EP2321728A2

EP2321728A2 - Method and system for generating a supervision device from specified feared behaviours

Info

Publication number: EP2321728A2
Application number: EP09782492A
Authority: EP
Inventors: Nicolas Rapin
Original assignee: Commissariat a lEnergie Atomique CEA; Commissariat a lEnergie Atomique et aux Energies Alternatives CEA
Current assignee: Commissariat a lEnergie Atomique et aux Energies Alternatives CEA
Priority date: 2008-09-02
Filing date: 2009-09-02
Publication date: 2011-05-18
Also published as: WO2010026150A3; FR2935500B1; WO2010026150A2; FR2935500A1

Abstract

The invention relates to a method for automatically generating a detector of specified feared behaviours in a metrical linear time logic with delimited memory, which can operate online during an arbitrarily long period. The method uses a time window for making an online calculation of the validity intervals of the formula that specifies the feared behaviour and also removes online the behaviours that have become irrelevant for detecting said behaviour. The method can be used for debugging models or as a component of a monitoring-control system.

Description

METHOD AND SYSTEM FOR GENERATING A CONTROL DEVICE FROM REDUCED BEHAVIOR

SPECIFIED

The invention relates to a method and a system for generating from the specification in a formal language of a dreaded behavior, automatically generating an observer agent, called monitor, capable, online, for an arbitrary duration and without loss of performance , to report any occurrence of said dreaded behavior specified during the operation of a system likely to produce this behavior. It allows the automatic generation of specified behavior detectors in metric linear time logic, with bounded memory, capable of operating online and for an arbitrarily long time. It is used in particular for the control and monitoring of simulated systems or even physical systems. It also makes it possible to carry out on-line diagnostics of control-command systems, monitoring of environments in home automation or robotics. It is also implemented for the proof of properties on finished executions / simulation. Different industries are concerned by the invention, such as: transport, telecom, Internet service, robotics and home automation industries.

In the industrial and consumer equipment market, demands for performance and functionality are continually increasing. To cope with these demands, industrialists have been led to design and produce so-called complex systems, that is to say made up of entities of different natures (mechanical, electronic, computer, etc.) operating in strong interaction . This increased complexity of systems goes hand in hand with the increased risk of errors made during the design and implementation phases. But these errors are often reflected in the form of malfunctions of the final product. It is therefore crucial, for obvious reasons of personal safety, economy and preservation of the brand image, to detect errors of design and / or realization before a product is placed on the market. Industrialists who produce complex systems are looking for methods and tools to minimize the number of errors made during the development cycle of their products, whether upstream during the design phases or downstream during the design phase. validation test phases. Formal methods known from the prior art allow, on a limited perimeter, to partially fulfill at least this objective. In general, they offer mathematically-based specification languages and modeling structures, which makes it possible to mathematically prove that a model close to the realization of a product conforms to the specification of that product. Primarily, two technical approaches have emerged at present.

First, the proof techniques, based on algebraic specifications. These techniques, if they make it possible to deal with complex, algorithmic functions, are not completely automatic. The dedicated tools are proof assistants and the subtle part of the evidence is entrusted to qualified experts.

The other type of technique, better known under the abbreviation Anglo-Saxon "model-checking" is completely automatic, but has the disadvantage of being limited to the treatment of a class of simple models, oriented control flow (without algorithms) . In addition, the models analyzed by the "model-checking" technique must be limited in size. Otherwise, the tools consume memory space resources and computing time inaccessible in practice.

In addition, formal methods also provide test techniques that automate the generation of tests from executable models. But often, the tests do not necessarily meet the objectives intuitive user. These tests therefore do not help the user to increase his confidence in the correction of the system he has achieved. Faced with these difficulties, so-called monitoring techniques make it possible to provide relevant answers. These techniques are called "black box" techniques in that they ignore the internal structure of a system, to be interested only in its observable productions. The advantage of such techniques is that they can be implemented regardless of the system since its intrinsic complexity is not taken into account. On the other hand, they are falsification techniques: they can prove that a system does not satisfy a requirement, but not that the system will always satisfy a requirement. Monitoring in the broadest sense is to observe a system, a process, to detect a more or less complex event. The formal monitoring is presented as a technique for automatically generating monitors from specifications in formal languages of dreaded behavior. Schematically, a formal monitoring tool is therefore a tool that accepts as input an expression specifying a dreaded behavior and outputs a monitor capable of detecting the occurrence of the dreaded behavior. In the prior art there are mainly two formal monitoring approaches known to the Applicant.

A first approach is due to Prasanna Thati and Grigore Rosu. This approach is described in the article titled "Monitoring Algorithms for Metric Temporal Logic Specifications". This approach proposes to generate a monitor that can operate online, from a linear metric logic. The Thati and Rosu process is based on the rewriting and dynamic evaluation of formulas and creates several limitations. The principle of this approach is to exploit the very expression of the problem of monitoring, namely "is observed behavior satisfied?" Where Φ is a formula that specifies a dreaded behavior. Problem that can be noted more briefly: C / = Φ?

(Read: Is the observed behavior C valid Φ?) Before observing the system, the problem is as follows:

0 / = Φ? where 0 denotes the empty behavior The process of Thati and Rosu works as follows: it maintains the expression of the problem of satisfaction as the observations arrive, taking into account these. If, at a certain stage, the monitoring problem is expressed as "C / = Φ _n ? And that a new observation o is available, it calculates Φ _{n +} i, a new formula, such that we have: C / = Φ _n "C.0 / = Φ _{n + 1} where Co is the behavior defined as C behavior followed by observation o. By transitivity:

0 \ = φ <£ => ... £ => C / = Φ _n <=> CO / = Φ _{n + 1} The principle consists in rewriting the expression of the dreaded behavior according to the events already observed in the system, while maintaining the initial problematic, namely "0 I = Φ? ". What writers "call to solve the past and derive the future". In order not to store the execution trace (so that the monitor keeps a bounded memory), it is necessary to permanently maintain a truth table of all the formulas that may potentially appear during the rewriting process. In this way, it is possible to calculate the truth value of the main formula using the values contained in the table. But, for the monitor to have bounded memory, this table must be finite and therefore the set of sub-formulas that can appear to be itself finite. However, this is only possible if the execution steps allowed are finite in number and known in advance. Thus this process has the following drawbacks:

• The specification logic only supports intervals whose bounds are natural numbers, • The execution steps allowed for the system must be in finite number and known in advance. In the aforementioned article, the allowed execution steps are natural numbers (as indicated by the definitions of F ⁺ (Φ) and F ^" (Φ)). • Finally, the algorithm is very time consuming since the estimated complexity is of the order of m ³ 2 ^3m where m is the total number of sub-formulas obtained from the main formula (the order of magnitude of m with respect to the main formula being in itself not given in the article) A second known approach of the Applicant is described in Oded Maler and Dejan Nickovic's "Monitoring Temporal Properties of Continuous Signals." The monitor of Oded Maler and Dejan Nickovic is based on the calculation of Validity intervals of a formula For a given formula, and a given behavior, the Maler and Nickovic process calculates a set of time intervals that denote the dates when the formula is true and outside which the formula is false. The calculation is done first for basic formulas (propositions) then for more complex formulas. For this, the authors define a correspondence between the operators of the specification logic and the usual operations on the sets of intervals (intersection, union ...). For example, by knowing the validity intervals of two formulas Φi and Φ ₂ , it is possible to deduce that an interval / is in the set of validity intervals of the formula Φi Λ Φ ₂ if and only if there exists an interval j of Φi and an interval k of Φ ₂ such that i = jn k. This technique allows the calculation of intervals for a temporal logic that supports intervals whose limits are no longer limited to integers and the analysis of executions whose step is free. In addition to the fact that there are no operators on the past in the logic presented, the approach suffers from an essential defect, indicated by the authors. Oded Maler and Dejan Nickovic's monitor works off-line on a recorded performance. This represents a significant limitation because, over a long execution time, the storage of the execution may not be practicable (autonomous system, embedded ...). This limits the monitoring time and also the applications. Definitions

In the remainder of the description, certain terms will be used to better understand and define the object of the invention, certain definitions are given below. Concept of process

The behavior of a system model or a physical system is represented by the evolution over time of a certain number of characteristic variables. For example, the behavior of a body, in solid state physics, is characterized by the evolution of its characteristic variables such as its position, its speed, its acceleration, its kinetic moment, etc. Proposal. With respect to a system the term "proposition" refers to any expression that refers to the characteristic variables of the system and may be true or false. For example "the speed of the body k is 10 m / s", "the speed of the body k is strictly positive", are classical proposals in solid physics. Mathematically, these propositions would be denoted "v _k == 10", "v _k >0". We see that these expressions can be true or false. For example, if the observed velocity of the body k is 5m / s, then the proposition "v _k == 10" is false since "5 == 10" is false. In the following, the term "proposition" designates any linguistic expression, relating to the characteristic variables of a system, which can be either true or false. Instantaneous.

Intuitively a snapshot gives the Boolean value of the defined propositions for a certain system. More formally we will speak of a snapshot relative to a set A of propositions to designate any pair (v, t) composed of a valuation v of the propositions of A and a date t (where t is element of the set of reals R). By evaluation of the propositions of A we mean any application of A in {0,1}, that is to say say an element of {0,1} ^A. By convention, if v G {0,1} ^A is a valuation and p is a proposition of A, if v (p) = 0 (respectively v (p) = 1) we say that p is false (resp. according to v. The set of all the snapshots relative to A, which will be noted U, is therefore {0,1} ^A x R. For convenience, if I is the instantaneous (v, t) relative to A and that p is a proposition of A, we note lp the value that I gives to p, v (p) and lt the date carried by I, let t.

For example ({p ₀ | → 1, pi \ → 1, P2 \ → 0}, 1 .3465) is a snapshot relative to A = {p ₀ , pi, p ₂ J- Such a snapshot can be read: the date 1 .3465, the propositions p ₀ and pi are true, p ₂ is false.

According to the notations introduced, we have Lp ₀ = 1 and lt = 1 .3465.

Process.

In the context of the present invention the term process is used relative to a set A of propositions to designate any sequence indexed by the natural numbers of snapshots relating to A. Mathematically a process is therefore an application of S in I _A where S c N, is an initial segment of N (for all i GS, if i> 0 then i -1 e S). The first snapshot will have a date that we will call Origin. In the examples we will often choose 0 as the value for T_origine. As a result of snapshots, a process is therefore intuitively a sort of "movie" of how the system works. intervals

In the following it will be question of intervals in the set of real numbers noted R. To note an interval two notations will be used: 1. the usual notation such as:] 4.32, 6.21]

2. the quadruplet notation (I, Ib, ub, u) where:

2.1. Ib: lower bound

2.2. ub: upper limit

2.3. 1 and u are elements of {0,1}. They denote the opening or closing of the interval on terminals Ib and ub. If I is 0 the interval is open on its lower bound Ib, closed if I is 1. Idem for u which specifies the opening / closing on the upper bounded ub

For example, the quadruplet (0, 4.32, 6.21, 1) represents the same interval as noted] 4.32, 6.21].

If i is an interval then i.l, i.lb, i.ub and i.u denote the parameters mentioned above. So, for example, if i is] 4.32, 6.21] then:

• i.lb is 4.32

• i.ub is 6.21 • i.u is 1

• i.l is 0

SM and j are two intervals, we say that i is strictly less than j and we will write i <j if: • their intersection is empty (i n j = 0) and

• i.ub ≤ j. Ib.

If i is an interval then:

• The interval noted i], called closed to the right of i, is (i.l, i.lb, i.ub, 1) or even, equivalently: i u [i.ub, i.ub].

• The interval noted [i, called closed to the left of i, is (1, i.lb, i.ub, i.u) or even, equivalently: [i.lb, i.lb] u i.

For an interval i to be well formed it must be either that i.lb <i.ub or that this interval be of the form [x, x] where x is a real. When an interval is not well formed it is supposed to be the empty interval (it will also be called "Nil").

If i and j are two intervals we will say that: • i overlap j to the left if inj ≠ 0 and that (inj) .lb = j.lb (in other words i covers j and exceeds it in the past). Example [0.4 [overlap [2,5] left because [0,4 [n [2,5] = [2,4 [≠ 0 and [2,4 [.Ib = [2,5]. Ib = 2.

• i overlap to the right if i n j ≠ 0 and i n j.ub = j.ub (that is, i covers j and exceeds it in the future).

• i adjoins to the left if i.ub = j.lb and i.u + j.l = 1. Examples: [0,1 [left [1, 2] on the left; [0.3] adjoins] 3.8] on the left.

• i adjoins to the right if i adjoins i to the left. Example:] 8,9] is adjacent [4,8] to the right because [4,8] is adjacent] 8,9] to the left.

The operator Θ:

Let i be an interval and [a, b] a closed interval on each of its bounds. Then the operation i θ [a, b] is defined and its result is (i.l, i.lb + a, i.ub + b, i.u). Examples: • [5.8 [Θ [1, 2] = [6.10]

• [5.8 [Θ [-3, -2] = [2.6 [

Validity list

A validity list is a list whose elements are well-formed intervals of the set of realities R, all disjoint, arranged in ascending (chronological) order. The notation (h, i ₂ , ..., in) will be used to designate a validity list containing the intervals H, i ₂ , ... i _n - The chronological order means that if i _k and i _{k + 1} are two consecutive intervals of a validity list we still have ik <ik ₊ i- For example: ([0, 2.43 [, [3.27, 5.04]) is a validity list that contains two intervals, [0, 2.43 [ and [3.27, 5.04]. They are arranged in ascending or chronological order.

To highlight the first or the last element of a validity list we will use the notations: • (i IL) to denote a list whose first element is i. L is also a list of validity (that of the elements which follow i in (i] L)). L can possibly be empty.

• (L I i) to denote a list whose last element is i. L is also a list of validity (that of the elements which precede i in (L | i)). L can possibly be empty.

It will be explained later that a validity list is by destination attached to an expression and allows to define, over a given time range, the dates when this expression is true and the dates when it is false, by conforming to the following convention: the dates that are within the intervals of the validity list are the dates when the expression is true; outside these intervals the expression is false.

Addition of an interval in a validity list. The result of this operation is a validity list. We distinguish between left addition and right addition. Nevertheless, for each, if L is an empty validity list, the addition in L of an interval i is the list (i).

Add on the left of the interval i to the list of validity (j | L): • if i is empty then the result is the empty list.

• If i <j then the result is (i | (j | L)). In other words, we add i to the head of (j | L).

• if i is adjacent to or overlapping to the left, then the result is ((U, i.lb, j.ub, j.u) | L). In other words, we extend the first element j in the past to the lower bound of i.

• In any other case the result is L itself. Addition to the right of the interval i to (L | j) is:

• if i is empty then the result is the empty list.

• If j <i then the result is ((L | j) | i). In other words, we add i at the end of (L | j). • if i adjoins or overlaps to the right, then the result is (L | (jl, j.lb, i.ub, Lu)). In other words, we extend the last element j in the future to the upper bound of i.

• In any other case the result is L itself.

Validity list connections

Connection on the right. Let (L1 | j) and (i | L2) be two validity lists. The connection of (i | L2) to the right of (L1 | j) results in:

• if j <i then ((L1 | j), (i | L ₂ )). Otherwise the list (i | L2) is placed at the end of (L1 | j)

• if i adjoins or overlaps j to the right then (M, L2) where M is the result of the addition on the right of i to (L1 | j)

• (L1 | j) in other cases

Connection example on the right. Let L = ([1, 2 [) and L '= ([2,3 [, [8,12 [). The right-hand connection from L 'to L is the list: ([1, 3 [, [8,12 [). This result is due to the fact that [2,3 [adjoins [1, 2 [right.

Connection on the left. The connection of a validity list The left of a validity list L is the result of the connection of L to the right of L '.

Notion of formal language, expression and height of a formal expression

Formal methods, like the mathematics from which they come, are used to define what are called formal languages. To define a formal language, we proceed in this way. We first define the basic expressions, which are indivisible, in other words the words. Then we give construction rules to get more complex expressions, all of these rules forming a grammar. For example, "schoolchild mathematics" implicitly rely on formal language. Basic words are composed of integers such as "3", "4", "10" and symbols such as "+", "-". A grammar rule is stated by example: if "a" and "b" are well-formed expressions then "a + b" is also a well-formed expression. Thus "3 + 4 + 10" is a well-formed word because "3 + 4" and "10" are well-formed expressions; on the other hand "+ 3 ++ 8" is not a lawful expression. We can then assign a height to a formal expression. That is, we can define an application H of expressions to the natural numbers so that if Φ is an expression, h (Φ) is the height of Φ. For example, to use the previous example, h can be defined as:

• h (Φ) is 0 if Φ is a base word • h (Φ ₁ + Φ ₂ ) = sup (h (Φ ₁ ), h (Φ ₂ )) + 1

According to this definition it follows that h ("3 + 4 + 10") = 2.

The object of the present invention relates to a method and a system for remedying at least the imperfections of the aforementioned methods. The invention particularly relates to a method for automatically generating, from the formal specification of a feared behavior written in metric linear time logic, an automatic agent, called monitor, with bounded memory, capable of analyzing "on-line" the simulating a system model or the operation of a physical system to detect the occurrence of the specified dreaded behavior. The method can therefore be used in the design phases to analyze a model, or in the test phases to analyze the operation of the realized system. Synthetically the present invention is based on the use of a formal language for specifying dreaded behaviors and a method for transforming any expression of this language into a powerful monitor, operating online, with no time limit. The object of the present invention relates to a method for generating a detector of feared behaviors specified in metric linear time logic of a system whose behavior is to be monitored, characterized in that it comprises at least the following steps: implemented by a processor (steps on which we will come back later in the description):

• define characteristic variables of the system to be monitored,

• to define a certain number of propositions Jp ₁ , ..., p _n } on these variables, • to allocate in memory of the detector a sufficient space to memorize a snapshot relative to these propositions that is to say to allocate a real variable noted lt and n boolean variables for each proposition of {pi, ..., p _n }. If p _k is a proposition, lp _k denotes the boolean variable associated with p _k , • define a principal formula Φ, built on the said propositions {pi, ..., p _n } expressing a dreaded behavior using a language composed of logical operators and temporal operators dealing with the future and the past and whose BNF grammar is the following: φ :: = p | -i φ | ⁽ pi Λ φ ₂ | φi v φ ₂ | F _[a , b] φ | ψi U _[a , b] ψ2 I ψi S _[a , bj (p ₂ | ψi S _[a ,>] φ2 | P [a , b] Φ IP [a,>] φ | (φ)

Where p G (P ₁ , ..., p _n )

• set the observation start date: Origin,

• choose an option on the initial certainty of the formulas (on which it depends whether or not one accepts that the validity of the formulas is defined earlier than the original one),

• for each sub-formula Ψ of Φ (including Φ itself), create a variable denoted Ψ.LV of type list of intervals, and initialize it empty,

• for every subformula Ψ of Φ (including Φ itself) create a Boolean variable Ψ.val, and initialize it to 0, • for any subformula Ψ of Φ (including Φ itself) create a variable of real type denoted Ψ.rel_cert, called relative certainty of Ψ, and assign it the value Cert (Ψ) where Cert is the function characterized as follows: o Cert (φ) = 0 if φ is a proposition of {pi, .. ., p _n } o Cert (-iφ) = Cert (φ) o Cert (φi Λ φ ₂ ) = sup (Cert (φi), Cert (φ ₂ )) o Cert (φi v φ ₂ ) = sup (Cert (φi), Cert (φ ₂ )) o Cert (F _[a , bi φ) = Cert (φ) + bo Cert (φi U [a, b] 92) = sup (Cert (φi), Cert (φ ₂ )) + bo Cert (P [a, b] φ) = Cert (φ) - ao Cert (P _[a , _> ] φ) = Cert (φ) - ao Cert (φi S [ _a , b] 92) = sup (Cert (φi), Cert (φ ₂ ) - a) o Cert (φi S [a, _> ] Φ ₂ ) = sup (Cert (φi), Cert (φ ₂ ) - a) for each sub-formula Ψ of Φ (including Φ itself) to define a real variable noted Ψ .abs_cert intended to store the absolute certainty of Ψ. According to the option chosen for the initial certainty of the formulas, for each Ψ sub-formula of Φ, its associated variable Ψ.abs_cert is initialized to:

• Option 1: Origin - Ψ.rel_cert - Option 2: sup (Origin, Origin - Ψ.rel_cert)

For each sub-formula Ψ of Φ (including Φ itself), create a variable denoted Ψ.w of interval type, called the continuation window of Ψ.w and initialize it empty,

• regularly or periodically acquire the value of the characteristic variables of the observed system and memorize the date of this acquisition,

• according to the values of the characteristic variables resulting from the acquisition carried out in the previous step, to evaluate the boolean value of the propositions and to refresh the snapshot I that is to say to assign the boolean value of p to lp for each ps {pi, ..., p _n } and assign the memorized acquisition date to 1.1.

• for each refresh of snapshot I as performed in the previous step, perform for each sub-formula Ψ of Φ (including Φ itself), and in an order that is such that any formula is processed after its direct sub-formulas, the following "continuation" calculation: o Update its continuation window Ψ.w:

• If Ψ.w is empty: «If (lt - Ψ.rel_cert)> Ψ.abs_cert then Ψ.w becomes: [Ψ.abs_cert, lt - Ψ.rel_cert] then set the value (lt - Ψ to Ψ.abs_cert) .rel_cert)

• If (l.t - Ψ.rel_cert) <Ψ.abs_cert then Ψ.w remains the empty interval and Ψ.abs_cert remains unchanged »If Ψ.w is not empty then:

• Ψ.w becomes:] Ψ.abs_cert, l.t - Ψ.rel_cert]

• Assign to Ψ.abs_cert the value (l.t - Ψ.rel_cert) o If Ψ is purely Boolean apply the continuation algorithm dedicated to purely Boolean formulas which is characterized as follows:

• calculate I.Ψ (value in {0,1} that snapshot I gives to Ψ) according to the following inductive definition:

• if Ψ is a proposition p then I.Ψ = l.p

•!. (-. ¥!) = L - (I.Ψi) • I. (Ψ ₁ Λ Ψ ₂ ) = I .ΨI ^* I.Ψ ₂

• 1.0P ₁ v Ψ ₂ ) = (1. ^ P ₁ + I.Ψ ₂ ) - (I.Ψi ^* I.Ψ ₂ )

- If I.Ψ = 0 and Ψ.val = 1 create the interval [l.t, l.t] and add it at the end of Ψ. LV

• If I.Ψ = 1 and Ψ.val = 1 then change the upper bound of the last interval of Ψ.LV so that it becomes l.t,

• If I.Ψ = 1 and Ψ.val = 0 change the upper bound of the last interval from Ψ.LV to lt and open this interval on this upper bound, - If I.Ψ = 0 and Ψ.val = 0 do not do anything (Ψ.LV is unchanged)

• Assign I.Ψ to Ψ.val o If Ψ is not purely Boolean: • refresh its continuation window Ψ.w as follows:

• If Φ.w is empty: o If (l.t - Φ.rel_cert)> Φ.abs_cert then Φ.w becomes: [Φ.abs_cert, l.t - Φ.rel_cert] then assign to Φ.abs_cert the value (l.t -

Si.rel_cert) o If (l.t - Φ.rel_cert) <Φ.abs_cert then Φ.w remains the empty interval

• If Φ.w is not empty then: o Φ.w becomes:] Φ.abs_cert, l.t - Φ.rel_cert] o Assign to Φ.abs_cert the value (l.t - Φ.rel_cert)

• depending on the operator of Ψ deduce validity intervals for Ψ on the window Ψ.w by browsing the validity lists of the direct sub-formulas of Ψ; store by adding the intervals produced either directly in Ψ.LV if the course is chronological or in an intermediate list Ll if the course is anti-chronological; then connect the intermediate list Ll to the right of Ψ.LV (in the case of the anti-chronological path). o use the information contained in the validity list of the main formula Φ and issue an associated signal.

The invention also relates to a system for generating a detector of dreaded behaviors specified in linear temporal logic. metric, with bound memory, characterized in that it comprises at least the following elements: An input receiving one or more parameter (s) characteristic (s) of the state of the system to monitor, and a clock H indicating the date acquisition of this parameter (s), A processor adapted to perform the steps of the method according to the invention using the measured parameter (s) and the associated date, A suitable memory storing the current snapshot storing the validity lists LV determined by the implementation of the method for the main formula and its sub-formulas, where one or more outputs emitting a signal S corresponding to the information contained in the validity list for the main formula and transmit said signal.

Other features and advantages of the device according to the invention will appear better on reading the description which follows of an example of embodiment given by way of illustration and in no way limiting attached to the figures which represent:

FIG. 1 is a block diagram of the method according to the invention and FIG. 1B is an example of a system architecture enabling it to be implemented,

FIG. 2, a representation of the notion of process, FIG. 3, an algorithm for calculating the validity list of a proposition or of a formula called a purely Boolean formula,

FIGS. 4, 5, 6A and 6B illustrate the calculation of the validity list of a formula according to those of its sub-formulas,

• Figure 7A, the illustration of the calculation of the certainty date of a formula according to that of its sub-formula (for the unary operator on the future), • Figure 7B illustrates the calculation of the certainty date of a formula according to that of its sub-formulas (for the binary operator on the past),

FIG. 8A, illustration of the definition of a zone of influence taken into account for the implementation of the method according to the invention,

• Figure 8B, illustration of the uselessness of the direct sub-formulas of a formula being given the date of uselessness fixed for this one, and

• Figure 9 an example of application for monitoring the behavior of a mass-spring system.

The idea of the present invention consists in particular in generating a monitor capable of observing the behavior of a system in a given environment and more particularly the evolution of a process as defined above at the beginning of the description. FIG. 1A is a block diagram of an example of the method according to the invention comprising a system 1 whose behavior is to be observed, a time clock H making it possible to determine the date on which a snapshot was acquired, a processor that will process the data coming from the system to be monitored, for example a variable observed at a given moment and which will be able to evaluate the value of the propositions where this variable appears, to then calculate the validity lists attached to these propositions then the validity lists more complex formulas up to the validity list of the main formula specifying the dreaded behavior. In Figure 1 B is shown an exemplary system according to the invention which comprises the system 1 whose behavior is monitored. The system includes one or more sensors 10 for determining the value of each parameter representative of the monitored behavior. For example, it is possible to have a temperature sensor and check if a temperature proposal is true. Examples are given below. The sensor or sensors of the parameters equipping the system 1 are connected to a device 11 comprising an input 12 and a processor 13 which will process the different data and a memory 14 storing the current snapshot and the validity lists of each formula. The device 11 also comprises an input 15 receiving a clock specifying a date associated with a measured parameter. The processor 13 will deliver via one or more outputs 16i a signal Sc containing data allowing, for example:

• the display of the results on a display device 17,

• Either the generation of a signal to a control device of the system,

• Either the generation of an alarm signal.

The signal obtained is transmitted to a device for generating an alarm and / or to a system control or regulation system under the supervision of a monitor generated by the method according to the invention. The system whose behavior is monitored may be a model executed in simulation. This model can be very complex and / or large because the monitor generated according to the invention does not depend on the internal structure of this model. In this case the method can be considered as a model debugging technique. The system can also be a device or a physical system which one wishes to control the behavior in operation and in particular to check its behavior. The process can then be considered as a subset of a larger control system.

Thus, the system according to the invention can be applied as a device making it possible to detect errors in the operation of a system, better known as the "debugger" of simulated systems, or as a monitor of physical systems for detecting malfunctions thereof. this in any industrial field (transport, home automation, robotics).

A monitor according to the invention consists in particular of several elements which will be explained below. The concepts of process, proposal, validity list and snapshot have been defined previously. One of the elements entering the generation of the monitor is the notion of validity list which is represented for example in Figures 4, 5, 6A, 6B. The way in which a validity list can be deduced from a process (in the sense defined above) is illustrated as follows. For this purpose, we examine the information that is delivered by a process to an observer or a sensor or monitoring device within a process. For this observer, the information delivered by a snapshot of the process remains until the snapshot following the _{i +} i refreshes this information. In other words, the information delivered by a snapshot of date t is equal to t 'where t' is the date of the next snapshot. If the last snapshot of the process has the date z, this principle makes it possible to define the validity of a proposition on any date of the interval [0, z] and thus a validity list on this range. To illustrate, the steps of creating a validity list for the proposition p such as would be an observer placed in front of the process of Figure 2 are carried out below. The process starts at 0 where snapshot I is refreshed. The observer notices that the proposition p is true (lp = 1). It adds to the list of validity of p a first interval is [0.0, 0.0]. The validity list of p is therefore ([0.0, 0.0]). Then the snapshot is refreshed in 1, py is always true. The date value is 1.71. The process extends the previous validity interval. The list becomes ([0.0, 1.71]).

When refreshing the snapshot at 2, p is false (l.p = 0). The value date l.t is 2.43. But having no information between 1.71 and 2.43 he must consider that p was true until then. So the observer or process modifies the previous interval which becomes [0.0, 2.43 [. Note that the interval is open to the right, since in 2.43 the proposition p is false. The validity list of p becomes ([0.0, 2.43 [).

At the refresh of the snapshot in 3, p becomes true again. The date value is 3.27. But it was wrong in the previous snapshot. The observer considers that until then it was false. He will therefore create a new validity interval for p. Thus, in 3, the validity list of p is ([0.0, 2.43 [, [3.27, 3.27]). This example shows that given a process it is possible to associate with a proposition p a list of intervals which denote the dates when the proposition is true. The method used in this example is formalized in the description of the algorithm below. Algorithm for calculating the validity list of a proposal

Any proposition p is associated with a boolean variable p. val and a variable list variable p.LV ("LV" for validity list). It is p.LV which represents the validity list for p. If I is a snapshot, then l.t is the date that I and l.p give to the truth value I assigns to proposition p. The algorithm is described by the diagram shown in Figure 3.

The first step, step 20, is a step of initializing the values of p. val and p.LV. The variable p.val is initialized to false and the variable p.LV is initialized by the empty list. The next step, step 21, is a refresh standby state of snapshot I. When this refresh occurs the algorithm goes to step 22 where the value of l.p is tested. If the truth value of l.p is true (is 1) the method tests, step 23, the value of p.val. If p.val is true then, step 24, the process extends the last interval of p.LV up to and including (closed interval on the value l.t). If the value p.val is false (worth 0) then, step 25, the process adds at the end of p.LV the new interval [l.t, l.t].

If, on the other hand, in step 22, lp is false, then the method tests p.val. If p.val is true, step 26, then the process extends the last interval of p.LV up to and excluding lt (open on lt) (step 28). If p.val is false, then the process leaves p.LV unchanged (step 27). Following steps 24, 25, 27 and 28, the method assigns p.val the value of lp (step 29). Then the process returns to the refresh standby step 21 of I, the calculation continuing as long as the process is kept running. As such, there is no stopping condition for this computation algorithm since it is waiting for a new snapshot. It can nevertheless be easily modified if the indication that a snapshot is the last is available. In this case the return to step 21 would be subject to the condition that the submitted snapshot is not the last. The stopping condition will be determined by a strategy of using the complete method, that is to say by a strategy of exploitation of the validity lists. From the algorithm for calculating validity lists for the proposals detailed above, the method can generate a simple monitor, for a language restricted to the proposals. A first example of implementation of the method is given without limitation, for a dreaded behavior specified by a single proposal. In this example, it is proposed to generate a monitor to observe the bank account of a customer, posing as dreaded behavior that the balance is negative in other words that the proposal (balance <0) is true at a given moment . Compared to the definitions, the process is considered relative to the set {(balance <0)}. The method then consists of the following algorithm: 1 - Allocate a boolean variable denoted I. (balance <0) to store the value of (balance <0) and a variable lt of real type to store the refresh date

2 - Refresh the snapshot I as soon as there is an account movement (that is to say, evaluate the truth value of I. (balance <0) according to the value of the variable "balance")

3 - Call the algorithm for calculating the validity lists for the proposal (balance <0) and given the snapshot I in order to establish a validity list for the proposal (balance <0).

4 - Test the validity list of the proposal (balance <0) (which has just been calculated). at. If the list is no longer empty, that is, it contains an interval i, this means that the dreaded behavior, (balance <0) has been observed. Edit a report for the account manager: (balance <0) detected, true for the dates of the interval i. END. b. Otherwise return in 2. This simple example shows that the memory used by the process is bounded. The current snapshot is represented by two variables I (balance <0) and lt, whose values are refreshed with each account movement. Only the validity list of the proposal (balance <0) is a dynamic element of the procedure. As the procedure stops, for example, as soon as this list includes only one interval, because the dreaded event has been observed, we see that the process consumes bounded memory. In the worst case we needed to create the variables lt, I (balance <0) and an interval variable.

For industrial applications a language restricted to the proposals may be in some cases too limited. The rest of the description introduces a language to describe more evolved behaviors, involving several propositions and making it possible to describe complex notions of order, concomitance, or occurrence within strict deadlines, on the propositions.

Formal specification of dreaded behavior

We first give the syntax of the language of the method according to the invention. The meaning of the operators introduced will be explained later, during the presentation of the semantics of this language. The syntax of said formal language for specifying the dreaded behaviors according to the invention is as follows:

• Any symbol of proposition is an expression of the language according to the invention • If Φ is an expression of this language, that a and b are positive reals such that b> a, then are also expressions of this language: o -i Φ

OF [a, b] Φ

OP [a,>] Φ O (Φ)

• If Φi and Φ ₂ are two expressions of this language and a and b two positive reals such that b> a then are also expressions of this language o Φi Λ Φ ₂ o Φ- _\ v Φ ₂ o Φi S _[a ,>] Φ2

In BNF (Backus-Naur Form) notation, the language is concisely written:

Φ :: = p | -1 Φ | Φ! Λ Φ ₂ | Φ1 V Φ ₂ | F _[a , b] Φ IP [a, b] Φ IP [a,>] Φ I Φi U _[a , b] Φ2 I Φi

S [a, b] Φ2 1 Φ1 S [a, _> ] Φ2 1 (Φ) where p denotes any symbol of proposition, a, b denote positive reals such that b> a, the meaning of the operators mentioned being given below. after.

In the following description, an expression of this language will be called a formula. Parentheses are used to disambiguate a formula. Indeed, if we write Φi Λ Φ ₂ U _[a , b] Φ3 we do not know whether to read (Φ1 Λ Φ ₂ ) U _[a , b] Φ ₃ or read Φ1 Λ (Φ ₂ U _[a , bi Φs) - But these formulas are not equivalent, hence the importance of parentheses. Some examples of formulas:

• P3 U [O, 12] ((-i (P [1 43.5 64] (pi Λ-ip ₂ )) Λ (-1 F _[2 43, 785] P2))

The operator → (implication) can also be used since it is only an expressible abbreviation in the language. Indeed Φi → Φ ₂ is an abbreviation

The set of sub-formulas of a formula is given by the SF function defined as follows: • SF (p) = {p} (for a proposition p there is only it)

• SF (Φ ₁ Λ Φ ₂ ) = {Φ _! Λ Φ ₂ } uSF (Φ ₁ ) uSF (Φ ₂ )

• SF (Φ ₁ v Φ ₂ ) = {Φi v Φ ₂ } u SF (Φ ₁ ) u SF (Φ ₂ )

• SF (F _[a , _b ] Φ) = {F _[a , b] Φ} uSF (Φ) • SF (P _[a , b] Φ) = {P [a, b] Φ} U SF (Φ )

• SF (P _[a ,>] Φ) = {P [a,>] Φ} USF (Φ)

• SF (Φi U _[a , b] Φ ₂ ) = {Φi U _[a , b] Φ ₂ } uSF (Φi) USF (Φ ₂ )

• SF (Φ! S _[a , b] Φ ₂ ) = {Φi S _[a , _b] Φ ₂ } USF ^ ₁ ) USF (Φ ₂ )

• SF (Φ ₁ S _[a , _>] Φ ₂ ) = {Φi S _[a , _> ] Φ ₂ } USFIΦO USF (Φ ₂ ) • SF ((Φ)) = SF (Φ)

For example: SF (- .p) = {-.p} uSF (p) = {-.p} u {p} = {-.p, p}

SF (F _[2 43, 785] (Pi Λ-ip ₂ )) = {F _[243 , _785] (pi Λ ^~ i P ₂ ), (pi Λ ^~ ip ₂ ), -> p ₂ , Pi, Ç > 2}

The direct sub-formulas of a formula are those placed directly under its operator. For example, for -iΦ it is Φ. For Φi U [ _a , b] Φ2 it is Φ ₁ and Φ ₂ .

A language formula is said to be purely Boolean if: • it is a proposition, or else

• its operator is boolean (hence in {-I, V, Λ, →}) and all its sub-formulas are also purely Boolean.

Height of a formula The height of a formula of the language defined above is given by a function h defined inductively as follows:

• h (p) = 0 (the proposals are of height 0)

• h (op Φ) = h (Φ) +1 where op is one of the unary operators of the language

• h (Φi op Φ ₂ ) = sup (h (Φ), h (Φ)) + 1 where op is one of the binary operators of the language Example: h (-1 F ₁₁₁₂₎ (pi Λ p ₂ )) = h (F ₁₁₁₂₎ (pi Λ p ₂ )) + 1 = h ((P ₁ Λ p ₂ )) + 1 + 1 = (SUp ( Ii (PO ₁ Ii (P ₂ )) + 1) + 2 = sup (0,0) +1 + 2 = 0 + 3 = 3

Semantics of the language of formal specification of the dreaded behaviors

Intuitive semantics:

• The operator -. is the negation. -> Φ is true at a date t if and only if Φ is false at this date t.

• The operator Λ is called conjunction. The formula Φi Λ Φ ₂ is true at a date t only if Φi and Φ ₂ are both true at this date t.

• The operator v is called disjunction. The formula Φi v Φ ₂ is true at a date t if Φ-i or Φ ₂ is true at this date t.

• The operator F _[a , b _] is about the future. This operator intuitively means "in the future, between a and b" or "there will be between a and b". More rigorously the formula F _[a , b] Φ is true at a date t if and only if there exists a date between t + a and t + b where Φ is true.

• The operator P _[a , b _] is about the past. This operator intuitively means "in the past, between a and b" or "there was between a and b". More strictly, the formula P [ _a , t _> ] Φ is true in t if and only if there exists a date between tb and ta where Φ is true.

• The operator P _[a>] deals with the past. This operator intuitively means "beyond -a in the past". More rigorously the formula P _[a,>] Φ is true in t if and only if there exists a date between 0 and ta where Φ is true.

• The operator U _[a , t _>] also relates to the future (the "U" comes from the Anglo-Saxon "Until"). This operator intuitively means: "Φ ₂ will be true between a and b and Φi will be everywhere in between". More rigorously the formula Φi U _[a , b] Φ2 is true t if and only if there exists a date t 'between t + a and t + b where Φ ₂ is true and Φi is everywhere true in the interval [t, t' [.

• The operator S _{ta, b]} also relates to the past (the "S" comes from the English expression "Since"). This operator means: "Φ ₂ will be true to the past between -b and -a and Φi will be everywhere in between". More rigorously the formula Φi S [ _a , b _] Φ2 is true in t if and only if there exists a date t 'between tb and ta where Φ ₂ is true and Φ1 is everywhere true in the interval] t', t].

• The operator S _[a>] also deals with the past. This operator means: "sera ₂ will be true to the past beyond -a and Φ ₁ will be everywhere in the meantime". More rigorously the formula Φ ₁ S [ _a , _> ] Φ ₂ is true in t if and only if there exists a date t 'between 0 and ta where Φ ₂ is true and Φ ₁ remains true in the interval] t ', t]. Formal semantics: The purpose of this definition is to give a mathematical meaning to the notion of validation of a formula by a process π (process in the sense defined above) at any date t. The notation π, t | = Φ reads: "the process π valid Φ at the date t", and is defined as follows:

• π, t | = p iff p is in the set of propositions of the snapshot π (k) where k is the largest row of snapshots whose dates are less than t (t is greater than or equal to the date carried by the snapshot π (k) and strictly less than the date of the snapshot π (k + 1)).

. π, t | = Φ ₁ v Φ ₂ ssi π, t | = Φ-i or π, t | = Φ ₂

• π, t | = F _{[a: b]} Φ iff there exists a date t 'of [t + a, t + b] such that π, t' | = Φ

• π, t | = P [a, _b ] Φ iff there exists a date t 'of [tb, ta] such that π, t' | = Φ • π, t | = P _[a , _> ] Φ iff there exists a date t 'of [0, ta] such that π, t' | = Φ. π, t | = Φi U _[a , b] Φ2 iff there exists a date t 'of [t + a, t + b] such that π, t'

| = Φ ₂ and for any date t "of [t, t '[π, t" | = Φ-i

. π, t | = Φ1 S [a, b] Φ2 if there exists a date t 'of [tb, ta] such that π, t' | = Φ ₂ and for every date t "of] t ', t] π , t "| = Φ1

. π, t | = Φ1 S [a, _> ] Φ2 if there exists a date t 'of [0, ta] such that π, t' | = Φ ₂ and for every date t "of] t ', t] π , t "| = Φ1

The concept of validity list previously explained was limited to the proposals. Without departing from the scope of the invention, this approach can be extended to any expression of our language (proposals forming only part of this language). For this we need to establish how language operators translate in terms of operations on validity lists.

Correspondence between language operators and validity list operations

It was previously explained how a validity list for proposals was constituted. Since complex formulas are constructed from propositions and language operators, to compute the validity intervals of complex formulas, it is necessary to establish a correspondence between the operators of the language and operations on the validity lists. For example, the validity list of the formula Φ ₁ Λ Φ ₂ results from the combination (particular to the operator Λ) of the validity lists of Φ1 and Φ ₂ . So we are going to establish some kind of algebra on the validity lists.

Two types of calculation will be explained. The first will be a calculation dedicated to purely Boolean formulas. The second will be a valid calculation for any language formula. First calculation of validity lists (valid only for purely Boolean formulas):

To compute the validity list of purely Boolean formulas, the calculation algorithm used is similar to that used for the propositions and requires only a minor adaptation. As for a proposition p we had defined the boolean variables p. val and l.p, for a purely Boolean formula nous we define the Boolean variables Φ.val and I.Φ:

• Φ.val is a Boolean variable associated with Φ. It is initialized to 0. • I.Φ is a boolean variable that represents the value that snapshot I assigns to Φ. Its calculation is defined inductively as follows: o If Φ is a proposition p then I. Φ is lp o If Φ is the formula -iΦ-i then I.Φ is the negation of the truth value of I. Φi. Formally: I. (-1Φ ₁ ) = 1 - I.Φi o If Φ is Φ1 Λ Φ ₂ then I.Φ is equal to 1 if both I.Φ1 and I.Φ ₂ are equal to 1, 0 otherwise. Formally: 1. (Φ ₁ Λ Φ ₂ ) = I.Φ-i ^* I.Φ ₂ o If Φ is Φ1 v Φ ₂ then IΦ is 0 if IΦ1 and IΦ ₂ are both 0, 1 otherwise. Formally: 1. (Φ ₁ v Φ ₂ ) = (I.Φ-i + I.Φ ₂ ) - (I.Φ1 ^* I.Φ ₂ )).

For example consider pi vp ₂ . Suppose a snapshot I such that lp-j = 0 and Lp ₂ = 1. Then 1. (P ₁ vp ₂ ) = Lp ₁ + Lp ₂ - (Lp ₁ ^* Lp ₂ ) = 0 + 1 - (OM) = L

With these definitions, the calculation of the validity lists of a purely Boolean formula is similar to that for a proposition. We will therefore be able to extend the latter to deal not only with the propositions but also with all the purely Boolean formulas. Simply call the calculation on the sub-formulas beforehand so that all the variables in play are defined (for example for Φ-i Λ Φ ₂ , must first do the calculation for Φi and for Φ ₂ so that I.Φi and I.Φ ₂ are defined). The generalized algorithm for pure Booleans (and therefore also propositions) is as follows:

Algorithm for calculating the validity list of a purely Boolean formula Φ:

• Φ.val is initialized to 0

• Φ.LV is initialized to the empty list

• With each refreshing of the snapshot I make: o calculate I.Φ as indicated above (we suppose that the sub-formulas of Φ were treated before) o If I.Φ = 0 and Φ.val = 1 create l interval [lt, lt] and add it at the end of Φ.LV o If I.Φ = 1 and Φ.val = 1 then change the upper bound of the last interval of Φ.LV so that it becomes lt: if (I, Ib, ub, u) is this last interval then it becomes (I, Ib, lt, u) o If I.Φ = 1 and Φ.val = 0 then change the upper bound of the last interval of Φ. LV to lt and open this interval on this upper bound: if (I, Ib, ub, u) is this last interval then it becomes (I, Ib, lt, 0) o If I.Φ = 0 and Φ.val = 0 do not do anything (Φ.LV is unchanged) o Assign I. Φ to Φ.val

Second calculation of validity lists (valid for any formula but less effective than the first if applied to a purely Boolean)

The calculation of the validity lists of non-purely Boolean formulas is now discussed. Unlike purely Boolean formulas that can be calculated simply by considering the value assigned to them by a snapshot I (ie I.Φ) and the value it had before (ie Φ.val), for a non-purely Boolean formula the calculation of its validity list is based on a composition of the validity lists of its direct sub-formulas, which composition is a function of the operator. We will give below some intuitions of this composition specific to each operator. These intuitions do not presage that the calculation is done "online" or "offline". This distinction will be considered later when we discuss the principles of certainty, continuation and zone of influence. We make the implicit assumption that the computation is done over a certain time range (which does not need to be specified to expose the principles). A formal description taking into account all aspects of the process is given in Annex 1.

Case of the operator -i.

Figure 4 illustrates the calculation of the validity list of -iΦ knowing that of Φ. The principle is as follows: two successive intervals i and i + 1 of Φ give rise to an interval for -iΦ which inserts between i and i + 1. (See Appendix 1 for a more detailed description).

Case of the operator Λ.

The validity list of Φi Λ Φ ₂ depends on those of Φi and Φ ₂ . The principle is: if h is an interval of Φi and i _{2 is} an interval of Φ ₂ and hni ₂ ≠ 0, then hni ₂ is an interval of Φ ^ Λ Φ ₂ . (See Appendix 1 for a more detailed description).

Case of the operator v. The validity list of Φ-ιv Φ ₂ depends on those of Φi and Φ ₂ . The principle is the following. First of all we make a choice of direction of the lists of validity of the lists of Φ-i and Φ ₂ . We will see that it is wiser to start from the end of the lists. We make this choice. Let J ₁ and i _{2 be} the last intervals of Φi.LV and Φ ₂ .LV, respectively. We make a first choice between it and i2 which consists of choosing the one that goes farthest in the future (where i "go further in the future than" j means either we have i.ub> j.ub or we have so i.ub = j.ub and iu = 1 and ju = O). If that choice is not possible as they both go as far in the future (that is to say i = -Ub J ₁ and J ₂ .ub _1. I ₂ = u .u) then we choose two who goes the furthest in the past. Let us take, without loss of generality, the case in which he would be the winner of this choice. We enter J ₁ in the validity list (Φiv Φ ₂ ) .LV of Φ _Ï V Φ ₂ by adding on the left. Then we look in the predecessors of i ₂ (i ₂ inclusive) for the first interval i which is such that i <ii or which overlaps J ₁ on the left. We assign it to i ₂ (even if i is Nil). We assign the predecessor of ii to ii. Then we reiterate the process by making a choice between the new U and i ₂ and so on until we exhaust the lists Φi.LV and Φ ₂ .LV. Thus, step by step, and according to a linear algorithm, we build the validity list of Φ-ιv Φ ₂ .

Case of the operator F _[a , b].

Figure 5 illustrates how an interval of F _[a , _b] Φ is produced as a function of an existing interval in the validity list of Φ. If i is an interval of Φ we deduce that the interval (i Θ [-b, -a]) contains the validity dates for F _[a , b] Φ according to the data of i. Indeed, let us choose a date t of i Θ [-b, -a]. Is Φ actually true in [t + a, t + b]? In other words, does [t + a, t + b] cut i? Suppose this is not the case. Then we would have [t + a, t + b] <i or else i <[t + a, t + b]. Consider the case [t + a, t + b] <i. For it to be verified there are only two cases. Let's show that there is a contradiction in both cases:

• Either we would have t + b <i.lb, so t <i.lb - b so t € i Θ [-b, -a]. Contradiction.

• Or we would have t + b = i.lb and il = 0 because [t + a, t + b] is closed on the right on t + b. Knowing that i Θ [-b, -a] is by definition (il, i.lb - b, i.ub - a, iu), with i.lb = t + b, we would then have i Θ [-b, -a] = (U, (t + b) - b, i.ub - a, iu) = (U, t, i.ub - a, iu). Thus t would be in this case the lower bound of i Θ [-b, -a]. Since we took t in i Θ [-b, -a], this means that i Θ [-b, -a] has its lower bound, so that it is closed on it. In other words, this implies (i Θ [-b, -a]). L = 1.

As by definition (i Θ [-b, -a]). I is U so we should have U = 1. Contradiction.

The case i <[t + a, t + b] leads in the same way to contradictions. This shows that (i Θ [-b, -a]) contains the validity dates for F _[a , b] Φ according to the data of i and therefore that it is an interval to be added in the validity list of F _[a , b] Φ. (See Appendix 1 for a more detailed calculation).

Case of the operator U [ _a , _b] - We distinguish according to that a> 0 or a = 0. Case a> 0.

Recall that Φ-i U _[a, b] Φ ₂ is valid at a date t if Φ ₂ is true at a date t 'of [t + a, t + b] and that Φ ₁ is true everywhere on [t, t [. It follows from this that an interval H of Φ ₁ and an interval I ₂ of Φ ₂ such that H] nor ₂ = 0 (reminder: h] is the closed to the right of h) can not give rise to an interval for Φ -i U _[a , b] ΦΣ- Indeed if h] nor ₂ = 0 it means that there is a separation between h] and i ₂ therefore Φ-i can not be everywhere true between a date of i- until a date of i ₂ . So ii] nor ₂ ≠ 0 is a necessary condition for ii and i _{2 to} generate an interval for Φ-, U _[a , b _] Φ ₂ - Let us consider, as in figure 6A, two intervals h and i ₂ such that J ₁ ] nor ₂ ≠ 0. Call this interval J ₁ ] or ₂ . Consider the interval j = i Θ [-b, -a]. From what we have seen previously for the operator F _[a , b], if we choose a date t in j it is clear that there exists a date t 'of [t + a, t + b] which either in i. Since all the dates of i are also dates of i ₂ (since i = h] nor ₂ ), this means that in t 'Φ ₂ is true. We deduce that if t is chosen in j then there exists a date t 'of [t + a, t + b] where Φ ₂ is true.

Now let us choose t in jn J ₁ ]. Then the date t, as the date of j, guarantees us as seen above that there exists a date t 'of [t + a, t + b] where Φ ₂ is true. Remember that t is also a date of i.

This implies that t 'is a date of H] (since i = ii] nor ₂ ). Moreover, as date of jn J ₁ ] date t is also a date of J ₁ ]. Finally, to synthesize, t and t 'are dates of h] and t' is in [t + a, t + b]. Gum a> 0 then t <t '. So t is in h and t 'in J ₁ ]. That is, t 'is either in h or not in J ₁ but is J ₁ . ub. In both cases the interval ii (which is continuous) thus ensures a continuity of validity of Φi over [t, t '[. Since Φ ₂ is true in t ', it follows that (Φi U _[a , b] Φ2) is valid in t. To conclude, when a> 0, the interval H] n (ii] and ₂ Θ [-b, -a] denotes the dates when (Φ1 U _[a , _b] Φ ₂ ) is true from the given from ii and i ₂ (it is possibly empty if j <h). This interval will therefore be added to the list (Φ1 U [a, b] Φ2) .LV of validity of Φ ₁ U _[a , b] Φ ₂ -

Case a = 0 (so case of: Φ1 U [o, b] Φ2)

In the case where a is 0, the set i ₂ is itself a set of dates that validate Φ ₁ U _[a , _b] Φ ₂ - The interval i ₂ must therefore also be adjoint to (Φ ₁ U _{[ a} , b] Φ ₂ ) .LV. But if, on the other hand, there exists ii of Φ-i.LV which overlaps i ₂ by the left as in figure 6B, the dates of ii which are also in i ₂ © [-b, 0] validate Φ-i U _[0 _b] Φ ₂ - Finally if there is such that overlaps i M ₂ by the left this is the interval (hn (i ₂ Θ [-b, 0])) es ₂ we attach instead of i ₂ only.

In Annex 1 a precise and formalized calculation is worth 0 or that a> 0. Case of the operator S _[a , _b ]. Symmetrical to U _[a , _b] in the past.

Case of the operator P _[a , _>] . The validity list of P _[a,>] Φ depends only on the first interval of the validity list of Φ. If it exists and is of the form [u, v] then the validity list of P _[a , _> ] Φ is composed of the single interval [u + a, ∞ [.

Case of the operator S _[a , _> ]. Consider the formula Φ-i S _[a,>] Φ ₂ . Again, for \ - _\ of Φi and i ₂ of Φ _{2 to} produce an interval for Φ-i S [ _a,>] Φ ₂ it is necessary that i ₂ n [J ₁ ≠ 0. Suppose this is the case. Suppose i ₂ is [u, v]. Let k = [u + a, ∞ [. Then kn ^" h is a validity interval for Φ-i S _[a,> ] Φ ₂ .

In the descriptions above we gave only one intuition for each operator, bases of calculation. There are multiple ways to compose validity lists with identical results. The point is that the calculation is consistent with the semantics given for the language. In Annex 1 we give a precise and complete description (in pseudocode) of a possible calculation method for each operator.

Relationship between the process and the calculation of the validity list of the main formula

In the foregoing we have described a simple version of the process where the dreaded behavior was reduced to a proposition, "balance <0". The process was based on the observation that detecting the occurrence of the feared behavior "balance <0" is equivalent to calculating the validity list attached to the proposal "balance <0" and to testing whether this list is empty or not. If it is not, it means that "balance <0" is true on certain dates and therefore the dreaded behavior has taken place. Then we introduced a richer language to express more advanced properties. To extend the process to this language it was then necessary to have a computation allowing to compute the list of validity of any formula expressible in this language so that one can apply the same principle namely: "to detect the behavior feared is to test that the validity list of the formula that expresses it is not empty ". But we have shown, through two types of calculation, that this calculation can be done, for any formula of the language. The only constraint to be respected is that when calculating the validity list of a formula it is necessary that one treated first its direct sub-formulas. This is not unusual: for example, in elementary arithmetic, if one asks to calculate a + b, it is necessary that the terms a and b are defined and have been calculated before one proceeds to the computation from a + b. This constraint suggests at least two calculation methods for the process: "A recursive type calculation (based on an algorithm that is called itself) • A calculation according to the height of the formulas

Schematically the recursive algorithm is the following (it takes as argument a formula, let's call it Φ):

A1 - If Φ is a purely Boolean formula, calculate the validity list according to the algorithm specific to this type of formula.

A2 - Otherwise identification of the operator of the formula Φ,

A2.1 - Call (recursive) of the present algorithm on Φi the first direct sub-formula of Φ

A2.2 - If Φ has a second direct subformula Φ ₂ recursive call on Φ ₂

A2.3 - Calculation of the validity list of Φ according to those of Φi (and Φ ₂ ) and according to the identified operator A3 - FIN The process, at each refresh of snapshot I, calls this algorithm with the main formula Φ as an argument.

According to another embodiment, the calculation of the validity list uses a non-recursive algorithm based on the height of the formulas. Schematically the algorithm is the following (Φ is the main formula): B1 -soit k = 0

B2 - "as long as" k <h (Φ) do B2.1 - for any sub-formula ψ of Φ such that h (ψ) = k do: a) If Ψ is a purely Boolean formula, calculate its validity list according to the algorithm specific to this type of formula b) Else calculation of the validity list of Ψ according to its direct formula or formulas (which have necessarily been already processed since of lower heights)

B2.2 - k = k + 1

B2.3 - return of "as long as" 2. B3 - END.

For the process this algorithm is called at each refresh of the snapshot I, without argument.

From an efficiency point of view, the calculation based on the height of the formulas will be preferred. In practice we will rank the sub-formulas of the principal Φ in an increasing list according to the function h (that is to say that if Ψi and Ψ ₂ are two consecutive formulas of this list we have either h (Ψ0 < h (Ψ ₂ ) is h (Ψ0 = h (Ψ ₂ )) Then, with each refresh of the snapshot, we go through this list from the beginning and for each formula encountered we proceed to calculate its validity intervals. every formula encountered we are sure that the sub-formulas have already been computed since, from lower heights, they were traversed before the current formula.

In the foregoing we have presented a calculation of the validity list without worrying about the time range that was necessary or possible to calculate. The principles of rigorous, optimized and online calculation will be discussed below. As it will be seen, it is a question of preserving the results already obtained when the process is assured that they will not be modified any more and to make, with each new refreshing of the snapshot, only the calculations necessary for the extension of these results. So the calculation can be seen as a sequence of local calculations that extend previously acquired results.

Principles of Online Calculation (Certainty, Continuation and Zone of Influence) The computation method according to the invention effective, online, and bounded memory, validity ranges based on original principles that will be exposed. These are the principles of certainty, continuation and zone of influence. Corollary of the concept of zone of influence, the notion of useless date makes it possible to endow the process with a mechanism essential to its operation without limit of duration, namely the elimination of the intervals become irrelevant from the point of view of the problem of detection of dreaded behavior.

Principle of certainty: This principle consists in determining, at any time and for any formula of language, the portion of its validity list which will remain unchanged, although it happens later.

To make this principle operational, the process defines a function, called Cert, which takes a formula as a argument and returns a real number so that if I is the last snapshot then lt - Cert (Φ) determines the last date to which Φ is certain. Then comes the question of the first date from which Φ is certain. From what precedes this should be Origin - Cert (Φ) since by convention the first refresh is done at T_originen, the start date of the observation. But it may be that T_origine - Cert (Φ) is earlier than T_origine (simply when Cert (Φ) is strictly greater than 0). We are then in front of two options. Either we accept, option 1, to compute validity dates prior to the original, in this case the certainty window will be, for any formula Φ, the interval [T_origin - Cert (Φ), lt - Cert (Φ)]. Option 2, we do not accept calculating dates of validity earlier than original (we affirm the character of Origin as the date of absolute origin), then in this case the certainty window will be, for any formula Φ, interval [sup (Origin, (Origin - Cert (Φ))), lt - Cert (Φ)]. Although both options are possible, in the rest of the presentation we will opt for option 2 where [sup (Origin, (Origin - Cert (Φ))), lt - Cert (Φ)] defines the interval at any time. certainty of Φ.

For a proposition p, its value can be determined until the date of the last snapshot. It is therefore clear that the validity list of a proposition is completely determined, fixed, over the time range [T_origine, l.t] where I is the last snapshot. We must therefore put Cert (p) = 0 so that [sup (T_origine, T_ohgine - Cert (Φ)), l.t - Cert (Φ)] is the certainty interval of p. Indeed, by putting Cert (p) = 0, we have [sup (Origin, T_origin - Cert (Φ)), lt - Cert (Φ)] = [sup (Origin, T_ohgine - 0), lt - 0] = [Origin, lt].

Before generalizing to all the operators and to all formulas, this principle is presented at first with the formula F _[a , _b i P, because this is particularly intuitive. Consider any date t. If we want to know if F _[a , b] P is true or false in t, according to the semantics defined for the operator F _[a , _b] we must know the value of p over the entire interval [t + a, t + b]. But to know p on [t + a, t + b] the list must be of validity of p is determined and fixed at least until t + b. If we reverse this reasoning, suppose that p is certain until a date r. Then F _[a , _b ] P can be determined only until r - b. Indeed consider a date t <r - b. So t + b <r. Can the validity of F _[ab ] p be determined in t? According to the definition of this operator this can be determined if the validity of p is certain on any date of [t + a, t + b]. Now this is the case since having t + b <r and a <b, it follows that all the dates of p on [t + a, t + b] are lower than r and therefore the validity of p known for each. To generalize to F [ _a , t _> ] Φ, if Φ is certain until we say r then F _[a , _b ] Φ is only certain until r - b. Figure 7 A illustrates this principle, the validity of F _[a , b] Φ is certain in ti and uncertain at t ₂ because [t ₂ + a, t ₂ + b] overlaps with an area of undetermined validity for Φ.

To formalize this idea we define the function Cert which takes as argument a formula Ψ and returns a real number so that if lt is the date of the last snapshot then lt - Cert (Ψ) is the largest date up to which Ψ be certain. It immediately follows that Cert (p) is 0 for any proposition p. Now let us examine the case of the formula F _{[a, b]} Φ, that is to say determine the value of Cert (F _[ab] Φ). By hypothesis lt - Cert (Φ) gives the greatest date of certainty for Φ. From what we have seen, F _{[a> b} ] Φ is only certain until (lt - Cert (Φ)) - b. This date is supposed to be lt - Cert (F _[ab ] Φ). So we have: lt - Cert (F _[a , b] Φ) = lt - Cert (Φ) - b " ^• - Cert (F _[a , bi Φ) = - Cert (Φ) - b <=> Cert ( F _[a , _b ] Φ) = Cert (Φ) + b

Finally: Cert (F _[ab ] Φ) = Cert (Φ) + b. The certainty function Cert of a formula is defined inductively from the propositions for which the function Cert is known (as we have seen it is worth O), then to the more complex formulas. In the end, this function takes a formula and returns a real number (this number depends only on the formula and can therefore be calculated statically). As it has been said this function is defined so that [sup (Origin, Origin)

- Cert (Φ)), t - Cert (Φ)] is the certainty interval of Φ, when lt is the date carried by the last observed snapshot I. By generalizing to all operators we obtain the following inductive definition of the Cert function:

• Cert (Φ) = 0 if Φ is a proposition

• Cert (^ Φ) = Cert (Φ)

• Cert (Φi Λ Φ ₂ ) = sup (Cert (Φi), Cert (Φ ₂ ))

• Cert (Φ! V Φ ₂ ) = sup (Cert (Φi), Cert (Φ ₂ )) • Cert (F _[a , b] Φ) = Cert (Φ) + b

• Cert (Φi U _[a , b] Φ ₂ ) = sup (Cert (Φi), Cert (Φ ₂ )) + b

• Cert (P _[a , b] Φ) = Cert (Φ) - a

• Cert (P _[a , _> ] Φ) = Cert (Φ) - a

• Cert (Φ ₁ S _[a , b] Φ ₂ ) = sup (Cert (Φi), Cert (Φ ₂ ) - a) • Cert (Φ ₁ S _[a , _> ] Φ ₂ ) = sup (Cert (Φi ), Cert (Φ ₂ ) - a)

Let's explain the certainty of (Φi U _[a , b] Φ2), with a> 0, which is not trivial. Refer to Figure 6A. This figure illustrates how an interval of Φ ₂ and an interval of Φ1 give rise to an interval for Φ-, U _[a! b] Φ ₂ . In Figure 6A, we need J ₁ ] or _{2 to} be certain. But the certainty of an intersection is given by the smallest date of the certainties attached to the intervening intervals. Now we are certain of only up to

- Cert (Φi), from i ₂ until lt - Cert (Φ ₂ ). The smaller of the two is therefore given by lt - sup (Cert (Φi), Cert (Φ ₂ )). Then the computation of (h] nor ₂ ) Θ [-b, - a] can not be certain (to review the arguments advanced for F _[a , _b ]) until (lt - sup (Cert (Φi), Cert (Φ ₂ ))) - b is lt - (sup (Cert (Φi), Cert (Φ ₂ )) + b). And finally h] nj only up to: lt - sup (Cert (Φ ₁ ), (sup (Cert (Φ ₁ ), Cert (Φ ₂ )) + b)) Let's show that this is equivalent to sup (Cert (Φi ), Cert (Φ ₂ )) + b which is the value of Cert (Φi U _[a , b] Φ ₂ ) in the definition. Two cases: • Cert case (Φi)> Cert (Φ ₂ ). o So on the one hand we have:

- lt - sup (Cert (Φ ₁ ), (sup (Cert (Φi), Cert (Φ ₂ )) + b))

- = lt - sup (Cert (Φi), Cert (Φi) + b)) o And by

- sup (Cert (Φ ₁ ), Cert (Φ ₂ )) + b o So the equality sought • Case Cert (Φi) <Cert (Φ ₂ ). o Then on the one hand:

- lt - sup (Cert (Φi), (sup (Cert (Φi), Cert (Φ ₂ )) + b))

- = lt - SUp (CeIt ^ ₁ ), (Cert (Φ ₂ ) + b))

- = Cert (Φ ₂ ) + bo And secondly

- sup (Cert (Φ ₁ ), Cert (Φ ₂ )) + b

- Cert (Φ ₂ ) + bo Hence the sought equality from where Cert (Φ ₁ U _[a , _b ] Φ2) = sup (Ceιt (Φi), Cert (Φ ₂ )) + b. For Cert (Φ ₁ S _[a , b] Φ ₂ ) the justification is illustrated in Figure 7B where it is shown that sup (Cert (Φ ₁ ), Cert (Φ ₂ ) -a) is suitable. For the other formulas, the Cert function is explained by analogous reasoning.

In practice, for each sub-formula Φ of the main formula, we will associate a variable of real type denoted Φ.rel_œrt, intended to store the value of Cert (Φ). A possible calculation mode of Φ.rel_cert is the following, illustrated by the recursive algorithm calcul_rel_cert:

calcul_rel_cert (Φ) C1 - If Φ is: C1.1 - a proposition p then Φ.rel_cert = 0

C1.2 - -Φι then Φ.rel_cert = calcul_rel_cert (Φi)

C1.3 - Φi Λ Φ ₂ then Φ.rel_cert = sup (calculation_rel_cert (Φi), calculation_rel_cert (Φ ₂ )) C1.4 - Φi v Φ ₂ then Φ.rel_cert = sup (calcul_rel_cert (Φi), calculation_rel_cert (Φ ₂ ))

C1.5 - F [ _a , b] Φ then Φ.rel_cert = calcul_rel_cert (Φ) + b

C1.6 - Φ-i U _[a , b] Φ2 then Φ.rel_cert = sup (calculation_rel_cert (Φi), calculation_rel_cert (Φ ₂ )) + b C1.7 - P [ _a , b] Φ then Φ.rel_cert = calculation_rel_cert (Φ) - a

C1.8 - P [ _a , _> ] Φ then Φ.rel_cert = calculation_rel_cert (Φ) - a

C1.9 - Φi S _[a , b] Φ2 then Φ.rel_cert = sup (calculation_rel_cert (Φi), calculation_rel_cert (Φ ₂ ) - a)

C1.10 - Φi S _[a , _> ] Φ ₂ then Φ.rel_cert = sup (calculation_rel_cert (Φ-ι), calculation_rel_cert (Φ ₂ ) - a)

C2 - END

For the process, each sub-formula Φ of the principal (including principal) is assigned a real variable named Φ.abs_cert intended to store the absolute certainty date of Φ. In accordance with what we said on the initial certainty date, the initialization depends on an option. For Φ this variable Φ.abs_cert will be initialized either to (option 1) T_origine -

Φ.rel_cert to (option 2) sup (Original_Type, Original_Type - Φ.rel_cert). Initial certainty is interpreted as the first date from which the validity of a formula will be defined. Some examples :

• Consider -i (P [3,5] p) with T_origine = 0. We have ( ^~ i (P [3,5] p)). Rel_cert = (P ^ ₅₁ p) .rel_cert = p.rel_cert - 3 = 0 - 3 = -3. So (-i (P [3.5i p)). Abs_cert will be initialized by (option 2) sup (0, 0 - (- 3)) = sup (0, 3) = 3 or by (option 1) 0 - (- 3) = 3. In other words, what regardless of the option chosen for the initial certainty, for this formula -i (P [3.5j p) and for a process starting on date 0, we will start making validity calculations only from the date 3. • Consider F _[3 , ₅ ] p with T_origine = 0. (F ^ ₅ ] p) .abs_cert will be initialized according to option 2 by sup (0,0 - 5) = sup (0, -5) = 0 or by, depending on option 1, 0 - 5 = -5. In other words, for this formula and for a process starting on date 0, according to option 2 we will start to make validity calculations only from date 0, or, depending on option 1, from from the date -5.

Principle of continuation

From the principle of certainty previously developed, follows the principle of continuation which governs the algorithms detailed above for calculating the validity lists. Suppose that I is the last snapshot, then the validity list of a formula Φ has been established up to t-Φ.rel_cert (its certainty zone being [sup (Origin, Origin - Φ.rel_cert), lt - Φ .rel_cert]). By definition this ensures that the validity list of Φ on [sup (Original_Type, Original_Type - Φ.rel_cert), l.t - Φ.rel_cert] can not be modified later. This portion is therefore an acquired result that must not be recalculated thereafter. If, therefore, a new snapshot I 'arrives after snapshot I, the calculation of the intervals for Φ must relate only to the so-called continuation window:

] I.t - Φ.rel_cert, I'.t - Φ.rel_cert]

It is thus a question of prolonging the results acquired on [sup (Origin, Origin - Φ.rel_cert), It-Φ.rel_cert] by a calculation on] lt - Φ.rel_cert, the .t - Φ.rel_cert] of so that in fine the result is obtained on [sup (Origin, T_origine - Φ.rel_cert), the .t - Φ.rel_cert] which is the certainty interval of Φ when I 'is the last snapshot. This is what is designated in this context, by principle of continuation. On the algorithmic level, for each formula Φ are associated two variables:

• the variable Φ.abs_cert which is initialized to o Option 1: (Origin_type - Φ.rel_cert) o Option 2: sup (Origin_Type, Origin_Type - Φ.rel_cert)

• an interval variable, initialized empty. Call this variable Φ.w for a formula Φ (w for "window" or window in French). It is this second variable which represents the continuation window of Φ. The continuation window Φ.w of Φ is thus calculated (it is assumed that the initialization Φ.abs_cert is carried out as described above):

• With each refresh of snapshot I:

• If Φ.w is empty: o If (lt - Φ.rel_cert)> Φ.abs_cert then Φ.w becomes: [Φ.abs_cert, lt - Φ.rel_cert] then set Φ.abs_cert to the value (lt - Φ .rel_cert) o If (lt - Φ.rel_cert) <Φ.abs_cert then Φ.w remains the empty interval

In order to optimize the computation of the validity list of a formula Φ on its continuation window, it is necessary to determine, in the sub-formulas of Φ, which intervals are likely to generate new intervals in this window of continuation of Φ. It is the purpose of the concept of zone of influence to target only these intervals.

The calculation steps given for the main formula Φ remain the same when one considers the sub-formulas ψ of a formula and its associated variable ψ.abs_cert. Notion of zone of influence

This notion intervenes in the object of the invention, in two ways:

• It defines, for a formula Φ, which intervals of the sub-formulas of Φ have an influence on the continuation window Φ.w of Φ defined previously,

• Reciprocally, it defines, for a formula Φ, which intervals of the sub-formulas of Φ have more influence only on the already certain zone of Φ

• This allows: o To optimize the online calculation of validity intervals, targeting only the intervals that affect the continuation window. o In a dual way, this will define the intervals that can no longer influence the continuation windows, and thus eliminate these intervals.

Here again the operator F _[a , _b] is particularly intuitive to present this principle before its generalization to any operator. FIG. 8A illustrates the zone of influence for F _[a , b] Φ. In this FIG. 8A, the last snapshot is I 'while the precedent is I. The continuation window (F _[a , b] Φ). w of F _[a , b] Φ is therefore] lt - (F _[a! b] Φ) .rel_cert, the .t - (F _[a , _b ] Φ) .rel_cert].

The first dates on the value of Φ which influence the continuation window of F _[aib ] Φ are the dates superior to lt - (F _[a! B] Φ) .rel_cert + a while the last one which influences this window of continuation is the .t - (F [a _ib ] Φ) .rel_cert + b. In other words, it is the interval F _[aib ] .w Θ [a, b]. This can be expressed and generalized as a function that accepts two formulas as arguments and returns an interval. If Ψ is a direct subformula formula of Φ, ZI (Ψ, Φ) is the time range of the validity list of Ψ to consider in calculating the continuation of Φ. By time range we simply mean an interval. Finally we say that an interval of the validity list of Ψ has an influence on the continuation window of Φ if and only if it has a non-empty intersection with ZI (Ψ, Φ). According to our analysis for F _[ab] Φ, we would thus have: ZI (Φ, F _[a , t>] Φ) = (F _[a , t>] Φ) -w Θ [a, b]. Definition of the Zl function:

• ZI (Φi, (Φi Λ Φ ₂ )) = ZI (Φ ₂ , (Φi Λ Φ ₂ )) = (Φi Λ Φ ₂ ) .W

• ZI (Φi, (Φi v Φ ₂ )) = Zl (Φ ₂ , (Φi v Φ ₂ )) = (Φi v Φ ₂ ) .w

• Zl (Φ, F _[a , _b ] Φ) = (F _ta , b] Φ) .w Θ [a, b] • Zl (Φ, P _[a , b] Φ) = (P _[a , b ] Φ) .w Θ [-b, -a]

• Zl (Φ, P _[a , _> ] Φ) = (P _[a , _> ] Φ) .w Θ [-a, -a]

• ZI (Φ _1; (Φ ₁ U _{[a, b]} Φ ₂ )) = (Φ ₁ U _{[a, b]} Φ ₂ ) .w Θ [a, b]

• ZI (Φ _2j (Φi U _{[a, b]} Φ ₂ )) = (Φ ₁ U _{[a, b]} Φ ₂ ) .w Θ [a, b]

• ZI (Φ _1; (Φ ₁ S _{[a, b]} Φ ₂ )) = (Φ ₁ S _{[a, b]} Φ ₂ ) Θ [-b, -a] • ZI (Φ ₂ , (Φi S _{[ a, b]} Φ ₂ )) = (Φ ₁ S _{[a, b]} Φ ₂ ) Θ [-b, -a]

• ZI (Φ _{1 s} (Φi S _[a , _> ] Φ ₂ )) = ((Φi S _[a , _> i Φ ₂ ) .w Θ [-a, -a])

• ZI (Φ ₂ , (Φ, S _[a , _> ] Φ ₂ )) = ((Φi S _[a , _> ] Φ ₂ ) .w Θ [-a, -a])

On-line calculation, by continuation, of validity lists

The principle of continuation online is as follows. For each formula the process produces new intervals only on its own continuation window. These new intervals are calculated from the validity lists of the sub-formulas, but considering only the intervals whose intersection is non-empty with the zone of influence calculated by means of the function Zl. These restrictions being made, the actual calculation is then performed according to the principles of the offline calculation (as described in the section Correspondence between logical operators and operations on the validity lists). To synthesize: the online calculation is a succession of Restricted local offline calculations for each formula at its own continuation window.

Note: for this calculation to be correct it is necessary that, for any formula, whatever the zone of influence which is attributed to it, it is included in its own certainty zone, as illustrated in FIG. 8A (FIG. zone of influence for Φ is in its zone of certainty). This is always the case. This is demonstrated from the definitions of the Cert and Zl functions.

The continuation calculation can again easily be illustrated for F _[a , t _> ] Φ- This is to consider only the intervals of the validity list of Φ located in the area of influence calculated for F _[a , b] Φ- Since these intervals are more likely to be at the end of the validity list of Φ the algorithm goes backwards. It goes up the validity list of Φ from the end until it determines the last and the first interval having a nonempty intersection with the zone of influence. This defines a sub-list of the validity list of Φ which is exploited according to the offline algorithm described above for the calculation of new intervals of the validity list of F [a, b] Φ- For each production we calculate its intersection with the continuation window of F _[a , _b] Φ- If it is not empty it is added to the left in a temporary list. Then when all the intervals of the zone of influence have been traveled, the temporary list is connected to the right of F _[a , b] Φ-LV (See Annex 1 for a detailed calculation of F _[a, t _> ] Φ). The continuation principle nevertheless has peculiarities for the operators P [ _a , _> ] and S [ _a , _> j. For a formula of type P [ _aj> ] Φ it is enough for Φ to be true only once at a date t so that P _[ai>] Φ is true beyond t + a. The process can be simplified. As soon as Φ is true, that is, Φ.LV has a first i, we create the interval (il, i.lb + a, ((P _[a , _> ] Φ) .w) .ub , ((P [a, _> j Φ) .w) .u) which is added to the empty validity list of P _[a,>] Φ; then this interval is systematically extended to its upper bound (which becomes so lt - (P _[ a, _> j Φ) .rel_cert at each refresh), without worrying about the value of Φ. For S _[a,>] , according to the semantics of this operator, the process must examine the truth value of Φ ₂ arbitrarily far in the past and thus also that of Φ-i. But this approach would require keeping in memory all the intervals of Φ ₂ and Φ-i. So the memory required by the monitor could grow indefinitely. One of the objectives of the present invention is that the memory required by the monitor is limited. In fact the information that Φ ₂ has been true is kept in the validity list of Φi S _[a , _> ] Φ ₂ . Indeed, considering the computation of Φi S _[a , _>] Φ ₂ on its continuation window, if the last interval of the validity list of Φ ₁ S [a, _> ] Φ2 is such that its upper bound is (Φ1 S [ _a , _>] Φ ₂ ) .w.ub then it means that it existed in the previous window (s) of continuation, an interval i of Φ ₁ having intersected an interval of Φ ₂ in the past and which lasted at least until (Φ ₁ S _[a , _> ] Φ ₂ ) .w.ub. If when calculating Φ1 S _[a , _> ] Φ2 the method finds in the validity list of Φ ₁ an interval which contains (Φ ₁ S [ _a , _>] Φ ₂ ) .w.ub, it means that it prolongs i without interruption, and therefore extends the validity of Φ ₁ S _[a,>] Φ ₂ - The memory that Φ ₂ has been true is therefore contained in the last interval of the validity list of Φi S _[a , _> ] Φ ₂ . That is why we will be able to eliminate the intervals of Φ ₁ and maintain bounded memory. This will be seen later with the notion of useless date.

To synthesize what has been seen previously:

• Thanks to the Cert function we are able to delimit, for each formula: o a time range where the validity is certain o a time range adjoining the certain range, called the continuation window, which limits the range of computation to be performed each time that the snapshot is refreshed • Thanks to the Zl function, we are able, when we perform the calculation of the continuation, to limit the intervals to be taken into account for this calculation.

Zone of influence and elimination of unnecessary intervals illustrated in Figure 8A, 8B

It has been explained above how to compute the validity list of the main formula. This calculation is based on the preliminary calculation of the validity lists of all its sub-formulas. This calculation on the sub-formulas thus appears as a necessary means to the process but not as an end in itself since only the validity list of the principal formula is decisive for the process (because it is the non-emptiness of this list which testifies the occurrence of the dreaded behavior). If Φ is the main formula, that lt is the date carried by the last snapshot I, we know that on [sup (Origin, Origin - Φ.rel_cert), lt - Φ.rel_cert] the computation of the validity list of Φ is certain, that is to say, can not be modified any more, whatever happens. Thus the intervals of the sub-formulas which can affect, at the level of the principal formula, only the zone [sup (original_T_, T_origine - Φ.rel_cert), lt - Φ.rel_cert] can not bring any new determining information. So they are useless. It is therefore to eliminate them from memory. For this it is necessary to be able to determine, for each sub-formula, below which date the intervals can be eliminated. For the principal formula Φ, this date of absolute uselessness, which we will call Φ.abs_di, is therefore: lt - Φ.rel_cert. In fact, if intervals in [sup (Origin, Origin_Tor - Φ.rel_cert), lt - Φ.rel_cert] have been obtained by the method, the following hypothesis can be emitted: these intervals have been exploited (to emit a signal alarm or system control signal ...). Having been exploited, they are no longer useful. The case of the conjunction is particularly intuitive (Figure 8B). In this figure consider the intervals h of Φi and \ z of Φ ₂ . According to their positions they can not help to form validity intervals for (Φi Λ Φ ₂ ) only in the already certain zone of (Φi Λ Φ ₂ ). Henceforth they are useless for deciding the validity of (Φi Λ Φ ₂ ). It would be the same with any other interval prior to lt - Cert (Φi Λ Φ ₂ ). In other words, if z is the absolute useless date of (Φi Λ Φ ₂ ) then the absolute useless date of Φi and Φ ₂ is also z. However, if (Φi Λ Φ ₂ ) is not the main formula, it is possible that Φi and Φ ₂ are also sub-formulas of other formulas. It may be that other formulas impose on them a useless date prior to z. Thus, what can be asserted from (Φi A Φ ₂ ) and its useless date z is that the useless dates of Φi and Φ ₂ must be less than or equal to z. A generalization of this to all language formulas is explained below.

To generalize, the process will take into account the constraints that a function, which we will call Dl, must satisfy to be a function of uselessness with the idea that a function of uselessness takes as argument a formula Φ _n supposed to be a sub-formula of a main formula Φ, and returns a real number DI (Φ _n ), so that the absolute useless date Φ _n .abs_di of Φ _n is: Φ.abs_di + DI (Φ _n ) .

DI (Φ _n ) is therefore a useless date relative to the date of absolute uselessness Φ.abs_di of the main formula. For the inductive definition we must also assign a value to DI (Φ). Since we want Φ _n .abs_di = Φ.abs_di + DI (Φ _n ) for any sub-formula Φ _n of Φ, if Φ _n is the main Φ itself we must have Φ.abs_di = Φ. abs_di + Dl (Φ), so be DI (Φ) = 0. Given a formula Φ and the set {Φi, ..., Φ _n } of its sub-formulas a function Dl of {Φ-i,. .., Φ _n , Φ} → R is a function of uselessness if it is such that all these constraints are verified:

• DI (Φ) = 0 (0 for the main formula) And for ij e [1, n]

• DΙ (Φi) <Dl (→ ï> ι) • DI (Φι) <DI (Φ _J Λ ΦJ) • DKΦ _j J≤DIfΦiΛΦ _j )

• DI (Φ,) ≤DI (F _[a , _b] Φ,) + a

• DI (Φ,) <DI (P _[a , _b] Φ,) - b

• DI (Φι) ≤DI (P _[a , _> ] Φι) -a • DI (Φι) <DI (Φι U [a, b] Φj) + a

• DI (Φj) <DI (Φ, U _[a , _b ] Φj) + a

• DI (Φι) <DI (Φι S _[a , b] Φj) - b

• DI (Φj) <Dl (Φ, S _ta , b] Φj) ~ b

• DI (Φ,) <DI (Φ | S _[ai>] Φj) -a • DI (Φj) ≤ DI (Φ | S _[ai>] Φj) -a

In practice, the chosen function will be the one that assigns the largest value possible for each sub-formula, so that the largest possible number of possible intervals can be eliminated. It is in fact to choose the greatest value given by the strongest constraint. For example, if, for a formula Φj, the strongest constraint is DΙ (Φi) <DI (P _[a , b] Φι) - b, then the choice for the function is DΙ (Φi) = DI (P _[a , b] Φι) - b.

Below we present a possible way of calculating the useless date of each sub-formula of the main formula.

1. For each subformula Ψ of the principal Φ (including Φ itself) create a variable of real type Ψ.rel_di and assign it the symbolic value ∞ (∞ is such that x <∞ is always true for x a real standard)

2. Assign 0 to Φ.rel_di (only the main one is set to 0)

3. Calculation call_di (Φ, 0) where calcul_di is the recursive algorithm presented below. calculation_di (Φ, r):

D1 - If r <Φ.rel_di then Φ.rel_di = r D2 - If Φ is:

D2.1 - a proposition p then END. D2.2 - -iΦi then call calcul_di (Φ-ι, Φ.rel_di) D2.3 - Φ _! Λ Φ ₂ then call calcul_di (Φi, Φ.rel_di) then calcul_di (Φ2, Φ.rel_di)

D2.4 - Φ ₁ v Φ ₂ then call calculation_di (Φi, Φ.rel_di) then calculation_di (Φ ₂ , Φ.rel_di) D2.5 - F [a, b] Φi then call calcul_di (Φi, Φ.rel_di + at)

D2.6 - P [a, b] Φi then call calculation_di (Φi, Φ.rel_di - b) D2.7 - P [a, _> ] Φi then call calcul_di (Φi, Φ.rel_di - a) D2.8 - Φi U [a, b] Φ2 then call calcul_di (Φi, Φ.rel_di + a) then calcul_di (Φ ₂ , Φ.rel_di + a) D2.9 - Φ1 S [a, b] Φ2 then call calcul_di (Φi, Φ.rel_di - b) then calcul_di (Φ ₂ Φ.rel_di - b)

D2.10 - Φ1 S [a, _> ] Φ ₂ then call calculation_di (Φ-ι, Φ.rel_di - a) then calculation_di (Φ ₂ , Φ.rel_di - a)

Given this method of calculation, for any sub-formula Ψ of the main formula Φ, it is possible to calculate its absolute uselessness date, denoted Ψ.abs_di:

Ψ.abs_di = Φ.abs_di + Ψ.rel_di Where Φ. abs_di = (Φ.w) .ub The elimination of unnecessary intervals consists in deleting, for each sub-formula Ψ of the main formula Φ, the intervals of its validity list strictly prior to its absolute uselessness date Φ. abs_di + Ψ.rel_di (an interval is strictly prior to a date if all its points are lower, in the sense of real numbers, on this date). The mechanism for eliminating unnecessary intervals makes it possible in particular to guarantee that the memory resource required by the monitor is bounded thereby ensuring the operation without limit of duration of the monitor generated by the method. Example of application of the method for monitoring a mass-spring system Figure 9 illustrates an example of practical application to control the behavior of a mass-spring system. A mass M moving without friction on a horizontal plane is connected to a vertical support S by a spring R and a damping system A. Several properties can be analyzed by the method according to the invention, during a simulation of this model.

For example, an expected property could be that the force f and the displacement x always vary in the same direction. In other words, what is feared is the proposition (df.dx <0). It is possible to release this property by asking that if it happens that (df.dx <0) then (df.dx> 0) is restored between 0.2 and 0.5 seconds later. In other words, the expected property is (df.dx <0) → F _[0 2, 05] (df.dx> 0). The formula expressing the dreaded behavior is therefore -1 (-1 ((df.dx <0) Λ -1 Fp 2, 05] (df.dx> 0))) that is to say simply: (df .dx <0) Λ -1 F _{[0 2} , 05] (-> (df.dx <O)).

Another expected property could be: we must have (df.dx> 0) globally but we tolerate that (df.dx <0) when df is close to zero (at plus or minus 0.5 newtons). The expected property is (df.dx> 0) v (- 0.5 <df <0.5). The dreaded property is its negation -1 ((df.dx> 0) v (-0.5 <df <0.5)) or simply ((df.dx <0) Λ (-0.5 <f v f> 0.5)).

To summarize, the properties considered for generating monitors for this model could be:

• df.dx <0

• (df.dx <0) Λ -1 F _{[o 2} , 0 if H (df.dx <O)) • (df.dx <0) Λ (-0.5 <fvf> 0.5)

To illustrate the process more fully, we will study its process by considering the property (df.dx <0) Λ -1 (F ₁₀₂ , 05] (-> (df.dx <0))). The date T_origine chosen is 0. The strategy of use is as follows: we stop the monitor from the occurrence of the dreaded behavior, that is, that is, when the validity list of our formula is not empty. The sub-formulas (classified by increasing heights) are:

• (df.dx <0) which is a proposition

• -. (df.dx <0) • F _{[o 2} , os] (-i (df.dx <O))

• - (F [O 2, o s] (i (df.dx <0)))

The calculation of certainty is as follows:

• (df.dx <O) .rel_cert = 0 • (-i (df.dx <O)). rel_cert = (df.dx <O) .rel_cert = 0

• (F [o 2, o 5] (-i (df.dx <0))) rel_cert = o (-i (df.dx <O)) rel_cert + 0.5 = o 0 + 0.5 = 0.5

• H (F ₁ O 2, os) (-i (df.dx <O)))). Rel_cert = o (F [o 2, o 5] H (df.dx <O))). Rel_crt = o 0.5

• Cert ((df.dx <0) Λ -. (F _{[0 2} , o _5] (- <(df.dx <0))) = o sup (Cert (df.dx <O), Cert (- i F _{[o 2} , o 5] (-> (df.dx <0)))) = o sup (0, 0.5) = 0.5

The table below summarizes the values assigned to each formula by the Cert function.

The table below illustrates the calculation of Φj.rel_di. In this table X _(i) means that the value X has been calculated because the formula considered is a sub-formula of the formula of the line i. For example, the notation 0.2 ₍₃₎ in line 2, means that 0.2 has been calculated for -i (df.dx <0) because this formula is a sub-formula of that found in line 3. It can be seen that (df.dx <0) is a sub-formula of two formulas (those in line 2 and 5, which is why there are two values for this formula).

From now on, the steps of the method according to the invention will be carried out by indicating the instantaneous and its effect on the monitor, which is represented in the form of a table. This table has in particular a "Validity list" column which allows to display the validity lists for each sub-formula.

^1st refreshing: 1. (df.dx <0) = 1, lt = 0.

For purely Boolean formulas the calculation is based on the direct algorithm. This is why the continuation window is not mentioned. With this first snapshot, the table below summarizes the state of the various aspects of our process: continuation window for each formula, absolute date of uselessness, validity lists.

The continuation window remains empty for certain formulas. For example, for Φ ₃ = F [o 2, os _] (-> (df.dx <0) because we have lt - Φ ₃ .rel_cert <Φ ₃ .abs_cert since lt - Φ ₃ .rel_cert = 0 - 0.5 = -0.5 and Φ ₃ .abs_cert = 0.

Refresh: I. (df.dx <0) = 0, I t = 0.3

φ, Expressions Φi.W Φi.LV

Φi (df.dx <0) ([0,0,3 [)

Φ ₇ (df.dx <0) ([0.3.0.3])

Φ, F [o 2, o s] (-i (df.dx <O))

Φ_! iF [ ₀ 2, o 5] (-i (df.dx <O)) φ _c (df.dx <0) ₂ , os] (-i (df.dx <O)) Here again, the continuation window remains empty for certain formulas. For example for Φ ₃ = F _[02 , os] (-> (df.dx <0) because we have lt - Φ ₃ .rel_cert <Φ ₃ .abs_cert since lt - Φ ₃ .rel_cert = 0.3 - 0.5 = -0.2 and Φ ₃ .abs_cert = 0.

^3rd refreshment: I. (df.dx <0) = 1, lt = 0.7

In this table we add a column for new ranges to add to the existing list. Remember that they are only added to the validity list after truncation by the continuation window.

Detail of the calculation of Φ ₃ .w. We have lt - Φ ₃ .rel_cert = 0.7 - 0.5 = 0.2. 0.2> Φ ₃ .abs_cert because Φ ₃ .abs_cert = 0. Since Φ ₃ .w was empty until now, this window becomes [Φ ₃ .abs_cert, lt - Φ ₃ .rel_cert] or [0,0.2].

_l th

4 ^th refresh. L (df.dx <0) = 0, I t = 1

5 -i ⁱ è ^e ^m e ^th refresh. L (df.dx <0) = 1, I t = 1.2

Observe that for Φ-, and Φ ₂ , intervals of their respective validity lists predate strictly their respective absolute useless dates. These are [0.0.3 [for Φi and [0.3.0.7 [for Φ ₂ . These intervals can be deleted from the respective validity lists (they no longer play any role in the detection of Φ ₅ which is the main one). As it was explained, it is this mode of suppression which makes it possible to ensure that the monitor requires a bounded memory resource.

6 ^th refresh. L (df.dx <0) = 1, lt = 1.8

At this point, an interval has appeared in the validity list of the main formula Φ ₅ of the process according to the invention. This interval [1.2, 1.3] indicates that the dreaded behavior occurs on this interval. Indeed (df.dx <0) is maintained on [1.2, 1.8]. Thus for the dates of [1.2, 1.3] the return to normal (that is (df.dx> O)) does not take place. That's what the monitor reveals.

The method and the system according to the invention have the following advantages in particular: An automatic method: the monitor is automatically calculated from the expression of the dreaded behavior and the operation of the monitor is automatic in normal operation. It is fast and inexpensive in memory.

The method can be applied to any model, unlike the proof or model-checking model approaches that analyze the model as defined in its internal structure. The monitor is only interested in executions of a system, to its observable productions. Whether the model is, in its internal structure, very simple or very complex, small or large, this has no impact on the generated monitor, since it does not depend on the structure of the model but only on the formula given in Entrance. The analysis is done online, which means that:

• Process monitoring is performed while the execution / simulation process is occurring,

• The surveillance is carried out without limit of duration,

• Monitoring is done without storing the run, • The memory consumed by the monitor is bounded (allowing unlimited time monitoring)

The method according to the invention does not suppose a particular regularity on the execution, the delay between two observations being any.

Annex 1

Ratings:

In the algorithms below "Buffer" is a variable of validity list type, initialized empty from each algorithm. "Nil" does not have a specific meaning. It intervenes to denote empty or undefined objects (lists, intervals ...)

Φ.LV: for list of validity of Φ (lists of disjoint intervals steadily increased)

Φ.LV.first and Φ.LV.Iast denote respectively the first and the last element of Φ.LV (are both Nil to denote that Φ.LV is empty)

For an interval two notations are used: the usual notation such as:] 4.32, 6.21] the quadruplet notation (I, Ib, ub, u) where:

I and u are elements of {0,1} which denote the opening or closing of the interval on terminals Ib and ub

Ib: lower bound ub: upper bound example: (0, 4.32, 6.21, 1) represents] 4.32, 6.21] if i is an interval then i.l, i.lb, i.ub and i.u denote the parameters mentioned above

Let i be an interval of a validity list LV: i.pred denotes its predecessor in LV (Nil if i is the first element) i.next denotes the following interval in LV (Nil if i is last element)

Calculation of Φ = ^ Ψ: o declare: iter = Ψ.LV.Iast o "As long as" it is not Nil do: o If iter is strictly inferior to Φ.w do: o create a virtual interval iv =] Φ.w.ub, Φ.w.ub + 1] o make the predecessor of iv to be that of iter: iv.pred = iter.pred o iter becomes this virtual interval: iter = iv o go to step 4 o If iter overlaps Φ.w to the right, that is to say if iter n Φ.w ≠ 0 and (iter n Φ .w) .ub = w.ub, then go to step 4 o iter = iter.pred o return "as long as" 2 o If iter is Nil (Ψ.LV is empty or all intervals of Ψ.LV are strictly superior to Φ.w): o create a virtual interval iv =] Φ.w.ub, Φ.w.ub + 1] o point the predecessor of iv to that of iter: iv.pred = iter .pred o iter becomes this virtual interval: iter = iv o "As long as" it is not Nil do: o if iter n ZI (Ψ, Φ) is empty: o if iter is empty or not empty but less than ZI (Ψ, Φ) then go to step 5 o else iter = iter.pred and return from "as long as" 4 o create the interval nv: o If iter.pred is not Nil then nv is (1 - iter.pred. u, iter.pred. ub, iter.lb, 1 - iter.l) o otherwise nv is (Φ.wl, Φ.w.lb, iter.lb, 1 - iter.l) o if nv n Φ.w is not nil add it to gau check in Buffer o iter = iter.pred o return of "as long as" 4 o Connect Buffer to the right of Φ. LV o FIN

Calculation of Φ = Ψi Λ Ψ ₂ : 1. we declare: iteri = Ψ! .LV.Iast and iter2 = Ψ ₂ .LV.Iast 2. "As long as" iteri and iter2 are different from Nil do

2.1. If iteri n ZI (Ψi, Φ) different from Nil a) "As long as" iteri n iter2 is not Nil

• add (iteri n iter2 n Φ.w) to the left in Buffer • iter2 = iter2.pred

• return of "as long as" 2.1.a)

2.2. If iteM n ZI (Ψi, Φ) is Nil and iteM <ZI (Ψi, Φ) then go to step 3

2.3. iteM = iteri .pred 2.4. return of "as long as" 2

3. Connect Buffer to the right of Φ.LV

4. END

Calculation of Φ = Ψ ₁ v Ψ ₂ : An additional notation is introduced. Let i and i be two intervals. We denote j Z i if one of the following conditions is satisfied:

• j is Nil and i is not Nil

^• i = j

• i.ub> j.ub • i.ub = j.ub and i.u = 1 and j.u = 0

• i.ub = j.ub and i.u = j.u and one of these conditions is satisfied: o i.lfcx j.lb o i.lb ≈ j.lb and i.l = 1 and j.l = 0

In other words, we have j Z i when i goes farther into the future or, if he goes as far as j, he goes farther into the past than j.

1. declare: itert = Ψ ₁ .LV.Iast and iter2 = Ψ ₂ .LV.Iast and tmp = Nil

2. "As long as" iteri or iter2 is different from Nil do: 2.1. if iter2 Z iteri then go to step 2.3 2.2. otherwise (we exchange iteri and iter2): a) tmp = iteri b) iteri = iter2 c) iter2 = tmp 2.3. If iteri <ZI (Ψ _1; Φ) then END

2.4. Add on the left iteri n Φ.w in Buffer

2.5. "As long as" iter2 is not Nil do: a) if iter2 overlaps iteri on the left, that is if iter2 n iteri

≠ 0 and (iter2 n iteri) .lb = iteri .Ib, then go to 2.6 b) if iter2 <iteri then go to 2.6 c) iter2 = iter2.pred d) back "as long as" 2.5.

2.6. iteri = iteri .pred

2.7. return "as long as" 2. 3. Connect Buffer to the right of Φ. LV

4. END

Calculation of Φ = F _[a , _b ] Ψ: 1. iter ≈ Ψ.LV.Iast 2. "as long as" it is not Nil do:

2.1. If iter n ZI (Ψ, Φ) is Nil a) If iter <ZI (Ψ, Φ) then go to step 3 b) Otherwise iter = iter.pred and return from "as long as" 2

2.2. Add on the left ((iter Θ [-b, -a]) n Φ.w) in Buffer 2.3. iter = iter.pred

2.4. return of "as long as" 2

3. Connect Buffer to the right of Φ.LV

4. END Calculation of Φ = P _[a , _b ] Ψ:

1. iter = Ψ.LV.Iast

2. "As long as" it is not Nil do: 2.1. If iter n ZI (Ψ, Φ) is Nil a) If iter <ZI (Ψ, Φ) then END b) Otherwise iter = iter.pred and return of "as long as" 2

2.2. Add on the left ((iter Θ [a, b]) n Φ.w) in Buffer

2.3. iter = iter.pred

2.4. return "as long as" 2 3. Connect Buffer to the right of Φ. LV

4. END

Calculation of Φ = P _[a , _> ] Ψ:

1. If Φ.LV is not empty, then be i its unique interval. This interval is modified so that it becomes (i.l, i.lb, w.ub, w.u) and FIN.

2. If Ψ.LV is empty then do nothing and END.

3. If Ψ.LV is not empty and i is its first element then add (il, i.lb + a, w.ub, wu) to P _[a , _> ] Φ.LV and FIN.

Calculation of Φ = Ψ! U _[0 , _b ] Ψ ₂ :

1. iteri = Ψi.LV.Iast and iter2 = Ψ ₂ .LV.Iast and tmp = Nil

2. "as long as >> iter2 is not Nil 2.1. If iter2 n ZI (Ψ ₂ , Φ) is Nil a) If iter2 <ZI (Ψ ₂ , Φ) then END. b) Otherwise iter2 = iter2.pred

2.2. return of "as long as" 2

3. "As long as" iter2 is not Nil

3.1. If iter2 <ZI (Ψ ₂ , Φ) then END.

3.2. Add iter2 on the left in Buffer (since a = 0 there is all iter2) 3.3. "As long as" iteri is not Nil a) If iteri] n iter2 is not Nil then tmp = iteri b) If iteri] <iter2 then go to step 3.4 c) iteri = iteri .pred d) back "As long as" 3.3

3.4. iteri = tmp (iteri is the older one that extends iter2 to the past)

3.5. If iteri] overlaps iter2 on the left, that is, itert] n iter2 ≠ 0 and (iteri] n iter2) .lb = iter2.lb, then: a) Add on the left ((iteri .I, iteri .Ib, iter2, lb, iter2.l) n (iter2.l, iter2.lb -b, iter2, lb, iter2.l) n Φ.w) in Buffer

3.6. iter2 = iter2.pred

3.7. return of "as long as" 3

4. Connect Buffer to the right of Φ.LV 5. END

Calculation of Φ = Ψ ₁ U _[a , b] Ψ2 with a> 0:

1. iteri = Ψi.LV.Iast and iter2 = Ψ ₂ .LV.Iast

2. "as long as" iter2 is not Nil do: 2.1. If iter2 n ZI (Ψ ₂ , Φ) is Nil a) If iter2 <ZI (Ψ ₂ , Φ) then END. b) Otherwise iter2 = iter2.pred 2.2. back "as long as" 2

3. "as long as" iter2 is not Nil do: 3.1. If iter2 <ZI (Ψ ₂ , Φ) then END.

3.2. "As long as" iteri is not Nil do: a) If iteri] n iter2 (reminder: i) is the closed to the right of i) is not Nil then add to left (((iteri] n iter2) Θ [-b, -a]) n iteri]) n Φ.w in Buffer b) Otherwise go to step 3.3 c) iteri = iteri .pred d) return of 'as long as' 3.2

3.3. iter2 = iter2.pred

3.4. return of "as long as" 3 4. Connect Buffer to the right of Φ.LV

5. END

Calculation of Φ = Ψi S _[0 , _b ] Ψ ₂ :

1. iteri = Ψi.LV.Iast and iter2 = Ψ ₂ .LV.Iast 2. "as long as" iter2 is not Nil

2.1. If iter2 n ZI (Ψ ₂ , Φ) is Nil a) If iter2 <ZI (Ψ ₂ , Φ) then END. b) Otherwise iter2 = iter2.pred

2.2. return of "as long as" 2 3. "as long as" iter2 is not Nil

3.1. If iter2 <Zl (Ψ ₂ , Φ) then FIN.

3.2. "As long as" iteri is not Nil a) If [iteri n iter2 is not Nil then go to step 3.3 b) If iteri <iter2 then END. c) iteri = iteM .pred d) back "as long as" 3.2

3.3. If [iteri overlaps iter2 on the right: a) then add on the left ((iter2.l, iter2.lb, iteri .ub, iteri .u) n (iter2.l, iter2.lb, iter2, ub + b, iter2. l) n Φ.w) in Buffer b) else add left iter2 in Buffer

3.4. iter2 = iter2.pred

3.5. return of "as long as" 3

4. Connect Buffer to the right of Φ.LV

5. END Calculation of Φ = Ψi S _[a , _b ] Ψ2 with a> 0:

1. iteri = Ψi.LV.Iast and iter2 = Ψ ₂ .LV.Iast

2. "as long as" iter2 is not Nil do: 2.1. If iter2 n ZI (Ψ ₂₎ Φ) is Nil a) If iter2 <ZI (Ψ ₂ , Φ) then END. b) Otherwise iter2 = iter2.pred

2.2. back "as long as" 2

3. "as long as" iter2 is not Nil do:

3.1. If iter2 <ZI (Ψ ₂ , Φ) then END. 3.2. "As long as" iteri is not Nil do: a) If [iteri n iter2 (reminder: [i is the closed to the left of i) is not Nil

• then add on the left ((([iteri n iter2) Θ [a, b]) n [iteri)) n Φ.w in Buffer • otherwise go to step 3.3 b) iteri = iteM .pred c) return from "As long as" 3.2

3.3. iter2 = iter2.pred

3.4. return of "as long as" 3 4. Connect Buffer to the right of Φ.LV

5. END

Calculation of Φ = Ψ1 S _[a , _> ] Ψ ₂ with a> 0:

1. iteri = Ψi.LV.Iast and iter2 = Ψ ₂ .LV.Iast 2. "as long as" iter2 is not Nil do:

2.2. return "as long as" 2 3. "as long as" iter2 is not Nil do: 3.1. If iter2 <ZI (Ψ ₂ , Φ) then END.

3.2. «As long as» iteri is not Nil do: a) Φ.lb e iteri then add iteri on the left in Buffer and go to step 4 b) If iter2 n [iteri (reminder: [i is the closed on the left of i) is not Nil then add (1, iteri .Ib + a, iteri .ub, iteri .u) n Φ.w on the left in Buffer c) Otherwise proceed to step 3.3 d) iteri = iteri. pred e) return of "as long as" 3.2

3.3. iter2 = iter2.pred

3.4. return of "as long as" 3

4. Connect Buffer to the right of Φ.LV

5. END

Calculation of Φ = W ₁ S _[o , _> ] Ψ ₂ :

1. iteri = Ψj.LV.Iast and iter2 = Ψ ₂ .LV.Iast

2. "as long as" iter2 is not Nil

2.2. return of "as long as" 2

3. "as long as >> iter2 is not Nil

3.1. If iter2 <ZI (Ψ ₂ , Φ) then END. 3.2. "As long as" iteri is not Nil a) If iter2 n [iteri is not Nil then go to step 3.3 b) If iteri <iter2 then END. c) iteri = iteri .pred d) back "as long as" 3.2 3.3. If [iteri overlaps iter2 on the right: a) then add on the left (iter2.l, iter2.lb, iteM .ub, iteri .u) n Φ.w on the left in Buffer b) else add iter2 n Φ.w on the left in Buffer

3.4. iter2 = iter2.pred

3.5. return of "as long as" 3

4. Connect Buffer to the right of Φ. LV

5. END

Claims

1 - Method for generating a detector of feared behaviors specified in metric linear time logic of a system whose behavior is to be monitored, characterized in that it comprises at least the following steps implemented by a processor:

• define characteristic variables of the system to be monitored,

• define a certain number of propositions (P ₁ , ..., p _n ) on these variables,

• define the observation start date: Origin, • choose an option on the initial certainty of the formulas

• allocate in memory of the detector a sufficient space to memorize a snapshot relative to these propositions, that is to say, to allocate a real variable denoted Lt and n boolean variables for each proposition of {pi, ..., p _n }, if P _k is a proposition, I. p _k denotes the Boolean variable associated with PR,

• define a principal formula Φ, built on the aforementioned propositions (pi, ..., pn) expressing a dreaded behavior by using a language composed of logical operators and temporal operators dealing with the future and the past and whose BNF grammar is the following: φ :: = p | -i φ | φ! Λ φ ₂ | Cp ₁ v φ ₂ | F _[a , _b ] φ I ψi U _[a , _b ] ς> 2 I ψi S _[a , b]

Φ2 | Cp1 S _[a ,>] ψ2 | P [a, b] ψ IP [a,>] ψ | (ψ)

Where pe (pi, ..., p _n } and whose meaning is as follows: o The operator -i is the negation, -iΦ is true at a date t if and only if Φ is false at this date t, o The operator Λ is called conjunction, the formula Φi Λ Φ ₂ is true at a date t only if Φi and Φ ₂ are both true at this date t, o The operator v is called disjunction, the formula Φi v Φ ₂ is true at a date t if Φ ^ or Φ ₂ is true at this date t, o The operator F _[a , t _> ] means "in the future, between a and b" or "there will be between a and b", the formula F _[a , bj Φ is true at a date t if and only if there is a date between t + a and t + b where Φ is true, o The operator P _[ab] means "in the past, between a and b" or "there was between a and b », The formula P [ _a , bj Φ is true in t if and only if there exists a date between tb and ta where Φ is true, o The operator P _[a>] means:« beyond -a in the past ", the formula P [a _,>] Φ is true in t if and only if there exists a date between T_origine and ta where Φ is true, o The operator U _[ab] means:" Φ ₂ will true between a and b and Φi will be everywhere true in the meantime ", the formula Φi U [ _a , b] Φ2 is true in t if and only if there exists a date t 'between t + a and t + b where Φ ₂ is true and that Φi is everywhere true in the interval [t, t '[, o The operator S _{[a, b]} means: "Φ ₂ will be true in the past between -b and -a and Φi s everywhere in the meantime ", the formula Φi S _[ab]

Φ ₂ is true in t if and only if there exists a date t 'between tb and ta where Φ ₂ is true and Φi is everywhere true in the interval] t \ t], o The operator S _{[a, >]} means: "Φ ₂ will be true to the past beyond -a and Φi will be everywhere true in the meantime", the formula Φi S _[a , _> ]

Φ ₂ is true in t if and only if there exists a date t 'between 0 and ta where Φ ₂ is true and Φi remains true in the interval] t', t], • for each sub-formula Ψ of Φ (including Φ itself), create a variable denoted Ψ.LV of type interval list, and initialize it empty, • for any sub-formula Ψ of Φ (including Φ itself) create a Boolean variable Ψ.val, and initialize it to 0, • for any subformula Ψ of Φ (including Φ itself) create a variable of real type denoted Ψ.rel_cert, called relative certainty of Ψ, and assign it the value Cert (Ψ) where Cert is the function characterized as follows: o Cert (φ) = 0 if φ is a proposition of {pi, ..., p _n } o Cert (φi Λ φ ₂ ) = sup (Cert (φ-ι), Cert (φ ₂ )) o Cert (φi v φ ₂ ) = sup (Cert (φ-ι), Cert (φ ₂ )) o Cert (F _[a , b] φ) = Cert (φ) + bo Cert (φi U [ _a , b] Ψ2) = sup (Cert (φi), Cert (φ ₂ )) + bo Cert (P [a, b ] φ) = Cert (φ) - ao Cert (P _[a , _> ] φ) = Cert (φ) - ao Cert (φi S [a, b _] 9 ₂ ) = sup (Cert (φ ₁ ), Cert ( φ ₂ ) - a) o Cert (φi S _[a , _>] φ ₂ ) = sup (Cert (φ ₁ ), Cert (φ ₂ ) - a) • for each subformula Ψ of Φ (including Φ it itself) define a real variable denoted Ψ.abs_cert intended to store the absolute certainty of Ψ. Depending on the option chosen for the certainty of the formulas, for each formula Ψ sub-formula of Φ, its associated variable Ψ.abs_cert is initialized to: o Option 1: Origin_t - Ψ.rel_cert o Option 2: sup (Origin, Origin - Origin Ψ.rel_cert)

• for each sub-formula Ψ of Φ (including Φ itself) create a variable denoted Ψ.w of type interval, called continuation window of Ψ and initialize empty • regularly or periodically acquire the value of the characteristic variables of the observed system and memorize the date of this acquisition,

• depending on the values of the characteristic variables resulting from the acquisition carried out in the previous step, evaluate the Boolean value proposals and refresh snapshot I that is to say assign the Boolean value of p to lp for each ps {pi, ..., p _n } and assign the memorized acquisition date to 1.1.

• for each refresh of the snapshot I as performed in the previous step, for each sub-formula Ψ of Φ (including Φ itself), and in an order that is such that any formula is treated after its under -formulas: o Update its continuation window Ψ.w as follows:

• If Ψ.w is empty: • If (lt - Ψ.rel_cert)> Ψ.abs_cert then Ψ.w becomes: [Ψ.abs_cert, lt - Ψ.rel_cert] then set Ψ.abs_cert to the value (lt - Ψ .rel_cert)

• If (l.t - Ψ.rel_cert) <Ψ.abs_cert then Ψ.w remains the empty interval and Ψ.abs_cert remains unchanged - If Ψ.w is not empty then:

• Ψ.w becomes:] Ψ.abs_cert, l.t - Ψ.rel_cert]

• Assign Ψ.abs_cert the value (lt - Ψ.rel_cert) o calculate new validity intervals for Ψ on its continuation window Ψ.wo use the information contained in the validity list of the main formula Φ and send a signal associated. o Wait for a new refresh of the snapshot

2 - Process according to claim 1, characterized in that, if Ψ is a purely Boolean formula, the step of calculating its new intervals comprises at least the following steps: to any proposition or purely Boolean formula Ψ is associated a Boolean variable Ψ. val if I is the snapshot, lt corresponds to the date carried by I and I. Ψ to the truth value that I assigns to Ψ, which is calculated in the following inductive way: if Ψ is a proposition p then I.Ψ = lp If Ψ is -1Ψ1 then I.Ψ = 1 - I.Ψ1 If Ψ is ΨI Λ Ψ ₂ then I.Ψ = I.Ψ ₁ ^* I.Ψ ₂

If Ψ is Ψ1 v Ψ ₂ then I.Ψ = (I.Ψ1 + I.Ψ ₂ ) - (I.Ψ1 ^* I.Ψ ₂ ) initialize (20) the values of Ψ.val and Ψ.LV, respectively to 0 and empty list, wait for refresh of snapshot I (21), then test (22) the truth value I.Ψ:

If I.Ψ is at 1 the process tests, step (23), the value of Ψ.val:

If Ψ.val is at 1 then, step (24), the process replaces the last interval j of Ψ.LV by (j.l, j.lb, l.t, j.u)

If Ψ.val is at 0 then, step (25), the process adds at the end of Ψ.LV the new interval [l.t, l.t].

If I. Ψ is 0, then the process tests the value of Ψ.val:

If Ψ.val is at 1, step (26), then the method replaces the last interval j of Ψ.LV with (j.l, j.lb, l.t, 0) (step 28). If Ψ.val is at 0, then the process leaves Ψ.LV unchanged (step 27). following the steps (24, 25, 27 and 28), assign to Ψ.val the current value of I.Ψ (29), then return to the refresh standby step (21) of I, the calculation continuing as long as the process is maintained in operation.

3 - Process according to claim 1 characterized in that the calculation of new intervals for a formula that is not purely Boolean is based on an operation specific to each operator, to compose the validity lists. 4 - Process according to claims 1 and 3 characterized in that, for non-purely Boolean formulas, the calculation of the new intervals on the continuation window may be performed more quickly by a Zl function which allows to determine, when calculating new intervals of a non-purely Boolean formula Φ the time ranges to be considered in the validity lists of the direct sub-formulas.

5 - Process according to claim 1 characterized in that, if Ψ is direct subformula of a formula Φ, the intervals of Ψ having an influence on the calculation of the validity list of Φ on its continuation window Φ.w are those that have a nonempty intersection with the interval ZI (Ψ, Φ) calculated using the Zl function defined as follows:

• ZI (Φ. ^ Φ) = (-Φ) .w

• ZI (Φ- |, (Φ- | Λ Φ ₂ )) = ZI (Φ ₂ , (Φi Λ Φ ₂ )) = (Φi Λ Φ ₂ ) .W • ZI (Φ- |, (Φ- | V Φ ₂ )) = ZI (Φ ₂ , (Φ- | V Φ ₂ )) = (Φ- | V Φ ₂ ) .W

• ZI (Φ, F _[a , _b ] Φ) = (F _[a , b] Φ) .w Θ [a, b]

• Zl (Φ, P _[a , _b ] Φ) = (P _[a , b] Φ) .w Θ [-b, -a]

• Zl (Φ, P _[a , _> ] Φ) = (P _[a , _> ] Φ) .w Θ [-a, -a]

• ZI (Φi, (Φi U _Ia , b] Φ2)) = (Φi U [a, b] Φ ₂ ) .w Θ [a, b] • ZI (Φ ₂ , ^ ₁ U _[a , b] Φ ₂ )) = (Φi U _[a , bl Φ ₂ ) -W Θ [a, b]

• Zl (Φi, (Φi S _[a , b] Φ ₂ )) = (Φi S _[a , b] Φ ₂ ) θ [-b, -a]

• ZI (Φ _2j (Φi S _[a , _b] Φ2)) = (Φi S _[a , _b] Φ ₂ ) Θ [-b, -a]

• ZKΦL (ΦI S _[a , _>] Φ ₂ )) = ((Φi S _[a , _> ] Φ ₂ ) .w Θ [-a, -a])

• ZI (Φ ₂ , (Φ ₁ S _[a , _>] Φ ₂ )) = ((Φi S _[a , _> ] Φ ₂ ) .w Θ [-a, -a])

6 - Method according to one of claims 1 to 5 characterized in that it further comprises the following steps, after refresh of the snapshot and calculation of the continuation: • set the absolute useless date Φ.abs_di of the main formula to the upper bound of its continuation window Φ.w. If Φ.w is empty then Φ.abs_di is not defined,

• If the date Φ. abs_di is defined: o assign to each sub-formula Ψ of the main formula

Φ its absolute uselessness date Ψ.abs_di which is equal to Φ.abs_di + DI (Ψ) is the sum of the date fixed for the main formula and the value returned by a useless function Dl applied to Ψ, o eliminate, for any sub-formula Ψ of the main Φ

(including principal), the intervals of its own validity list Ψ.LV which are prior to its date of absolute uselessness Ψ.abs_di.

7 - Process according to claim 1 characterized in that it assigns a useless date relative to all the sub-formulas {Φ _1; ..., Φ _n } of the main formula Φ (including itself). This date is calculated thanks to a function of uselessness Dl which must satisfy all the following constraints:

• DI (Φ) = 0 (0 for the main formula) And for i, j e [1, n]

• DI (Φι) <DIHΦi)

• DI (Φi) ≤ DI (ΦiΛΦj)

• DI (Φj) <DI (ΦiΛΦj)

• DI (Φi) <DI (ΦiVΦj) • DI (Φj) <DI (ΦiVΦj)

• DΙ (Φi) <DI (F _{[a, b]} Φ,) + a

• DI (Φ |) ≤ DI (P _[a, b] Φι) -b

• DI (Φ |) <DI (P _[a,> ] Φι) -a

• DI (Φ |) ≤ DI (Φ | U _[a , _b] Φj) + a • DI (Φj) <DI (ΦiU [a, b] Φj) + a • DI (Φ,) <DI (Φ, S _[a , b] Φj) - b

• DI (Φj) <Dl (Φι S _[a , _> ] Φj) - a To eliminate the maximum of intervals we will be able to choose as function Dl the one which assigns for each sub-formula the greatest the value allowed by the stress the stronger.

8 - Process according to claim 1 characterized in that the transmitted signal is a signal triggering an alarm and / or a trigger signal of a command to control a process, or the issuing of a report signaling the detected anomaly .

9 - System for generating a detector of feared behaviors specified in metric linear time logic, with bounded memory, characterized in that it comprises at least the following elements: An input receiving one or more parameter (s) characteristic (s) of the state of the system to be monitored, and a clock H indicating the date of acquisition of this parameter (s), • A processor adapted to perform the steps of the method according to one of claims 1 to 10 using the measured parameter (s) and the associated date,

A memory (14) adapted to store the instantaneous snapshot memory of the validity lists LV determined by the implementation of the method for the main formula and its sub-formulas,

• An output (1 6) transmitting a signal SC corresponding to the information contained in the validity list for the main formula and outputting said signal. 10 - System according to claim 9 characterized in that it comprises a display device controlled by the signal corresponding to the information contained in the validity list for the main formula.

11 - System according to claim 9 characterized in that the signal obtained is transmitted to a device for generating an alarm and / or a system control or regulation system under the supervision of a monitor generated according to the method according to one of claims 1 to 10.