We present a formal specification and verification of the automatic circuit-breaking behavior of an electric power transformer station, using the synchronous approach to reactive real-time systems implemented by the data-flow language SIGNAL. Synchronous languages have a mathematical model that supports the various phases of the development of a control system: specification, verification, simulation, code generation, and implementation. The complex hierarchical, state-based and preemptive behavior of the power station controller is specified in SIGNALGTi, an extension of SIGNAL with notions of time intervals and preemptive tasks. To validate the specification, a graphical simulator is generated using SIGNAL's execution environment, and the required behavior is proven to be satisfied, using its proof method.
Introduction
This paper presents an experiment in the synchronous approach to specifying and formally verifying reactive real-time systems [5]. It applies the declarative language SIGNAL to the design of a complex, state-based, discrete event behavior for a power transformer station controller.
SIGNAL is a real-time synchronized data-flow language [19], and is related to the family of synchronous languages [13]. Its declarative style is based on equations defining the values and the synchronizations of flows of data called signals. Processes are represented by systems of equations, and compiling a SIGNAL program involves transforming the specification into an executable code that solves this system at each reaction. Compilation also verifies the causal and temporal consistency of the specification, and optimizes. The SIGNAL programming environment features a graphical editor and simulation tools, a compiler and optimizer, code generation in several target languages, and a proof tool for the analysis of dynamical systems. SIGNAL's synchronous data-flow model of time is based on instants, and its actions are performed within the instants. SIGNALGTi is an extension that provides constructs for the specification of hierarchical preemptive tasks on time intervals [26].
The compiler verifies the causal and temporal consistency of the specification and proves some static invariant properties. This part of the verification is only briefly mentioned in this paper; see [3, 19] for details. SIGNAL's equational formal model uses polynomial dynamical equation systems, with a proof method based on the theory of algebraic geometry. It is capable of proving a wide variety of dynamical properties, including liveness, invariance, reachability and attractivity [16, 17].
In this paper we apply SIGNAL and SIGNALGTi to the specification, simulation and verification of the automatic control system of a power transformer station. The controller determines the response to electrical defects on the lines traversing the station, including interrupting the current, redirecting supply sources, and re-establishing current following an interruption. Its objectives are safety and uninterrupted service. It involves complex interactions between communicating automata, interruption and preemption behaviors, timers and timeouts, reactivity to external events, etc. Electrical defects are detected by sensors; the controller has to distinguish between several types of defects, and between transient and persistent ones. This selection involves a protocol, with a cycle of attempts at treating the defect in reaction to perceived events.
2. The synchronous data-flow language SIGNAL and its model
2.1. The SIGNAL equational data-flow real-time language
SIGNAL [19] is built around a minimal kernel of operators. It manipulates signals X, which denote unbounded series of typed values (x_t)_{t∈T}, indexed by time t in a time domain T. An event is a signal characterized only by its presence, that always takes the value true (hence, its negation by not is always false). Applying the operator event X to a signal X yields its clock: the set of instants at which values of X are present. The constructs of the language can be used in an equational style to specify relationships between the values or the clocks of signals. Systems of equations on signals are built using a composition construct, thus defining processes. Data-flow applications are activities executed over a set of instants in time. At each instant, input data is acquired from the execution environment; output values are produced according to the system of equations considered as a network of operations.
Kernel of the SIGNAL language
This is based on four operations defining primitive processes or equations, with a composition operation to build more elaborate processes in the form of systems of equations:
• Functions are instantaneous transformations of their inputs. Given a function f, the SIGNAL definition Y := f{X1, X2, ..., Xn} means that ∀t, Y_t = f(X1_t, X2_t, ..., Xn_t). The signals Y, X1, ..., Xn are constrained to have the same clock.
• Selection of a signal X according to a boolean condition C is written Y := X when C. If C is present and true, then Y has the presence and value of X. The clock of Y is the intersection of (i.e., included in) that of X and that of C at the value true.
• Deterministic merge, denoted Z := X default Y, has the value of X when it is present, or otherwise that of Y if it is present and X is not. Its clock is the union of (i.e., includes) those of X and Y.
• Delay gives access to past values of a signal, e.g., the equation ZX_t = X_{t−1}, with initial value V0, defines a dynamical process. It is encoded by: ZX := X$1 with initialization ZX init V0. X and ZX have equal clocks.
• Composition of processes is denoted "|" (for processes P1 and P2, with parentheses: (| P1 | P2 |)). It consists in the composition of the equation systems; it is associative and commutative. It can be interpreted as parallelism between processes; communication between them is carried by the broadcasting of signals.
Derived features and example
Several derived processes have been defined using the primitive operators, to provide programming comfort and modularity. The instruction synchro{X,Y} specifies that signals X and Y are synchronous (i.e., have equal clocks); this is a synchronization constraint: the compiler will take it into account when analyzing the system of constraint equations on clocks. The unary operation when B gives the clock of true-valued occurrences of logical signal B. X cell B memorizes values of X and also outputs them when B is true. The expression C := # S is a counter of occurrences of event S behaving like the example given just below. Arrays of signals and of processes have been introduced as well. Hierarchy and re-use of the definition of processes are supported by the possibility of defining process models that can be invoked by instantiation.
An example of a SIGNAL process is given in Table 1 (counter COUNT), which is the expanded form of the derived operation C := # S.
There is one input signal S, and an output C. The value of the counter C is defined as the previous value ZC incremented by one. ZC is declared locally, and defined using the delay operator on signal C with initial value V0. C is synchronized with the input event S, and hence counts its occurrences.
Programming environment
The SIGNAL compiler analyzes the consistency of the equation system and determines whether the synchronization constraints between the clocks of signals are obeyed. It is based on an internal representation featuring a graph of data dependencies between operations, augmented with temporal information from the clock calculus. If the program is constrained so as to compute a deterministic solution, then executable code (in C or FORTRAN) can be produced automatically. The complete programming environment also contains a graphical, block-diagram oriented user interface where processes are boxes linked by wires representing signals, see Fig. 1.
Time intervals and preemptive tasks
An extension to SIGNAL, SIGNALGTi, handles tasks executing on time intervals and their sequencing and preemption [26]. The motivation is to provide ways of representing behaviors that switch between different modes of continuous interaction with their environment. These modes are identified by time intervals delimited by discrete start and end events, within which tasks are executed. The application domain is the control of physical processes, e.g. signal processing or robotics, featuring both computations on flows of sensor data, and discrete transitions in a control automaton. In SIGNALGTi, data flow and sequencing aspects are encompassed in the same language framework, and rely on the same model for their execution and analysis (compilation and verification). In this approach, a data-flow application is considered to be executed starting from an initial state of its memory at an instant α before the first event of the reactive execution. A data-flow process has no termination specified in itself: therefore its end at instant ω can only be decided in reaction to external events or the reaching of given values. Hence, ω is part of the execution, and the time interval on which the application executes is the left-open, right-closed interval ]α, ω].
Time intervals are introduced in order to allow the structured decomposition of ]α, ω] into left-open, right-closed intervals as illustrated in Fig. 2, and their association with processes [26]. An interval I is delimited by occurrences of bounding events at the beginning B and at the end E. It has the value inside between the next occurrence of B and the next occurrence of E, and outside otherwise. It has an initial value I0 (inside or outside). This is written: I := ]B, E] init I0. Like ]α, ω], sub-intervals are left-open and right-closed. This choice is coherent with the behavior expected from reactive automata or sequential circuits: a transition is made according to an input event occurrence and a current state, which results in a new state. Hence, the instant where the event occurs belongs to the time interval. The operator compl I defines the complement of an interval I, which is inside when I is outside and reciprocally. Operators open I and close I, respectively, give the opening and closing occurrences of the bounding events. Occurrences of a signal X inside interval I can be selected by X in I, and reciprocally outside by X out I. In this framework, open I is B out I, and close I is E in I.
With this extension, we can define the notion of task on an interval, which is a SIGNAL process active when the interval is inside, and inactive outside. A suspensive task is written P on I: it re-starts at its current state when re-entering I (see Fig. 3(a)).
An interruptible task is written P each I: it re-starts at its initial state (as defined by the declarations of its state variables) (see Fig. 3(b)). Processes can themselves be decomposed into sub-tasks: this way, the specification of hierarchies of preemptive behaviors is possible.
This extension is implemented as a pre-processor to the SIGNAL compiler [28], and is fully compatible with the environment, including the verification tools. In particular, the intervals are coded by a boolean state variable, true when the interval is inside and false when outside. Occurrences of a signal X inside an interval I are coded by X when I. This kind of specification, using tasks and intervals, is useful for specifying properties such as "two processes are not active at the same time". An example is given in Section 4.3.
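To make the interval semantics above concrete, here is a trace-level simulation of I := ]B, E] init I0 (coded by a boolean state variable as in the implementation just described), of the selections X in I and X out I, and of the paper's counter C := # S run as a suspensive task (P on I) versus an interruptible one (P each I). This is an added example with constructed event traces, not code from the paper or from the SIGNAL environment.

```python
"""Trace-level simulation of SIGNALGTi intervals and tasks (added example).

A trace is a list with one entry per instant; an event trace holds True where
the event is present and None where it is absent.  The interval is coded by a
boolean state variable (True = inside), as in the SIGNALGTi pre-processor.
"""
OUTSIDE, INSIDE = False, True


def interval_trace(b, e, init):
    """State of ]B, E] init I0 at each instant, plus the instants of open I and
    close I.  The instant of a bounding event already belongs to the new state
    (intervals are left-open, right-closed)."""
    state, states, opens, closes = init, [], [], []
    for t, (bt, et) in enumerate(zip(b, e)):
        if bt and state == OUTSIDE:        # open I  is  B out I
            state = INSIDE
            opens.append(t)
        elif et and state == INSIDE:       # close I is  E in I
            state = OUTSIDE
            closes.append(t)
        states.append(state)
    return states, opens, closes


def select(x, states, inside=True):
    """X in I (inside=True) or X out I: keep the occurrences of X (None when
    absent) only at instants where I has the requested state."""
    return [v if st == inside else None for v, st in zip(x, states)]


def counter_task(s, states, mode, v0=0):
    """C := # S as a task on interval I, I being given by its state trace.
    mode 'on'  : the counter keeps its state ZC across re-entries of I;
    mode 'each': it restarts from V0 whenever I is (re-)entered.
    C is absent (None) when the task is inactive or S is absent."""
    zc, out, was_inside = v0, [], False
    for st, inside in zip(s, states):
        if mode == "each" and inside and not was_inside:   # (re-)entry of I
            zc = v0
        if inside and st:
            zc += 1                  # C := ZC + 1, synchronized with S
            out.append(zc)
        else:
            out.append(None)
        was_inside = inside
    return out


# Constructed traces over 10 instants: B at 0 and 6, E at 3 and 8,
# S present at every instant except instant 2.
B_TRACE = [True if t in (0, 6) else None for t in range(10)]
E_TRACE = [True if t in (3, 8) else None for t in range(10)]
S_TRACE = [True if t != 2 else None for t in range(10)]


def demo():
    """Run the constructed traces through the interval and both task modes."""
    states, opens, closes = interval_trace(B_TRACE, E_TRACE, OUTSIDE)
    return {
        "I": states, "open I": opens, "close I": closes,
        "S in I": select(S_TRACE, states),
        "C on I": counter_task(S_TRACE, states, "on"),
        "C each I": counter_task(S_TRACE, states, "each"),
    }


if __name__ == "__main__":
    for name, trace in demo().items():
        print(f"{name:9}: {trace}")
```

Note that at instant 3 the counter is absent although S is present: E closes the interval at that very instant, so the instant belongs to the outside (right-closed), and with mode 'each' the count restarts at 1 on re-entry at instant 6.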
In brief, our approach features an integration of preemptive and data-flow programming constructs in the language, and its direct connection to a complete programming environment, with simulation and verification. Comparable multi-paradigm approaches have also been explored in relation with combinations of ARGOS and LUSTRE [14], and recently with Mode Automata [20]. We try to remain closer to the declarative style of SIGNAL. The constructs in GTi define quite a simple extension to SIGNAL, which could be transported immediately to the LUSTRE framework. The preemption structures in these approaches are not as rich as in ESTEREL [6]. It is possible to combine ESTEREL with data-flow processes going through separate compilation and exchange formats [11]. The advantage is to have ESTEREL's richness, but it is a complex and low-level technique. Separation of concerns is indeed fundamental in designing language constructs. However, from a programmer's point of view, sequencing and data flow do occur in the same applications. Our approach is to make convenient programming constructs available, while retaining the underlying data-flow or equational model.
Veriÿcation tools for SIGNAL programs
The verification of a SIGNAL program can concern invariant properties (to be satisfied at all instants of its execution) or dynamical ones (to be satisfied on the histories of the program). Invariant properties are addressed by the compiler, which checks the consistency of constraints between the clocks and proves static properties. Several phases occur during the compilation of a SIGNAL program. One of these resolves a system of boolean equations, that encodes the constraints among the different clocks. This clock calculus relies on an algebra on sets of instants detailed in [3]. By composing the specification with the SIGNAL expression of static (i.e., temporally invariant) properties, the compiler checks whether they are mutually consistent. If so, their composition constitutes a correct controller that satisfies the property. An example is given in Section 4.3.
Dynamical properties are proved by a formal method based on a model of the behavior of the program. The SIGNAL environment contains a dynamical verification and controller synthesis tool-box, SIGALI. The equational nature of the SIGNAL language leads naturally to the use of a method based on polynomial dynamical equation systems over Z/3Z = {−1, 0, 1} (integers modulo 3) as a formal model of program behavior. The model deals essentially with boolean and synchronization properties, i.e. control. Polynomial equation systems characterize sets of solutions, which represent states and events. The method manipulates equation systems rather than solution sets, thus avoiding enumeration of the state space. More precisely, a set of states and/or events can actually be represented by a unique polynomial called the principal generator. Operations on sets are performed within the domain of polynomial functions. The tool SIGALI implements the basic set theoretic operators, fix-point computation and quantifiers [21]. It relies on an implementation of polynomials by ternary decision diagrams (TDD) (for three-valued logics). These are in the same spirit as BDDs [9], but the paths in the data structures are labeled by values in {−1, 0, 1} instead of {0, 1}.
An equational model of the behavior of SIGNAL programs
To model its behavior, a SIGNAL process is translated into a system of polynomial equations over Z/3Z [15]. The three possible states of a boolean signal X (i.e., present and true, present and false, or absent) are coded in a signal variable x by (present and true → 1, present and false → −1, and absent → 0). For the non-boolean signals, we only code the fact that the signal is present or absent: (present → 1 and absent → 0).
Each of the primitive processes of SIGNAL can be encoded in a polynomial equation. This encoding is natural in the sense that SIGNAL involves the equational specification of constraints on the relative presence and synchronizations of signals. The encoding itself [16, 17] may not be particularly intuitive, but it is not meant to be visible to users. The essential point is that it leads to equations on variables which represent the presence of signals, and their values for Boolean ones. Delays must be treated specially as there is a distinction between current values (e.g., x, which was acquired in a previous instant) and next values (x′, which is computed in terms of values of variables at the present instant). There are thus equations defining (i.e., having as solutions) the set of initial states, the set of admissible signals (i.e., respecting the constraints on clocks), and the next values of delayed signals.
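As an added example (my own reconstruction, not the paper's or SIGALI's code), here is one polynomial encoding over Z/3Z of the kernel operators, consistent with the value coding just given (1 = present and true, −1 = present and false, 0 = absent). Each polynomial is checked exhaustively against the operator's semantics, including the delay, whose store is a state variable with a separate "next value" equation as the text describes.

```python
"""Z/3Z polynomial encoding of SIGNAL kernel operators (added example)."""
from itertools import product

Z3 = (-1, 0, 1)   # -1 = present & false, 0 = absent, 1 = present & true


def z3(v):
    """Reduce an integer to its representative in {-1, 0, 1}."""
    r = v % 3
    return r - 3 if r == 2 else r


# --- reference semantics of the kernel operators on coded values ------------
def sem_not(x):          # Y := not X
    return -x


def sem_and(x, y):       # Y := X and Y (X and Y share a clock)
    if x == 0 or y == 0:
        return 0
    return 1 if x == 1 and y == 1 else -1


def sem_when(x, c):      # Y := X when C: present iff X present and C true
    return x if c == 1 else 0


def sem_default(x, y):   # Z := X default Y: X if present, else Y
    return x if x != 0 else y


def sem_event(x):        # event X: the clock of X, an always-true event
    return 1 if x != 0 else 0


def sem_delay(x, xi):    # ZX := X$1, xi = stored previous value of X
    return (xi if x != 0 else 0), (x if x != 0 else xi)


# --- polynomial encodings (my reconstruction, verified by check_encodings) --
def poly_not(x):
    return z3(-x)


def poly_and(x, y):
    return z3(x * y * (x * y - x - y - 1))


def poly_when(x, c):
    return z3(x * (-c - c * c))        # -c - c^2 equals 1 iff c = 1


def poly_default(x, y):
    return z3(x + (1 - x * x) * y)     # 1 - x^2 equals 1 iff X is absent


def poly_event(x):
    return z3(x * x)                   # x^2 encodes the presence of X


def poly_delay(x, xi):
    """Delay uses a state variable xi.  Output: x^2 * xi (present with X,
    carrying the stored value).  Next value of the state: x + (1 - x^2) * xi
    (the store is refreshed only at instants where X is present)."""
    return z3(x * x * xi), z3(x + (1 - x * x) * xi)


def check_encodings():
    """Exhaustively compare every polynomial with its semantics over Z/3Z."""
    for x, y in product(Z3, Z3):
        assert poly_and(x, y) == sem_and(x, y), ("and", x, y)
        assert poly_when(x, y) == sem_when(x, y), ("when", x, y)
        assert poly_default(x, y) == sem_default(x, y), ("default", x, y)
    for x in Z3:
        assert poly_not(x) == sem_not(x), ("not", x)
        assert poly_event(x) == sem_event(x), ("event", x)
        for xi in (-1, 1):             # the store always holds a boolean
            assert poly_delay(x, xi) == sem_delay(x, xi), ("delay", x, xi)
    return True


if __name__ == "__main__":
    print("all kernel encodings agree with their semantics:", check_encodings())
```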
Any SIGNAL specification can be translated into a set of equations called a polynomial dynamical system (PDS), which can be organized as follows:
where X is a vector of n variables in Z/3Z, called state variables, and Y is a vector of m variables in Z/3Z, called event variables. The first equation is the state transition equation; the second equation is called the constraint equation and specifies which events may occur in a given state; the last equation gives the initial states. Such a PDS behaves as follows: at each instant t, given a state x_t and an admissible y_t such that Q(x_t, y_t) = 0, the system evolves into state x_{t+1} = P(x_t, y_t).
Thus, we have a mathematical model characterizing the behavior of dynamical systems in terms of polynomial systems. Note that for a boolean relation/function we have an exact coding of the relation/function as a polynomial function, while for a numerical function/relation, the encoding retains only the synchronization constraints between the signals involved in this relation/function. Therefore, SIGALI has reasoning capabilities only on the synchronization and logic properties of SIGNAL programs.
Verifying and controlling SIGNAL programs
Verification of a SIGNAL program (in fact, the corresponding PDS) can be carried out using algebraic operations. It is possible to check properties such as invariance, reachability and attractivity [21]. Here we just give the basic definitions of each of the properties that will be used in this paper.
Liveness: If saying that a system is alive means that it can always make a move, i.e. if deadlock cannot occur, then this property states that no trajectory of the system ends in a sink state. In terms of polynomial dynamical systems, this definition can be formalized as follows:
Definition 1. A state x is alive if there exists a signal y such that Q(x, y) = 0 (i.e. a transition can be taken); a set of states V is alive if and only if every state of V is alive; a system is alive if and only if ∀(x, y) such that Q(x, y) = 0, P(x, y) is an alive state (i.e., from live states, only live states can be reached).
Safety: In our formalism, a safety property corresponds to a set of states that remains invariant. If we characterize a property by the set of states which have it, the property is guaranteed to remain true if and only if that set of states is invariant for the dynamical system. The formal definition is as follows:
Definition 2. A subset E of states is invariant for a dynamical system if and only if for every state x ∈ E and for every event y admissible in the state x, the state x′ = P(x, y) is in E.
If a property characterizing a set of states E is not invariant, we can compute the largest invariant subset included in E. This subset is evaluated using a fix-point computation.
Another safety property is control-invariance.
Deÿnition 3.
A set E of states is control-invariant for a dynamical system if and only if for every state x ∈ E, there exists an event y admissible in the state x, such that the state x′ = P(x, y) is in E.
It is also possible to compute the largest control invariant subset of a given set E of states.
Other kinds of properties may be derived from liveness, invariance and control invariance.
Deÿnition 4.
Using the deÿnition above, we can prove that F is attractive for E if the set E is not included in the greatest control-invariant of the complement of F.
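The paper keeps state sets symbolic (polynomials over Z/3Z handled as TDDs); the following added example instead enumerates a constructed four-state abstraction of two activity intervals, a confirmation one and a treatment one (in the spirit of the departure cell described later in the paper), so that Definitions 1 to 4 can be seen as concrete fixed-point computations. It is not the paper's code; the state and event coding (1/−1 for inside/outside, 1/0 for present/absent) follows the paper, while the model itself, including which events are admissible, is my own assumption.

```python
"""Explicit-state check of PDS properties from Definitions 1-4 (added example)."""
from itertools import product

# State x = (conf, treat): is the confirmation interval inside? the treatment one?
STATES = list(product((-1, 1), repeat=2))
# Event y = (first_def, def_conf, quit, end_treat).  'quit' abstracts the defect
# disappearing or an external defect; 'end_treat' abstracts the end of treatment.
EVENTS = list(product((0, 1), repeat=4))
INITIAL = {(-1, -1)}


def admissible(x, y):
    """Constraint equation: True exactly when Q(x, y) = 0 would hold."""
    conf, treat = x
    first_def, def_conf, quit_, end_treat = y
    if sum(y) > 1:                    # abstraction: at most one event per instant
        return False
    if first_def:
        return conf == -1 and treat == -1
    if def_conf or quit_:
        return conf == 1
    if end_treat:
        return treat == 1
    return conf == -1                 # idling never happens during confirmation


def P(x, y):
    """State transition equation x' = P(x, y)."""
    conf, treat = x
    first_def, def_conf, quit_, end_treat = y
    if first_def:
        return (1, treat)
    if def_conf:
        return (-1, 1)                # confirmation exits, treatment enters
    if quit_:
        return (-1, treat)
    if end_treat:
        return (conf, -1)
    return x


def successors(x):
    return {P(x, y) for y in EVENTS if admissible(x, y)}


def is_alive_state(x):
    """Definition 1: at least one event is admissible in x."""
    return any(admissible(x, y) for y in EVENTS)


def system_is_alive():
    """Definition 1: from alive states, only alive states are reached."""
    return all(is_alive_state(s)
               for x in STATES if is_alive_state(x) for s in successors(x))


def largest_invariant(E):
    """Definition 2, as a greatest fixed point: drop states that can leave E."""
    inv = set(E)
    while True:
        keep = {x for x in inv if successors(x) <= inv}
        if keep == inv:
            return inv
        inv = keep


def largest_control_invariant(E):
    """Definition 3: keep states that have some successor still in E."""
    inv = set(E)
    while True:
        keep = {x for x in inv if successors(x) & inv}
        if keep == inv:
            return inv
        inv = keep


def attractive(F, E):
    """Criterion of Definition 4: F is attractive for E iff E is not included
    in the greatest control-invariant subset of the complement of F."""
    return not set(E) <= largest_control_invariant(set(STATES) - set(F))


def orbit():
    """The paper's orbit: every state reachable from the initial ones."""
    seen, todo = set(INITIAL), list(INITIAL)
    while todo:
        for s in successors(todo.pop()):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen


NO_OVERLAP = {x for x in STATES if x != (1, 1)}    # never both inside
CONF_OUTSIDE = {x for x in STATES if x[0] == -1}

if __name__ == "__main__":
    print("alive:", system_is_alive(), "orbit:", sorted(orbit()))
    print("no-overlap invariant:", largest_invariant(NO_OVERLAP) == NO_OVERLAP)
    print("confirmation always ends:", attractive(CONF_OUTSIDE, {(1, -1)}))
```

Note the contrast the model exposes: the set "treatment never entered" is not invariant (a confirmed defect forces entry), but it is control-invariant (the defect may always disappear instead), and treatment is not attractive from the initial state because the system may idle there forever.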
For a more complete review of the theoretical foundation of this approach, the reader may refer to [18, 21]. Let us now see how we can apply this methodology to the power transformer station controller verification.
The French national power network operated by Électricité de France (EDF) contains a large number of transformer stations. For each high-voltage line, a transformer lowers the voltage, so that it can be distributed to end-users in urban centers [22]. In the course of operation, several kinds of electrical defects can occur, due to causes internal or external to the station. Three types of electrical defects are considered: phase (PH), homopolar (H), or wattmetric (W). In order to protect the device and the environment, several circuit breakers are placed in different parts of the station. These circuit breakers are alerted by sensors at different locations, and controlled by local control systems called cells (arrival cell, link cells, and departure cells) and by an operator in a remote control center. Each circuit breaker controller defines a behavior beginning with the confirmation and identification of the type of the defect. If the defect is confirmed, the circuit breaker is opened for a given period, then closed again. If the defect is still present after another delay, these operations are repeated for a certain number of cycles. The purpose of this is to treat transient defects. If the defect is still present at the end of the cycle, the circuit breaker is opened definitively, and control is given to the remote operator. One of the problems is to know which of the circuit breakers must be opened. If the defect appears on the departure line, it is possible to open the circuit breaker at departure level, or at link level, or at arrival level. Obviously, it is preferable for the circuit to be broken at the departure level, so that as few as possible users are deprived of power. This requires coordination between the different circuit breaker cells.
Functional description of a departure cell
We will focus on the departure cell, because it illustrates all of the interesting aspects of the controller behavior, even in this simplified presentation. The other cells have a behavior which is a subset of this one. The behavior is decomposed into a confirmation phase, which sequentially tests for the different types of defect, followed by a treatment phase, which tries to remove the defect. These behaviors feature sub-tasks which are interrupted in a nested way, and repeated in a series of activity intervals. Their specification makes use of the corresponding constructs of SIGNALGTi. Here we describe only the details needed to understand the verification presented below.
The confirmation phase detects the occurrence of First_Defect and from then on, for each defect type (PH, H, or W), it waits to let transient defects finish naturally, and then checks for their continued presence. The defect types are tested in sequence in nested intervals. From First_Defect, interval I_PH is entered, in which the confirmation task first waits Delay_PH, and then enters interval I_H in which a task first waits Delay_H, and then enters interval I_W in which a task waits Delay_W. In the meantime, if a defect is confirmed (i.e., PH, H or W is present at the end of the corresponding delay), the sequence is interrupted (interval I_PH is ended), and the defect is confirmed by emission of the boolean Def_Conf with value true. I_PH is also exited if the defect disappears and the last delay elapses without defect (with Def_Conf at value false), or if another external defect occurs with emission of event Ext_Def.
Three properties can be verified. Firstly, if a defect is detected after the end of its corresponding delay, then the defect is confirmed by emission of Def_Conf. Secondly, confirmation never overlaps with treatment (i.e., the controller cannot be in states where both intervals I_PH and I_Treat are inside). Thirdly, if a defect appears then the defect will either be confirmed, or disappear, or an external defect will occur.
The treatment phase I_Treat begins when the defect is confirmed with the occurrence of Def_Conf. The task alternately breaks the circuit for varying delays, and closes it again to check whether the defect has disappeared. This continues for a certain number of cycles. Circuit breaking begins with emission of the command to open the circuit breaker, followed by the reception of an Open event, upon which the current delay is started. Upon completion of the delay, the circuit breaker is told to close, and this is confirmed by the reception of Closed. Once the circuit is re-established, if the defect has disappeared, the cell goes into its normal state. Otherwise, the treatment phase goes into the next cycle after a 0.5 s delay, or if this was the last cycle, the circuit breaker is definitively broken, a Def_Break signal is emitted, and the management is left to a remote human operator. The series of delay values (in the first cycle: 0.3 s, in the second: 15 s, in the third: 30 s) is treated as a signal, and the cycle is repeated as a series of activation intervals. A property to be verified is that if a defect is confirmed, either it disappears and the circuit breaker is closed, or it does not and Def_Break is emitted.
Design in SIGNAL and SIGNALGTÃ
The confirmation phase: an interruption hierarchy
Fig. 5 illustrates the Confirmation process specified in SIGNALGTi. The three constant parameters Delay_PH, Delay_H, and Delay_W correspond to each of the three kinds of electrical defects. The input event Time is the base clock, i.e., it is the clock of the logical inputs PH, H, and W (presence of the defects) and contains the clocks of the two other input events Ext_Defect and First_Defect. The process emits the output event Def_Conf when the defect is confirmed and the output logical signal Defect which gives the state of the cell. The logical Defect is true when an external defect is detected (reception of Ext_Defect) or when the defect is confirmed (Def_Conf), otherwise it is false when a defect is not present (i.e., when the disjunction of the three types is false). The interval I_PH is entered when a defect is detected (First_Defect). It is closed until the next defect by the occurrence of Defect at the value true, causing the interruption of the confirmation task executed each I_PH (and also of its sub-tasks).
The interruption hierarchy, illustrated in Fig. 5, is as follows. Each time I_PH is entered, a counter of Time is fired during Delay_PH. At the end of this delay:
• If the logical PH is true, or if PH becomes true during the sub-interval I_H, or if the defect is confirmed at a lower level (Def_Conf_H), then the defect is confirmed at this level (Def_Conf). This closes I_PH, thereby terminating the confirmation task.
• If PH is false, I_H (a sub-interval of I_PH) is entered with a sub-task that behaves in a similar way: a counter of Time is fired, and at Delay_H:
  • if H is true, or becomes so during interval I_W, or if the defect is confirmed at a lower level (Def_Conf_W), the defect is confirmed at this level (Def_Conf_H), causing the interval to close;
  • if H is false, I_W (a sub-interval of I_H) is entered, and a last sub-task counts Delay_W and tests for W.
This structural decomposition is reflected in the actual specification in SIGNALGTi shown in Table 2, where the different levels of tasks and sub-tasks are underlined by boxes.
Table 2. The Confirmation process in SIGNALGTi, with code formatted to underline the hierarchical structure.
The treatment phase: a series of intervals
The treatment phase is another task. We will only sketch it here. It is forced to follow the confirmation phase simply by specifying that its interval begins on the occurrence of a defect confirmation Def_Conf, which also exits the confirmation task (schematically: Treatment each I_Treat where I_Treat = ]Def_Conf, End_Treat]).
The main feature of the treatment phase is its cyclical aspect. The same circuit-breaking procedure is applied, starting with Req_Open, the request to open, and ending with the reception of Closed. The only thing that changes is the value of the delay fired on reception of Open. This suggests an implementation based on a signal carrying the series of delay values at a clock synchronous with Open, with sub-tasks on a series of intervals as in: One_Cycle each ]Req_Open, Closed].
The complete behavior
Finally, the two processes presented above are assembled into a complete treatment behavior. The logical inputs corresponding to the defects are processed in order to produce the logical Def and the event First_Defect which signals rising edges of Def. The process Confirmation is invoked, and is composed with the process Treatment, which is active each time I_Treat is entered, and is interrupted by Def_Break (when the cycle has reached its end without achieving the defect treatment) or by End_Defect (when the defect disappears while the breaker is closed). The opening of the breaker is requested by Req_Open, in the absence of Def_Break, when entering the treatment phase and when a request is emitted inside the cycle.
Validation by graphical simulation
Simulation is useful for the validation of specifications for which formal verification would be difficult, e.g., for insufficient knowledge of the environment, or for complex behaviors where the expression of properties would become either too difficult or too dependent on values which the PDS model abstracts away, like complex schedulings. Other examples of graphical simulation of specific SIGNAL programs include a generic production cell controller [1, 2], a speech processing system [19] and a robot vision system [27].
The simulation environment
The SIGNAL programming environment now includes a generic graphical simulation environment for SIGNAL specifications. It automatically constructs graphical input reading and oscilloscope-like output displaying windows for any of the interface signals of a program, as illustrated in Fig. 7.
We now display the presence and values of some of the intervals of the behavior, for some events. The oscilloscope-like display encodes intervals as 1 when inside, −1 when outside and 0 when absent. Events are encoded as 1 when present (which lasts only one instant), and 0 when absent. The logical input signals are always present, and are displayed as 1 when true and 0 when false. We will only focus on the simulation of the confirmation phase.
Simulation of the conÿrmation phase
The left column of Fig. 7 shows traces of the inputs (i.e. the three kinds of logical defects PH, H and W, and the event input Ext_Defect). The right column shows the hierarchical preemptive structure of the intervals during the confirmation phase, as well as the output event Def_Conf.
In the particular simulation trace illustrated in Fig. 7, the first event occurs at time 20 when the logical input W becomes true. Consequently, the interval Int_PH (the I_PH of Section 4.1.2) is opened, and Int_H is in its initial state outside. At time 60, after a Delay_PH of 40, open Int_H occurs, and the interval I_W is in its initial value outside. At time 90, after a Delay_H of 30, open Int_W occurs. At time 110, before the end of Delay_W, the defect PH becomes true. This interrupts the confirmation of the other defects, and emits B_Def_Conf. Even though simulation is useful for partially validating a specification, formal analysis is still needed to prove that the system has good behavior, because all possible schedulings cannot be simulated.
Formal veriÿcation of the power transformer station
In this section, we apply the tools presented in Section 3.2 to check various properties of our SIGNAL implementation of the power transformer station. Translation of the SIGNAL program takes 10 s, during which the causal and temporal coherency of the program are checked and an executable code for the dynamical system is produced. The polynomial dynamical system obtained contains 12 state variables and 22 event variables, representing an automaton of 500 000 possible states. In fact, we must consider only the reachable states. For this, we have to compute the orbit of the system, which corresponds to the set of all states that can be reached from the initial ones. Using our representation by ideals and varieties, this set is characterized by a single polynomial. To obtain the number of different states, we have to count the number of solutions of the polynomial. In our case, the system contains 7000 reachable states and more than 55 million transitions.
We will now describe some of the properties that have been proved:
(1) If a defect PH is detected after the end of its corresponding delay, in interval I_H, then the defect is confirmed by the emission of Def_Conf. Two different methods can be used to prove this property.
The first method uses the SIGNAL compiler, which can prove static (i.e., time invariant) properties as mentioned in Section 2. We express the property in SIGNAL as an inclusion between clocks as follows:
(| synchro{(when PH in I_H), ((when PH in I_H) when Def_Conf)} |)
(where A ⊂ B is expressed in the form A = A ∩ B, with when as intersection, and synchro as equality for clocks). We compose this constraint with the controller, and the compilation of the whole checks the consistency of all the constraints on clocks in the specification, including this one.
For the second method, in the treatment of the PH defect (i.e., inside the process that is active during each I_H) we add the following lines to the original specification:
(| Error := not ( when Def_Conf when (PH in I_H)) default when ( not Def_Conf when (PH in I_H)) | Sigali(Reachable(B_true(Error))) |)
The Error signal is a boolean which takes the value true when the property is violated. In order to prove the property, we have to check that there does not exist any trajectory of the system which leads to the states where the Error signal is true. Using a new extension of the SIGNAL language, named SIGNAL+, it is now possible to express the property to be checked directly in the SIGNAL program. The keyword Sigali means that the sub-expression must be evaluated by our symbolic calculus system SIGALI. The function Reachable means that SIGALI has to check the reachability of the set of states where Error is true (B_true(Error)), as described in Section 3.2. Thus, the compiler produces a file which can be read by SIGALI, in which can be found the polynomial dynamical system and the property to be checked. This file is interpreted by SIGALI, which sends back the answer as in the following trace:
=> loading of the polynomial dynamical system
> Prop : B_true(Error);
=> Compute the set of states where Error is true
> Reachable(Prop);
=> Check for the reachability of this set of states from the initial states
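As an added illustration (not code from the paper or from the SIGNAL/SIGALI tools), the observer of property (1) evaluated on the Z/3Z encoding that the polynomial model uses: each SIGNAL operator becomes a polynomial, the observer is run over a constructed trace, and "Error ever true on the trace" plays the role of Reachable(B_true(Error)) on that trace. Assumed: the usual encoding absent = 0, true = 1, false = -1 (2 mod 3); "PH in I_H" modelled as PH sampled while a boolean I_H is true; Def_Conf treated as a boolean; the clock-inclusion check is done per instant here, whereas the compiler proves it statically.

```python
# Added example, not the paper's code: SIGNAL boolean signals encoded in Z/3Z, the model
# SIGALI works on, with the paper's operators written as polynomials (assumed encoding:
# absent = 0, true = 1, false = -1, i.e. 2 mod 3).
ABSENT, TRUE, FALSE = 0, 1, 2

def s_not(x):
    return (-x) % 3                     # not x (absent stays absent)

def s_when(x, b):
    return (x * (-b - b * b)) % 3       # x when b: x if b is true, else absent

def ev_when(b):
    return (-b - b * b) % 3             # when b: pure event, present iff b is true

def s_default(x, y):
    return (x + (1 - x * x) * y) % 3    # x default y: x if present, else y

def clock(x):
    return (x * x) % 3                  # 1 iff x is present

def error_observer(ph, i_h, def_conf):
    """The paper's observer, evaluated at one instant:
       Error := not (when Def_Conf when (PH in I_H))
                default when (not Def_Conf when (PH in I_H))
    Assumption: 'PH in I_H' is PH sampled while the boolean I_H is true."""
    ph_in_ih = s_when(ph, i_h)
    confirmed = s_when(ev_when(def_conf), ph_in_ih)       # event: confirmed while PH in I_H
    missed = ev_when(s_when(s_not(def_conf), ph_in_ih))   # event: not confirmed while PH in I_H
    return s_default(s_not(confirmed), missed)            # FALSE / TRUE / ABSENT

def clock_inclusion_holds(ph, i_h, def_conf):
    """First method: synchro{ when PH in I_H, (when PH in I_H) when Def_Conf },
    i.e. A = A ∩ B on clocks, checked at a single instant."""
    a = ev_when(s_when(ph, i_h))
    return clock(a) == clock(s_when(a, def_conf))

def check_trace(trace):
    """trace: list of (PH, I_H, Def_Conf) instants.
    Returns (Error value per instant, whether Error is ever true)."""
    errors = [error_observer(*inst) for inst in trace]
    return errors, any(e == TRUE for e in errors)

# Constructed trace: PH rises while I_H is active; the controller confirms at the second
# instant but not at the third (a deliberately faulty instant so the observer fires).
TRACE = [(FALSE, TRUE, FALSE), (TRUE, TRUE, TRUE), (TRUE, TRUE, FALSE), (TRUE, FALSE, ABSENT)]

if __name__ == "__main__":
    errs, violated = check_trace(TRACE)
    print("Error per instant:", errs, "| property (1) violated on trace:", violated)
    print("clock inclusion per instant:", [clock_inclusion_holds(*i) for i in TRACE])
```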
(2) The controller cannot be in states where both intervals I_PH and I_Treat are inside. This property can be established by proving that the set of states corresponding to the situation where the treatment phase and the confirmation phase are both active cannot be reached from the initial states of the controller (given by the declarations in the program). For that, we consider the two intervals I_Treat and I_PH, encoded by logical signals which are true when the system is in the corresponding phase, and we add to the SIGNAL program the following line:
(| SIGALI(Reachable(And(B_true(I_Treat),B_True(I_PH)))) |)
The sub-expression And(B_true(I_Treat),B_True(I_PH)) defines, in the polynomial dynamical system, the set of states where I_Treat=1 and I_PH=1 at the same instant. Then, the proof verifies that this set of states is not reachable from the initial states of the polynomial dynamical system. In our example the result obtained is false. To verify this property we build an observer. This is a process composed with the controller, which evaluates a boolean signal OUT which is present when any of the three possibilities occurs, true when (a) or (c) occur, and false when (b) occurs. The property can be proved by checking the attractivity of the set of states where OUT is present, from the set of states where the defect appears (i.e. in which the event First Defect occurs). The compiler produces a file, which is interpreted by SIGALI, by applying the proof system function computing attractivity, as in the following trace:
=> OUT^2 means the set where the boolean OUT is present
> Attractivity (Prop_1,Prop_2) ;
(4) If Def Conf occurs, then the controller will necessarily evolve in such a way that: (a) either the defect does not disappear and the signal Def Break will be emitted; (b) or the defect does disappear, with the circuit-breaker closed.
To prove this property we use the same method as for (3). We compute the set of states E, where the defect is confirmed (i.e., Def Conf=1), and the set of states F, where (a) or (b) are verified. Using the function that computes attractivity, we prove that F is an attractive set of states from the set of states E.
By combining formal verification with SIGALI and simulation, the most important requirements on the behavior of the departure cell (and also the link and arrival cells) have been validated.
Conclusion
This paper presents the synchronous approach to the specification and verification of discrete event control systems, applied to the preemptive controller of a circuit breaker for a power transformer station.
The specification, validation and implementation of complex control systems, implying permanent interaction with an environment, is treated by the data-flow language SIGNAL in a discrete event system framework. The possibility of formal verification makes SIGNAL particularly suitable for safety-critical applications. Transitions between different modes of activity, e.g. the sequencing of hierarchical data-flow tasks, are handled by the extension SIGNALGTÃ [28], which is a language-level integration of the data flow and task preemption frameworks. In this way, the whole application can be specified in SIGNAL from the discrete event driven state-based behavior down to the servoing loops.
The verification of the power transformer station is based on the model underlying SIGNAL, i.e. systems of polynomial dynamical equations over Z/3Z [18]. These characterize a set of solutions which encodes the states and events. The method manipulates equation systems rather than solution sets, so that enumeration of the state space is avoided. The operations used on the equation systems are based on algebraic geometry (varieties, ideals and morphisms). They allow the treatment of safety, liveness and reachability properties. The SIGNAL approach to the verification of control systems has also been tested on other applications, such as a robotic production cell [1].
The equational nature of the SIGNAL language makes it natural to use an equational framework for modeling behaviors and proving their properties. This description of dynamical systems using equations is quite common in the fields of control theory and digital circuits, but not in verification and model checking. This aspect is an originality of the SIGNAL approach compared to others based on explicit transition systems. For example, the reactive languages ESTEREL [8] and LUSTRE [12] are compiled into finite state automata; hence they naturally interface with tools based on these formalisms like AUTO and AUTOGRAPH. The compilation of ESTEREL has recently also gone to Boolean equations-based representations of automata instead of explicit ones [7]. In principle, the two methods are equivalent, but in practice each is suited to a certain class of problems. In particular, compact representations based on systems of equations avoid the combinatorial explosion of explicit state-based representations. Both models support verification by the methods of model checking and comparison (bisimulation or behavioral equivalence), and as in the case of LUSTRE, some properties or observers can be specified in the language [12]. Given that polynomial dynamical systems are an implicit description of transition systems, it is possible to give a semantics of temporal logic formulae (for example the computational tree logic CTL) in terms of the algebraic operators, and perform symbolic model checking by evaluating them on a polynomial model. Note that the synchronous language LUSTRE uses the same methodology for verifying its programs, using Binary Decision Diagrams to encode the formulae [12].
Another possible use of the polynomial model is the automated synthesis of controllers, where algebraic methods are used to derive, from a model of the system, a controller satisfying given properties and objectives such as invariance or attractivity [4, 10, 24, 25]. In our application, this method is used to synthesize the interaction controller linking the various cells of the transformer station controller [23]. Another possible extension would be to prove properties that depend on the behavior of numerical variables, or in general on data other than the presence/absence and Boolean values which are currently handled.
