Simon Collart-Dutilleul - Academia.edu

Papers by Simon Collart-Dutilleul

Formalizing Railway Signaling System ERTMS/ETCS Using UML/Event-B

Model and Data Engineering, 2018

Critical systems like railway signaling systems need to guarantee important properties such as safety. Formal methods have achieved considerable success in designing critical systems with verified desirable properties. In this paper, we propose a formal model of ERTMS/ETCS (European Rail Traffic Management System/European Train Control System) which is an innovative railway signaling system. This work focuses on Hybrid ERTMS/ETCS Level 3 which is currently under design, by studying and modeling the functionalities and relations of its different sub-systems. The proposed model is based on model transformation from UML (Unified Modeling Language) class diagrams to the Event-B formal language. UML is used as the primary modeling notation to describe the structure and the main characteristics of the studied system. The generated Event-B model is enriched by the formalization of safety properties. We verify and validate the correctness of the proposed formalization using the ProB model-checker and animator.

Control synthesis for timed discrete event systems: application to the level crossing

Our work lies within the general problem of safety in rail transport, and more specifically around the use of discrete and formal methods aimed at evaluating and validating certain safety requirements. The level crossing is a critical component of the rail network. Precise temporal specifications are therefore used to verify the safety requirements. In this context, we focused on the analysis and control of systems with sojourn time constraints. The approach we propose for supervisory control synthesis is based on p-time Petri nets.

Checking the European Railways Traffic Management System (ERTMS) operating rules using UML and the B method

Computers in Railways XIV, 2014

Interoperability is a critical factor for cost cutting and performance increasing in European railway exchanges. The European Railways Traffic Management System (ERTMS), which is both a specification and a technological framework, aimed at providing an answer to the above interoperability needs. Considering the implementation of ERTMS in a particular national context, operating rules must be compliant with the ERTMS specification, whereas the whole system has to provide some safety properties. Moreover, the management of railway signalling in ERTMS is based on "not on board rules" pertaining to each country and not on global rules. In consequence, it is difficult to evaluate the system in terms of safety. Thus, one of the main propositions of this study is to supply methodological tools for the evaluation of the global consistency between the specification and the operating rules, with regard to safety. This issue is crucial and yet it has scarcely been covered by scientific literature.

Integration of B Activity into a Global Design Process of Critical Software

Procedia - Social and Behavioral Sciences, 2012

A set of design oriented scientific tools to assist abstract B machine specification

3rd IEEE International Symposium on Logistics and Industrial Informatics, 2011


Formal Validation of Interlocking Under Signaling Rules

Operating Rules and Interoperability in Trans-National High-Speed Rail, 2021

Industrial needs concerning the safety analysis of a French implementation of ERTMS

2015 International Conference on Industrial Engineering and Systems Management (IESM), 2015

The study is based on an industrial expression pointing to the usual way of performing a safety analysis: one consults the national railway accident database in order to evaluate the defense capacity of the system against scenarios of real past accidents. This first analysis can be complemented by considering the quasi-accident scenarios. The data corresponding to this second step are critical because they correspond to industrial data which are not public. A first result of this study is the identification of a class of accident. The main argument is that the similarities of two accidents or quasi-accidents allow defining some critical elements of a typical class of accidents. A case study of an analysis of the accident that occurred in “St Romaine en Giers” is proposed. The corresponding documentation may be found in [1]. A second step towards a safe implementation assessment is the definition of a typical railway infrastructure. The idea is to play the scenario on an infrastructure embedding the main design assumptions which are used in the considered railway line. The specification of this infrastructure has to be detailed in such a way that the simulation can be considered as realistic. Then, we are facing a security problem related to industrial confidentiality. It may be dangerous, and consequently forbidden, to communicate safety critical information corresponding to an industrial infrastructure. The proposed solution is to identify a virtual infrastructure which is fully documented in order to be able to communicate. This infrastructure was named an “academic benchmark”, as it allows testing some technologies and scenarios while avoiding all the problems mentioned above [2]. The result of the study is the specification of a typical scenario that can be played on a typical infrastructure. Then, this system can be modelled using various modelling tools in order to assess various safety related aspects of the system [3]. In any case, this academic benchmark is one of the main deliverables embedding most of the safety related industrial needs.

Formal Specification of Environmental Aspects of a Railway Interlocking System Based on a Conceptual Model

Conceptual Modeling, 2019

Relay-based Railway Interlocking Systems (RIS) are developed with the objective of controlling the movement of trains in a safe manner. However, these systems are generally specified by informal languages whose analyses are made by human inspection, which are error prone. A previous work presented an approach for specifying these systems in a formal language in order to automatically prove safety properties. Nevertheless, despite the impact of the environment over the system operation, the approach allows only the specification of the electrical components behaviour. Hence, the environment must be considered in the system specification in order to guarantee its safety. This paper presents the application of a higher level of modelling abstraction, conceptual modelling, which may provide a conceptual clarification of the RIS environment. This proposed conceptual model allows a semantic analysis of the environmental impact over the system and the description of other safety properties that have not been considered in the formal specification. In this work, an ontology built for the critical systems modelling is used in order to provide a terminological harmonisation between the physical elements of the system and the environment. The conceptual model allows a safety-oriented improvement of the RIS formal specification as well as it provides a common, shared and unambiguous view of both system and environment.

Designing Operating Rules for ERTMS Transnational Lines

Operating Rules and Interoperability in Trans-National High-Speed Rail, 2021

Model transformation from coloured Petri nets with prioritized transitions to B machines

2015 International Conference on Industrial Engineering and Systems Management (IESM), 2015

In model driven engineering, model transformation is the “heart and soul”. The purpose of using a model transformation is to save efforts and reduce errors by automatically building the models that conform to different modelling languages. In the French railway industry, the Petri nets and the B method are two recognized formal methods for safety critical systems, having their own successful applications. The Petri nets are a mathematical modelling language for describing the distributed systems, and they offer superior graphical notations for stepwise processes. The B method is a software development method based on abstract machine notations and the concept of refinement. There are already some tools supporting B language. The Petri nets are accepted by the French railway specialists, because they have user-friendly notations. Consequently, various railway systems and key components have been specified by Petri nets and have been validated by railway experts. For a better model representation, the “prioritized transitions” can be a useful mechanism in such models. In order to produce the final executable codes and to make use of all the existing valid models, this paper introduces a transformation method, which could take advantage of both formal languages and transform a valid Petri net model to an abstract B machine. This transformation is presented with a systematic mapping process and illustrated by a case study.

Integrated approach using formal models and simulation environment

2015 International Conference on Industrial Engineering and Systems Management (IESM), 2015

The approach of this study, which is the third step of the Perfect project, is based on the ERTMS simulation framework compliant with the official European specifications. The aim of this study is threefold.

Identifying Alterability States of a Single Track Railway Line Control System

International Journal of Computers Communications & Control

In the context of automation and deployment of computer based control systems, a specific application to French low traffic single track railway lines is proposed. The issue of updates requires thorough consideration. In the case of low traffic single track railway lines, when handling the removal of a shunting track, whose role is to allow trains to circulate in both directions of the same line, the issue of timing the update to the control system is particularly critical. Indeed, a wrongly timed update could lead to a deadlock, while one or more trains are expected to travel while respecting safety constraints on the blocked infrastructure. This paper studies the application of works from the field of dynamic software updating, specifically the works of Panzica La Manna et al. [12]. Using their results on a graph based model of a single track rail line, it identifies alterability states that ensure safety constraints are respected at all times without causing deadlocks. T...

ATO over ETCS: A System Analysis for Freight Trains

WIT Transactions on The Built Environment

Automatic train operation under the supervision of a human driver is sometimes presented as a first step toward autonomous trains. This paper provides a system analysis of the available norms dealing with automatic train operation under driver supervision. Clarifications that have to be introduced to make it compatible with an autonomous train module are highlighted. Then, the work focuses on the collaboration between an automatic software for braking and accelerating in the European normative and technological context, known as ATO over ETCS. The study of the available documents allows proposing an architectural model of this global system containing on board automation and on track automated specific devices. The main motivation behind using this technical architecture is to trace a future implementation that preserves the high-level goals. This technical contribution is a first step for building an integrated approach to specify a correct system by construction, conforming to the industrial norms of automated train. In this paper, we explain how it is relevant to use a norm based technical architecture, providing intellectual references that allow drivers to identify various functioning phases where, depending on the overall context, they can let an automatic system drive the train or not.

Parallelized verification of temporal properties on execution traces by formal dynamic analysis

HAL (Le Centre pour la Communication Scientifique Directe), Jun 9, 2015

Verification methods can be classified according to two criteria: a method can be static or dynamic, and formal or informal. This paper continues doctoral work on the verification of temporal properties on execution traces by formal dynamic analysis. The proposed approach consists in transforming an LTL property into a Büchi automaton and executing the latter on a trace in order to analyse it. The end-of-trace problem linked to the use of LTL on finite traces can be circumvented by computing statistical information, provided that the property follows a predefined pattern. For very large traces, this approach is well suited, but it requires the trace to be verified sequentially. This article proposes to remedy this problem by splitting the trace into several sub-traces that can be analysed separately, following a defined strategy, which yields a significant time saving.

An Automated Method for the Study of Human Reliability in Railway Supervision Systems

IEEE Transactions on Intelligent Transportation Systems, 2018

This paper presents an original experimental protocol which aims to study human reliability in railway systems by computing the human error probability (HEP) of human operators. The experiment is conducted on a railway traffic management system that places operators in simulated situations involving railway failures. The obtained experimental result is analyzed firstly by two classical Human Reliability Analysis methods to estimate the HEP of each subject. Then, a model of human operators using Valuation-Based System (VBS) is proposed. Finally, a methodology automatically populates the proposed model by allowing the verification of temporal properties on the simulation trace.

Accident Root Causes Identification Using a Taxonomy

WIT Transactions on The Built Environment, 2020

Railway accidents are rare, but for the sake of safety improvement they are all investigated by experts. Whereas this solution has proven effective in increasing the overall safety of transportation, the lack of a formalized methodology for analysing similar accidents may lead to common root causes going undetected and therefore not being removed. The aim of this work is to propose a formalized taxonomy based on the accident causes, classified by main categories such as "technical causes", "human causes" or "organizational causes". This classification is then used as a seed for safety analysis, like fault tree analysis, to detect and quantify possible common root causes for similar railway accidents. Along with this paper, the methodology is exemplified on a specific accident type: the derailments caused by over-speed in curves.

Demonstrating the operational safety of remote train driving: context, methodology and challenges

In this communication, we present the general context and the methodology implemented to carry out the demonstration of the operational safety of remote driving of freight trains. In addition, we present a synthesis of the results, supported by a discussion of the methodology.

From a Solution Model to a B Model for Verification of Safety Properties

J. Univers. Comput. Sci., 2013

In the context of safety requirement engineering, model transformation is a task of interest. Indeed, it allows us to keep all the requirements while switching from one point of view to another. The presented work assumes that a valid solution has been found and proposes an approach in order to build a valid implementation. As some fine dynamic properties are integrated into the specification, high-level Petri nets are used to specify and verify the solution. Then, considering an industrial railway context, the transformation of the Petri net model in order to provide an input to a B process is considered. This last consideration leads to a proposition of a systematic direct transformation of the Petri net model into abstract B machines. The approach is illustrated by a theoretical railway example. The limitations of this approach are discussed at the end of the paper and some prospects are detailed.

Case study of a remotely operated railway mission

When designing a new system, a preliminary risk analysis is required. Once the risks have been properly identified, the goal is to formalize a defence against each plausible failure. Imagine, for example, that as part of a new system one wishes to drive a train from a remote driving station, relying on modern telecommunication means and a technical device for perceiving the environment embedded in the train; the new system integrating these particular environment-perception and remote-operation devices requires a global safety analysis. This safety analysis must consider the socio-technical aspect of the system and its environment. In this study, we focus on a particular aspect of the train driver's work: the operations to be carried out during a driving mission that are not directly driving actions. In this category...

Conceptual Modelling of the Dynamic Goal-oriented Safety Management for Safety Critical Systems

Proceedings of the 14th International Conference on Software Technologies, 2019

In the context of Safety Critical Systems (SCSs), safety measures derived from the dysfunctional analysis are generally expressed in an informal way. However, in an early phase of SCSs design, there is a need to link these safety measures to Goal-Oriented Requirements Engineering (GORE) concepts. Moreover, the current practice of the safety measures development is not based on a specific goal-oriented control model. Since there are different knowledge domains, there is a lack of a common vocabulary aiming to avoid the semantic heterogeneity between them. Consequently, a common model for an unambiguous knowledge sharing and a full semantic interoperability assurance is missing. In this paper, we propose the Goal-Oriented Safety Management Ontology (GOSMO), a domain ontology, which is grounded in the Unified Foundational Ontology (UFO) and provides a conceptualization and a real-world semantic interpretation of the knowledge matching for SCSs. Furthermore, the proposed safety measures development process is performed using a reinterpretation from the safety point of view of the Organization-Based Control Access (Or-BAC), which was initially developed for the Information Systems (IS) security. The GOSMO aims to capture the alignment between the considered domains concepts through the reference models reuse and the proposed taxonomy based on standards definitions. The proposed ontology is evaluated by the formalization of two case studies from the railway domain, since it is the target application domain. Finally, the evaluation results show that GOSMO covers and analyses several real critical situations and fulfils its intended purpose.

Research paper thumbnail of Formalizing Railway Signaling System ERTMS/ETCS Using UML/Event-B

Model and Data Engineering, 2018

Critical systems like railway signaling systems need to guarantee important properties such as sa... more Critical systems like railway signaling systems need to guarantee important properties such as safety. Formal methods have achieved considerable success in designing critical systems with verified desirable properties. In this paper, we propose a formal model of ERTMS/ETCS (European Rail Traffic Management System/European Train Control System) which is an innovative railway signaling system. This work focuses on Hybrid ERTMS/ETCS Level 3 which is currently under design, by studying and modeling the functionalities and relations of its different sub-systems. The proposed model is based on model transformation from UML (Unified Modeling Language) class diagrams to the Event-B formal language. UML is used as the primary modeling notation to describe the structure and the main characteristics of the studied system. The generated Event-B model is enriched by the formalization of safety properties. We verify and validate the correctness of the proposed formalization using the ProB model-checker and animator.

Research paper thumbnail of Synthèse de contrôle de systèmes à événements discrets temporisés : application au passage à niveau

Notre travail se situe dans une problematique generale de securite dans les transports ferroviair... more Notre travail se situe dans une problematique generale de securite dans les transports ferroviaires et plus particulierement autour de l'utilisation de methodes discretes et formelles visant a evaluer et valider certaines exigences de securite. Le passage a niveau est un composant critique du reseau ferre. Ainsi, des specifications temporelles precises sont utilisees pour verifier les exigences de securite. Dans ce contexte, nous avons porte notre interet sur l'analyse et le controle des systemes a contraintes de temps de sejour. L'approche que nous proposons pour la synthese de la commande par supervision est basee sur les reseaux de Petri p-temporels.

Research paper thumbnail of Checking the European Railways Traffic Management System (ERTMS) operating rules using UML and the B method

Computers in Railways XIV, 2014

Interoperability is a critical factor for cost cutting and performance increasing in European rai... more Interoperability is a critical factor for cost cutting and performance increasing in European railway exchanges. The European Railways Traffic Management System (ERTMS), which is both a specification and a technological framework, aimed at providing an answer to the above interoperability needs. Considering the implementation of ERTMS in a particular national context, operating rules must be compliant with the ERTMS specification, whereas the whole system has to provide some safety properties. Moreover, the management of railway signalling in ERTMS is based on "not on board rules" pertaining to each country and not on global rules. In consequence, it is difficult to evaluate the system in terms of safety. Thus, one of the main propositions of this study is to supply methodological tools for the evaluation of the global consistency between the specification and the operating rules, with regard to safety. This issue is crucial and yet it has scarcely been covered by scientific literature.

Research paper thumbnail of Integration of B Activity into a Global Design Process of Critical Software

Procedia - Social and Behavioral Sciences, 2012

Research paper thumbnail of A set of design oriented scientific tools to assist abstract B machine specification

3rd IEEE International Symposium on Logistics and Industrial Informatics, 2011

... simon.collarCdutilleul@ec-lille.fr F-59650 Villeneuve d' Ascq, France Email: philippe.bon... more ... simon.collarCdutilleul@ec-lille.fr F-59650 Villeneuve d' Ascq, France Email: philippe.bon@ifsttar. fr F-59300 Valenciennes, France Email: dorian.petit@univ ... It comes from the merger of main object oriented methods, such as GMT or Booch & Jacobson, and was normalised by the ...

Research paper thumbnail of Formal Validation of Interlocking Under Signaling Rules

Operating Rules and Interoperability in Trans-National High-Speed Rail, 2021

Research paper thumbnail of Industrial needs concerning the safety analysis of a French implementation of ERTMS

2015 International Conference on Industrial Engineering and Systems Management (IESM), 2015

The study is based on an industrial expression pointing as usual way of performing a safety analy... more The study is based on an industrial expression pointing as usual way of performing a safety analysis: one consults the national railway accident database in order to evaluate the defense capacity of the system against scenarios of real past accidents. This first analysis can be complemented by considering the quasi accident scenarios. The data corresponding to this second step are critical because they correspond to industrial data which are not public. A first result of this study is the identification of a class of accident. The main argument is that the similarities of two accidents or quasi accident allow defining some critical elements of a typical class of accidents. A case study of an analysis of the accident that occurred in “St Romaine en Giers” is proposed. The corresponding documentation may be found in [1]. A second step towards a safe implementation assessment is the definition of a typical railway infrastructure. The idea is to play the scenario on an infrastructure embedding the main design assumptions which are used in the considered railway line. The specification of this infrastructure has to be detailed such a way that the simulation can be considered as realistic. Then, we are facing a security problem related to industrial confidentiality. It may be dangerous and consequently forbidden, to communicate safety critical information corresponding to an industrial infrastructure. The proposed solution is to identify a virtual infrastructure which is fully documented in order to be able to communicate. This infrastructure was named an “academic benchmark”, as it allows testing some technologies and scenarios avoiding all problems mentioned above [2]. The result of the study is the specification of a typical scenario that can be played on a typical infrastructure. 
Then, this system can be modelled using various modelling tools in order to assess various safety related aspect of the system [3]. Anyway, this academic benchmark is one of the main deliverable embedding most of the safety related industrial needs.

Research paper thumbnail of Formal Specification of Environmental Aspects of a Railway Interlocking System Based on a Conceptual Model

Conceptual Modeling, 2019

Relay-based Railway Interlocking Systems (RIS) are developed with the objective of controlling th... more Relay-based Railway Interlocking Systems (RIS) are developed with the objective of controlling the movement of trains in a safe manner. However, these systems are generally specified by informal languages whose analyses are made by human inspection, which are error prone. A previous work presented an approach for specifying these systems in a formal language in order to automatically prove safety properties. Nevertheless, despite the impact of the environment over the system operation, the approach allows only the specification of the electrical components behaviour. Hence, the environment must be considered in the system specification in order to guarantee its safety. This paper presents the application of a higher level of modelling abstraction, conceptual modelling, which may provide a conceptual clarification of the RIS environment. This proposed conceptual model allows a semantic analysis of the environmental impact over the system and the description of other safety properties that have not been considered in the formal specification. In this work, an ontology built for the critical systems modelling is used in order to provide a terminological harmonisation between the physical elements of the system and the environment. The conceptual model allows a safety-oriented improvement of the RIS formal specification as well as it provides a common, shared and unambiguous view of both system and environment.

Research paper thumbnail of Designing Operating Rules for ERTMS Transnational Lines

Operating Rules and Interoperability in Trans-National High-Speed Rail, 2021

Research paper thumbnail of Model transformation from coloured Petri nets with prioritized transitions to B machines

2015 International Conference on Industrial Engineering and Systems Management (IESM), 2015

In model driven engineering, model transformation is the “heart and soul ”. The purpose of using ... more In model driven engineering, model transformation is the “heart and soul ”. The purpose of using a model transformation is to save efforts and reduce errors by automatically building the models that conform to different modelling languages. In the French railway industry, the Petri nets and the B method are two recognized formal methods for safety critical systems, having their own successful applications. The Petri nets are a mathematical modelling language for describing the distributed systems, and they offer superior graphical notations for stepwise processes. The B method is a software development method based on abstract machine notations and the concept of refinement. There are already some tools supporting B language. The Petri nets are accepted by the French railway specialists, because they have user-friendly notations. Consequently, various railway systems and key components have been specified by Petri nets and have been validated by railway experts. For a better model representation, the “prioritized transitions” can be a useful mechanism in such models. In order to produce the final executable codes and to make use of all the existing valid models, this paper introduces a transformation method, which could take advantage of both formal languages and transform a valid Petri net model to an abstract B machine. This transformation is presented with a systematic mapping process and illustrated by a case study.

Integrated approach using formal models and simulation environment

2015 International Conference on Industrial Engineering and Systems Management (IESM), 2015

This study, which is the third step of the Perfect project, is based on an ERTMS simulation framework compliant with the official European specifications. The aim of the study is threefold.

Identifying Alterability States of a Single Track Railway Line Control System

International Journal of Computers Communications & Control

In the context of the automation and deployment of computer-based control systems, a specific application to French low-traffic single-track railway lines is proposed. The issue of updating such systems requires thorough consideration. On low-traffic single-track lines, when handling the removal of a shunting track, whose role is to allow trains to circulate in both directions on the same line, the timing of the update to the control system is particularly critical. Indeed, a wrongly timed update could lead to a deadlock while one or more trains are expected to travel, under safety constraints, on the blocked infrastructure. This paper studies the application of work from the field of dynamic software updating, specifically that of Panzica La Manna et al. [12]. Using their results on a graph-based model of a single-track line, it identifies alterability states that ensure the safety constraints are respected at all times without causing deadlocks. T...

ATO over ETCS: A System Analysis for Freight Trains

WIT Transactions on The Built Environment

Automatic train operation under the supervision of a human driver is sometimes presented as a first step toward autonomous trains. This paper provides a system analysis of the available standards dealing with automatic train operation under driver supervision. The clarifications that must be introduced to make it compatible with an autonomous train module are highlighted. The work then focuses on the collaboration of automatic braking and acceleration software with the European train control system, known in the European normative and technological context as ATO over ETCS. The study of the available documents allows us to propose an architectural model of this global system, comprising on-board automation and trackside automated devices. The main motivation for using this technical architecture is to trace a future implementation that preserves the high-level goals. This technical contribution is a first step toward an integrated approach for specifying a system that is correct by construction and conforms to the industrial standards for automated trains. We explain how it is relevant to use a standards-based technical architecture, providing intellectual references that allow drivers to identify the various operating phases in which, depending on the overall context, they may or may not let an automatic system drive the train.

Parallelised Verification of Temporal Properties on Execution Traces by Formal Dynamic Analysis

HAL (Le Centre pour la Communication Scientifique Directe), Jun 9, 2015

Verification methods can be classified according to two criteria: a method can be static or dynamic, and formal or informal. This paper continues doctoral work on the verification of temporal properties on execution traces by formal dynamic analysis. The proposed approach consists in transforming an LTL property into a Büchi automaton and executing the latter on a trace in order to analyse it. The end-of-trace problem arising from the use of LTL on finite traces can be circumvented by computing statistical information, provided that the property follows a predefined pattern. For very large traces this approach is well suited, but it requires the trace to be checked sequentially. This article proposes to remedy this problem by cutting the trace into several sub-traces that can be analysed separately, following a defined strategy, which yields a significant saving in time.
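The following is an added example, not code from the paper above: it checks a temporal property of the response pattern, G(req -> F ack), on a finite execution trace, reports the end-of-trace problem as statistics (requests still open when the trace ends are counted as inconclusive rather than as violations), and then performs the same check by cutting the trace into sub-traces that are summarised independently and merged. Assumptions: events are plain strings, "req" and "ack" are the property's two atomic propositions, the trace data is constructed, and the two-state monitor stands in for the Büchi automaton the paper derives from the LTL formula. The merge rule is what makes the split sound: the first ack in a sub-trace closes every request left open by earlier sub-traces, so a summary only needs to record how many requests it left open and whether it contained an ack at all.

```python
"""Added example: response-pattern monitoring of a finite trace, sequential
and split into independently analysable sub-traces (not the paper's code)."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Iterable, List
import random

REQ, ACK = "req", "ack"   # assumed atomic propositions of G(req -> F ack)


@dataclass(frozen=True)
class Verdict:
    satisfied: int   # requests that were eventually acknowledged
    pending: int     # requests still open at end of trace: inconclusive, not a violation


@dataclass(frozen=True)
class ChunkSummary:
    satisfied: int       # req/ack pairs resolved inside the sub-trace
    pending_at_end: int  # requests still open when the sub-trace ends
    has_ack: bool        # an ack anywhere in the sub-trace closes all earlier open requests


def monitor_sequential(trace: Iterable[str]) -> Verdict:
    """Run the two-state monitor over the whole trace in order."""
    pending = satisfied = 0
    for ev in trace:
        if ev == REQ:
            pending += 1
        elif ev == ACK:
            satisfied += pending   # one ack discharges every open request
            pending = 0
    return Verdict(satisfied, pending)


def summarise_chunk(chunk: List[str]) -> ChunkSummary:
    """Analyse one sub-trace with no knowledge of what preceded it."""
    pending = satisfied = 0
    has_ack = False
    for ev in chunk:
        if ev == REQ:
            pending += 1
        elif ev == ACK:
            has_ack = True
            satisfied += pending
            pending = 0
    return ChunkSummary(satisfied, pending, has_ack)


def merge(summaries: List[ChunkSummary]) -> Verdict:
    """Combine per-chunk summaries in trace order, carrying open requests forward."""
    carried = satisfied = 0
    for s in summaries:
        satisfied += s.satisfied
        if s.has_ack:
            satisfied += carried        # the chunk's first ack closes what earlier chunks left open
            carried = s.pending_at_end
        else:
            carried += s.pending_at_end  # nothing closed anything: requests accumulate
    return Verdict(satisfied, carried)


def split(trace: List[str], size: int) -> List[List[str]]:
    return [trace[i:i + size] for i in range(0, len(trace), size)]


def monitor_parallel(trace: List[str], chunk_size: int, workers: int = 4) -> Verdict:
    """Same verdict as monitor_sequential, computed from independently analysed sub-traces."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        summaries = list(pool.map(summarise_chunk, split(trace, chunk_size)))
    return merge(summaries)


# Constructed sample trace: three requests are acknowledged, the last one is left open.
SMALL_TRACE = ["req", "other", "ack", "req", "req", "other", "ack", "other", "req"]


def synthetic_trace(n: int, seed: int = 7) -> List[str]:
    """Constructed pseudo-random trace for comparing the two analyses on a large input."""
    rng = random.Random(seed)
    return [rng.choice([REQ, ACK, "other", "other"]) for _ in range(n)]


if __name__ == "__main__":
    print(monitor_sequential(SMALL_TRACE))          # Verdict(satisfied=3, pending=1)
    print(monitor_parallel(SMALL_TRACE, chunk_size=4))
    big = synthetic_trace(100_000)
    assert monitor_sequential(big) == monitor_parallel(big, chunk_size=4096)
```

Threads are used here only to keep the example self-contained; with CPython a real speed-up on very large traces needs processes (or a compiled monitor), but the split-and-merge strategy is the same. The pattern restriction in the abstract shows up concretely: the merge is only this simple because the response pattern has a fixed shape, and an arbitrary LTL formula would not have such a small summary.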

An Automated Method for the Study of Human Reliability in Railway Supervision Systems

IEEE Transactions on Intelligent Transportation Systems, 2018

This paper presents an original experimental protocol aimed at studying human reliability in railway systems by computing the human error probability (HEP) of human operators. The experiment is conducted on a railway traffic management system that places operators in simulated situations involving railway failures. The experimental results are first analysed with two classical Human Reliability Analysis methods to estimate the HEP of each subject. Then a model of the human operators based on Valuation-Based Systems (VBS) is proposed. Finally, a methodology automatically populates the proposed model by verifying temporal properties on the simulation trace.

Accident Root Causes Identification Using a Taxonomy

WIT Transactions on The Built Environment, 2020

Railway accidents are rare, but for the sake of safety improvement they are all investigated by experts. While this practice has proven effective in increasing overall transport safety, the lack of a formalised methodological analysis of similar accidents may lead to common root causes going undetected and their removal being forgone. The aim of this work is to propose a formalised taxonomy based on accident causes, classified into main categories such as "technical causes", "human causes" or "organisational causes". This classification is then used as a seed for safety analyses, such as fault tree analysis, to detect and quantify possible common root causes of similar railway accidents. The methodology is exemplified on a specific accident type: derailments caused by over-speed in curves.

Demonstrating the Operational Safety of Remote Train Driving: Context, Methodology and Challenges

In this communication we present the general context as well as the methodology implemented to carry out the demonstration of the operational safety of the remote driving of freight trains. In addition, we present a synthesis of the results, supported by a discussion of the methodology.

From a Solution Model to a B Model for Verification of Safety Properties

J. Univers. Comput. Sci., 2013

In the context of safety requirements engineering, model transformation is a task of interest. Indeed, it allows us to keep all the requirements while switching from one point of view to another. The presented work assumes that a valid solution has been found and proposes an approach for building a valid implementation. As some fine-grained dynamic properties are integrated into the specification, high-level Petri nets are used to specify and verify the solution. Then, in an industrial railway context, the transformation of the Petri net model to provide an input to a B process is considered. This leads to a proposal for a systematic direct transformation of the Petri net model into abstract B machines. The approach is illustrated by a theoretical railway example. The limitations of the approach are discussed at the end of the paper and some prospects are detailed.
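Both this abstract and the one on coloured Petri nets with prioritized transitions above describe mapping a validated Petri net onto an abstract B machine. The following added example (not code from either paper, and not the authors' mapping) shows one direct mapping for plain place/transition nets with transition priorities: each place becomes a NAT variable holding its marking, each transition becomes a B operation whose PRE guard requires enough tokens on its input places, and a transition of lower priority has its guard strengthened with the negation of every higher-priority transition's enabling condition, so the generated machine and the Python simulator agree on which transition may fire. The net used as input is constructed for the example: two trains waiting to enter a single-track section from opposite ends, with the eastbound entry given priority.

```python
"""Added example: Petri net with prioritized transitions -> abstract B machine text
(an illustrative mapping, not the papers' own transformation)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Transition:
    name: str
    inputs: Dict[str, int]    # place -> tokens consumed
    outputs: Dict[str, int]   # place -> tokens produced
    priority: int = 0         # higher value fires first when several are enabled


@dataclass
class PetriNet:
    name: str
    places: List[str]
    marking: Dict[str, int]
    transitions: List[Transition]


def enabling_condition(t: Transition) -> str:
    """B predicate: every input place carries at least the required tokens."""
    return " & ".join(f"{p} >= {k}" for p, k in sorted(t.inputs.items())) or "TRUE = TRUE"


def guard(net: PetriNet, t: Transition) -> str:
    """Enabling condition, blocked while any higher-priority transition is enabled."""
    parts = [enabling_condition(t)]
    parts += [f"not({enabling_condition(o)})" for o in net.transitions if o.priority > t.priority]
    return " & ".join(parts)


def effect(t: Transition) -> str:
    """Parallel substitution updating each touched place by its net token change."""
    delta: Dict[str, int] = {}
    for p, k in t.inputs.items():
        delta[p] = delta.get(p, 0) - k
    for p, k in t.outputs.items():
        delta[p] = delta.get(p, 0) + k
    assigns = [f"{p} := {p} {'+' if d > 0 else '-'} {abs(d)}" for p, d in sorted(delta.items()) if d]
    return " || ".join(assigns) or "skip"


def to_b_machine(net: PetriNet) -> str:
    ops = ";\n".join(
        f"    {t.name} =\n        PRE {guard(net, t)}\n        THEN {effect(t)}\n        END"
        for t in net.transitions)
    return "\n".join([
        f"MACHINE {net.name}",
        "VARIABLES", "    " + ", ".join(net.places),
        "INVARIANT", "    " + " & ".join(f"{p} : NAT" for p in net.places),
        "INITIALISATION", "    " + " || ".join(f"{p} := {net.marking.get(p, 0)}" for p in net.places),
        "OPERATIONS", ops, "END"])


# Simulator side: the same priority semantics the generated guards encode.
def plainly_enabled(marking: Dict[str, int], t: Transition) -> bool:
    return all(marking.get(p, 0) >= k for p, k in t.inputs.items())


def enabled_transitions(net: PetriNet, marking: Dict[str, int]) -> List[str]:
    """Names of transitions that may fire: enabled and not preempted by a higher priority."""
    return [t.name for t in net.transitions
            if plainly_enabled(marking, t)
            and not any(o.priority > t.priority and plainly_enabled(marking, o) for o in net.transitions)]


def fire(marking: Dict[str, int], t: Transition) -> Dict[str, int]:
    new = dict(marking)
    for p, k in t.inputs.items():
        new[p] -= k
    for p, k in t.outputs.items():
        new[p] = new.get(p, 0) + k
    return new


# Constructed net: single-track section entered from the east (ew/eo) or the west (ww/wo).
EXAMPLE_NET = PetriNet(
    name="SingleTrackSection",
    places=["ew", "ww", "free", "eo", "wo"],
    marking={"ew": 1, "ww": 1, "free": 1, "eo": 0, "wo": 0},
    transitions=[
        Transition("enter_east", {"ew": 1, "free": 1}, {"eo": 1}, priority=1),
        Transition("enter_west", {"ww": 1, "free": 1}, {"wo": 1}),
        Transition("leave_east", {"eo": 1}, {"free": 1}),
        Transition("leave_west", {"wo": 1}, {"free": 1}),
    ])

if __name__ == "__main__":
    print(to_b_machine(EXAMPLE_NET))
    print(enabled_transitions(EXAMPLE_NET, EXAMPLE_NET.marking))   # ['enter_east']
```

The generated `enter_west` operation carries the guard `free >= 1 & ww >= 1 & not(ew >= 1 & free >= 1)`, which is exactly the preemption the simulator applies; the single `free` token is what makes the two entries mutually exclusive and keeps the section from being occupied from both ends. Coloured tokens, as in the papers' nets, would additionally require typed variables and per-colour guards, which this mapping does not attempt.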

Case Study of a Remotely Operated Railway Mission

When designing a new system, a preliminary risk analysis is required. Once the risks are properly identified, the goal is to formalise a defence against each plausible failure. Imagine, for example, that within a new system one wishes to drive a train from a remote driving desk, relying on modern telecommunication means and a technical device for perceiving the environment embedded in the train; the new system integrating these particular devices for environment perception and remote operation requires a global safety analysis. This safety analysis must consider the socio-technical aspect of the system and its environment. In this study, we focus on a particular aspect of the train driver's activity: the operations to be performed during a driving mission that are not driving actions as such. In this category...

Conceptual Modelling of the Dynamic Goal-oriented Safety Management for Safety Critical Systems

Proceedings of the 14th International Conference on Software Technologies, 2019

In the context of Safety Critical Systems (SCSs), safety measures derived from dysfunctional analysis are generally expressed informally. However, in the early design phase of an SCS there is a need to link these safety measures to Goal-Oriented Requirements Engineering (GORE) concepts. Moreover, current practice in developing safety measures is not based on a specific goal-oriented control model. Since several knowledge domains are involved, a common vocabulary that avoids semantic heterogeneity between them is lacking, and consequently so is a common model for unambiguous knowledge sharing and full semantic interoperability. In this paper, we propose the Goal-Oriented Safety Management Ontology (GOSMO), a domain ontology grounded in the Unified Foundational Ontology (UFO), which provides a conceptualisation and a real-world semantic interpretation of the knowledge matching for SCSs. Furthermore, the proposed safety measures development process is performed using a reinterpretation, from the safety point of view, of the Organization-Based Access Control (OrBAC) model, which was initially developed for Information Systems (IS) security. GOSMO aims to capture the alignment between the concepts of the domains considered through the reuse of reference models and a proposed taxonomy based on standard definitions. The ontology is evaluated by formalising two case studies from the railway domain, the target application domain. The evaluation results show that GOSMO covers and analyses several real critical situations and fulfils its intended purpose.