition of UML
specifications and Simulink block diagrams as graphs formally define the complete process of
transformation. It is important to note that the proposed translation is independent of specific
application. Moreover, the designer does not need to know all formal definitions of graph
grammars to proceed with a translation, but just to use the AGG tool.
The graph grammar specification also allows the formal analysis of the mapping. The
proofs of termination and confluence guarantee the existence and uniqueness of the outcom-
ing Simulink model. Termination ensures that the transformation process finishes, while
confluence ensures that the transformation results in a unique target model. Using the AGG
tool these proofs were automatically performed.
The remaining of this paper is organized as follows. Section 2 presents an introduction
to the adopted specification language, which is an attributed graph grammar with negative ap-
plication conditions [11]. Section 3 introduces UML sequence and deployment diagrams and
defines a graph representation of a UML specification. Section 4 describes a brief presenta-
tion of Simulink block diagrams and presents the graph representation of a Simulink CAAM
model. Section 5 formally defines the mapping from UML to Simulink CAAM, and Section
6 details the transformation analysis. Finally, Section 7 contains concluding remarks.
2 Graph Grammars
In this section we review the main concepts about typed attributed graph grammars
with application condition and negative application conditions, based on the double pushout
approach (DPO-approach) [11]. Basically, a graph is composed by a set of vertices and edges
connecting them, but they can be enriched with other information, like labels and attributes.
Graphs in which vertices (and edges) can be assigned to attributes of some data type are often
called attributed graphs. Attributed graphs generally consist of two parts: a graph-part and
a data-part. The data-part includes an algebra which defines values and algebraic operations
over these values. An algebra is a semantical model of a signature [16]. As an analogy,
we can see a signature as the interface of a program and an algebra as the implementation
of this program. An algebra homomorphism relates two algebras over the same signature,
identifying their values and operations.
Definition 1 [Signature] A signature Σ = (S,OP ) consists of a set S of sorts and a family
104 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
OP = (OPw,s)(w,s)∈S∗×S of operation symbols. For an operation op ∈ OPw,s, we can
write op : w → s or op : s0, . . . , sn → s, where w = s0, . . . , sn. If w = ε, then the
operation op :→ s is called constant.
Definition 2 [Algebra and homomorphism] Given a signature Σ = (S,OP ), a Σ−algebra
A = ({As|s ∈ S}, {opA|op ∈ OP}) is defined by:
• a carrier set As for each sort s ∈ S;
• a constant cA ∈ As for each constant c :→ s ∈ OP ;
• a function opA : As0 × · · · ×Asn → As for each operation op : s0, . . . , sn → s.
The set obtained by the disjoint union of all carrier sets of a Σ-algebra A is denoted by U(A),
i.e., U(A) = ⊎s∈S As.
Given two algebras A and A′ of the same signature Σ = (S,OP ), a (partial) homomorphism
h : A→ A′, also called Σ-homomorphism, is a family h = (hs)s∈S of functions hs : As →
A′s such that:
• for each c :→ s ∈ OP , we have hs(cA) = cA′;
• for each op : s0, . . . , sn → s ∈ OP , we have hs(opA(x0, . . . , xn)) =
opA′(hs0(x0), . . . , hsn(xn)), for all xi ∈ Asi .
A homomorphism is total or injective if all functions are total or injective, respectively, and
if all functions are bijective, it is an isomorphism.
Example 1 [Signature and algebra] The following signature defines sorts, constants and
operations of STRING data type. This signature is used in the graph grammar that defines
the translation from UML to Simulink.
Signature STRING =
sorts: string, char
opns: a: -> char
empty: -> string
next: char -> char
ladd: char string -> string
concat: string string -> string
first: string -> char
RITA • Volume 20 • Número 1 • 2013 105
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
A STRING-algebra D can be defined as follows:
Dchar = {a, . . . , z, A, . . . , Z, 0, . . . 9, _}
Dstring = D∗char
aD = a ∈ Dchar
emptyD = ε ∈ Dstring
nextD : Dchar → Dchar
nextD(a) = b, . . . , nextD(z) = A,nextD(A) = B, . . . ,
nextD(Z) = 0, nextD(0) = 1, . . . , nextD(9) = _, nextD(_) = a
concatD : Dstring ×Dstring → Dstring
∀s, t ∈ Dstring : concatD(s, t) = st
laddD : Dchar ×Dstring → Dstring
∀x ∈ Dchar : ∀s ∈ Dstring : laddD(x, s) = xs
firstD : Dstring → Dchar
firstD(ε) = a, ∀s ∈ Dstring : firstD(s) = x1,
where s = x1 . . . xn
A graph is defined by sets of vertices and edges. The set of vertices is partitioned
into two sets: a set of graph vertices and a set of data vertices. And the set of edges is also
partitioned into two sets: the sets of graph edges and node attribute edges. The graph vertices
and edges define the graphical part of a graph, while the data vertices and node attribute edges
define the data structure of this graph. In this approach the edges are directed, therefore the
source and target of each edge must be defined. There are two functions determining the
source and target of graph edges and two functions defining the source and target of node
attribute edges. Graph edges have source and target in graph vertices, and node attribute edges
associate graph vertices to data vertices. In order to relate two graphs, a graph morphism is
defined, mapping all elements of one graph into the corresponding elements of the other. This
mapping must preserve the source and target of each edge, i.e., if an edge e1 is mapped to an
edge e2, the source and target vertices of e1 must be accordingly mapped to the source and
target of e2.
Definition 3 [Graphs and graph morphisms] A graphG is a tuple (VG, VD, EG, ENA, srcG,
tgtG, srcNA, tgtNA) defined as follows:
• VG and VD are sets of graph and data vertices, respectively;
• EG is the set of graph edges, which connect graph vertices, and ENA is the set of node
attribute edges, which connect graph vertices to data vertices;
• srcG, tgtG : EG → VG are total functions, defining source and target of graph edges,
respectively;
106 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
• srcNA : ENA → VG and tgtNA : ENA → VD are total functions, defining source
and target of node attribute edges, respectively;














NA) and H = (V
H
G ,












NA), a (partial) graph morphism f : G → H is a
tuple (fVG , fVD , fEG , fENA) such that f commutes with all source and target functions, for
example fVG ◦ srcGG = srcHG ◦ fEG . If there is no confusion, the subscribed indexes can be
omitted, e.g., fVG(v) can be written f(v). A graph morphism is said to be total or injective if
all its components are total or injective functions, respectively.
An attributed graph is a graph combined with a data algebra over a signature Σ. In the
signature, a set of attribute value sorts is established and the corresponding carrier sets are
used to define the data vertices. The relation between two attributed graphs is determined by
a graph morphism and an algebra homomorphism, which must preserve the mapping between
data vertices.
Definition 4 [Attributed graphs and attributed graph morphisms] Given a signature Σ,
called data signature, an attributed graph is a pair AG = (G,A), where A is a Σ−algebra,
called data algebra, and G is a graph, such that VD = U(A).
Given two attributed graphs AG1 = (G1, A1) and AG2 = (G2, A2), a (partial) attributed
graph morphism f : AG1 → AG2 is a pair (fG, fD), with a graph morphism fG : G1 → G2
and an algebra homomorphism fD : A1 → A2, such that the following diagram commutes







An attributed graph morphism f is said to be total or injective if fG and fD are total or
injective, respectively. Moreover, f is a monomorphism if fG is injective and fD is an iso-
morphism of Σ−algebras.
Attributed graphs combined with the concept of typing lead to the notion of typed
attributed graphs. For typing the attributed graphs, a type graph over the final Σ-algebra is
used. The typing is given by an attributed graph morphism associating each element of a
graph to elements of the type graph. Two attributed graphs typed over the same type graph
RITA • Volume 20 • Número 1 • 2013 107
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
can be related by an attributed graph morphism, which must preserve the types of each graph
element.
Definition 5 [Typed attributed graphs and typed attributed graph morphisms] Given a
signature Σ = (S,OP ), an attributed type graph is an attributed graph TG = (T,A), where
A is the final Σ−algebra (where all carrier sets of A are singletons). A typed attributed graph
(AG, t) over TG consists of an attributed graph AG and a total attributed graph morphism
t : AG→ TG, called typing morphism.
Given two typed attributed graphs (AG1, t1) and (AG2, t2), typed over TG, a (partial)
typed attributed graph morphism f : (AG1, t1) → (AG2, t2) is a (partial) attributed graph
morphism f : AG1 → AG2, such that t2 ◦ f = t1. A typed attributed graph mor-
phism f : (AG1, t1) → (AG2, t2) is said to be total, injective or a monomorphism if
f : AG1 → AG2 is total, injective or a monomorphism, respectively.
Typed attributed graphs over an attributed type graph TG and typed attributed graph mor-
phisms form the category AGraphsTG [16].
Example 2 [Typed attributed graphs] A typed attributed graph is shown in Figure 1. Ver-
tices are depicted as rectangles, which are divided into two parts, and edges are shaped
as arrows connecting their source and target vertices. This graph is attributed over the
STRING-algebra defined in Example 1. The data vertices and the node attribute edges as-
sociating them to graph vertices are inscribed in the bottom part of rectangles. For example,
the vertex IO (on top left of Figure 1) has an attribute named id, whose value is “IODevice”,
that is, there is a node attribute edge id connecting the graph vertex IO to the data vertex
“IODevice”. The type graph is depicted in Figure 2, and the typing information of G is given
by the labels (IO, SAengine, var, SFunction, SASchedRes and getIO) in the top part of rectan-
gles and the labels (src, tgt, in, arg and result) on the arrows. This graph is a small fragment
of the graph illustrated in Figure 9, which represents a UML specification: thread “T3” of
type SASchedRes (allocated in the processor - SAengine - “CPU2”) calls the getIO method
from an input device (“IODevice” of type IO) and returns its result in variable (var) “a”; the
getIO result is an argument of the “calc” method (of type SFunction) of thread “T3”; finally,
the result of “calc” method is returned in variable “x”.
A production defines the transformation from one graph to another one, identifying
which elements should be preserved, consumed, or created. In this work we use the double
pushout approach (DPO), where a production is defined by two total typed attributed graph
morphisms l : Kp → Lp and r : Kp → Rp, one mapping elements from the interface (Kp) to
the left-hand side (Lp) and another one mapping elements from the interface to the right-hand
side (Rp). Lp defines the elements that must be present in the graph for the production to be
applied; Rp defines the result of application of the production; and Kp defines the context
108 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
Figure 1. Attributed graph G typed over type graph TG in Figure 2.
Figure 2. Type graph TG.
RITA • Volume 20 • Número 1 • 2013 109
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
of the production application, i.e., elements that must be in the graph but are not deleted by
application of the production. Elements of Lp that are not in the co-domain of l must be
deleted, and elements in Rp that are not in the co-domain of r must be created. All graphs
of p are typed over the same type graph T , with respect to a signature Σ, and the algebra
associated to these graphs is the Σ-termalgebra [16] with the variables X used in p.
Definition 6 [Typed attributed graph productions] Given an attributed type graph TG
with data signature Σ, a (typed attributed) graph production or rule (p : Lp
l← Kp r→ Rp)
consists of three typed attributed graphs Lp (left-hand side), Kp (interface) and Rp (right-
hand side), with a common Σ−algebra TΣ(X) (the Σ−termalgebra with variables X); and
two typed attributed graph monomorphisms l and r.
Example 3 [Graph production] An example of production is showed in Figure 3(a). The
morphisms l and r are defined by the numbers associated to each element of the graphs. The
required elements to apply this production are those in graph Lp. Among these elements,
those in Kp are preserved and the other ones are deleted. The created elements are those
in Rp, but not in Kp. The AGG tool, which is used to support the analysis of the transfor-
mation, uses a more compact representation for a production. The AGG representation for
the production p is showed in Figure 3(b). The graph Kp is omitted, but it is determined
by the numbered elements. Elements in the left-hand side (LHS) or right-hand side (RHS)
that have no associated number are deleted or created by the production, respectively. This
production is used in the UML to Simulink mapping. It models the transformation of a getIO
method call in the corresponding connections of Simulink blocks. The connections describe
the data flow in the Simulink diagram: in this case, they are representing the flow of variable
“x” from IO to SASchedRes passing by SAengine (vertices X specify these connections, whose
source and target are indicated by edges with labels prefixed by o and d, respectively).
The application of a production to a graph G is enabled if all elements in its left-hand
side can be found in G , i.e., the left-hand side matches with a part ofG. A match is defined as
a total (typed attributed) graph morphism from the left-hand side of a production to a graph.
It is total to ensure the presence of all needed elements in G. In this approach, if there is
some edge connected to a deleted vertex or if there are two identified vertex, where one is
preserved and the other one is deleted, the production cannot be applied.
Definition 7 [Match and gluing conditions] Given a typed attributed graph production (p :
L
l← K r→ R), a typed attributed graph G and a total typed attributed graph morphism
m : L → G, with X = (V XG , V XD , EXG , EXNA, srcXG , tgtXG , srcXNA, tgtXNA, DX , tX) for all
X ∈ {L,K,R,G}, we can state the following definitions:
110 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
(a) Morphisms l e r
(b) Production p in AGG tool
Figure 3. Graph production p.
• the identification points IP = {v ∈ V LG |∃v′ ∈ V LG : [v 6= v′∧mVG(v) = mVG(v′)]}∪
{e ∈ ELi |∃e′ ∈ ELi : [e 6= e′ ∧mEi(e) = mEi(e′)]}, for all i ∈ {G,NA} are graph
elements in L that are identified by m;
• the dangling points DP = {v ∈ V LG |∃e ∈ (EGG −mEG(ELG)) : [mEG(v) = srcGG(e)∨
mEG(v) = tgt
G
G(e)] ∨ ∃e ∈ (EGNA − mENA(ELNA)) : mENA(v) = srcGNA(e)} are
graph vertices in L, whose image in G are source or target of an edge that are not in
image of m.
p and m satisfy the gluing condition if all identification and dangling points are elements
preserved by p, i.e. they are in l(K). In this case, m is called match for p at G.
The production application, or derivation, is defined as a double pushout in the cate-
gory AGraphsTG [16]. Intuitively, G can be transformed by removing the part matched by
the production’s left-hand side and adding its right-hand side.
Definition 8 [Typed attributed graph transformation] Given a graph production
(p : Lp
l← Kp r→ Rp), a typed attributed graph G and a match m : Lp → G for p at
RITA • Volume 20 • Número 1 • 2013 111
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
G. A direct (typed attributed) graph transformation from G to the typed attributed graph H
(with p at m), denoted by G
p,m⇒ H , is given by the following double pushout (DPO) diagram











G Dfoo g // H
A (typed attributed) graph transformation from G0 to Gk, denoted by G0 ⇒∗ Gk, is a se-
quence of direct graph transformations G0
p1,m1⇒ · · · pk,mk⇒ Gk.
Example 4 [Direct graph transformation] Figure 4 shows a direct derivation from G to H
with the production p (see Figure 3). There is a match m of LHS in G, which is highlighted
in the figure. In this case, G can be transformed into H by excluding the getIO vertex and its
incident edges and adding two new vertices X and their incident edges, as well as the result
edge between thread T3 and variable a.
Figure 4. Direct graph transformation from G to H with production p in Figure 3.
Now we can define typed attributed graph grammars.
Definition 9 [Typed attributed graph grammar] A (typed attributed) graph grammarGG =
(Σ, TG,G0, P ) consists of a data signature Σ, which defines the data values and operations
used in all graphs of GG; a type graph TG attributed over the final Σ-algebra; an initial
attributed graph G0 typed over TG; and a set of graph productions P typed over TG.
112 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
3 UML Sequence and Deployment Diagrams
A UML Sequence Diagram (SD) represents the interaction between objects. In the
object-oriented approach, on which the UML language is based, objects interact through
the exchange of messages. Thus, the main elements on this diagram are the objects and
the messages, and, for each element, UML provides a graphical notation. The objects are
instances of classes, while a message represents an invocation of an operation (or method).
From a Sequence Diagram a sequence of method invocations performed by the objects
collaborating in a given scenario can be captured. This can be useful to represent the behavior
of object-oriented code. Usually, several Sequence Diagrams are used to build dynamic views
of the software system, one for each use case.
An object is represented by a rectangle with the names of the instance and of its class.
Besides this information, stereotypes can be added to give a special meaning to an object. The
UML standard defines some stereotypes, and the UML profiles (eg. MARTE and UML-SPT)
use stereotypes to extend UML standard elements.
In UML2, the last version of the standard, Sequence Diagrams support the representa-
tion of iterations (loop), conditionals (alt or opt), parallelism (par), among other new syntax
elements. For example, one can use a fragment with the operator loop to indicate that mes-
sages inside this fragment must be repeated.
In this work, in fact, the UML Sequence Diagram must be defined with some re-
strictions. For example, at the moment, loop, alt, opt or parallel operators are not sup-
ported. Besides, three stereotypes (〈〈SASchedRes〉〉, 〈〈SAScheduler〉〉, 〈〈SAengine〉〉)
from the UML-SPT profile, and two new stereotypes are used to define an object type. Ob-
jects must be of one of four types: processor (denoted by 〈〈SAengine〉〉), thread (denoted by
〈〈SASchedRes〉〉), platform (denoted by 〈〈lib〉〉) or IO (denoted by 〈〈IO〉〉).
The 〈〈SASchedRes〉〉 stereotype is used to identify objects representing threads or
schedulable objects. The 〈〈SAScheduler〉〉 stereotype can represent the scheduler, which is
responsible for initializing the execution of a thread. 〈〈SAengine〉〉 is used to represent a
processing element (processor). Besides threads and processors, Platform and IO are other
special objects. Platform represents a pre-defined library of functions, while IO objects model
external systems (sensors, actuators, and etc). Objects can call its own methods or methods of
the object Platform, and communication between threads must be done through gets and sets,
to indicate receive or send operations, respectively. Besides, the method invocations from the
object IO represent operations for reading input ports and writing output ports.
UML Deployment Diagrams can have nodes, representing processing elements, and
artifacts or components, representing software elements. In this work, a Deployment Dia-
gram is just used to define the number of processors and capture the mapping of threads to
RITA • Volume 20 • Número 1 • 2013 113
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
processors, so as to support the modeling of an MPSoC.
3.1 Syntax
In this section, we formally define the syntax of restricted sequence and deployment
UML diagrams, which are used in the translation. In the following definitions, we denote
the projection of the i-th element of a tuple x by Pji(x) and define the set of stereotypes
by ST = {SASchedRes, SAScheduler, SAengine, lib, IO} and the alphabet by N =
NOb ∪ NMs ∪ NX , where NOb is a set of object names, NMs is a set of message names
and NX is a set of variable names. Moreover, there is a subset of NOb that defines the set of
threads, i.e., NTh ⊆ NOb is the set of thread names. Let l be a list, a ∈ l says that a is in
some position of l, l(i) = a says that a is the i-th element of l and |l| denotes the length of l.
We first define the concepts of objects and messages and then use these elements to
define the diagrams. Each diagram has an associated vocabulary, which defines the names of
objects, messages and variables that are used as arguments or results of messages. An object
has a stereotype, a name and a list of attributes.
Definition 10 [Object] An object ob is defined by a tuple (s, n,Aob), where s ∈ ST is the
stereotype of ob, n ∈ NOb is the name of ob and Aob is the set of attributes of ob.
A message specifies a communication between two objects. It represents the invo-
cation of an operation, which has a list of arguments and a result. Moreover, in a sequence
diagram, the messages are partially ordered. This order relation defines the sequence in which
messages are sent. In this way, a message is defined by its order of transmission, an operation
name, a list of arguments, and a result.
Definition 11 [Message] A messagem is defined by a tuple (i, n, l, r), with i ∈ {1, 2, . . . , k}
and k ∈ N, denotes the message order, n ∈ NMs is the name of m, l ∈ N∗X is the list of
arguments of m and r ∈ (NX ∪ ε) is the result of m.
In this work, each SD has a vocabulary and a thread associated to it and specifies the
exchange of messages from the associated thread to other ones. An SD for a thread thr over a
vocabularyN is defined by a set of objects, a set of messages, and two total functions defining
the sender and the receiver of each message (which can be the same). These elements must
satisfy some restrictions in order to specify a well-defined sequence diagram in our approach:
(1) the associated thread thr must be in the set of objects; (2) all messages from an object
to another one must be a get or set message, except messages sent to lib objects; (3) all
messages, except the main_task message, must have their source in thr; (4) the order of
transmission of each message must be unique in the set of messages; (5) there is exactly one
114 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
object scheduler in the set of objects; (6) there is exactly one message main_task; (7) the
main_task is the first task in the order of transmission, and it is sent from the scheduler
object to thr; (8) all messages to IO objects are either getIO or setIO messages; (9) get
messages must be sent at the beginning of the thread execution; and (10) set messages must
be sent at the end of the thread execution. A sequence diagram specification SD is the set of
sequence diagrams associated to all thread names in the vocabulary (NTh).
Definition 12 [Sequence Diagram] A sequence diagram for a thread thr over the alphabet
N , with thr ∈ NTh, is defined by a tuple SDthrN = (O,M, to, from, ord), where:
• O is a set of objects;
• M is a set of messages;
• to : M → O is a function defining for each message the object which receives it;
• from : M → O is a function defining for each message the object which sends it;
• ord : M → N is a function defining an order for the messages.
such that:
1. (SASchedRes, thr,A) ∈ O;
2. for all m ∈ M , from(m) 6= to(m) and Pj1(to(m)) 6= lib iff Pj2(m) = set_x or
Pj2(m) = get_x, with x ∈ Pj3(to(m));
3. for all m ∈M , if Pj2(m) 6= main_task, then Pj2(from(m)) = thr;
4. m1,m2 ∈M , if Pj1(m1) = Pj1(m2), then m1 = m2;
5. #{o ∈ O | Pj1(o) = SAScheduler} = 1;
6. #{m ∈M | Pj2(m) = main_task} = 1;
7. if Pj2(m) = main_task, then Pj1(m) = 1 and Pj1(from(m)) = SAScheduler
and Pj2(to(m)) = thr;
8. if Pj1(to(m)) = IO, then Pj2(m) = getIO or Pj2(m) = setIO;
9. for all m1 ∈ M , if Pj2(m1) = get_x, then there not exist m2 ∈ M such that
Pj1(m2) < Pj1(m1) and Pj2(m2) 6= get_x or Pj2(m2) 6= main_task;
10. for all m1 ∈ M , if Pj2(m1) = set_x, then there not exist m2 ∈ M such that
Pj1(m2) > Pj1(m1) and Pj2(m2) 6= set_x or Pj2(m2) 6= main_task.
RITA • Volume 20 • Número 1 • 2013 115
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
A sequence diagram specification over the alphabet N is the set of sequence diagrams over
N , defined by SD = {SDthrN |thr ∈ NTh}. We denote by OSD = {Pj1(s)|s ∈ SD} and
MSD = {Pj2(s)thr|s = SDthrN ∈ SD} the sets of objects and messages of SD, respectively.
A deployment diagram is defined by two sets of objects: one defining the processors of
the system and another one defining the threads of the system. Moreover, there is a function
in defining where each thread will be executed.
Definition 13 [Deployment diagram] A deployment diagram over the alphabetN is defined
by a tuple DD = (PDD, TDD, inDD), where PDD is a set of objects defining the processors
of the system, TDD is a set of objects defining the threads of the system and inDD : TDD →
PDD is a total function mapping each thread to a processor where it will run.
A UML specification is defined by a sequence diagram specification and a deployment
diagram, such that all threads defined in the sequence diagrams are in the set of threads of the
deployment diagram.
Definition 14 [UML specification] A UML specification over the alphabet N is defined by
a pair (DD,SD), where DD = (PDD, TDD, inDD) is a deployment diagram and SD is
a sequence diagram specification, both over N , such that for all o ∈ OSD, if Pj1(o) =
SASchedRes, then o ∈ TDD.
From a UML specification, defined as above, we can obtain a typed attributed graph.
The set of graph vertices VG is composed by: a vertex for each processor object in the de-
ployment diagram; a vertex for each object in the sequence diagram specification, except the
scheduler; a vertex for each message in the sequence diagram specification; and a vertex for
each variable name used as argument or result of each message. The set of data vertices VD
contains all strings defining the names of all objects (except for the scheduler object) and
messages and all variables in NX (set of variables in the vocabulary).
The set of graph edges EG is defined by: one edge ino for each thread in DD; one
edge inm for each message different from gets and sets; one source edge srcm and one target
edge tgtm for each get and set; one argmj edge for the j-th argument of each message; one
resultm for each message that has a result. The set of node attribute edges ENA is formed
by one edge idv for all graph vertices, except those representing gets and sets messages.
The source of graph and node attribute edges are determined by the own index of each
edge. The target of graph edges are specified according to its type: if it is an ino edge, the
target is the object associated to o by function in of DD; if it is an inm or srcm edge, the
target is the object associated to m by function from of SD; if it is a resultm edge, the
116 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
target is the vertex associated to the variable which corresponds to the message result; if it is
an argmj edge, the target is the vertex associated to the variable that corresponds to the j-th
argument of message m. The target of node attribute edges are determined according to its
index and type: for all idv edge, if v is a vertex associated to a variable, the target is the name
of the variable; otherwise it is the name of the object or the message.
The algebra Alg is the STRING-algebra defined in Example 1, while the type graph
is detailed in Figure 2. The graph vertex typing function is specified as follows: if the vertex
represents an object, its type is given by the object stereotype; if the vertex represents a
message to an IO object, its type is the name of the message; if the vertex represents a get or
set message, its type is get or set, respectively; if the vertex corresponds to a message with
the same source and target, its type is SFunction; if the vertex is a message to a lib object,
its type is lib; if the vertex is a variable, its type is var. For all data vertices, its type is string.
For each graph edge typem, its type is given by type. For all node attribute edges, its type is
id. And the algebra typing function associates each element of the algebra to its sort.
Definition 15 [Graph representation of a UML specification] Given a UML specification
US = (DD,SD), over the alphabet N , and the signature STRING (see Example 1). The
graph representation of US is the typed attributed graph UG = (AG, t : AG → TG),
defined by:
• AG = ((VG, VD, EG, ENA, srcG, tgtG, srcNA, tgtNA), Alg), where:
VG = PDD ∪OSD − {o ∈ OSD|Pj1(o) = Scheduler} ∪MSD ∪ V
V = {vertx|x ∈ NX ∧ (i, n, l, r) ∈MSD ∧ (x = r or x ∈ l)}
VD = {n|(s, n,A) ∈ PDD ∨ (s, n,A) ∈ OSD ∨ (i, n, l, r) ∈MSD}∪
{x|x ∈ NX ∧ (i, n, l, r) ∈MSD ∧ (x = r or x ∈ l)}
EG = InO ∪ InM ∪ Tgt ∪ Src ∪Arg ∪Res
InO = {ino|o ∈ TDD}
InM = {inm|m ∈MSD ∧
(from(m) = to(m) ∨ Pj1(to(m)) = lib)}
Tgt = {tgtm|m ∈MSD ∧ from(m) 6= to(m)}
Src = {srcm|m ∈MSD ∧ from(m) 6= to(m)}
Arg = {argmj |m = (i, n, l, r) ∈MSD ∧ l 6= ε ∧ j ∈ {1, . . . , |l|}}
Res = {resultm|m ∈MSD ∧ Pj4(m) 6= ε}
ENA = {idv|v ∈ VG − {m ∈MSD|from(m) 6= to(m)}}
∀e ∈ EG : srcG(e) =

o if e = ino ∈ InO
m if e = xm ∈ (InM ∪ Tgt ∪ Src ∪Res)
m if e = argmj ∈ Arg
RITA • Volume 20 • Número 1 • 2013 117
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
∀e ∈ EG : tgtG(e) =

inDD(o) if e = ino ∈ InO
from(m) if e = xm ∈ (InM ∪ Src)
to(m) if e = xm ∈ Tgt
vertx if e = resultm ∈ Res,
where Pj4(m) = x
vertl(j) if e = argmj ∈ Arg,
where Pj3(m) = l
∀idv ∈ ENA : srcNA(idv) = v
∀idv ∈ ENA : tgtNA(idv) =
{
Pj2(v) if v ∈ (PDD ∪OSD ∪MSD)
x if v = vertx ∧ x ∈ NX
Alg is the STRING-algebra D, defined in Example 1.
• TG is depicted in Figure 2
• t = (tVG , tVD , tEG , tENA , tD) is defined by:
∀v ∈ VG : tVG(v) =

Pj1(v) if v ∈ (PDD ∪OSD)
Pj2(v) if v ∈MSD and Pj1(to(v)) = IO
get if v ∈MSD and Pj2(v) = get_x
set if v ∈MSD and Pj2(v) = set_x
SFunction if v ∈MSD and to(v) = from(v)
lib if v ∈MSD and Pj1(to(v)) = lib
var if v = vertx ∈ NX
∀v ∈ VD : tVD (v) = string
∀e ∈ EG : tEG(e) = type, where e = typem
∀e ∈ ENA : tENA(e) = id
∀x ∈ Algs : tDs(x) = s, for all s ∈ SSTRING
4 Simulink Block Diagrams
Traditionally, the functional block (FB) modeling approach has been used by the sig-
nal processing, industrial automation, and control engineering communities for the develop-
ment of embedded systems. These models are widely accepted in industrial design, driven by
an extensive set of design tools, as for instance, Matlab/Simulink from MathWorks. Features
like modularity, abstraction level, and reusability contributed to the popularity of this model-
ing approach. In the functional block (FB) approach, applications are designed by connecting
several FBs. Each FB output must be connected with an appropriate input, coming from an
FB or another model element.
118 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
Simulink supports several models of computation, which means we can find two
Simulink models with different semantics. For that reason, in this work, we focus on the
discrete-time Simulink models. In this context, a Simulink block represents a function that
takes inputs and produces outputs. Examples of Simulink blocks include User-defined (SFunc-
tion), discrete delay, and pre-defined blocks, such as mathematical operations. Using Simulink,
pre-defined components from libraries can be reused to build a solution (adders, multipliers,
switches, etc), and, when this is not possible, an SFunction block can be used. SFunction
blocks allow the user to link a C-code to a block to represent the desired behavior for a block.
Other elements in a Simulink model are the connections or links. The Simulink link
connects one output port of a block (or subsystem) to one or more input ports of one or more
blocks (or subsystems), representing a data flow in the system. A connection can start in an
output port and arrive at several input ports from different components (named a Branched-
Line), which means that the same data can be sent to several blocks. However, an input port
of a block cannot be connected to several outputs of other blocks.
An interesting feature from Simulink is the hierarchy of composition. This feature
allows a complex system to be represented at several levels. At the high level, the system is
composed of interconnected subsystems. After that, each subsystem can be decomposed in
several interconnected blocks (or yet subsystems). Thus, the Simulink Subsystem is a spe-
cial modeling element, which can contain blocks (pre-defined or user-defined blocks), links,
gates, and other subsystems, to represent hierarchical composition, and conditionals, such
as the for-loop iteration or the if-then-else structure. A subsystem is defined with its input
ports and output ports. Using the Simulink GUI, a double-click in the subsystem graphical
representation allows one to see its decomposition at the next hierarchical level, where the
subsystem is represented by interconnected blocks. At this level, the input and output ports
are represented by Input and Output Gates, respectively.
In this work, we are using an extension of Simulink, where the use of subsystems is
also used to represent CPUs, threads, and communication resources, following the Simulink
CAAM [17]. Similarly to the stereotypes used in UML, parameters defined in the subsys-
tem description are used to indicate when a special semantics should be considered for this
subsystem. Since we have UML-SPT stereotypes to describe some of these aspects we keep
them in the Simulink graph representation, using the stereotype 〈〈SAEngine〉〉 for CPU
subsystems, and 〈〈SASchedRes〉〉 for Thread subsystems. However, for communication
subsystems (intra-SS and inter-SS subsystems ) we use CPUCOMM , changing the id to
indicate communication between threads allocated to the same CPU (id = “intra”) and to
different CPUs (id = “inter”).
RITA • Volume 20 • Número 1 • 2013 119
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
4.1 Syntax
In this section, the syntax of Simulink block diagrams and their graph representations
are determined. Basically, a Simulink block diagram is composed by blocks (or subsystems)
and connections. Therefore, a block diagram is defined by a set of blocks; a set of links
(connections); a function defining the subsystems; two sets determining the input and out-
put ports; and two functions defining the source and target ports of each link. All elements
(blocks, links and ports) have a unique identifier, allowing the system to have different in-
stances of the same element. Moreover, blocks and links have names; and blocks have also a
type identifying the parameters for each component. The hierarchy of subsystems is defined
by a function that associates each block to a set of its component blocks. This means that,
if the associated set is not empty, the block is a subsystem composed of blocks in the set,
otherwise it is a simple block. Each port is associated to a block, and the links associate one
source port to a list (not empty) of target ports.
A Simulink block diagram is well defined if some restrictions are satisfied: (1) the
identifier of each block is unique in the set of blocks; (2) the identifier of each link is also
unique in the set of links; (3) a block cannot be a component of itself; (4) the subsystem
hierarchy is not symmetric, i.e., if a block is a component of another one, the latter cannot be
a component of the former; (5) each block can be a component of only one subsystem; (6)
links must connect ports according to a given set of restrictions. Components of a subsystem
can only be connected to the subsystem or to other components in this subsystem. In this
way, a link can connect blocks if its source is a subsystem and its target is a component of
this subsystem, or vice-versa (P1−P2); or if its target and source are the same block (P3); or
if both target and source blocks are components of the same subsystem (P4); or if both target
and source blocks are not components of any subsystem (P5). In addition, depending on the
type of link (P1 − P5), the connected ports must be either an input or an output port. Links
of type P1 (or P2) connect input to input ports (or output to output ports); links of type P3
connect input to output ports; and, finally, links of types P4 and P5 connect output to input
ports.
Definition 16 [Simulink block diagram] Given a set ID of identifiers and a set NM of
names (strings), a Simulink block diagram is defined by a tuple SB = (B,L, sub, Pin, Pout,
sl, tl) where:
• B = {(id, name, type)|id ∈ ID∧name ∈ NM∧type ∈ {SAengine, SASchedRes,
SFunction, lib, CPUCCOMUN, IO}} is the set of blocks;
• L = {(id, name)|id ∈ ID ∧ name ∈ NM} is the set of links;
• sub : B → P(B) is a total function associating each block to the set of its components
(blocks).
120 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
• Pin = {(id, b)in|id ∈ ID ∧ b ∈ B}, is the set of all input ports;
• Pout = {(id, b)out|id ∈ ID ∧ b ∈ B}, is the set of all output ports;
• sl : L→ (Pin ∪ Pout) is a total function defining the source port of each link;
• tl : L→ (P+in ∪ P+out) is a total function defining the list of target ports of each link;
such that:
1. ∀b1, b2 ∈ B : if Pj1(b1) = Pj1(b2) then b1 = b2;
2. ∀l1, l2 ∈ L : if Pj1(l1) = Pj1(l2) then l1 = l2;
3. ∀b ∈ B : b 6∈ sub(b);
4. ∀b1, b2 ∈ B : if b1 ∈ sub(b2) then b2 6∈ sub(b1);
5. ∀b1, b2, b3 ∈ B : if b1 ∈ sub(b2) ∧ b1 ∈ sub(b3) then b2 = b3;
6. ∀l ∈ L :
[∀pd ∈ tl(l) : ∨i∈{1,...,5} Pi(pd, sl(l)) ∧
(if P1(pd, sl(l)) then pd, sl(l) ∈ Pin)) ∧
(if P2(pd, sl(l)) then pd, sl(l) ∈ Pout) ∧
(if P3(pd, sl(l)) then pd ∈ Pout ∧ sl(l) ∈ Pin) ∧




= Pj2(pd) ∈ sub(Pj2(po))
P2(pd, po)
def
= Pj2(po) ∈ sub(Pj2(pd))
P3(pd, po)
def
= Pj2(pd) = Pj2(po)
P4(pd, po)
def
= ∃b ∈ B : Pj2(pd), P j2(po) ∈ sub(b)
P5(pd, po)
def
= @b ∈ B : Pj2(pd) ∈ sub(b) ∧ @b ∈ B : Pj2(po) ∈ sub(b)
In the following, we have oX = {oE, oI, oC, oS, oL, oF} and dX = {dE, dI, dC,
dS, dL, dF}. Moreover, we say that an edge e has type oX or dX , if tEG(e) ∈ oX or
tEG(e) ∈ dX , respectively.
A Simulink CAAM block diagram can be represented by a typed attributed graph.
This graph must be typed over the type graph T depicted in Figure 5. Vertices of graph T
represent a block (SFuncion, lib, CPUCOMMUN , SAengine, SASchedRes or IO),
or a variable (var) or links (X). In fact, a link is represented by a vertex of type X; one
RITA • Volume 20 • Número 1 • 2013 121
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
edge of type oX , indicating the source block of the link; one edge of type dX , defining the
target block of the link; and one edge of type var, determining the data which are transmitted
through the link. A graph can represent a block diagram if it satisfies the following restric-
tions: (1) the graph must be typed over the type graph T depicted in Figure 5; (2−4) a vertex
can be the source of at most one edge of each type in, result and id; (5) two edges of type in
cannot connect the same vertices in opposite directions; (6) each vertex of type X must have
exactly one outgoing edge of each type var, oX and dX; (7) if there is a link (a vertex of
type X and edges of types oX and dX with source in X) connecting two blocks, then either
one of the blocks is a component of the other or both are components of the same subsystem.
Definition 17 [Graph representation of a Simulink block diagram] A typed attributed
graph GT = (G, t) is a graph representation of a Simulink block diagram (gSD) if it is typed
over T , such that:
1. T is the type graph depicted in Figure 5;
Figure 5. Type graph for gSDs.
2. ∀e1, e2 ∈ EG : if t(e1) = t(e2) = in ∧ src(e1) = src(e2) then e1 = e2;
3. ∀e1, e2 ∈ EG : if t(e1) = t(e2) = result ∧ src(e1) = src(e2) then e1 = e2;
4. ∀e1, e2 ∈ ENA : if t(e1) = t(e2) = id ∧ src(e1) = src(e2) then e1 = e2;
5. @e1, e2 ∈ EG : [t(e1) = t(e2) = in ∧ src(e1) = tgt(e2) ∧ src(e2) = tgt(e1)];
122 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
6. ∀v ∈ VG : if t(v) = X then #V ar(v) = #Orig(v) = #Dest(v) = 1, where:
• V ar(v) = {e ∈ EG|t(e) = var ∧ src(e) = v}
• Orig(v) = {e ∈ EG|t(e) ∈ oX ∧ src(e) = v}
• Dest(v) = {e ∈ EG|t(e) ∈ dX ∧ src(e) = v}
7. ∀x ∈ VG :
if t(x) = X
then ∀e ∈ EG :
if t(e) = in ∧ (oXV (x) ∈ src(e) ∨ dXV (x) ∈ src(e))
then P (e, oXV (x), dXV (x)) ∧ P (e, dXV (x), oXV (x))
where oXV (x)
def
= v such that e ∈ EG : [src(e) = x ∧ t(e) ∈ oX ∧ tgt(e) = v]
dXV (x)
def
= v such that e ∈ EG : [src(e) = x ∧ t(e) ∈ dX ∧ tgt(e) = v]
P (e, vo, vd)
def
= if src(e) = vo,
then (tgt(e) = vd) ∨
(∃e′ ∈ EG : [t(e′) = in ∧ src(e′) = vd ∧
tgt(e) = tgt(e′)])
Since each vertex v of type X has exactly one outgoing edge of each type var, oX or
dX , we use var(v), oX(v) and dX(v) to denote them, respectively. Moreover, for a vertex
v ∈ VG with an outgoing edge e ∈ ENA of type id, we denote the tgtNA(e) by id(v).
Given a graph representing a Simulink model, we can obtain the Simulink block dia-
gram corresponding to this graph.
Each vertex v of type SFuncion, lib, CPUCOMMUN , SAengine, SASchedRes
or IO defines one block b of the set of blocks of the Simulink diagram. For each block b, its
identifier is defined by v, its name by the value of attribute id of v and its type by the v type.
A set of vertices of type X defines a link l associated to a variable v. The identifier of
l is determined by the set of X vertices and its name by the value of attribute id of v. Each
vertex X in the set that defines an identifier Lvo must have the same source block o (that is,
X is connected to o by an edge of type oX) and the same associated variable v. Besides, all
vertices X in Lvo must satisfy one of the following restrictions: each X must have its source
in a component of a subsystem and its target either in a block inside the same subsystem or
in the subsystem itself (that is, X belongs to Intvo and l is of type Int
v
o); X must have source
and target in blocks that are not components of any subsystem (that is, X belongs to Extvo);
X must have source in a subsystem and target either in a component of this subsystem or in
the subsystem itself (that is, X belongs to Mixvo).
RITA • Volume 20 • Número 1 • 2013 123
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
The edges of type in determine the hierarchy of subsystems. Each in edge with source
in block b′ and target in block b establishes that b′ is a component of subsystem b.
The set of links (created from X vertices together with its outgoing edges oX , dX
and var) specifies the set of input and output ports of each block. Each link l of type Mixvo
defines an input port of block o identified by v. In case that l has an X vertex with target in
some component d of block o, then it defines an input port in d. If l has an X vertex with
both source and target in block o, then it also specifies an output port in o. Each link l of type
Extvo defines input ports in the target of each X in Ext
v
o and specifies an output port in block
o. Each link l of type Intvo defines an input port in a block d if there is an X in Int
v
o with
target in d such that o and d are components of the same subsystem. Besides that, each link l
of type Intvo determines an output port in o. If l has an X vertex with target in a subsystem d
which contains o, then it specifies an output port in d.
The source of each link of type Mixvo is the input port of o identified by v. The source
of each link of type Intvo or Ext
v
o is the output port of o identified by v. The target d of each
X in a link l defines a target port p of link l in block d identified by v . If l is of type Extvo , p
is an input port. If l is of type Intvo and d and o are in the same subsystem, then p is an input
port. If l is of type Mixvo and d is a component of subsystem o, then p is also an input port.
Otherwise, p is an output port.
Definition 18 [From a gSD to a Simulink block diagram] Given a graph gSD GT =
((VG, VD, EG, ENA, srcG, tgtG, srcNA, tgtNA, Alg), t : G → T ), a Simulink block dia-
gram equivalent to GT is defined by SB = (B,L, sub, Pin, Pout, sl, tl), where:
• B = {(v, id(v), t(v)) | v ∈ VG ∧ t(v) 6∈ {X, var}};
• L = {(Lvo, id(v)) | Lvo 6= ∅∧o ∈ B∧v ∈ VG∧t(v) = var}, where Lvo = Intvo∨Lvo =
Extvo ∨ Lvo = Mixvo, with
Intvo = {x ∈ VG | P (x, o, v) ∧ vd = tgt(dX(x)) ∧
∃w ∈ B : [o ∈ sub(w) ∧ (vd = Pj1(w) ∨ SB(vd, w))]}
Extvo = {x ∈ VG | P (x, o, v) ∧ vd = tgt(dX(x)) ∧
@w ∈ B : o ∈ sub(w) ∧ @w ∈ B : SB(vd, w)}
Mixvo = {x ∈ VG | P (x, o, v) ∧ (tgt(dX(x)) = Pj1(o) ∨ SB(tgt(dX(x)), o))}
with P (x, o, v)
def
= t(x) = X ∧ tgt(oX(x)) = Pj1(o) ∧ tgt(var(x)) = v
SB(v, o)
def
= (v, id(v), t(v)) ∈ sub(o)
• ∀b ∈ B : sub(b) = {b′ ∈ B | e ∈ EG ∧ tEG(e) = in ∧ srcG(e) = Pj1(b′) ∧
tgt(e) = Pj1(b)}
124 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
• Pin = M1 ∪M2 ∪ E ∪ I , where
M1 = {(v, o)in | (Mixvo, n) ∈ L}
M2 = {(v, d)in | (Mixvo, n) ∈ L ∧ x ∈Mixvo ∧ tgt(dX(x)) = vd ∧
d = (vd, id(vd), t(vd)) ∈ sub(o)}
E = {(v, d)in | (Extvo, n) ∈ L ∧ x ∈ Extvo ∧ tgt(dX(x)) = vd ∧
d = (vd, id(vd), t(vd))}
I = {(v, d)in | (Intvo, n) ∈ L ∧ x ∈ Intvo ∧ tgt(dX(x)) = vd ∧
d = (vd, id(vd), t(vd)) ∧ o 6∈ sub(d)}
• Pout = M ∪ EI ∪ I
M = {(v, o)out | (Mixvo, n) ∈ L ∧ x ∈Mixvo ∧ tgt(dX(x)) = Pja(o)}
EI = {(v, o)out | (Extvo, n) ∈ L ∨ (Intvo, n) ∈ L}
I = {(v, d)out | (Intvo, n) ∈ L ∧ x ∈ Intvo ∧ tgt(dX(x)) = vd ∧
d = (vd, id(vd), t(vd)) ∧ o ∈ sub(d)}
• ∀l ∈ L : sl(l) ={
(v, o)in if l = (Mix
v
o, n)
(v, o)out if l = (Int
v
o, n) ∨ l = (Extvo, n)
• ∀l ∈ L : tl((Lvo, n)) = ld, where
(v, d)in ∈ ld if x ∈ Lvo ∧ vd = tgt(dX(x)) ∧ d = (vd, id(vd), t(vd)) ∧
((Lvo = Mix
v
o ⇒ d ∈ sub(o)) ∨ (Lvo = Intvo ⇒ o 6∈ sub(d)))
(v, d)out ∈ ld if x ∈ Lvo ∧ vd = tgt(dX(x)) ∧
d = (vd, id(vd), t(vd)) ∧ Lvo 6= Extvo ∧
((Lvo = Mix
v
o ⇒ d = o) ∨ (Lvo = Intvo ⇒ o ∈ sub(d)))
5 Specifying the Mapping from UML to Simulink
In this section, we propose a design flow to use UML as modeling language of a sys-
tem and provide the generation of a Simulink model. A graph grammar specification defines
the mapping from a graph representation of a UML specification to a graph representation of a
Simulink block diagram. In this way, designers have to know a single modeling language with
a high-level abstraction for systems specification. The translation also handles the allocation
of processors, the mapping of threads to processors, and the insertion of required Simulink
ports and dataflow connections, in order to generate a synthesizable Simulink CAAM model
according to the design flow proposed in [6].
The process of translation is illustrated in Figure 6. It starts by constructing the initial
graph from sequence and deployment diagrams (which must respect Definitions 12, 13 and
14). The specification of this graph is elaborated in the AGG tool [15] according to Definition
15. Using the AGG simulator and applying the defined rules, the initial graph is transformed
RITA • Volume 20 • Número 1 • 2013 125
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
into a graph representing the corresponding Simulink CAAM model. The final graph is then
described in the input language of Simulink. The process is still semi-automatic, where only







Figure 6. Process of transformation of UML diagrams into Simulink models.
In the following, we present the process of translating UML diagrams into Simulink
models.
5.1 Initial graph
In order to translate a set of UML diagrams into a Simulink diagram, a graph grammar
that models such transformation must be defined. The translation rules used in this grammar
are those defined in Section 5.2, but the initial graph changes according to the diagrams to be
translated. For instance, in order to illustrate the graph grammar specification, we translate
the UML sequence and deployment diagrams detailed in Figure 7 into the Simulink block
diagram depicted in Figure 8. This example describes a hypothetical system.
According to the mapping proposed in [8], the deployment diagram from Figure 7
defines the processing elements used in the multiprocessor system (nodes decorated with the
〈〈SAEngine〉〉 stereotype), which are CPU1 and CPU2, besides the threads (indicated by
the 〈〈SASchedRes〉〉 stereotype) allocated for each CPU . The sequence diagram represents
the behavior of threads (T3, T1 and T2 in this order) using message exchanges according to
the object-oriented approach. In this diagram, rectangles represent objects, as for instance,
the threads T1, T2 and T3. Communications between threads are represented by set and
get messages, as well as data input and output are represented respectively by get and set
messages sent to 〈〈IO〉〉 objects. Other messages can represent invocations of methods from
a library (e.g. mult) or user-defined methods (e.g. calc and dec), which represent parts of
tasks behavior.
The initial graph (initial state of the grammar) that represents the UML specification
is illustrated in Figure 9. The construction of this graph is straightforward. All objects, all
called methods and all communications between threads are represented by vertices. The ar-
guments and results of method calls are also represented by vertices. The mapping of threads
to processors is captured from the deployment diagram and represented by in edges in the
corresponding graph. The direction of communications between threads is represented by
126 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
Figure 7. Deployment and Sequence Diagrams
source (src) and target (tgt) edges, and the result (in case of a get operation) or the argument
(in case of a set operation) determine the respective creation of result and arg edges, con-
necting the method to the respective variable. The arguments and results of the remaining
function calls are also represented by arg and result edges, respectively, connecting the func-
tions to the corresponding variables. At last, an in edge from a function to a thread indicates
RITA • Volume 20 • Número 1 • 2013 127
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
Figure 8. Generated Simulink CAAM model
which thread invokes the respective method.
Figure 9. Initial graph.
Applying the specified rules in the initial graph (Figure 9), we obtain a graph corre-
sponding to a Simulink diagram (Figure 16). These rules are applied to the graph until no
more rules can be applied, and, thus, we get a graph that describes the Simulink diagram
equivalent to the original UML diagrams.
5.2 Rules
The rules, which define the translation, can be sorted in three groups: rules IntraC,
InterC, getIO and setIO with priority 1 (Figure 10); rules prefixed by Fun, Lib, or Thr with
priority 2 (Figure 13); and rules prefixed by arg or res with priority 3 (Figure 15).
128 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
Rules are specified with a priority order. This feature, though not very common in
graph grammar specifications, is available in the AGG system [14]. Rule priorities provide
a way to schedule the application of rules: as long as a low-priority rule is enabled, no
higher-priority rules can be scheduled for application. In general, this strategy simplifies
rules specification, avoiding the creation of extra components (flags) necessary to enforce the
order of rule applications.
Figure 10. Rules for gets and sets with Priority 1
Rule IntraC depicted in Figure 10 identifies send and receive operations between two
threads that are in the same CPU. That is, one of the threads invokes a set method from the
RITA • Volume 20 • Número 1 • 2013 129
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
other thread, whose argument is a variable var, while the second thread invokes a get method
from the first one, whose result is stored in the same variable. In this case, an Intra CPU-
COMMUN subsystem is instantiated for the corresponding variable and connections from the
thread responsible for the send operation to CPUCOMMUN and from CPUCOMMUN to the
receive thread are created. Rule InterC illustrated in Figure 10 is analogous, but now recog-
nizing send and receiving operations between threads that are in different CPUs. Now, an
Inter CPUCOMMUN subsystem is instantiated, besides the connections from one thread to
the other. When a thread invokes a get or a set method from an IO component, rules getIO or
setIO, respectively, must be applied (see Figure 10). The application of getIO creates connec-
tions from the IO component to the thread, while setIO application establishes connections
from the thread to the IO subsystem. After the application of any of these rules, the get result
remains available for the thread which invoked the get method (represented by creation of
edge result in rules) and the set argument remains available as argument of the thread which
invoked the set method (represented by creation of edge arg in rules). Figure 11 emphasizes
the components of the Simulink model created from the UML diagrams in Figure 7 after the
application of the IntraC rule (links connecting T1, Intra, and T2), and Figure 12 highlights
the components created after application of the setIO rule (links connecting T2 output to the
IODevice).
Figure 11. Simulink components created by IntraC rule (links connecting T1, Intra, and T2)
Figure 12. Simulink components created by setIO rule (links connecting T2 to IODevice)
Rules detailed in Figure 13 create connections between blocks of functions (SFunction
and lib) and other functions or threads. These rules are applied when the result of a function
(or thread) is used as argument of another function (or thread). Rules prefixed by Fun create
130 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
connections between the output of blocks of type SFunction and the input of other blocks.
Rules prefixed by Lib create connections between the output of blocks of type lib and the
input of other blocks. Finally, rules prefixed by Thr create connections between the output
of blocks of type SASchedRes (thread) and functions. Simulink components created by this
class of rules from the UML diagrams in Figure 7 are highlighted in Figure 14 (see links
inside threads).
Figure 13. Rules with Priority 2
Remaining rules, illustrated in Figure 15, just execute garbage collection, deleting
result and arg edges. For instance, if a result is used as an argument of more than one function,
RITA • Volume 20 • Número 1 • 2013 131
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
Figure 14. Simulink components created by rules with priority 2 (links inside threads)
it is not possible to delete this edge until all connections have been created. Because of that,
these rules have the highest priority.
Figure 15. Rules with Priority 3
5.3 Final graph
The final graph obtained from the UML diagrams in Figure 7 (automatically through
AGG) after all rule applications is depicted in Figure 16. It is important to observe that, for
each UML graph, just one final Simulink graph is obtained (see discussion in Section 6).
The translation of this graph to a Simulink block diagram is straightforward. Vertices
IO, SAengine, CPUCOMMUN, SASchedRes, SFunction and lib represent the corresponding
Simulink blocks with the same identifier in Figure 8. The hierarchy of blocks is captured by in
edges. The connections and data flow between blocks are represented by vertices X together
with their connections (edges with source in X in the graph). Edges with prefix o indicate
the source of the connection, and edges prefixed with d indicate the destination (target) of
132 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
Figure 16. Graph representing a Simulink CAAM model
the connection. Edges labeled with var determine the variable that is being transmitted. For
example, var with identifier a is being transmitted from the IODevice to CPU2 and from CPU2
to thread T3.
Finally, it is important to notice that the use of graph grammars to specify the transla-
tion, besides allowing the automatic translation from a UML graph to a Simulink graph, also
provides a precise and formal definition for the mapping.
6 Transformation Analysis
Besides the automatic translation and precise definition of the mapping, the use of a
formal language also allows the verification of some properties about the translation.
Important features that are required, when graph grammars are used to specify model
transformations, are termination and confluence. Only under these conditions the existence
and uniqueness of the outcoming model may be guaranteed. Now we discuss why our graph
grammar specification for the mapping from UML to Simulink models satisfies such require-
ments. We used the AGG tool [15, 14] to proceed with the termination and confluence anal-
ysis.
RITA • Volume 20 • Número 1 • 2013 133
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
6.1 Termination
The transformation process finishes when there is no rule that can be applied in the
current state. For instance, a transformation does not finish when there is a rule that creates
new components and is always active (that is, it can always be applied in the state graph).
Another situation is when rules can be applied in a cycle, that is, components are created by
rules that are deleted by others, in a situation where the application of rules that consume
the items activate rules that create them. In the UML to Simulink mapping we have the
following characteristics. The initial state graph is always finite. Rules with priority 1 only
delete components of the initial graph. And rules with priority 2 delete arg edges (created
by rules with priority 1), which will not be created again. This is because rules with priority
1 require get and set components to be applied. Such components are deleted in the first
application of these rules and are not created by any other rule. Then, for each UML graph,
one final Simulink graph is always obtained.
Termination was also guaranteed by the AGG tool. In AGG termination criteria are
implemented for Layered Graph Transformation Systems (LGTS) with injective rules, injec-
tive matches and injective negative application conditions. A graph grammar with produc-
tions P and graph components (graph vertices and graph edges, named types) T is called lay-
ered graph grammar if for each rule r ∈ P we have a rule layer rl(r) = k with 0 ≤ k ≤ k0
(k, k0 ∈ N) where k0 is the number of layers. Moreover, for each graph vertex or graph edge
t ∈ T we have a creation and a deletion layer cl(t), dl(t) ∈ N and each layer k is either a
deletion layer or a nondeletion layer satisfying the following conditions for all r ∈ P with
rl(r) = k:
If k is a deletion layer If k is a nondeletion layer
Deletion Layer Conditions Nondeletion Layer Conditions
1. r is deleting at least one item 1. r is nondeleting, i.e. r : L→ R
is total and injective
2. 0 ≤ cl(t) ≤ dl(t) ≤ k0 for all t ∈ T 2. r has NAC n : L→ N and there is an
injective n′ : N → R with n′ ◦ n = r
3. r deletes t⇒ dl(t) ≤ rl(t) 3. t ∈ L is a graph component⇒
cl(t) ≤ rl(r)
4. r creates t⇒ cl(t) > rl(r) 4. r creates t⇒ cl(t) > rl(r)
If we have an initial graph G0, for each graph component t ∈ T the creation and
deletion layers are assigned as follows:
cl(t) = if t ∈ G0 then 0 else max{rl(r)|r creates l}+ 1
dl(t) = if t is deleted by some r then min{rl(r)|r deletes l} else k0
134 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
The deletion layer conditions ensure that the last creation of a graph component of a certain
type should precede the first deletion of a component with the same type. On the other hand,
nondeletion layer conditions ensure that if a component of a certain type occurs in the LHS
of a rule then all elements of the same type were already created in the same or a previous
layer. Each layered graph grammar with injective matches terminates (for details see [18]).
In AGG, the rule layer can be set or generated. In case of the graph grammar defined
in Section 5, the rule layer of each rule is determined by its priority. The creation and deletion
type layer is generated automatically by AGG. And, for each layer, one set of layer conditions
is proved. In fact, we do not have any layer of nondeleting rules and all three layers of our
specification satisfy the deletion layer conditions. Figure 17 shows the result of the analysis
of AGG for our graph grammar. As illustrated in Figure 17, AGG assigns the creation and
deletion layer for each graph component and checks if the termination criteria are satisfied.
Figure 17. AGG Termination Analysis
6.2 Confluence
A model transformation is confluent if for each source model the process of transfor-
mation results in a unique target model. Critical pair analysis [14] is generally used to check
if a transformation is confluent. A critical pair is a pair of transformations both starting at
a common graph G such that both transformations are in conflict, and graph G is minimal
according to the rules applied (that is, G only contains elements that are in the image of the
matches of both rules). There exists a critical pair like above if, and only if, one rule may dis-
RITA • Volume 20 • Número 1 • 2013 135
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
able the other one. There are three reasons why rule applications can be conflicting: (i) one
rule application deletes a graph component which is in the match of another rule application;
(ii) one rule application generates graph components in a way that a graph structure would
occur which is prohibited by a NAC of another rule application; (iii) one rule application
changes attributes being in the match of another rule application. A graph grammar system is
confluent if it is locally confluent and terminates. A system is locally confluent if all critical
pairs are confluent, that is, all critical pairs can be derived by a sequence of transformations
that leads them to a common successor graph.
We have also used the AGG tool [15] to proceed with the critical pair analysis. After
computation, the set of critical pairs represents precisely all potential conflicts in the grammar.
In order to detect all potential conflicts of type (i) or (iii) described above, for each pair of
rules p1 : L1→ R1 and p2 : L2→ R2, AGG computes graph G by overlapping L1 and L2
in all possible ways, such that the intersection of L1 and L2 contains at least one item that is
deleted or changed by one of the rules and both rules are applicable to G at their respective
occurrences. Potential conflicts of type (ii) are found by gluing the right-hand side of the first
rule and the left-hand side together with NAC elements of the second rule.
In fact, we have no critical pairs in our graph grammar. Figure 18 shows the absence
of potential conflicts between each pair of rules computed by AGG. It is possible to observe
that the potential conflicts are generated just for pairs of rules with the same priority. The
reason for this is that we can never apply rules with different priorities to the same graph.
Rules are not in conflict because they may always be applied to disjoint portions of the state
graph. Then, for each UML graph, just one final Simulink graph is obtained.
Figure 18. AGG Minimal Conflicts
136 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
7 Concluding Remarks
In this paper we formally define a mapping from UML to Simulink models. Our trans-
lation considers only Simulink discrete-time blocks and generates an extension of Simulink
(named CAAM), which combines algorithmic and architectural aspects into a single model.
We use graph grammars as specification language, which allowed the use of the AGG tool
set to automate the translation. This approach allows designers to employ UML to model the
whole system and reuse this specification to generate a Simulink graph representation. The
generated graph is easily converted to a Simulink CAAM model that can be used as input for
a Simulink-based MPSoC design flow, which generates hardware and software for an MP-
SoC platform. The use of graph grammars also allowed the verification of some properties
about the translation. Particularly, existence and uniqueness of the outcoming model can be
assured.
In order to have a fully automatic design flow from UML to Simulink, we still have
to automate the transformation from UML diagrams to their corresponding graph represen-
tation and the transformation from the graph representation of Simulink to the corresponding
Simulink block diagram. We also intend to explore the verification of other types of prop-
erties, like consistency in connections of the generated Simulink graph. That is, it could be
important to assure that all arguments of method calls are previously produced and all results
are used.
Acknowledgement
The authors gratefully acknowledge financial support received from CNPq, FAPERGS
(ARD-10/0348-8, ARD-11/0764-9) and NESS project (PRONEX-10/0043-0).
References
[1] OMG, “Omg unified modeling language infrastructure version 2.4,” tech. rep., 2011.
[2] L. B. Brisolara, M. E. Kreutz, and L. Carro, “UML as front-end language for embedded
systems design,” in Behavioral Modeling for Embedded Systems and Technologies: Ap-
plications for Design and Implementation (L. Gomes and J. M. Fernandes, eds.), ch. 1,
pp. 1–23, Hershey, PA: Information Science Reference - Imprint of: IGI Publishing,
2009.
[3] J. Vidal, F. de Lamotte, G. Gogniat, P. Soulard, and J.-P. Diguet, “A co-design ap-
proach for embedded system modeling and code generation with UML and MARTE,”
RITA • Volume 20 • Número 1 • 2013 137
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
in DATE’09, (Belgium), pp. 226–231, European Design and Automation Association,
2009.
[4] G. Martin, “UML for embedded systems specification and design: Motivation and
overview,” in Proceedings of the conference on Design, automation and test in Europe,
DATE’02, (Washington, DC, USA), pp. 773–, IEEE Computer Society, 2002.
[5] Mathworks, “Simulink.” http://www.mathworks.com/. Last access: December, 2011.
[6] K. Huang, S.-i. Han, K. Popovici, L. Brisolara, X. Guerin, L. Li, X. Yan, S.-l. Chae,
L. Carro, and A. A. Jerraya, “Simulink-based MPSoC design flow: case study of
Motion-JPEG and h.264,” in DAC’07, (NY, USA), pp. 39–42, ACM, 2007.
[7] Y. Vanderperren and W. Dehaene, “From UML/SysML to Matlab/Simulink: current
state and future perspectives,” in Proc. of the conference on Design, automation and
test in Europe, DATE’06, (Belgium), pp. 93–93, European Design and Automation As-
sociation, 2006.
[8] L. B. Brisolara, M. F. S. Oliveira, R. Redin, L. C. Lamb, L. Carro, and F. Wagner,
“Using UML as front-end for heterogeneous software code generation strategies,” in
Proc. of the conference on Design, automation and test in Europe, DATE’08, (NY,
USA), pp. 504–509, ACM, 2008.
[9] C.-J. Sjöstedt, J. Shi, M. Törngren, D. Servat, D. Chen, V. Ahlsten, and H. Lönn, “Map-
ping Simulink to UML in the Design of Embedded Systems: Investigating Scenarios
and Structural and Behavioral Mapping,” in OMER4 Post-proceedings, 2008.
[10] T. Farkas, C. Neumann, and A. Hinnerichs, “An integrative approach for embedded soft-
ware design with UML and Simulink,” in Proceedings of the 2009 33rd Annual IEEE
International Computer Software and Applications Conference - Volume 02, COMP-
SAC’09, (Washington, DC, USA), pp. 516–521, IEEE Computer Society, 2009.
[11] G. Rozenberg, ed., Handbook of graph grammars and computing by graph transforma-
tion: volume I. foundations. NJ, USA: World Sci. Pub. Co., 1997.
[12] N. N. Bisi, V. Pazzini, L. Foss, S. A. C. Cavalheiro, and L. B. d. Brisolara, “Utilizando
gramática de grafos para o desenvolvimento de sistemas embarcados baseado em mode-
los UML,” in WEIT 2011 - I Workshop-Escola de Informática Teórica - Anais, pp. 242–
253, 2011.
[13] L. Foss, S. Costa, N. Bisi, L. Brisolara, and F. Wagner, “From UML to Simulink:
a Graph Grammar Specification,” in 14th Brazilian Symposium on Formal Methods:
Short Papers, pp. 37–42, 2011.
138 RITA • Volume 20 • Número 1 • 2013
From UML to SIMULINK CAAM: Formal Specification and Transformation Analysis
[14] C. Ermel, M. Rudolf, and G. Taentzer, “The agg approach: language and environment,”
Handbook of graph grammars and computing by graph transformation: vol. 2: appli-
cations, languages, and tools, pp. 551–603, 1999.
[15] “Agg: The homebase.” http://user.cs.tu-berlin.de/∼gragra/agg/. Last access: November,
2011.
[16] H. Ehrig, K. Ehrig, U. Prange, and G. Taentzer, Fundamentals of Algebraic Graph
Transformation (Monographs in Theoretical Computer Science. An EATCS Series). Se-
caucus, NJ, USA: Springer-Verlag New York, Inc., 2006.
[17] S.-I. Han, S.-I. Chae, L. Brisolara, L. Carro, K. Popovici, X. Guerin, A. A. Jerraya,
K. Huang, L. Li, and X. Yan, “Simulink R©-based heterogeneous multiprocessor soc
design flow for mixed hardware/software refinement and simulation,” Integr. VLSI J.,
vol. 42, pp. 227–245, February 2009.
[18] H. Ehrig, K. Ehrig, J. de Lara, G. Taentzer, D. Varró, and S. Varró-Gyapay, “Termination
criteria for model transformation,” in Proc. of Internation Conference on Fundamental
Approaches to Software Engineering, FASE’05 (M. Cerioli, ed.), vol. 3442 of LNCS,
(Edinburgh, UK), pp. 49–63, Springer, April 2005.
RITA • Volume 20 • Número 1 • 2013 139
