Polychrony for refinement-based design by Talpin, Jean-Pierre et al.
Polychrony for refinement-based design
Jean-Pierre Talpin, Paul Le Guernic, Sandeep Shukla, R.K. Gupta, Fre´de´ric
Doucet
To cite this version:
Jean-Pierre Talpin, Paul Le Guernic, Sandeep Shukla, R.K. Gupta, Fre´de´ric Doucet. Poly-
chrony for refinement-based design. Design, Automation and Test in Europe Confer-
ence and Exposition (DATE 2003), Mar 2003, Munich, Germany. pp.11172-11173, 2003,
<10.1109/DATE.2003.1253786>. <hal-00542167>
HAL Id: hal-00542167
https://hal.archives-ouvertes.fr/hal-00542167
Submitted on 1 Dec 2010
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destine´e au de´poˆt et a` la diffusion de documents
scientifiques de niveau recherche, publie´s ou non,
e´manant des e´tablissements d’enseignement et de
recherche franc¸ais ou e´trangers, des laboratoires
publics ou prive´s.
Polychrony for renement-based design
Jean-Pierre Talpin
1
, Paul Le Guernic
1
, Sandeep Kumar Shukla
2
, Rajesh Gupta
3
, Frederic Doucet
3
1
Inria/Irisa,
2
Virgina Tech,
3
UC San Diego,
4
UC Irvine
Abstract
The polychronous (i.e. multi-clocked) model of the
Signal design language oers formal support for the
capture of behavioral abstractions for both very high-
level system descriptions (e.g. SystemC/SpecC) and
behavioral-level Ip components (e.g. Vhdl). Its plat-
form, Polychrony, provides models and methods for
a rapid, renement-based, integration and a formal
conformance-checking of Gals hardware/software ar-
chitectures. Its companion desynchronization tech-
niques allow to model high-level, functional, specica-
tions and formally verify successive design renements
yielding a distributed implementation. The present ar-
ticle demonstrates the eectiveness of this approach in
renement-based design by the experimental, compar-
ative, case study of an even-parity checker design in
SpecC. It highlights the benets of the formal models,
methods and tools provided in Polychrony, in rep-
resenting functional, architectural, communication and
implementation abstractions of the design, and the suc-
cessive renements.
1 Introduction
Rising complexities and performances of integrated
circuits and systems, shortening time-to-market de-
mands for electronic equipments, growing installed
bases of intellectual property, requirements for adapt-
ing existing Ips with new services, all stress high-level
design as a prominent research topics and call for the
development of appropriate methodological solutions.
In this aim, system design based on the so-called \syn-
chronous hypothesis" consists of abstracting the non-
functional implementation details of a system away and
let one benet from a focused reasoning on the logics
behind the instants at which the system functionali-
ties should be secured. From this point of view, syn-
chronous design models [9] and languages [3] provide
intuitive models for integrated circuits. This aÆn-
ity explains the ease of generating synchronous cir-
cuits and verify their functionalities using compilers
and related tools that implement this approach. The
relational model of the Signal/Polychrony design
language/plateform [9, 12] goes beyond the domain
of purely synchronous circuits to embrace the context
of architectures consisting of synchronous circuits and
desynchronization protocols: Gals architectures. The
unique features of this model are to provide the notion
of polychrony: the capability to describe multi-clocked
(or partially clocked) circuits and systems; and to sup-
port formal design renement, from the early stages of
requirements specication, to the later stages of syn-
thesis and deployment, and by using formal verication
techniques. In practice, a multi-clocked system descrip-
tion is often the representation or the abstraction of
an asynchronous system or of a Gals architecture. In
system-level design, the asynchronous implementation
of a system is obtained through the renement of its de-
scription towards hardware-software co-design. How-
ever, clocks are often left unspecied at the functional
level, and no choice on a master clock made at the ar-
chitectural level. As communication and implementa-
tion layers are reached, however, multiple clocks might
be a way of life. In the polychronous design paradigm,
one can actually design a system with partially or-
dered clocks and rene it to obtain master-clocked com-
ponents integrated within a multiply-clocked architec-
tures, while preserving the functional properties of the
original high-level design, thanks to the formal ver-
ication methodology provided by the formal theory
(model and theorems) of polychronous signals. In the
present article, we put the principles of polychronous
design to work in the context of the emerging high-
level languages such as SystemC/SpecC [7, 13, 14]
by studying the renement of a high-level specica-
tion, the even-parity checker (Epc) towards its imple-
mentation. Our goal is to derive conditions on speci-
cations under which our design principles works. In
other words, we seek towards tools and methodologies
to allow to take a high-level SystemC/SpecC speci-
cation and to rene it in a semantic-preserving manner
into a Gals implementation. We focus on a simple
1
case study to illustrate our methodology and we show
how the specication of the Epc in SpecC can be re-
ned towards a Gals implementation with the help of
Polychrony.
2 An informal introduction to Signal
In Signal (gure 1), a process P consists of the
composition of simultaneous equations over signals.
A signal x 2 X describes a possibly innite ow of
discretely-timed values v 2 V . An equation x = fy
denotes a relation between a sequence of operands y
and a sequence of results x by a process f 2 F . Syn-
chronous composition P j Q consists of considering a
simultaneous solution of the equations P and Q at
any time. Signal requires three primitive processes:
pre , to reference the previous value of a signal in time;
when , to sample a signal; and default , to determin-
istically merge two signals (and provides, e.g. nega-
tion not , equality eq , identity id , etc). The equation
x = pre v y initially denes x by v and then by the pre-
vious value of y in time (tags t
1
; t
2
; t
3
denote instants).
The equation x = y when z denes x by y when z is
true. The equation x = y default z denes x by y when
y is present and by z otherwise. We exemplify the
equational/relational design model of Signal by con-
sidering the denition of a counting process: Count. It
accepts an input event reset and delivers the integer
output val. A local counter, initialized to 0, stores the
previous value of val (equation counter := val$1 init 0).
When the event reset occurs, val is reset to 0 (i.e. (0
when reset). Otherwise, counter is incremented (i.e.
(counter + 1)). The activity of Count is governed by
the clock of its output val, which diers from that of
its input reset: Count is multi-clocked.
process Count = (? event reset ! integer val)
(| counter := val$1 init 0
| val := (0 when reset)
default (counter + 1)
|) where integer counter;
end;
3 A model of polychronous signals
Starting from the model of tagged signals of Lee et
al. [8, 4], we give the tagged model of polychronous
signals [9] for the formal study of protocol properties.
We consider a set of boolean and integer values v 2 V
to represent the operands and results of a computa-
tions. A tag t 2 T, denotes an instant. The dense
set is equipped with a partial order relation  to de-
note synchronization and causal relations. The sub-
set T  T of a given process is chosen to be a semi-
lattice (T ;; 0). A chain C 2 C is a totally ordered
subset of T. An event e 2 E = T  V relates a tag
and a value. A signal s 2 S = T * V is a par-
tial function relating a chain of tags to a set of val-
ues. We write tags(s) for the domain of s. A behavior
b 2 B = X * S is a partial function from signal names
x 2 X to signals s 2 S. We write vars(b) for the
domain of b and tags(b) = [
x2vars(b)
tags(b(x)) for its
tags. Hence, the informal sentence \x is present at t in
b" is formally dened by t 2 tags(b(x)). We write bj
X
for the projection of a behavior b on a set X  X of
names (i.e. vars(bj
X
) = X and 8x 2 X; bj
X
(x) = b(x))
and b
=X
for its complementary of bj
vars(b)nX
. A process
p 2 P = P(B) is a set of behaviors that have the same
domain X (written vars(p)). Synchronous composition
p jq is dened by the set of behaviors that extend a
behavior b 2 p by the restriction c
=vars(p)
of a behavior
c 2 q if the projections of b and c on vars(p) \ vars(q)
are equal.
p jq =

b ] c
=vars(p)
j (b; c) 2 p q;
bj
vars(p)\vars(q)
= cj
vars(p)\vars(q)

Scalability is a key concept for engineering systems
and reusing components in a smooth design process.
A formal support for allowing time scalability in de-
sign is given in our model by the so-called stretch-
closure property. The intuition behind this relation is
to consider a signal as an elastic with ordered marks
on it (tags). If it is stretch, marks remain in the
same order but have more space (time) between each
other. If it is un-stretched, marks appear closer from
each other and some are no longer observable. The
same holds for a set of elastics: a behavior. If elas-
tics are equally stretched, the partial order between
marks is unchanged. A behavior c is a stretching of
b, written b  c, i vars(b) = vars(c) and there ex-
ists a function f : T ! T that - 1/ is strictly in-
creasing - 2/ is monotonic along all chains - 3 sat-
ises tags(c(x)) = f(tags(b(x))) for all x 2 vars(b),
and b(x)(t) = c(x)(f(t)) for all x 2 vars(b) and all
t 2 tags(b(x)). Stretching is a partial-order relation.
It gives rise to an equivalence relation between behav-
iors. The behaviors b and c are stretch-equivalent, writ-
ten b 7 c, i there exists a behavior d s.t. d  b and
d  c. Both relations extend to processes. A process p
is stretch-closed i for all b 2 p, c 7 b) c 2 p. A non-
empty, stretch-closed process p admits a set of strict
behaviors, written (p)
7
, s.t. (p)
7
 p (for all b 2 p,
there is a unique c 2 (p)
7
s.t. c 7 b).
Distributed design To model asynchrony, we con-
sider a weaker relation which discards synchronization
relations and allows for comparing behaviors w.r.t. the
2
P ::= x = f y j P j Q j P =x f 2 F  f pre v j v 2 Vg [ fwhen ; default ; not ; eq ; id ; : : :g
y : (t
1
; v
1
) (t
2
; v
2
) (t
3
; v
3
) : : :
pre v y : (t
1
; v) (t
2
; v
1
) (t
3
; v
2
) : : :
y : (t
1
; v
1
) (t
2
; v
2
) (t
3
; v
3
) : : :
z : (t
2
; tt) (t
3
; ff) (t
4
; tt) : : :
y when z : (t
2
; v
2
) : : :
y : (t
2
; v
2
) (t
3
; v
3
) : : :
z : (t
1
; v
1
) (t
3
; w
3
) : : :
y default z : (t
1
; v
1
) (t
2
; v
2
) (t
3
; v
3
) : : :
Figure 1. Core-Signal
sequences of values signals hold. The relaxation re-
lation allows to individually stretch the signals of a
behavior. A behavior c is a relaxation of b, written
b v c, i vars(b) = vars(c) and for all x 2 vars(b),
b
jx
 c
jx
. Relaxation is a partial-order relation that
denes the ow-equivalence relation. Two behaviors
are ow-equivalent i their signals hold the same val-
ues in the same order. The behaviors b and c are ow-
equivalent, written b  c, i there exists a behavior d
s.t. d v b and d v c. The equivalence class of a behav-
ior b is a semi-lattice: it admits a strict behavior, writ-
ten (b)

. We use relaxation to dene the meaning of
asynchronous composition p k q (we note X = vars(P ),
Y = vars(Q) and I = X \ Y ).
p k q =

d




9b 2 p; d
jXnY
7 b
jXnY
; bj
I
v dj
I
9c 2 q; d
jY nX
7 c
jY nX
; cj
I
v dj
I

Polychronous design properties The model of
polychronous signals allows to dene formal proper-
ties that are essential for the component-based de-
sign of Gals architectures. Endochrony is a key de-
sign property design. A process is endochronous i,
given an external (asynchronous) stimulation of its in-
puts I , it reconstructs a unique synchronous behav-
ior (up to stretch-equivalence). Endochrony denotes
the class of processes that are insensitive to (internal
and) external propagation delays. A process p is en-
dochronous on its input signals I i 8b; c 2 p; (bj
I
)

=
(cj
I
)

) b
7
c. Flow-equivalence oers the right met-
ric for checking the renement of a high-level system
specication with distributed communication protocols
correct. For instance, it is considered in [2] for the
renement-based design of the Ltta protocol in Sig-
nal. Flow-invariance is the property that ensures that
the renement of a functional specication p jq by an
asynchronous implementation p k q preserves ow-
equivalence. Formally, p and q are ow-invariant i,
for all b 2 p jq, for all c 2 p k q, (bj
I
)

= (cj
I
)

implies
b  c for I the inputs of p jq. In Signal, Gals archi-
tectures are modeled as endo-isochronously communi-
cating endochronous components. We say that two en-
dochronous processes p and q are endo-isochronous i
(pj
I
) j(qj
I
) is endochronous (with I = vars(p)\vars(q)).
Endo-isochrony implies ow-invariance.
Capturing high-level design with polychrony
In the polychronous design paradigm, one can give a
functional-level specication of a system in terms of re-
lations and partially-ordered clocks. A renement, at
the architecture-level, consists of isolating the master-
clock of components and of integrating them within a
multi-clocked architectures, while preserving the func-
tional properties of the original design, thanks to the
formal verication of ow-invariance. The main ben-
et of considering the model of polychronous signals
for high-level C-like design languages lies in the for-
mal semantics backbone/platform it provides, on which
verication and optimization techniques can then be
plugged in. There are several ways to envisage ap-
plying the Polychrony model to high-level Gals ar-
chitectures modeling in C-like design languages. A
validation-based approach consists of associating every
component to a description of its invariants (a behav-
ioral type) and then to automate test-case generation
to validate them. By contrast, a program analysis ap-
proach consists of automatically synthesizing this be-
havioral type and of representing it in an algebra in
which deciding properties about these types (equiva-
lence, bisimulation, etc) is decidable. Hence, our ap-
proach: abstract a component by a temporal formula
or a Signal process.
4 A case study: the even parity checker
The polychronous model of the Signal de-
sign language oers formal support for the cap-
ture of behavioral abstractions for both very high-
level system descriptions (e.g. SystemC/SpecC) and
behavioral-level Ip components (e.g. Vhdl). Its plat-
form, Polychrony, provides formal methods for
a rapid, renement-based, integration and a formal
conformance-checking of Gals hardware/software ar-
chitectures. The model of polychrony being quite
elaborate, we focus on a case study that illus-
trate our methodology by showing how the spec-
ication of the Epc in SpecC can be rened
towards a Gals implementation with the help
of the tool Polychrony, showing in what re-
spects and at which critical design stages formal
3
Vhdl
behavioral
description
High-level
SpecC/SystemC
design
interfaceinterface
Polychrony


-


-








6


6
analysis
abstraction
transformation
distribution
code
generation
control
synthesis
verication
simulation
Figure 2. A polychronous component-based design platform
methods matter for engineering such architectures.
ones even
IO

-

-

-

-
data
ocount
istart
idone
Inport
Outport
start
done
The Epc consists of three functional units: an
IO interface process, an even test process and a
main ones counting process. The behavior ones
determines the parity of an input data received along
Inport. Upon receipt of the start notication, it
repeatedly shifts the data until it is 0ed. The output
count ocount is sent along Outport and done notied.
behavior ones(...) f
void main(void) f
unsigned int data, ocount, mask, temp;
while (1) f wait(start);
data = Inport;
ocount = 0;
mask = 1;
while (data != 0) f temp = data & mask;
ocount += temp;
data >>= 1;
g
Outport = ocount;
notify(done);
gg
g;
The translation of the behavior ones in Signal consist,
rst, of decomposing the syntactic structure of the
SpecC program into an intermediate representation
that renders the imperative structure of the original
program together with its most characteristic features
(use of locks, interrupts, etc). In this structure,
each thread consists of a sequence of blocks (critical
sections) delimited by wait and notify synchronization
statements. Within such blocks, basic control struc-
tures are then encoded. A method call or a basic
operation, e.g. x = y + 1, is encoded by an equation,
e.g. either x = y$1 + 1when c (when y references a
value computed during the previous transition in this
block) or x = y + 1when c (if it has already been
computed in the same transition), conditioned by
an activation clock c. A conditional statement, e.g.
if x thenP elseQ, is encoded by constraining the clock
of P by x and that of Q by notx. Internal while
loops are encoded by over-sampling. Interrupts are
rendered by boolean signals that tell whether or not
they are raised during a computation. An interrupt
conditions the activation clock of subsequent equations
in the control ow graph; if it escapes the scope of the
method in which it is raised, it becomes an output
signal of the process that encodes the method in order
to propagate in the context of use of that method.
The encoding of the behavior ones in Signal yields
a process in which the clock of input/output signals
are synchronized to input/output notication events.
The process ones consists of one critical section. The
internal while loop is encoded by an over-sampling
sub-process.
process ones = (? integer Inport; event start
! integer Outport; event done)
(| start
^
= Inport
| Outport := ocount when data=0
| data := Inport default rshift (data$1 init 0xffff)
| ocount := (ocount$1 init 0) + xand (data, 1)
| done
^
= Outport
|) where integer data, ocount end;
Architecture layer design renement The en-
coding of the event-parity checker demonstrates the ca-
pability of Signal to give a synchronous model of com-
ponents for specication-level SpecC designs. This
level of abstraction (synchrony) allows for decoupling
the specication of the system under design from (too)
early architecture mapping choices. It additionally al-
lows for an optimized recombination of behaviors (e.g.
the Signal compiler could for instance be used to
merge the other IO and even behaviors into a single
SpecC fsm, using clock hierarchization techniques [1]
4
(i.e. the core engine of the Signal compiler). Suppose
we have done so and consider the architecture layer
of the SpecC even-parity checker example. We now
have two behaviors, ones and even+io that communi-
cate asynchronously via the ChMP channel.
channel ChMP() implements iSend, iRecv f
unsigned int data; event eReady, eAck;
bool ready flag = false, ack flag = false;
void send(unsigned int v) f
data = v;
ready flag = true;
notify(eReady);
while(!ack flag) wait(eAck);
ready flag = false;
notify(eReady);
while (ack flag) wait(eAck);
g
.
.
.
gg;
Modeling the architecture layer in Signal requires
an abstraction of the virtual simulation kernel seman-
tics for the wait/notify statements. This kernel can
be simulated in a way similar to the Signal library
that implements the Arinc 653 specication [6]. It
arbitrates the suspension (by a wait statement) and
resumption (by a notify) of scheduled processes by in-
hibiting/releasing their main clock (clk in the exam-
ple). The send/receive wrappers use a lock eReady
and boolean ags to prevent concurrent accesses to the
shared data. Focus on method send (receive is its dual).
It consists of two critical sections that end with a wait
statement. The Signal translation renders each sec-
tion by a sub-process whose activity is governed by an
event (s0 or s1).
process send = (? unsigned v, event clk ! )
(| % controller
s := (0 when (s$1=1) ^* (not ack flag) ^* clk)
default (1 when (s$1=0) ^* (ack flag) ^* clk)
| % critical section 1
(| s0 := when s=0
| data := v when s0
| ready flag := true when s0
| notify(eReady when s0)
| wait(eAck when (s0 ^* (not ack flag)))
|)
| % critical section 2
(| s1 := when clk
| ready flag := true when s1
| notify(eReady when s1)
| wait(eAck when (s1 ^* ack flag))
|)
|) where event s0, s1; integer s init 1;
Showing that the renement of the Epc architec-
ture layer preserves ow-equivalence w.r.t. the speci-
cation level amounts to a model checking problem (im-
plemented by using, e.g., the tool Sigali). Its overall
principle is illustrated below. Consider two processes
p and q sharing a signal x. Showing p's x and q's x
ow-equivalent can be implemented by installing an
observer connected to p and q by a one-place buer of
a Fifo queue. The observer repeatedly checks whether
its copy x
00
of the nth. value of p matches the copy y
00
of the nth. value of q. Verifying p and q ow-invariant
amounts to checking that the value of the observer is
invariantly true.
p jx
0
= x q jy
0
= x
buer
x
0
= y
0 ?
buer
6 6
- 
x
0
y
0
x
0
y
0
Communication and Rtl layers The communica-
tion layer of the Epc mainly consists of a data-type
renement of the ChMP channel and of the decompo-
sition of the renamed methods send and receive into
sub-procedures. It intends to make the implementa-
tion of the ChMP as a bus explicit.
channel cBus() implements iBus f
.
.
.
void write(unsigned bit[31:0] wdata) f
ready.assign(1);
data = wdata;
ack.waitval(1);
ready.assign(0);
ack.waitval(0);
gg;
The Rtl layer of the Epc consists of the introduc-
tion of a master clock clk and of a reset signal rst to-
gether with the convertion of the Epc communication-
layer specication into nite-state machine code. This
translation closely corresponds the Signal's encoding
of the Epc into blocks (critical sections). Checking
the Rtl-level renement correct amounts to proving
it bisimilar to the encoding of the communication-
layer, i.e., showing that ow-equivalence along the in-
put/output signals istart, idone, data, ocount is pre-
served.
behavior ones(...) f void main(void) f
unsigned bit[31:0] data, ocount, mask, temp;
enum state fS0, S1, S2, S3, S4, S5, S6, S7g state;
state = S0;
while (1) f
wait(clk);
if (rst == 1b) state = S0;
switch (state) f
case S0: done = 0b;
ack istart = 0b;
if (start == 1b) state=S1
else state=S0;
break;
case S1: ack istart = 1b;
data = inport;
state = S2;
break;
5
case S2: ocount = 0;
state = S3;
break;
case S3: mask = 1;
state = S4;
break;
case S4: temp = data & mask;
state = S5;
break;
case S5: ocount = ocount + temp;
state = S6;
break;
case S6: data = data >> 1;
if (data == 0) state=S7
else state=S4;
break;
case S7: outport=ocount;
done = 1b;
if (ack idone == 1b) state=S0
else state=S7;
break;
gggg;
Toward an integration platform In the aim of au-
tomating the above process within a versatile compo-
nent integration platform, the use of Sigali [11] as a
renement (model) checking tool directly provides the
required support for automating this process by using
controller synthesis techniques [10]. Whereas model-
checking consists of proving a property correct w.r.t.
the specication of a system, controller synthesis con-
sists of using this property as a control objective and
to automatically generate a coercive process that wraps
the initial specication so as to guarantee that the ob-
jective is an invariant.
5 Conclusion
We have put a polychronous design model to work
for the renement of a high-level even-parity checker in
SpecC from the early stages of its functional specica-
tion to the late stages of its hardware/software Gals
implementation. We demonstrated the eectiveness
of this approach by showing in what respects and at
which critical design renement stages formal verica-
tion and validation support was needed, highlighting
the benets of using the tool Polychrony in that de-
sign chain. The novelty of integrating Polychrony in
a high-level design tool-chain lies in the formal support
oered by the former to automate critical and com-
plex design verication and validation stages yielding
a correct-by-construction system design and renement
in the latter.
References
[1] Amagbegnon, T. P., Besnard, L., Le Guernic, P. \Im-
plementation of the data-ow synchronous language Sig-
nal". In Conference on Programming Language Design
and Implementation. ACM Press, 1995.
[2] Benveniste, A., Caspi, P., Le Guernic, P., Marchand,
H., Talpin, J.-P., Tripakis, S. \A protocol for loosely
time-triggered architectures". In Embedded Software Con-
ference. Springer Verlag, October 2002.
[3] Berry, G., Gonthier, G. \The Esterel synchronous pro-
gramming language: design, semantics, implementation".
In Science of Computer Programming, v. 19, 1992.
[4] Carloni, L. P., McMillan, K. L., Sangiovanni-
Vincentelli, A. L. \Latency-Insensitive Protocols". In
Proceedings of the 11th. International Conference on
Computer-Aided Verication. Lecture notes in computer
science v. 1633. Springer Verlag, July 1999.
[5] F. Doucet, M. Otsuka, R. Gupta and S. Shukla "Ef-
cient System Level Co-Design Environment using Split
Level Programming". Technical Report 01-34, CECS/UCI,
June 2001.
[6] A. Gamati, T. Gautier "Modeling of modular avionics
architectures using the synchronous language Signal". In
proceedings of the Euromicro conference on real-tile sys-
tems. June 2002.
[7] D. Gajski, F. Vahid, S. Narayan, and J. Gong. "Speci-
cation and Design of Embedded Systems". Prentice Hall,
1994.
[8] Lee, E. A., Sangiovanni-Vincentelli, A. \A framework
for comparing models of computation". In Ieee transac-
tions on computer-aided design, v. 17, n. 12. Ieee Press,
December 1998.
[9] Le Guernic, P., Talpin, J.-P., Le Lann, J.-L. Polychrony
for system design. In Journal of Circuits, Systems and
Computers. Special Issue on Application Specic Hardware
Design. World Scientic, 2002.
[10] Marchand, H., Bournai, P., Le Borgne, M., Le Guer-
nic, P. Synthesis of Discrete-Event Controllers based on
the Signal Environment. In Discrete Event Dynamic Sys-
tem: Theory and Applications, v. 10(4), pp. 325{346, 2000.
[11] H. Marchand, E. Rutten, M. Le Borgne, M. Samaan.
Formal Verication of Signal programs: Application to
a Power Transformer Station Controller. Science of Com-
puter Programming, v. 41(1), pp. 85{104, 2001.
[12] Espresso project. http://www.irisa.fr/espresso
[13] SpecC. http://www.specc.org
[14] SystemC. http://www.systemc.org
6
