EP3827368A1

EP3827368A1 - Tool and method for designing and validating a data flow system by a formal model

Info

Publication number: EP3827368A1
Application number: EP19774160.6A
Authority: EP
Inventors: Paul DUBRULLE; Stéphane LOUISE; Christophe GASTON; Nikolay KOSMATOV; Mathieu JAN; Arnault LAPITRE
Original assignee: Commissariat a lEnergie Atomique CEA; Commissariat a lEnergie Atomique et aux Energies Alternatives CEA
Current assignee: Commissariat a lEnergie Atomique et aux Energies Alternatives CEA
Priority date: 2018-08-31
Filing date: 2019-08-30
Publication date: 2021-06-02
Also published as: US11610041B2; FR3085513A1; WO2020043999A1; US20210279393A1; JP7463346B2; JP2021535492A

Abstract

The present invention concerns a method and a tool for designing and validating a data flow system comprising a set of software and/or hardware actors (a_i, a_j) interconnected with each other by unidirectional communication channels (c_i, c_j), the tool comprising: - a modelling interface (11) configured to generate an instance of the system by specifying, in a formal manner, a real-time and reconfigurable data flow, the reconfiguration of the data flow being carried out dynamically by propagating reconfiguration data from one actor to another through the communication channels, - an analysis module (13) configured to prove a predetermined set of behavioral properties of the system by means of a static analysis of the instance, - a refinement interface (15) designed to allocate resources to the instance, thus establishing a configured instance, the allocation of resources being carried out in such a way that an implementation of the system complies with the configured instance, and - a conformity test module (17) configured to verify the conformity of the behaviour of an implementation of the system with respect to the configured instance.

Description

Title of the invention: Tool and method for designing and validating a data flow system using a formal model

The present invention relates to a tool for designing and validating a system comprising a set of actors interconnected with one another by unidirectional communication channels.

State of the art

The present invention applies to systems commonly called “data flow systems” comprising a set of software and / or hardware actors exchanging quantifiable information between them, through unidirectional communication channels. Each actor waits to have received a statically specified amount of data on its input channels in order to consume this amount of data, to process this data, and to produce a statically specified amount of data on its exit channels for new players. This behavior is repeated indefinitely by each of the actors. An example of such a data flow system is a real-time on-board system which can be used in an autonomous vehicle or with a driver.

The specification of these systems, taking into account all the constraints, is a complex technical problem in itself. Next comes the task of allocating resources for an implementation of the specified system, and verifying that these resources are sufficient for the implementation to work in accordance with its specification. Finally, for a given implementation, it is necessary to test this implementation and make sure that it respects the specified behavior. Automatic tools are used to carry out these various tasks of specifying and verifying a data flow system which may include a large number of actors with numerous constraints and possible reconfigurations.

Currently, there are algorithms based on formal models to specify reconfigurable real-time data flow systems. Such a method is for example described in document [1]. This method makes it possible to check the resources necessary for the implementation as well as the absence of inter-blocking between the actors. However, it does not make it possible to check the conformity of the behavior of an implementation of the specified system with respect to its specification and does not make it possible to check the absence of an unknown state in the system for all the specified reconfigurations.

There are other formal model-based specification methods for testing the conformance of data stream implementations. Such a method is for example described in document [2]. However, the only constraints that this method takes into account are those of real-time. Furthermore, it only gives a verdict on the conformity of the system output values and not on the conformity of the system behavior. However, in some cases, a system can provide a correct output value without respecting the behavior specified.

Currently, there are no formal model-based methods that take into account both real-time constraints and reconfiguration constraints. Each of the known methods only partially covers part of the steps and properties necessary for specifying and verifying a system. None of these methods completely covers the design and validation of a system by taking into account all the constraints that may exist in the system.

In addition, there are currently no known methods for operating actors in the system at different frequencies. Indeed, the methods according to the state of the art do not allow formal verification of the feasibility of the dimensioning of a connection channel between two actors operating at different frequencies without loss of communication data.

The object of the present invention is to provide a tool and a method for designing and validating a data flow system overcoming the aforementioned drawbacks, in particular by taking into account the complete set of behavioral properties of the system, thus allowing a careful and precise design and validation of the system whatever the reconfiguration while optimizing the computing and memory resources of the system.

Presentation of the invention The present invention relates to a design and validation tool implemented by computer of a data flow system modeling a device fitted with equipment, said data flow system comprising a set of actors ( a ,, a _j ) software and / or hardware interconnected by unidirectional communication channels (c _i; q), said tool comprising: - a modeling interface (11) configured to generate an instance of said system by specifying so formal a real-time and reconfigurable data stream, the reconfiguration of the data stream being carried out dynamically by the propagation of reconfiguration data from one actor to another through the communication channels,

- an analysis module (13) configured to prove a predetermined set of behavioral properties of said system by a static analysis of said instance comprising the construction of a matrix defining the state of activation of the actors and the state of the channels of communication and the determination of a vector of natural integers whose product with said matrix is zero, the determination of said vector confirming the feasibility of the data flow system independently of the allocated resources, a refinement interface (15) adapted to allocate resources to said instance respecting said predetermined set of behavioral properties, thereby establishing an instance called configured instance, and

a compliance test module (17) comprising unit test tools (171) and integration tools (173), the unit test tool (171) simulating the production of data on input channels of the implementation of an actor, and verifying that the quantities consumed and produced by this implementation correspond to those specified for the actor implemented, the integration test tool (173) constructing the set of traces which correspond to the expected behavior of the configured instance and ensuring that the trace supplied belongs to this valid set, thus verifying the conformity of the behavior of an implementation of said system with respect to said configured instance.

This embodiment by a formal model makes it possible to automate a meticulous and precise design and validation of a data flow system whatever the reconfiguration and without the need to have centralized control. More particularly, the reconfiguration in a distributed manner according to the invention makes it possible to take into account the complete set of behavioral properties while optimizing the computation and memory resources of the system thus minimizing the computation time and the errors, and facilitates the processes. certification.

Advantageously, the system instance includes rational rates of consumption and data transmission. This gives the possibility of taking into account actors who must operate at different frequencies without any loss of communication data between these actors. Thus, the verification of the feasibility of lossless communication, and if necessary the scheduling of operations and the synchronization between tasks, can be easily carried out whatever the constraints on the frequencies associated with the actors.

Advantageously, the system instance includes: - maximum frequency constraints for certain players,

- minimum frequency constraints for certain players.

Thus, unlike the state of the art, frequency constraints can be taken into account in the formal model and in the verification of the properties. Advantageously, the system instance includes:

- all of the actors including generic actors configured to process data and mode actors configured to process data and / or select configuration modes,

- the set of unidirectional communication channels connecting all the actors to each other, each actor being associated with at least one input or output channel,

- the rational or whole number of data produced or consumed per actor for each of its input and output channels, and

the set of modes associated with each mode actor, each mode actor being configured to dynamically choose for each of its activations one and only one mode from said set of modes.

This makes it possible to optimize the topology of the system and more particularly, the dynamic choice of configurations makes it possible to minimize the number of mode actors and connection channels.

Advantageously, the system instance also includes, for each generic actor, a corresponding set of execution modes in which it executes as well as an implicit set of all the other modes in which it passes, an execution mode being able to be either a nominal mode common to the whole system, or a specific mode chosen by a mode actor.

This facilitates the propagation of modes from actor to actor. Advantageously, the system instance further comprises an implicit set of feedback channels, a feedback channel being a channel connecting a generic actor producing data to a generic actor consuming data, each running in at least one of the chosen modes. by the same fashion actor, and in that there is a path without repetition starting from the same fashion actor and ending with the generic producer actor passing by the generic consumer actor.

The feedback channels allow an actor in a processing chain to send the result to a previous actor in the chain so that this previous actor can do a new processing taking into account the old result. The identification of these feedback channels thus makes it possible to describe iterative processes in the system without introducing indeterminate modes due to the propagation of modes.

Advantageously, the system instance further comprises an initial state of the system composed by channel of a rational number and a sequence of modes of length equal to a lower rounding of said rational number, and by generic actor of its initial mode.

This makes it possible to avoid inter-blocking in certain situations such as for example in the case of a feedback loop and also makes it possible to initialize delays to allow the start of certain types of processing by the actors such as for example the calculation of a convolution product.

Advantageously, the predetermined set of behavioral properties includes first, second, third and fourth following properties:

- the first property verifies that the resources necessary for the implementation of communications between actors without loss of data are limited for a periodic execution of the specified system,

- the second property verifies that the frequency and / or period constraints can be respected without calling into question the first property, - the third property verifies the non-existence of inter-blocking for any number of activations of the actors, and

- the fourth property checks the non-existence of an unknown state in the system for all the specified reconfigurations and none of the other properties being called into question by dynamic configuration changes.

Thus, by verifying the four properties completely, the tool according to the present invention ensures that the system is in a known and consistent state for all the reconfigurations and for all the constraints of frequency, period and dimensioning of resources. . Unlike the state of the art, the present invention expresses the reconfiguration so as to be able to prove exhaustively that the four properties are verified.

According to an embodiment of the present invention, said system is a real-time embedded system of equipment, configured to receive measurements specific to said equipment and to deliver results actuating operations for the proper functioning of said equipment.

The present invention also relates to a real-time embedded system of equipment, comprising a set of software and / or hardware actors interconnected with one another by unidirectional communication channels, said embedded system being designed and validated by the tool. according to any one of the preceding characteristics, said on-board system being configured to receive measurements specific to said equipment and its environment, and to deliver results actuating operations for the proper functioning of said equipment.

Advantageously, said equipment is an autonomous or non-autonomous vehicle of land, rail, aerospace or naval type.

The present invention also relates to a system of a real-time industrial process, designed and validated by the tool according to any of the preceding characteristics, said system being configured for the industrial production of objects according to specific flow constraints and according to a reconfigurable process.

The present invention also relates to a design and validation method implemented by computer of a data flow system modeling an on-board device of an item of equipment, said data flow system comprising a set of interconnected software and / or hardware actors. between them by unidirectional communication channels, said method using a computer to implement the following steps:

- generate an instance of said system by formally specifying a real-time and reconfigurable data stream, the reconfiguration of the data stream being carried out dynamically by the propagation of reconfiguration data from one actor to another through the channels Communication,

- prove a predetermined set of behavioral properties of said system by a static analysis of said instance including the construction of a matrix defining the activation state of the actors and the state of the communication channels and the determination of a vector of natural integers whose product with said matrix is zero, the determination of said vector confirming the feasibility of the data flow system independently of the allocated resources,

allocate resources to said instance respecting said predetermined set of behavioral properties, thereby establishing an instance called configured instance, and

- simulate the production of data on input channels of the implementation of an actor,

- check that the quantities consumed and produced by said implementation correspond to those specified for the actor implemented,

- construct the set of traces which correspond to the expected behavior of the configured instance, and - ensure that the trace provided belongs to this valid set, thus verifying the conformity of the behavior of an implementation of said system vis-à-vis said configured instance.

The present invention also relates to a non-transient computer storage medium tangibly storing code instructions configured for the design and validation of a data flow system modeling an on-board device of an item of equipment, said data flow system comprising a set of software and / or hardware actors interconnected with one another by unidirectional communication channels, characterized in that said code instructions can be executed by a processor to implement the following steps:

allocating resources to said instance respecting said predetermined set of behavioral properties, thereby establishing an instance known as a configured instance, and

- check that the quantities consumed and produced by said implementation correspond to those specified for the actor implemented, - construct the set of traces which correspond to the expected behavior of the configured instance, and

- ensure that the trace provided belongs to this valid set, thus verifying the conformity of the behavior of an implementation of said system vis-à-vis said configured instance.

Brief description of the figures

Other particularities and advantages of the device and the method according to the invention will emerge more clearly on reading the description given below, by way of indication but not limitation, with reference to the appended drawings in which:

Fig.l schematically illustrates the hardware means used in the design and validation tool of a data flow system, according to one embodiment of the invention;

Fig.2A-2C show examples of data flows not respecting the behavioral properties as defined according to the present invention;

Fig.3 schematically illustrates a method of designing and validating a data flow system, according to an embodiment of the invention; and

Fig.4 illustrates schematically an example of a data flow system modeled by a graph according to an embodiment of the invention.

Detailed description of the invention

The invention is based on a formal model to describe real-time constraints and dynamic reconfigurations in a data flow system, allowing the verification of a set of properties necessary for the proper functioning of the system. The result of this static analysis coupled with configuration data for a system implementation allows automatic allocation of the resources necessary for its execution, as long as such allocation is feasible. Finally, a formal compliance relationship and a test environment allow obtaining a verdict on the conformity of such an implementation with the initially specified model.

This invention can be applied to any data flow system comprising independent actors exchanging quantifiable information with one another, through unidirectional communication channels. The actors can be software (for example, applications) and / or hardware (for example, sensors, cameras, probes, microprocessors, etc.) entities. Each actor is configured to wait to have received a statically specified quantity of data on its input channels in order to consume this quantity of data, to perform (or not) a processing of this data, and to produce a quantity statically specified data on its output channels to new players, and each repeating this behavior indefinitely. The consumption / treatment / emission process is commonly called activation.

Each activation takes place according to predefined reconfigurations, and for a given reconfiguration, the activation will either consume / process / produce (we say then execute), or do nothing (we say then pass), and the choice to change configuration is unpredictable.

Each actor is activated according to the predefined reconfigurations in time windows (called real-time) with possibly frequency constraints (or in an equivalent manner with period constraints).

In particular, the invention applies to a system embedded in equipment where compliance with the expected behavior is considered to be very important for the safety and proper functioning of the equipment provided with such a system.

The recent real-time embedded systems for autonomous vehicles are an example of such systems where entities offer generic interfaces to allow concrete applications to exchange data with each other, each application being independent and running on a distributed architecture calculator. The connections between applications can be reconfigured according to the current operating mode of the vehicle, and / or the availability of services. Finally, for the proper functioning of the vehicle, time constraints are imposed on the operation of the applications.

Fig. 1 schematically illustrates the hardware means used in the design and validation tool of a data flow system, according to one embodiment of the invention.

The tool 1 for designing and validating a system 3 data flows implements hardware means comprising an information processing machine such as a computer or computer 5 comprising a microprocessor 7 and memories 9. The microprocessor 7 is configured to execute one or more computer programs comprising program code instructions, stored in the memories 9 of the computer 5 and designed to implement the system design and validation tool 3 stream data.

The design and validation tool 1 comprises a modeling interface 11, an analysis module 13, a refinement interface 15, and a conformity test module 17.

The modeling interface 11 is graphical software which is configured to interact with software describing the system 3 data flow. The graphics software and the software describing the system 3 are adapted to be executed by the computer 5.

The modeling interface 11 is configured to generate an instance of the system 3 by formally specifying a stream of real-time and reconfigurable data. By “instance”, we mean the specification of the data flow described in the modeling interface 11. The modeling interface 11 is thus used to specify the data flow based on a formal calculation model, independently of any implementation of this data flow. In addition, the reconfiguration of the data stream is carried out dynamically by the propagation of reconfiguration data from one actor a, to another a _j through communication channels q. This way of expressing the reconfiguration makes it possible to exhaustively check all the behavioral properties (described below) of the system 3.

The specification made by the modeling interface 11 aims to be able to prove the behavioral properties of the system. Indeed, the analysis module 13 includes verification tools 131 which are configured to prove a predetermined set of behavioral properties of the system by a static analysis of the instance. Static analysis includes the construction of a state matrix defining the state of activation of the actors and the state of the communication channels and the determination of a vector of natural integers whose product with said matrix is zero . The existence of such a vector confirms the feasibility of the data flow system regardless of the resources allocated. This analysis will be described in more detail later in the description.

The refinement interface 15 is configured to allocate sufficient resources to the instance respecting the predetermined set of behavioral properties and thus establishing an instance called in the following “configured instance”. Resource allocation is carried out in such a way that an implementation of system 3 respects the configured instance.

The refinement interface 15 is thus used to specify additional time constraints for the instance. It will be noted that the refinement interface 15 can specify several instances configured for the same instance. A conversion tool 19 adapts the result of the static analysis of an instance to provide inputs allowing the allocation of resources for a configured instance.

The compliance test module 17 is configured to verify the compliance of the behavior of an implementation of the data flow system 3 with the configured instance. More particularly, for an actor a, of a configured instance, we call an “implementation of this actor” any concrete entity which achieves the behavior specified for this actor a ,. Note that there can be several implementations for the same actor. In addition, for a configured instance, an “implementation of this configured instance” is called any collection of implementations of the actors composing the instance, associated with the concrete means enabling them to carry out the behavior specified for this instance. Note also that there can be several implementations for the same configured instance. Furthermore, for an implementation of a configured instance, a sequence of significant events that occurred during the execution of this implementation is called “trace”.

Advantageously, the compliance test module 17 is composed of a unit test tool 171 and an integration test tool 173. The unit test tool 171 simulates the production of data on the input channels of the implementation of an actor a _i; and verifies that the quantities consumed and produced by this implementation correspond to those specified for the actor implemented, while respecting all the constraints. The integration test tool 173 constructs the set of traces which correspond to the expected behavior of the configured instance and ensures that the trace provided belongs to this valid set.

According to an advantageous embodiment of the present invention, the instance of the system 3 comprises rational rates of consumption and transmission of data. Thus, the instance includes a rational or whole number of data produced or consumed by each actor a, and for each of its input and output channels c.

This embodiment makes it possible to integrate frequency constraints at the level of the formal model and in the verification of the properties and, consequently, allows two actors a, and a _j communicating with each other via a channel c, to operate according to frequencies different without any loss of communication data between these two actors (see the example in Fig. 4). The design and validation tool 1 according to the present invention guarantees the feasibility and consistency of the data flow system 3 by allowing verification of the predetermined set of behavioral properties covering all the reconfigurations and all the frequency and period constraints. and sizing of resources. This predetermined set of behavioral properties has the following four properties.

The first PI property verifies that the resources necessary for the implementation of communications between actors without loss of data are limited for periodic execution of the specified system. This allows for example to size the memories necessary to store data without loss.

Fig. 2A shows an example of a data flow not respecting the first property. This example shows a system comprising first and second actors ai and a ₂ exchanging data with each other through the channels Ci and c ₂ . The first actor ai specifies that it produces and consumes data at each activation. The second actor has ₂ specifies that he produces two data and consumes one on each activation. However, the resources necessary to store the data on the output channel c ₂ of the second actor a ₂ cannot be limited for an indefinite number of activations of these actors. Thus, in this situation the first PI property is not checked.

The second property P2 verifies that the frequency and / or period constraints can be respected without the first property being called into question.

Fig. 2B shows an example of a data flow not respecting the second property. This example also shows a system with two actors ai and a ₂ , the first actor producing a data by activation which will be consumed by each activation of the second actor. The frequency constraints are such that the first actor ai must activate at 100Hz and the second has ₂ at 10Hz. However, the resources necessary to store data on the channel Ci connecting the two actors ai and a ₂ cannot be limited for an indefinite number of activations, although they are limited if the frequency constraints are removed.

The third property P3 verifies the non-existence of inter-blocking for any number of activations of the actors. Interlock can result in a situation where a set of actors exchange data cyclically. Using the example of FIG. 2A, in the absence of data initially present on one of the two channels ci and c ₂ , none of the actors ai and a ₂ can activate. Thus, the third property P3 makes it possible to take into account the case of cyclic data flow.

The fourth property P4 checks the non-existence of an unknown state in the system for all the specified reconfigurations, there is no actor in the system which does not execute in any of the specified reconfigurations, and none of the other properties not being challenged by dynamic configuration changes.

Fig. 2C shows an example of a data stream not respecting the fourth property. This example shows a system with three actors a _1; a ₂ and a ₃ and according to two possible reconfigurations. A first actor has produced a data by activation, which is consumed by each activation of a second actor a ₂ , and this second actor has ₂ produced himself a data by activation, consumed by each activation of a third actor has ₃ . In a first configuration only the first and second actors at ₃ and a ₂ execute and the third actor at ₃ passes. In a second configuration R ₂ only the second and third actors a ₂ and a _{3 are} executed and the first actor has ₃ passes. In such a system, if the reconfiguration mode chosen is always the first configuration Ri, then the resources necessary to store the data on the channel c ₂ between the second actor a ₂ and the third actor a ₃ are not bounded for a number indefinite activations. Conversely, there is an interlock if the second configuration R ₂ is always chosen. Finally, if we modify the example such that any of these actors has ₃ , a ₂ and a ₃ does not activate in any configuration, we end up with similar situations. So the fourth property P4 allows to verify the consistency of the system for all the reconfiguration modes specified, ensuring that there is no contradictory information.

It will be noted that, unlike the methods of the state of the art, the way in which the concept of reconfiguration is expressed according to the present invention makes it possible to prove exhaustively the four properties P1-P4.

Fig. 3 schematically illustrates a method of designing and validating a data flow system, according to an embodiment of the invention.

It will be noted that the steps which are on the same level can be linked in parallel following the previous step. In addition, the steps illustrated with a spiral (ie steps E22, E41-E43, and E52) denote the possibility of applying this step several times for different configurations of the same instance, or different implementations of the same configured instance, or different traces of the same implementation.

Step E1 concerns the generation of an instance by specifying a system 3 real-time reconfigurable data flow in order to be able to prove all of the four behavioral properties P1-P4 of this system 3 defined above. .

The instance of system 3 includes all the elements defining the formalism of the calculation model. These elements include all of the actors a ,, a _j including the so-called generic actors who process data and the so-called fashion actors who are in charge of signaling reconfigurations and / or of processing data; the set of channels c _i; q connecting these actors to each other; the number of data produced or consumed per actor for each of its input or output channels, with the possibility for a channel to have only one of these numbers which is a rational number; the set of reconfiguration modes; maximum frequency constraints for certain generic or fashion players; minimum frequency constraints for certain generic or fashion players; and the initial state of the system. Step E21 concerns the verification by a static analysis of the set of behavioral properties P1-P4 for this instance. This allows the feasibility of the system to be verified independently of the resources allocated.

Step E22 relates to obtaining time constraints for this instance.

Step E3 concerns the construction of the scheduling constraints and the valid traces (i.e. set of valid states) for the instance configured in the previous steps. This step makes it possible to define the order in which the actors must make their operations according to the data and the time constraints.

In step E41 resources are allocated to respect the scheduling constraints of the configured instance.

In step E42, an implementation of an actor of the configured instance is obtained.

In step E43, an implementation of the configured instance is obtained.

In step E51, the conformity of the implementation of step E42 is tested.

In step E52, a trace of the implementation of step E43 is obtained.

Finally, in step E6, the conformity of the trace obtained in step E43 is tested, thus making it possible to verify the conformity of the implementation with the specified model.

The method according to FIG. 3 thus covers the specification of a system 3 real-time reconfigurable data flow, the configuration of a resource allocation and the verification of the conformity of the behavior of a system implementation, taking into account the four properties P1- P4 above as a whole.

Fig. 4 schematically illustrates an example of a data flow system modeled by a graph according to an embodiment of the invention.

The graph models a data flow with frequency constraints, different reconfiguration modes and initial data available for initial consumption. The circles aa ₅ represent so-called generic actors who carry out data processing. These generic actors ai-a ₅ are thus adapted to consume data, make calculations to transform the data and produce results. The triangles a ₆ and a ₇ represent actors called "clock" at ₆ or "deadline" at ₇ which produce and consume data with frequency constraints. The square a ₈ represents a so-called mode ₈ actor responsible for signaling reconfigurations. The Ci-Cio directed arcs are unidirectional channels each indicating a stream of data between two actors and the associated numerical values giving the amount of data produced or consumed on the channel.

According to this example, the modeled system 3 is composed of five generic actors aa ₅ , two time actors a ₆ and a ₇ (clock and deadline) and a mode actor a ₈ . A first generic actor ai (acquisition actor) acquires data supplied by a clock actor at ₆ at 30Hz. A second generic actor a ₂ (control actor) sends a command to an actuator actor at ₇ at 10 Hz. The command is determined according to the result of a reconfigurable processing chain consisting of a third generic actor a ₃ (preprocessing actor) performing a preprocessing of the data produced by the acquisition actor ai in all possible reconfigurations. In a first configuration (mode noted by l- ^), a fourth generic actor a ₄ (fast actor) performs a fast and low definition processing of the data pretreated by the pretreatment actor a ₃ . In the second reconfiguration (mode noted by / l ₂ ), a fifth generic actor a ₅ (slow actor) performs a slow but high definition processing. Thus, the data processing path of the first configuration l _ί is the path connecting the acquisition actor to ₃ to the preprocessing actor to ₃ , to the fast processing actor to ₄ and then finally to the command actor has ₂ . The second configuration l ₂ is defined by the path connecting the acquisition actor ai to the preprocessing actor a ₃ , to the slow processing actor a ₅ and then finally to the control actor a ₂ . Thus, the configuration propagates from one actor to another and therefore, no centralized synchronization on these reconfiguration modes is necessary. Each actor will communicate to his neighbor the configuration mode in which it must work. The choice of the current configuration is made by the mode actor a ₈ who preferably uses high definition processing when available.

According to this example, the rapid processing actor has ₄ each time he activates consumes data on his input channel c ₃ (represented on channel c ₃ by a "1") and produces data on its output channel c ₄ (represented on channel c ₄ by a “1”). Likewise for the slow processing actor a ₅ which consumes data on its input channel c ₅ and produces data on its output channel c ₆ . The control actor has ₂ each time it activates consumes data on its first input channel c ₄ or on its second input channel c ₄ (depending on the configuration mode) and produces data on its output channel c ₂ . The pretreatment actor a ₃ each time he activates consumes a datum on its first input channel Ci and a datum on its second input channel c ₉ and produces a datum on its first output channel c ₃ or on its second output channel c ₅ (depending on the configuration mode).

On the other hand, the acquisition actor ai consumes a rational number of data on its input channel c ₂ (represented on the input channel c ₂ by the value "1/3") and produces a rational number of data on its output channel Ci (represented on the output channel Ci by the value "1/3"). This means that the acquisition actor ai consumes or produces a data item every three activations. The example in Fig. 4 shows that in the initial state, there is a token Tl (ie a datum) available on the channel c ₂ (between the control actor a ₂ and the acquisition actor ai. Then, the actor of acquisition ai will consume this existing data on this channel c ₂ and will produce a data on its output channel c ₃ (ie channel c ₃ connecting the acquisition actor to ₃ to the pretreatment actor to ₃ ) Thus, the acquisition actor has ₃ consumed a data and produced a data. On the other hand, on his next two activations, he will consume zero data and produce zero data. In other words, the acquisition actor has ₃ consumes a datum and produces a datum every three activations. This allows synchronization of the data between two actors operating at different frequencies without any loss of data. Indeed, according to this example, the acquisition appears three times for each command thus allowing the transfer of data between the acquisition actor ai operating at 30 Hz and the control actor a ₂ operating at 10 Hz without any loss of data.

In the following, we summarize the essential elements of the formal definition of the calculation model (i.e. formalism) with reference, as an example, to system 3 in Fig. 4. According to this formalism, the specification of a data stream consists of the following F1-F9 elements:

Fl: We define the set of generic actors ai-a ₅ which process data, as well as the set of mode actors a ₆ and a ₇ which process data and / or select configuration modes.

F2: We define the set of channels c _Ci o connecting the actors to each other, each actor being associated with at least one input or output channel.

F3: We define the number of data produced or consumed by actor for each of its input or output channels, with advantageously the possibility for a channel to have only one of these numbers which is a rational number. These numbers are represented by the values on the Ci-Cio arcs connecting the actors of the example in FIG. 4.

F4: For each mode actor a ₈ of a non-empty set of modes, the mode actor a ₈ being in charge of choosing dynamically for each of his activations one and only one of these modes (These modes are noted l and l ₂ ). The choice of the current configuration is advantageously made by a single _8- mode actor and this current configuration is propagated in a distributed manner from one actor to another.

F5: For each generic actor ai-a ₅ , we define the set of modes in which it is executed, and the implicit set of all the other modes in which it passes. It will be noted that the set of modes in which a generic actor is executed is either a nominal mode common to the whole system, or a subset of the modes chosen by mode actors. In the example of FIG. 4, all the actors except the actors of preprocessing at ₃ , fast processing at ₄ and slow processing at _{5 are} executed in the mode nominal knowing that the preprocessing actor has ₃ runs in modes l and l ₂ , the fast processing actor has ₄ runs in mode À _lf and the slow processing actor has ₅ runs in l mode ₂ .

F6: Given the different modes, an implicit set of feedback channels is defined as the set of channels connecting two generic actors each running in at least one of the modes chosen by the same mode actor, and such that There is a path without repetition starting from the fashion actor and ending with the producer actor on this channel, passing by a consumer actor.

F7: We define maximum frequency constraints for certain generic or fashion players. One possible way of expressing them is by so-called ₆ clock actors with which a frequency is associated. In the example of FIG. 4, the acquisition actor ai has a maximum frequency constraint of 30 Hz, expressed by the clock actor at ₆ with the frequency 30 Hz, the arc c ₇ connecting them, and the quantities of associated data.

F8: We define minimum frequency constraints for certain generic or fashion players. One possible way of expressing them is by so-called actors with maturity a _{7 to} which a frequency is associated. In the example of FIG. 4, the control actor at ₂ has a minimum frequency constraint of 10 Hz, expressed by the expiry actor at ₇ with the frequency 10H z, the arc c ₈ connecting them, and the quantities of associated data. It will be noted that the same actor can be forced to operate at a minimum and maximum frequency, in this case it is an exact frequency constraint. In other words, a frequency constraint is either maximum (no more than so many times per second), or minimum (at least so many times per second), or exact (exactly so many times per second).

F9: An initial state of the system composed by channel of a rational number and a sequence of modes of length equal to the lower rounding of this rational number, and by generic actor of its initial mode. In the example of FIG. 4, all actors have for initial mode nominal mode, and the channels marked by a small circle Tl and T2 have an initial state of value "1". Of course, the initial state can be expressed by any rational number (for example, 2/5; 4/3; etc.) and this follows from the fact that the production and consumption rhythms are rational according to an advantageous embodiment. of the invention.

In addition, for a given specification, the behavior specified for the system has the following characteristics C1-C7:

Cl: The channel production policy is a non-blocking first-in-first-out (FIFO) policy.

C2: The consumption policy from the channels is blocking FIFO. Thus, when an actor will produce data on a channel, it will not be blocked by the consumer actor.

C3: The channels contain elementary quantities of data (i.e. tokens Tl, T2). A token is an arbitrary unit that indicates the number of data on a channel at a given time. The tokens are all made up of a mode and either of significant data produced by an execution, or of no data. These latter tokens advantageously represent the absence of data produced when the producer or the consumer goes into a given mode. Advantageously, this makes it possible to preserve the synchronization between the tasks without the need to send effective data.

C4: At any time, the state of a channel is a rational number, and the whole number of tokens it contains is the lower rounding of this number. Advantageously, this makes it possible to determine when the token will be consumed. In the example of FIG. 4, we initially have a token Tl (ie the rational number 1/1) on a channel c ₂ . The acquisition actor ai will consume 1/3 which will transform the state of channel c ₂ from 1/1 to 2/3 (ie 1-1 / 3) rounded to zero. However, the state of channel c ₂ is 2/3 which will allow the acquisition actor ai when activated to remove 1/3 again which will transform the state of channel c ₂ from 2 / 3 to 1/3 (ie 2/3 -1/3) rounded to zero. Finally, on his third activation the actor of acquisition ai again withdraws 1/3 which will transform the state of channel c ₂ from 1/3 to zero. Thus, a Tl token is consumed by the acquisition actor for all three activations.

C5: The atomic activation of each actor (regardless of whether it executes or passes), removes the specified rational number from the state of each of its input channels and adds the specified rational number to the status of each of its output channels. It should be noted that an atomic process is an indivisible process of production and consumption which has a clearly identified beginning and end. The number of tokens consumed or produced is the absolute value of the difference between the lower rounding of the channel state before activation and the lower rounding of the channel state after activation. C6: Each time a mode actor is activated, it executes and chooses one and only one of the modes associated with it in an arbitrary manner. He associates with each product token the mode chosen by this activation. For its consumers who will potentially run in this chosen mode, and only for those, it associates with each token significant data. It will be noted that in the state of the art, the quantity of data produced is changed to prevent the activation of a successor. On the other hand, the propagation mode according to the invention makes it possible to systematically produce tokens, potentially empty according to the mode chosen, which does not prevent activation of the successor, and therefore makes it possible to preserve the properties (see below). ).

C7: Before each activation of a generic actor, its current mode is determined by the set L of modes associated with a token which will be consumed for each channel, the channels for which no token is consumed in this activation being ignored. The token considered (for example the last consumed) on each channel is chosen in a deterministic manner. In a possible embodiment, the determination rule can be performed according to the following points (a) - (f): (a): if the set L is empty (ie the actor has no predecessors), the mode current is systematically nominal; (b): if the set is a singleton, the current mode is then this unique element of L

(c): if the set has more than one element, and it contains the indeterminate mode (see below), the mode is indeterminate;

(d): if the set has more than one element, and the actor only executes in nominal mode, the current mode is nominal mode; and

(e): if the set has more than one element, and the actor is executed in one or more of the modes A selected by a mode actor, then if LPL is empty, the current mode does not change, if LPL is a singleton, the current mode is the only element of LPL, and the mode is undetermined in all other cases.

The activation of each generic actor is done in its current mode. The current mode is associated with all the tokens produced by this activation, except those produced on a feedback channel, with which the nominal mode is associated. The data associated with the tokens produced are determined by the current mode. If the actor goes into his current mode, the tokens produced contain no data. If the actor executes in his current mode, for his consumers who will potentially execute in this chosen mode, his consumers who are connected to him by a feedback channel, and only for these, he associates with each token produces meaningful data. For all its other consumers it does not associate any data.

If an actor has a maximum frequency constraint, then two successive activations cannot take place faster than this frequency.

If an actor has a minimum frequency constraint, then two successive activations cannot take place less quickly than this frequency.

In the following, we give by way of example, methods for proving the four properties P1-P4.

First PI property: One possible way of proving the first property for any instance is based on known methods for data flows. However, this proof stands out by taking into account the rational quantities: This proof is defined by the following two steps Pli and P12:

First step Fold: Construct a matrix, denoted G, with one row per channel and one column per actor, and for each entry in this matrix we have: el: the value 0 if the actor is not connected to this channel; e2: the number (potentially rational) added to the state of the channel for each activation of the actor if he is a producer on this channel; e3: the opposite of the number (potentially rational) cut off from the channel state for each activation of the actor if he is a consumer on this channel; and e4: the difference between the numbers (including one potentially rational) added and subtracted from the channel state for each activation of the actor if he is both producer and consumer on this channel.

Second step P12: Solve the system of equations allowing to find a vector of natural integers x ¹ 0 such that G. x = 0. Finding such a vector x proves the first property PI. This vector is then used to prove the other properties.

Second property P2: In an embodiment in which the time constraints are described as in FIG. 4, the ability to verify the second property for instances can be done according to the following innovative steps P21-P25:

First step P21: Check that if an actor has maximum and minimum frequency constraints, they are equal.

Second step P22: Calculate the greatest common divisor Î of all the frequency constraints in the system, and their smallest common multiple p.

Third step P23: Given the vector x, arbitrarily choose an actor from column i in G with a noted frequency constraint and with the element x _t of x. Fourth step P24: Calculate the following whole number:

Fifth step P25: Check that for any actor of column i in G with a frequency constraint noted tO _j and with the element x _t of x we have: k. had

Xi = -

The

Third property P3: One possible way of proving the third property P3 is based on a method known for data flows in general but by distinguishing itself by taking into account rational quantities. Given x and the initial state of the channels, this method consists in carrying out a symbolic activation of the system in which each actor in column i in G is activated at least x _t times, and ensuring that this execution ends.

Fourth P4 property: The method of proving the fourth P4 property follows from the way the modes and the data are associated with the tokens to propagate the modes according to the innovative embodiment of the present invention. The method which follows is a nonlimiting example of the verification of this property P4 according to the following steps P41-P47:

First step P41: Check that the sets of modes chosen by the mode actors are disjoint two by two (one mode is chosen by one and only one mode actor).

Second step P42: Also verify that the set of modes associated with each generic actor is either the singleton containing the nominal mode of the system, or a subset of the set of modes chosen by a mode actor. It will be noted that the modes associated with a generic actor are all selected by the same mode actor.

Third step P43: Check that if a generic actor has an associated set of modes which is a subset of those chosen by a mode actor, then: either this actor de mode is a direct predecessor of this generic player; or there is at least one of the direct predecessors of this actor such that the set of modes associated with this predecessor is a subset of the set of modes chosen by this mode actor.

Fourth step P44: For all the actors of column i in G which are executed in at least one mode chosen by the same mode actor of column j in G, and who are on a path starting from this mode actor, and passing only by actors who execute themselves in at least one of the modes chosen by this mode actor, then:

(a) Given the initial state of the channels, calculate the initial delay noted d _t such that for the first d _j activations of the actor i its current mode is known; (b) For each input channel (except feedback channel) with for actor a column actor k in G which is either executed in a mode chosen by the column mode actor j in G, or is the column mode actor j in G, calculate the local mode change period denoted p _ik such that:

(c) Calculate the mode change period noted p _t as the maximum of the local periods previously calculated:

Pi = m Vafcx (Pi _f e)

(d) Check that for any local period previously calculated, the mode change period is a multiple of this local period:

VPi _f e, 3n _fc e N, n _k . p _ik = p _t

Fifth step P45: Given x, and the greatest common divisor of the components of x denoted by g, calculate a vector y. x with k a natural integer such that for

each of the actors considered in the previous step, we have:

Sixth step P46: Perform a symbolic execution of the data flow with at least y _t activations for all the actors, considering that the way in which the mode actors choose a mode on each activation is a tourniquet selection (rou nd-robin) of whatever modes they choose.

Seventh step P47: Ensure that no mode was undefined in the symbolic execution.

The time constraints for an instance are made up of the following elements: a time budget for all the actors; an initial deadline for all actors; a symbol associated with each actor declaring it to be either persistent or ephemeral; a symbol associated with each actor with a minimum frequency constraint declaring its constraint as being strict or relaxed; and an initial deadline associated with each actor with a minimum frequency constraint.

For a configured instance, the behavior specified is the same as described above for a single instance, but with the following additional constraints: A clock measures the flow of the time from an initial date. The time between the start and end of the activation of any actor is less than or equal to the budget associated with that actor. No activation of an actor begins before its initial delay has elapsed. The start of an activation of an ephemeral actor always takes place after the start of the previous activation of this same actor. The start of an activation of a persistent actor always takes place after the end of the previous activation of this same actor. For an actor with a minimum frequency constraint, each of its activations is associated with a deadline. For the first activation, this deadline is equal to the initial deadline, and for the following ones, their deadline is equal to the deadline for the previous activation of this same actor plus the inverse of the minimum frequency (ie the minimum period ). The end of the activation of an actor with a minimum frequency constraint always takes place before its expiration. For an actor with a maximum frequency constraint, a delay is associated with each of its activations; for the first activation, this deadline is equal to the initial delay, and for the following ones, their delay is equal to the delay for the previous activation of this same actor plus the inverse of the maximum frequency (ie the maximum period). The start of the activation of an actor with a maximum frequency constraint always takes place after its delay.

The process of constructing scheduling constraints (entries for existing methodologies for resource allocation) includes the following steps:

Step 1: Given x, associate with each actor of column i in G a sequence of at least 2. x _t elements where the j ^th element is defined by: a variable s _tj for the start date of the j ^th activation of i a variable e _tj for the end date of the i ^th activation of i and a variable d _tj for the expiration of the i ^th activation of i.

Step 2: Define a set of linear constraints such as: If according to the matrix G and the initial state of the channels the j ^th activation of an actor i consumes at least one token from a channel and this same token is produced by the ^th activation of an actor k then we have _kt £ Si _j . If the j ^th activation of a persistent actor i is the activation directly following the k ^th activation of this same actor (ie k = j— 1), then we have _ik £ s _tj . If the j ^th activation of an ephemeral actor i is the activation directly following the k ^th activation of this same actor (ie k = j— 1), then we have _ik £ s ^. For the ^1st activation of an actor i with an initial delay noted f, we have _tl . For the j ^th activation of an actor with a maximum frequency constraint noted w and an initial delay noted f, we have af + (j— 1) / w <s ^. For each variable e _tj , we have _tj £ d _tj .

Step 3: Iteratively, until all the variables s _tj are affected: For each variable s _tj not yet affected and such that all the variables involved in the linear constraints concerning it are affected, assign the minimum value authorized by linear constraints. For each variable e _tj corresponding to a variable s _tj assigned to this iteration, with the budget of the actor i noted b, assign the value s _tj + b to e _tj . Step 4: For each variable if the actor has a minimum frequency constraint noted w and an initial deadline noted d, assign the value d + (j— 1) / w.

Step 5: For each variable e _j , if the actor has a strict minimum frequency constraint, ensure that the constraint e _tj £ d _tj is respected.

Step 6: For each variable e ÿ, if the actor has a relaxed minimum frequency constraint, and if the constraint e _tj £ d _tj is not respected, assign the value

Step 7: Iteratively, until all the variables d _tj are assigned: For each variable d _tj not yet assigned, if all the variables d _ki have already been assigned such as according to the matrix G and l initial state of the channels the j ^th activation of the actor i produces at least one token in a channel and that this same token is consumed by the l ^th activation of the actor k, then assign e + min (d _fe ; - e _ki ).

^J Vkl

For the allocation of resources respecting the scheduling constraints of a configured instance, if Step 5 above of this process has passed successfully, then the variables s _j , d of each activation as well as the budget b of each actor are sufficient inputs for the allocation of execution resources and the dimensioning of communication channels for the storage of tokens. For the management of reconfigurations, the fact that this information is available for the actors of mode allows to use for example the scheduling methodology described in [3]. In addition, we are assured that this allocation is feasible on a finite quantity of these resources.

To check the conformity of an implementation of an actor, we also use the variables s _tj , d _tj of each activation as well as the budget b of this actor. A test environment for an implementation of an actor makes it possible to test different scenarios S1-S6:

SI: Simulate the production of tokens by activations j of the predecessors i of this implementation under test, on dates e _tj , these activations being dependent on the scenario tested. A non-exhaustive list of possible scenarios is as follows: (a) Underproduction: activations are chosen so that there are not enough tokens for the activation of this implementation, (b) Exact production: activations are chosen so that there is the minimum number of tokens necessary for the activation of this implementation, (c) Overproduction: activations are chosen so that there is a sufficient number of tokens for several successive activations of this implementation.

52: Observe the activity time of this implementation.

53: Observe the productions resulting from this implementation.

54: Check that the quantities consumed by this implementation are those provided by the specification, namely for the examples of scenarios given above: (a) Underproduction: this implementation does not activate and does not consume anything, (b) Production exact: this implementation activates exactly once and consumes the quantities specified on each input channel, (c) Overproduction: this implementation activates exactly the number of successive times planned by the scenario, and consumes each time the quantities specified on each input channel.

55: Check that the quantities produced by this implementation are those provided by the specification, namely for the examples of scenarios given above: (a) Underproduction: this implementation does not activate and produces nothing, (b) Production exact: this implementation is activated exactly once and produces the quantities specified on each output channel, (c) Overproduction: this implementation is activated exactly the number of successive times forecast by the scenario, and produces each time quantities specified on each output channel.

56: Check that the activity time is correct vis-à-vis the configuration of the instance, namely for the examples of scenarios given above: (a) Underproduction: this implementation does not activate and its activity time is zero. (b) Exact production: this implementation is activated exactly once and its activity time is less than or equal to the time budget of the actor corresponding to the implementation tested, and occurs within the limits defined by the corresponding variables s _tj and e _tj , (c) On production: this implementation activates exactly the number successive times predicted by the scenario, and for each of these activations, its activity time is less than or equal to the time budget of the actor corresponding to the implementation tested, and occurs within the limits defined by the variables s _tj and e _tj corresponding.

To check the conformity of an implementation of a configured instance, one can use for example the “Timed Input Output Transition Systems” (TIOTS) as described in [4]. The present invention is differentiated by the fact that instead of considering the values of the data produced in response to input values, we consider the state of the communication channels. For example, if an actor produces a token containing a character string as given, in the state of the art we would observe the character string, on the other hand in the present invention, we will observe the value "1", being the number tokens available in the channel. Thus the method for constructing valid traces is as follows: Constructing an automaton for each actor corresponding to the specified behavior of this actor in the formalism described in [4], in which the values produced / consumed on the channels are numerical values indicating l condition of the channel. Then, evaluate all the possible paths in a symbolic execution of the system as described in [4] so as to observe the periodic behavior described by the vector x.

Traces of an execution of an implementation of an instance can be provided by an observer of an execution of the implementation. Each entry in a trace provides information about the status of the implementation whenever this state changes. For example: the current date of the implementation instance clock configured, the number of tokens available for consumption for all channels, and the mode associated with tokens available for consumption. Given such a trace, one can check the conformity of the execution of the implementation with respect to the specified behavior of the corresponding instance, as described in [4].

The present invention applies to all data flow systems. A first application concerns critical real-time distributed systems. In particular, a real-time embedded system of equipment, configured to receive specific measurements of the equipment and its environment and to deliver results actuating operations for the proper functioning of this equipment. The equipment can be an autonomous or non-autonomous vehicle of land, rail, aerospace or naval type.

In particular, in the context of a vehicle data flow system, it is advantageously possible, according to the present invention, to have sensors and processors operating at different frequencies and according to several configurations. For example, the vehicle system may include cameras to detect pedestrians. The sampling frequency of the cameras can be different from that of the microprocessor which will process the signals and the processing must be fast enough to warn the driver or the automaton early enough to trigger braking or another action to avoid the pedestrian. This consumption and production at different frequencies without loss of data is possible thanks to the use of rational numbers of data on the channels according to the invention. In addition, it can be considered by way of example that for a car with a driver, the detection of pedestrians is advantageous from a certain speed. Thus, different reconfiguration modes can be used so that the pedestrian detection processing takes place from a certain speed or over a certain range of speeds allowing the microprocessor not to consume execution resources unnecessarily outside of this beach.

A second application concerns FPGA systems for critical real time: an FPGA system is a stream of data clocked by clocks which trigger the processing units, and in which the routing of data can change dynamically. A third application concerns a system of an industrial process configured for the industrial manufacture of objects according to particular flow constraints and according to a reconfigurable process. Indeed, an industrial manufacturing process can be seen as a stream of data, with flow constraints for technical reasons. In addition, the present invention allows the reconfiguration of the process to adapt for example to the evolution of the order book.

BIBLIOGRAPHICAL REFERENCES

1. X. K. Do, S. Louise and A. Cohen, Transaction Parameterized Dataflow: A model for context-dependent streaming applications, 2016 Design, Automation & Test in Europe Conférence & Exhibition (DATE), Dresden, 2016, pp. 960-965. 2. Y. N. Timo, H. Marchand and A. Rollet, Automatic test generation for data-flow reactive Systems modeled by variable driven timed automata, Research report HAL-00503000, 2010.

3. R. Henia and R. Ernst, Scenario Aware Analysis for Com plex Event Models and Distributed Systems, 28th IEEE International Real-Time Systems Symposium (RTSS 2007), Tucson, AZ, 2007, pp. 171-180.

4. Boutheina Bannour, José Escobedo, Christophe Gaston, Pascale Gall. Off-Line Test Case Génération for Timed Symbolic Model-Based Conformance Testing. Brian Nielsen; Carsten Weise. 24th International Conference on Testing Software and Systems (ICTSS), Nov 2012, Aalborg, Denmark. Springer, Lecture Notes in Computer Science, LNCS-7641, pp. 119-135, 2012, Testing Software and Systems.

Claims

claims

1. Tool design and validation set computer by performing a dataflow system modeling an onboard device of a device, said data flow system having a plurality of players (a ,, a _j) Software and / or materials interconnected with one another by unidirectional communication channels (c _i; q), said tool being characterized in that it comprises:

- a modeling interface (11) configured to generate an instance of said system by formally specifying a stream of real-time and reconfigurable data, the reconfiguration of the data stream being carried out dynamically by the propagation of reconfiguration data one actor to another through communication channels,

- an analysis module (13) configured to prove a predetermined set of behavioral properties of said system by a static analysis of said instance comprising the construction of a matrix defining the state of activation of the actors and the state of the channels of communication and the determination of a vector of natural integers whose product with said matrix is zero, the determination of said vector confirming the feasibility of the data flow system independently of the allocated resources,

a refinement interface (15) adapted to allocate resources to said instance respecting said predetermined set of behavioral properties, thereby establishing an instance called configured instance, and

2. Tool according to claim 1, characterized in that the system instance includes rational consumption and data transmission rhythms.

3. Tool according to claim 1 or 2, characterized in that, in addition, the system instance comprises:

- maximum frequency constraints for certain players, - minimum frequency constraints for certain other players.

4. Tool according to any one of the preceding claims, characterized in that the system instance includes:

5. Tool according to any one of the preceding claims, characterized in that, in addition, the system instance comprises for each generic actor a corresponding set of execution modes in which it is executed as well as an implicit set of all the other modes in which it passes, an execution mode which can either be a nominal mode common to the whole system, or a specific mode chosen by a mode actor.

6. Tool according to any one of the preceding claims, characterized in that, in addition, the system instance includes an implicit set of feedback channels, a feedback channel being a channel connecting a generic actor producing data to an actor generic data consumer each running in at least one of the modes chosen by the same mode actor, and in that there is a path without repetition starting from said same mode actor and ending with the generic producer actor by the way by the generic consumer actor.

7. Tool according to any one of the preceding claims, characterized in that, in addition, the system instance comprises an initial state of the system composed by channel of a rational number and of a sequence of modes of length equal to one lower rounding of said rational number, and by generic actor of its initial mode.

8. Tool according to any one of the preceding claims, characterized in that said predetermined set of behavioral properties comprises first, second, third and fourth following properties:

- the first property verifies that the resources necessary for the implementation of communications between actors without loss of data are limited for a periodic execution of the specified system, - the second property verifies that the frequency and / or period constraints can be respected without calling into question the first property, - the third property verifies the non-existence of inter-blocking for any number of activations of the actors, and

9. Tool according to any one of the preceding claims, characterized in that said system is a real-time on-board system of equipment, configured to receive measurements specific to said equipment and to deliver results actuating operations for proper operation of said equipment.

10. Embedded real-time system of an item of equipment, comprising a set of actors (a _i; a _j ) software and / or hardware interconnected by unidirectional communication channels (c _i; q), said embedded system being designed and validated by the tool according to any one of the preceding claims, characterized in that said on-board system is configured to receive measurements specific to said equipment and its environment and to deliver results actuating operations for the proper functioning of said equipment.

11. System according to claim 10, characterized in that said equipment is an autonomous or non-autonomous vehicle of land, rail, aerospace or naval type.

12. System of a real-time industrial process, designed and validated by the tool according to any one of claims 1 to 9, characterized in that said system is configured for the industrial manufacture of objects according to specific flow constraints and according to a reconfigurable process.

13. Design and validation process implemented by computer of a data flow system modeling an on-board device of an item of equipment, said data flow system comprising a set of software and / or hardware actors interconnected with one another. unidirectional communication channels, said method being characterized in that it uses a computer to implement the following steps:

14. Non-transient computer storage medium tangibly storing code instructions configured for the design and validation of a data flow system modeling an on-board device of an item of equipment, said data flow system comprising a set of actors software and / or hardware interconnected with one another by unidirectional communication channels, characterized in that said code instructions can be executed by a processor to implement the following steps: