Deploy SIGNAL to Europe β Pierre Le Guernic π«π· (IRISA Rennes 1986), the Polychronous Language That Completes the French Synchronous School on EU Infrastructure in 2026
The French Synchronous School is one of the most cohesive intellectual achievements in European programming language research. Three languages β Esterel, Lustre, and SIGNAL β emerged from three French research institutions during the 1980s, each articulating a different facet of the same fundamental insight: that reactive real-time systems, where correctness depends on the timing of interactions with the physical world, require a programming model where time is a first-class concept in the language semantics rather than an afterthought in the runtime.
Esterel (GΓ©rard Berry π«π·, INRIA Sophia-Antipolis + CMA Γcole des Mines de Paris, 1983) approached this through synchronous reactive programming β imperative control flow in which parallel threads execute instantaneously within each logical tick, producing deterministic concurrent behaviour. Lustre (Nicolas Halbwachs π«π· + Paul Caspi π«π·, IMAG Grenoble / VERIMAG, 1984) approached it through synchronous dataflow β stream transformations where every signal runs at the same clock rate, enabling compositional reasoning and certified code generation via SCADE. SIGNAL (Pierre Le Guernic π«π·, IRISA Rennes, 1986) approached it through polychrony β a synchronous model that explicitly allows multiple different clock rates to coexist in the same system, connected by algebraic clock relations.
That third perspective β polychrony β fills a gap that Esterel and Lustre leave open. Both assume (or enforce) a single global clock: all components of a Lustre program run at the same rate or at rationally related sub-rates, and all Esterel threads execute within the same logical instant. SIGNAL generalises this. In a SIGNAL program, different components can run at entirely different, unrelated clock rates, and the language provides a clock calculus that statically verifies whether the clock constraints imposed by the program are consistent.
IRISA Rennes: France's Eastern Research Axis
The institutional home of SIGNAL is IRISA β the Institut de Recherche en Informatique et SystΓ¨mes AlΓ©atoires β located in Rennes, the capital of Brittany in northwestern France. IRISA is a joint research unit (UnitΓ© Mixte de Recherche) bringing together CNRS (Centre National de la Recherche Scientifique, the French national research centre), INRIA (Institut National de Recherche en Informatique et en Automatique), UniversitΓ© de Rennes 1, INSA Rennes (Institut National des Sciences AppliquΓ©es), and ENS Rennes (Γcole Normale SupΓ©rieure de Rennes).
Founded in 1975, IRISA is one of France's largest computer science research laboratories, with research covering algorithms, distributed systems, networks, security, robotics, and programming languages. Its location in Rennes β a university city of roughly 200,000 with significant concentrations of defence electronics (Thales π«π·, formerly Thomson-CSF), telecommunications (Orange π«π·, the former France TΓ©lΓ©com), and automotive systems β gave IRISA researchers direct industrial collaborators for the safety-critical embedded systems that SIGNAL was designed to address.
Pierre Le Guernic π«π·, the principal designer of SIGNAL, was a researcher at IRISA in the Rennes-based INRIA team that developed the language. Le Guernic's work began in the mid-1980s, producing the first publications on SIGNAL in 1986 and 1987 in collaboration with Thierry Gautier and Michel Le Borgne, fellow IRISA researchers. The team included Jean-Pierre Talpin π«π·, who later became one of the principal maintainers of the Polychrony toolset and a key figure in the theoretical foundations of polychronous models of computation.
The choice of Rennes as the incubator for the third synchronous language was not coincidental. The proximity of Thales (then Thomson-CSF) and other defence electronics companies in the Rennes area created a direct pipeline from academic research to industrial application in exactly the domain β safety-critical embedded avionics and defence systems β where synchronous languages showed their greatest advantages.
The Synchronous Model of Computation
All three French synchronous languages rest on a common theoretical foundation: the synchronous hypothesis.
The synchronous hypothesis states that a reactive program's response to an input is instantaneous β it takes zero time relative to the timescale at which inputs arrive. This is obviously a mathematical idealisation: real hardware takes nonzero time to compute. But the hypothesis is valid precisely when the computation time is negligible compared to the period between inputs β which is the design goal of real-time systems. A flight control system that samples sensors at 100 Hz needs to complete its computation well within 10 milliseconds; the program is designed to make the computation fast enough that the instantaneous-computation approximation is valid.
Under the synchronous hypothesis, time in a reactive program is discrete: it proceeds in a sequence of instants (or ticks). At each instant, the program receives a set of input values, computes, and produces a set of output values. Between instants, nothing happens. This makes the semantics deterministic: given the same sequence of inputs, a synchronous program always produces the same sequence of outputs, regardless of scheduling, memory layout, or timing jitter in the underlying hardware.
Lustre realises this model as a functional dataflow language: programs are networks of stream transformations, where each signal is a infinite stream of values indexed by discrete time. All signals in a Lustre program are defined at the same base clock (or at sub-rates obtained by sampling).
Esterel realises it as an imperative control-flow language: programs are hierarchical state machines with synchronous parallel composition, preemption, and event-driven control flow.
SIGNAL realises it as a relational language over signals and their clocks. This is the key distinction.
SIGNAL's Clock Algebra: Polychrony
In Lustre and Esterel, every signal has a clock, but the single-clock assumption means that composing components with different natural rates requires explicit clock conversion β subsampling (taking every nth value) or upsampling (repeating values). The programmer must manually manage the boundaries between components running at different rates.
SIGNAL takes a different approach: clocks are first-class values in the language, and the language includes an algebraic clock calculus that reasons about clock relations automatically.
A clock in SIGNAL is a signal whose values are Booleans: the clock is present (true) at instants when an associated signal carries a value, and absent at other instants. Every signal in a SIGNAL program carries a clock; the clock defines when the signal is defined.
Clock expressions in SIGNAL include:
-- Clock of signal x (x is defined exactly when its clock is present)
^x
-- Boolean clock combination
c1 default c2 -- c1 when present, else c2
c1 when c2 -- c1 restricted to instants when c2 is present
c1 cell c2 -- sample-and-hold: last value of c1 at c2 instants
-- Synchrony relation: assert that c1 and c2 are the same clock
c1 = c2
-- Event detection
event x -- true exactly when x changes value
A SIGNAL program is a set of equations over signals, defining relations between their values and their clocks. The SIGNAL compiler's clock calculus β a type-theoretic analysis β statically determines whether the clock constraints imposed by all the equations are simultaneously satisfiable. If they are, the program is coherent: its multi-rate concurrent behaviour is well-defined. If they are not, the compiler reports a clock error before any code is generated.
This static clock analysis is the key innovation of SIGNAL over its synchronous siblings. Where Lustre checks clock compatibility at each composition boundary and requires explicit clock conversion operators, SIGNAL infers clock relations globally and verifies their consistency as a system of algebraic constraints.
-- Simple rate-divider: output y at half the rate of x
process HalfRate =
(? integer x)
(! integer y)
|
y := x when (event x default false)
;
In this example, event x has a clock that is present at every other instant of x's clock (when x changes), creating a derived clock at half the rate.
Polychrony: Multi-Rate Systems
The industrial motivation for polychrony is that complex embedded systems are inherently multi-rate. An automotive embedded system might combine:
- A 100 Hz sensor sampling loop reading accelerometers and gyroscopes
- A 50 Hz control loop computing actuator outputs from sensor data
- A 10 Hz diagnostic loop logging system health data
- A 1 Hz communication bus sending data to other ECUs via CAN
Each of these components has a natural clock. The system as a whole is a composition of components running at different rates, connected by clock-domain crossings. Managing these crossings correctly β ensuring that data is consistently transferred between clock domains without race conditions or metastability β is one of the central engineering challenges of real-time embedded systems.
In Lustre, expressing this system requires explicit clock conversions at every interface. In SIGNAL, the components are written at their natural rates, and the clock calculus verifies that the overall composition is coherent. The compiler automatically generates the synchronisation code for clock-domain crossings.
Polychrony is the name both for this multi-rate model of computation and for the Polychrony toolset β the integrated development environment for SIGNAL developed and maintained at IRISA/INRIA Rennes. The Polychrony toolset includes:
- The SIGNAL compiler: Checks clock consistency and generates C or VHDL from SIGNAL specifications.
- Syndex: A companion tool for mapping SIGNAL specifications onto distributed multi-processor architectures, generating communication code for each processor and the bus. Developed at INRIA Rennes in collaboration with the Rocquencourt INRIA team.
- SME (Signal Model Editor): A graphical environment for SIGNAL specification.
- Verification tools: Integration with model checkers for safety property verification of SIGNAL specifications.
Polychrony is available as open-source software from INRIA, and has been used in several industrial contexts.
Industrial Applications: Thales, Dassault, Airbus
SIGNAL and the Polychrony toolset have found industrial application primarily in French aerospace and defence, consistent with the Rennes industrial ecosystem.
Thales Group π«π· (formerly Thomson-CSF, headquartered in Courbevoie with major sites in Rennes, Bordeaux, and Toulouse) is the principal French defence electronics company, producing avionics, radar, sonar, and electronic warfare systems. Thales researchers at the Rennes site collaborated with IRISA on SIGNAL development and application in avionics embedded systems. Thomson-CSF's avionics division used synchronous languages β including SIGNAL β for specification and verification of flight management and electronic warfare signal processing systems.
Dassault Aviation π«π· (Paris, Saint-Cloud, Bordeaux-MΓ©rignac) β the manufacturer of the Rafale fighter aircraft π«π· and the Falcon business jet family β has used synchronous approaches including SIGNAL for avionics software development. The Rafale's fly-by-wire flight control system and digital avionics require the kind of safety certification (DO-178C Level A in modern form) that synchronous language toolchains facilitate.
Airbus π«π·π©πͺπͺπΈ (Toulouse headquarters), while its primary synchronous tool dependency is SCADE (derived from Lustre), has been part of the broader ecosystem of French synchronous language research and has collaborated with INRIA on formal methods for avionics certification.
Space and satellite systems: CNES π«π· (Centre National d'Γtudes Spatiales, Toulouse) has collaborated with INRIA Rennes on SIGNAL-based specification of satellite on-board software β an application domain where multi-rate real-time behaviour (sensor sampling, attitude control, communication) and formal verification for safety are both critical.
Hardware/Software Co-Design: SIGNAL and VHDL
One of the distinctive capabilities of the SIGNAL toolchain is generation of VHDL (VHSIC Hardware Description Language) from SIGNAL specifications. VHDL is the standard language for describing digital hardware β FPGAs, ASICs, and similar.
This SIGNAL-to-VHDL path enables hardware/software co-design: a single SIGNAL specification can be compiled to either C (for software implementation on a processor) or VHDL (for hardware implementation on an FPGA or ASIC). The same formal specification serves both targets, ensuring that hardware and software implementations are provably consistent.
For embedded signal processing applications β real-time radar signal processing, cryptographic accelerators, communications baseband processing β where algorithms may initially be prototyped in software and later migrated to FPGA for performance, this dual-compilation path is particularly valuable. A SIGNAL specification of a digital filter, for example, can be compiled to C for simulation and to VHDL for FPGA synthesis, with the same formal semantics guaranteeing that the hardware implementation matches the software model.
This capability differentiates SIGNAL from Esterel and Lustre, both of which target software implementation primarily (Esterel to C; Lustre via SCADE to C with DO-178C qualification).
Formal Verification and Safety Certification
Like Esterel and Lustre, SIGNAL supports formal verification workflows that are relevant to safety-critical certification.
DO-178C (Software Considerations in Airborne Systems and Equipment Certification) β the aerospace software standard that governs avionics development β requires, at its highest assurance levels (Levels A and B), evidence that the software correctly implements its requirements and contains no undocumented functions. Model-based development using synchronous languages, combined with formal verification tools, provides this evidence.
For SIGNAL-based development:
- The clock consistency check performed by the SIGNAL compiler is itself a formal verification: it proves that the multi-rate concurrent behaviour of the specification is well-defined.
- The Polychrony verification tools can check safety properties of SIGNAL specifications using model checking, generating formal proof obligations.
- The code generator (SIGNAL β C or SIGNAL β VHDL) provides a qualified code generation path: if the generator is qualified under DO-330 (Software Tool Qualification Considerations), the generated code inherits the formal properties of the specification.
EN 50128 (Railway applications β Software for railway control and protection systems) β the rail safety standard used by SNCF π«π· (TGV), Deutsche Bahn π©πͺ, and other European railways β places similar demands on safety-critical software. Synchronous language toolchains including SIGNAL-based approaches have been applied to railway interlocking and train control systems.
EU AI Act (Regulation EU 2024/1689), Article 15, requires that high-risk AI systems demonstrate accuracy, robustness, and cybersecurity. For embedded AI components in safety-critical systems (aviation, automotive, medical devices), formal verification workflows analogous to those enabled by SIGNAL provide the mathematical guarantees that EU AI Act conformity assessment requires.
The French Synchronous School: Three Languages, One Paradigm
SIGNAL, Esterel, and Lustre represent three syntactically and semantically distinct realisations of the same underlying synchronous paradigm. Their co-existence was not competitive fragmentation but productive intellectual diversity: each language made different design choices that illuminated different aspects of the design space.
Esterel excels at control-dominated reactive systems: sequential protocols, mode-switching logic, preemption and exception handling. The Esterel compiler's formal verification of absence of race conditions and determinism provides safety guarantees by construction.
Lustre excels at data-flow systems: signal processing, filter networks, control laws. Its purely functional semantics makes reasoning about data transformation straightforward, and the SCADE industrial toolchain has made it the dominant synchronous language in certified avionics.
SIGNAL excels at multi-rate systems where components naturally run at different clock rates. Its clock algebra and polychronous model are uniquely suited to systems where clock-domain crossing is a central engineering concern β heterogeneous embedded platforms, hardware/software co-design, and multi-processor distributed real-time systems.
The three languages have cross-pollinated throughout their history. Lustre borrowed ideas from SIGNAL's clock calculus to add sub-clocking; Esterel's industrial successor SCADE incorporated data-flow features from Lustre. The French Synchronous School produced a family of tools β Heptagon (INRIA Paris, an open-source Lustre dialect in OCaml), CADP (INRIA Grenoble, for process algebra including LOTOS), Polychrony (INRIA Rennes) β that collectively provide a comprehensive formal methods ecosystem for safety-critical reactive systems, entirely sourced from EU academic research institutions.
GDPR, EU AI Act, and Polychronous Formal Methods
The regulatory relevance of SIGNAL extends across several EU frameworks.
GDPR Article 25 (Data Protection by Design and by Default) requires that controllers implement data minimisation and purpose limitation by default. A SIGNAL specification of a data processing system can formally verify that sensor data from one clock domain (collected at high rate) is correctly reduced to an anonymised aggregate at a lower-rate output clock β providing formal evidence that the system does not inadvertently propagate raw personal data at rates where it could be identified.
EU AI Act Article 9 (Risk Management System) requires that providers of high-risk AI implement systematic risk management throughout the lifecycle. For AI components embedded in real-time safety-critical systems (autonomous vehicle perception, avionics decision support), SIGNAL's formal clock consistency proofs and safety property verification provide technical evidence for the risk management documentation that Article 9 requires.
NIS2 Directive (EU) 2022/2555 requires operators of essential services to ensure the security and resilience of their network and information systems. For real-time communication systems with multi-rate data flows β where timing attacks exploit clock domain boundaries β formal clock analysis via SIGNAL provides a level of assurance about temporal isolation that informal testing cannot achieve.
Deploying SIGNAL-Derived Systems to Europe with sota.io
The Polychrony toolset compiles SIGNAL specifications to C, producing code that implements the polychronous behaviour described in the specification. This C code β or a service that incorporates it β can be containerised and deployed to European infrastructure.
# Install Polychrony toolset (INRIA Rennes)
# Available from http://www.irisa.fr/espresso/Polychrony/
# Compile SIGNAL specification to C
signal2c my_system.sig
# Build and containerise
cat > Dockerfile << 'EOF'
FROM debian:bookworm-slim
COPY signal_system /usr/local/bin/
CMD ["/usr/local/bin/signal_system"]
EOF
docker build -t my-signal-service .
Whether you are deploying a SIGNAL-derived embedded system backend, a polychronous model verification service, or a modern distributed system whose architecture draws on the clock-domain analysis principles that SIGNAL pioneered, you need EU infrastructure that satisfies the regulatory requirements of European customers.
sota.io is the EU-native platform-as-a-service built precisely for this. Your services run on German infrastructure, in data centres that comply with ISO 27001 and the data sovereignty requirements of the EU General Data Protection Regulation. Managed PostgreSQL is included β no configuration, no cross-border data transfers, no Schrems II risk. The same EU-native philosophy that drove Pierre Le Guernic and IRISA Rennes to build SIGNAL β rigorous formal guarantees for safety-critical systems, accountable to European standards β is the philosophy that sota.io brings to European cloud infrastructure.
# Deploy your SIGNAL-derived service to EU infrastructure
curl -fsSL https://cli.sota.io/install.sh | sh
sota login
sota deploy --region eu-central-1
The Polychrony toolset compiles SIGNAL to C. sota.io deploys C-based services to EU infrastructure. The formal properties proven by the SIGNAL clock calculus β coherence of multi-rate concurrent behaviour, absence of clock inconsistencies β carry through to the deployed system. EU-native research, EU-native infrastructure, EU-native regulatory compliance.
See also: Deploy Esterel to Europe β β GΓ©rard Berry π«π· (INRIA Sophia-Antipolis), synchronous reactive programming, SCADE and Airbus A320 fly-by-wire. Deploy Lustre to Europe β β Nicolas Halbwachs π«π· (IMAG Grenoble/VERIMAG), synchronous dataflow, Airbus DO-178C Level A and EDF nuclear. Deploy LOTOS to Europe β β Francis Boudol π«π· + Ed Brinksma π³π±, ISO 8807 process algebra, OSI protocol formal specification.