SCHON Walter

Affiliations
  • 2012 - 2020
    Thales research and technology
  • 2012 - 2020
    Heuristique et diagnostic des systèmes complexes
  • 2012 - 2020
    Laboratoire d'informatique de l'École polytechnique
  • Combined Safety-Security in Rail Transportation Systems: Background, Challenges, and Methodologies.

    Mohamed SALLAK, Abdelmadjid BOUABDALLAH, Sadek rayan AKTOUCHE, Walter SCHON
    Lambda Mu 22 - Congrès de maîtrise des risques et de sûreté de fonctionnement | 2020
    The recent need for connectivity in railways introduces new security threats that are managed separately from traditional safety risks. We establish a state of the art on the combination of safety and security, their interactions, and methods to manage these risks jointly.
  • Combined Safety-Security in Rail Transportation Systems: Background, Challenges, and Methodologies.

    Sadek AKTOUCHE, Mohamed SALLAK, Abdelmadjid BOUABDALLAH, Walter SCHON
    Congrès Lambda Mu 22 « Les risques au cœur des transitions » (e-congrès) - 22e Congrès de Maîtrise des Risques et de Sûreté de Fonctionnement, Institut pour la Maîtrise des Risques | 2020
    The recent need for connectivity in railways introduces new security threats that are managed separately from traditional safety risks. We establish a state of the art on the combination of safety and security, their interactions, and methods to manage these risks jointly.
  • Erroneous models in neural networks and their threats for formal verification.

    Augustin VIOT, Benjamin LUSSIER, Walter SCHON, Stephane GERONIMI, Armando TACCHELLA
    Congrès Lambda Mu 22, « Les risques au cœur des transitions » | 2020
    This article explains why current dependability techniques are not suitable for neural networks (NN). It also shows with an experiment that we need to justifiably trust neural networks modeling before formal verification can be used for critical applications.
  • A graphical model based on performance shaping factors for a better assessment of human reliability.

    Subeer RANGRA, Mohamed SALLAK, Walter SCHON, Frederic VANDERHAEGEN
    Automation Challenges of Socio‐technical Systems | 2019
    The graphical representation of the expert system in the form of a valuation-based system enables an easy use of variables and their relationships, and consequently simplifies their use for analysts and non-experts. This chapter begins with an overview of the Performance shaping factor based human Reliability assEssment using vaLUation-baseD systEms (PRELUDE) methodology. PRELUDE is a human reliability analysis methodology. The chapter introduces a case study where the suggested methodology is used for the retrospective analysis of a real railway accident scenario. The complete methodology is made up of a qualitative section that considers human factors specifically related to one type of field or application, as well as a quantitative section that builds an expert system, formalizing expert knowledge and providing a frame for formal decision-making. Human reliability analysis supports decision-making by presenting quantitative results as probability intervals, i.e. an estimate of the probability of a human failure event.
  • Safety case confidence propagation based on Dempster–Shafer theory.

    Rui WANG, Jeremie GUIOCHET, Gilles MOTET, Walter SCHON
    International Journal of Approximate Reasoning | 2019
    Safety arguments, also called safety cases, are commonly used to demonstrate that adequate efforts have been made to achieve safety goals. Assessing the confidence of such arguments and decision-making is usually done manually and is heavily dependent on subjective expertise. Therefore, there is an urgent need for an approach that can assess confidence in the arguments in order to support decision-making. We therefore propose a quantitative approach, based on Dempster-Shafer (D-S) theory, to formalize and propagate confidence in safety cases. Goal Structuring Notation is adopted. The proposed approach focuses on the following issues regarding argumentation assessment: 1) formal definitions of confidence measures based on belief functions from D-S theory; and 2) the development of confidence aggregation rules for structured safety arguments with the help of Dempster's rule. Definitions of confidence measures and aggregation rules are deduced for single, double, and n-node arguments. Finally, a sensitivity analysis of aggregation rules is used to preliminarily validate this approach.
  • A valuation-based system approach for risk assessment of belief rule-based expert systems.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Henry x.g. MING
    Information Sciences | 2018
    No summary available.
  • An Automated Method for the Study of Human Reliability in Railway Supervision Systems.

    Antoine FERLIN, Siqi QIU, Philippe BON, Mohamed SALLAK, Simon COLLART DUTILLEUL, Walter SCHON, Zohra CHERFI BOULANGER
    IEEE Transactions on Intelligent Transportation Systems | 2018
    This paper presents an original experimental protocol, which aims to study human reliability in railway systems by computing the human error probability (HEP) of human operators. The experiment is conducted on a railway traffic management system that places operators in simulated situations involving railway failures. The obtained experimental result is analyzed first by two classical human reliability analysis methods to estimate the HEP of each subject. Then, a model of human operators using valuation-based system is proposed. Finally, a methodology automatically populates the proposed model by allowing the verification of temporal properties on the simulation trace.
  • Extended LK heuristics for the optimization of linear consecutive-k-out-of-n: F systems considering parametric uncertainty and model uncertainty.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Henry x.g. MING
    Reliability Engineering & System Safety | 2018
    No summary available.
  • Remaining useful life estimation methods for predictive maintenance models: defining intervals and strategies for incomplete data.

    A. DELMAS, M. SALLAK, W. SCHON, L. ZHAO
    Proceedings of the 10th IMA International Conference on Modelling in Industrial Maintenance and Reliability | 2018
    No summary available.
  • Risk and Safety Analysis of Autonomous Mainline Rail Transport: Context, Challenges and Solutions.

    Subeer RANGRA, Mohamed SALLAK, Walter SCHON, Fabien BELMONTE
    Congrès Lambda Mu 21 « Maîtrise des risques et transformation numérique : opportunités et menaces » | 2018
    In recent years, there have been significant technological advances in autonomous transportation. Urban rail transportation has a significant advantage in operating fully automated commercial transportation. Mainline rail transportation also aims to benefit from the advantages of automation. This work is carried out within the framework of the TAS project at IRT SystemX, with the partners SNCF, Alstom, Systra and the University of Technology of Compiègne. This paper presents the context of rail transport automation for main lines. The challenges of demonstrating safety, mainly for application software, are discussed. In addition, a risk analysis of some functions of a complete automation (GoA 3/4) is performed. The objective of this analysis is to identify the challenges of determining the safety objectives of such an autonomous system for further development and demonstration of compliance.
  • Fault Tolerant Deep Neural Networks for Detection of Unrecognizable Situations.

    Benjamin LUSSIER, Walter SCHON, Stephane GERONIMI, Kaoutar RHAZALI
    10th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes (SAFEPROCESS 2018) | 2018
    Deep Neural Networks are achieving great success in various fields. However, their use remains limited to non critical applications because their behavior is unpredictable and unsafe. In this paper we propose some fault tolerant approaches based on diversifying learning in order to improve DNNs dependability and particularly safety. Our main goal is to increase trust in the outcome of deep learning mechanisms by recognizing the unlearned inputs and preventing misclassification.
  • Life prediction methods for predictive maintenance models: interval calculation and strategies in the presence of uncertain data.

    Adrien DELMAS, Mohamed SALLAK, Walter SCHON, Linda ZHAO
    Congrès Lambda Mu 21, « Maîtrise des risques et transformation numérique : opportunités et menaces » | 2018
    No summary available.
  • Fault Tolerant Deep Neural Networks for Detection of Unrecognizable Situations.

    Kaoutar RHAZALI, Benjamin LUSSIER, Walter SCHON, Stephane GERONIMI
    IFAC-PapersOnLine | 2018
    Deep Neural Networks are achieving great success in various fields. However, their use remains limited to non critical applications because their behavior is unpredictable and unsafe. In this paper we propose some fault tolerant approaches based on diversifying learning in order to improve DNNs dependability and particularly safety. Our main goal is to increase trust in the outcome of deep learning mechanisms by recognizing the unlearned inputs and preventing misclassification.
  • Remaining useful life estimation methods for predictive maintenance models: defining intervals and strategies for incomplete data.

    A. DELMAS, Mohamed SALLAK, Walter SCHON, L. ZHAO
    10th IMA International Conference on Modelling in Industrial Maintenance and Reliability | 2018
    No summary available.
  • The Autonomous Train.

    Damien TRENTESAUX, Rudy DAHYOT, Abel OUEDRAOGO, Diego ARENAS, Sebastien LEFEBVRE, Walter SCHON, Benjamin LUSSIER, Hugues CHERITEL, Kiswendsida abel OUEDRAOGO
    2018 13th Annual Conference on System of Systems Engineering (SoSE) | 2018
    No summary available.
  • Modelling confidence in railway safety case.

    Rui WANG, Jeremie GUIOCHET, Gilles MOTET, Walter SCHON
    Safety Science | 2018
    Railway standard EN50129 clarifies the safety acceptance conditions of safety-related electronic systems for signalling. It requires using a structured argumentation, named Safety Case, to present the fulfilment of these conditions. As guidance for building the Safety Case, this standard provides the structure of high-level safety objectives and the recommendations of development techniques according to different Safety Integrity Levels (SIL). Nevertheless, the rationale connecting these techniques to the high-level safety objectives is not explicit. The proposed techniques stem from experts' belief in the effectiveness and efficiency of these techniques to achieve the underlying safety objectives. So, how should one formalize and assess this belief? And as a result, how much confidence can we have in the safety of railway systems when these standards are used? To deal with these questions, the paper successively addresses two aspects: 1) making explicit the safety assurance rationale by modelling the Safety Case with GSN (Goal Structuring Notation) according to the EN5012x standards; 2) proposing a quantitative framework based on Dempster-Shafer theory to formalize and assess the confidence in the Safety Case. A survey amongst safety experts is carried out to estimate the confidence parameters. With these results, an application guidance of this framework is provided based on the Wheel Slide Protection (WSP) system.
  • Safety Bag for complex systems.

    Manel BRINI, Walter SCHON, Benjamin LUSSIER
    2018
    Autonomous vehicles are critical systems. Indeed, their failures can cause catastrophic damage to humans and to the environment in which they operate. The control of robotic autonomous vehicles is a complex function with many potential failure modes. In the case of experimental platforms that have not followed the development methods and certification cycle required for industrial systems, the probability of failure is much higher. Indeed, these experimental vehicles face two problems that hinder their dependability, i.e. the justified confidence that one can have in their correct behavior. First of all, they are used in open environments, with a very large execution context. This makes their validation very complex, since many hours of testing would be necessary, without any guarantee that all the faults of the system are detected and then corrected. Moreover, their behavior is often very difficult to predict or to model. This may be due to the use of artificial intelligence software to solve complex problems such as navigation or perception, but also to the multiplicity of systems or components interacting and complicating the behavior of the final system, for example by generating emergent behaviors. One technique to increase the safety of these autonomous systems is the implementation of an independent safety component, called "Safety-Bag". This system is integrated between the control-command application and the vehicle's actuators, allowing it to check online a set of safety requirements, which are properties necessary to ensure the system's safety. Each safety requirement consists of a triggering condition and a safety intervention applied when the triggering condition is violated. This intervention consists of either a safety inhibition that prevents the system from evolving to a risky state or a safety action to return the autonomous vehicle to a safe state. The definition of safety requirements must follow a rigorous method to be systematic.
    To do this, we have carried out in our work a dependability study based on two fault-forecasting methods: FMECA (Failure Modes, Effects and Criticality Analysis) and HazOp-UML (Hazard and Operability Study), which focus respectively on the internal hardware and software components of the system and on the road environment and the driving process. The result of these risk analyses is a set of safety requirements. Some of these can be translated into safety requirements that the Safety-Bag can implement and verify; others cannot, so that the Safety-Bag remains a relatively simple and validatable component. Then, we performed experiments based on fault injection in order to validate some safety requirements and evaluate the behavior of our Safety-Bag. These experiments were done on our Fluence-type robotized vehicle in our laboratory in two different settings, first on the real SEVILLE track and then on the virtual track simulated by the Scanner Studio software on the VILAD bench. The Safety-Bag remains a promising but partial solution for industrial autonomous vehicles. On the other hand, it meets most of the needs to ensure the safety of experimental autonomous vehicles.
  • Validation of Safety Necessities for a Safety-Bag Component in Experimental Autonomous Vehicles.

    Manel BRINI, Paul CRUBILLE, Benjamin LUSSIER, Walter SCHON
    2018 14th European Dependable Computing Conference (EDCC) | 2018
    This work presents a study to improve the safety of experimental autonomous vehicles in the Heudiasyc laboratory. This work presents risk analyses showing that the use of our vehicles involves significant risks during experiments, and that integrating an Independent Safety Component called Safety-Bag in the vehicle architecture can significantly reduce these risks. The Safety-Bag carries out the on-line verification of safety necessities by checking the vehicle's current state with safety rules and taking or disabling actions to ensure a safe behavior. In our work, we present and we apply two methods for risk analysis (FMEA and HazOp-UML) to design these safety necessities in the case of experimental autonomous vehicles. We also present the validation of two safety necessities through fault injection experiments with a robotized Fluence vehicle and a vehicle in the loop testbed.
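As an added illustration of the Safety-Bag pattern described in the two entries above (an independent component placed between the control-command application and the actuators, each safety requirement being a triggering condition plus an inhibition or a safety action), here is example code written for this page; it is not the Heudiasyc laboratory's implementation. The vehicle state fields, the numeric limits and the three requirements are assumptions chosen for the demonstration, as is the fail-safe behaviour when no state is available.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed state and command records; the field names and units are assumptions.
@dataclass
class State:
    speed_mps: float          # current longitudinal speed
    obstacle_dist_m: float    # distance to the nearest obstacle ahead
    lateral_offset_m: float   # distance from the lane centre

@dataclass
class Command:
    throttle: float   # 0.0 .. 1.0
    brake: float      # 0.0 .. 1.0
    steer: float      # steering angle, rad

@dataclass
class SafetyRequirement:
    name: str
    # True when the requirement is violated by (state, command)
    trigger: Callable[[State, Command], bool]
    # the inhibition or safety action applied on violation
    intervention: Callable[[State, Command], Command]

def inhibit(cmd: Command) -> Command:
    """Safety inhibition: refuse the risky part of the command (no acceleration)."""
    return Command(throttle=0.0, brake=cmd.brake, steer=cmd.steer)

def emergency_stop(cmd: Command) -> Command:
    """Safety action: bring the vehicle back to a safe (stopped) state."""
    return Command(throttle=0.0, brake=1.0, steer=0.0)

MAX_SPEED_MPS = 8.0   # assumed limit for an experimental vehicle on a test track
MIN_GAP_M = 5.0       # assumed minimum distance to an obstacle
MAX_OFFSET_M = 1.0    # assumed maximum lateral deviation

# Hypothetical requirements derived from a risk analysis; ordered so that the
# strongest intervention (emergency stop) is evaluated last and wins.
REQUIREMENTS: List[SafetyRequirement] = [
    SafetyRequirement("speed limit",
                      lambda s, c: s.speed_mps > MAX_SPEED_MPS and c.throttle > 0.0,
                      lambda s, c: inhibit(c)),
    SafetyRequirement("obstacle gap",
                      lambda s, c: s.obstacle_dist_m < MIN_GAP_M and c.brake < 1.0,
                      lambda s, c: emergency_stop(c)),
    SafetyRequirement("stay in lane",
                      lambda s, c: abs(s.lateral_offset_m) > MAX_OFFSET_M,
                      lambda s, c: emergency_stop(c)),
]

def safety_bag(state: Optional[State], cmd: Command,
               requirements: List[SafetyRequirement] = REQUIREMENTS
               ) -> Tuple[Command, List[str]]:
    """Filter the controller's command before it reaches the actuators.

    Returns the command actually forwarded and the names of the violated
    requirements. Missing state is treated as a violation (fail-safe)."""
    if state is None:
        return emergency_stop(cmd), ["no vehicle state"]
    violated: List[str] = []
    out = cmd
    for req in requirements:
        # each check sees the command as already modified by earlier interventions
        if req.trigger(state, out):
            violated.append(req.name)
            out = req.intervention(state, out)
    return out, violated

if __name__ == "__main__":
    # constructed scenario: too fast and an obstacle too close at the same time
    sent, hits = safety_bag(State(9.0, 2.0, 0.0), Command(0.5, 0.0, 0.0))
    print(sent, hits)
```

The two design points worth keeping from the papers are visible here: the Safety-Bag only evaluates simple, independently validatable predicates over the state it receives, and every requirement pairs its trigger with an explicit intervention so that a violation never falls through to the raw command.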
  • Performance shaping factor based human reliability assessment using valuation-based systems : application to railway operations.

    Subeer RANGRA, Mohamed SALLAK, Walter SCHON, Frederic VANDERHAEGEN
    2017
    Humans continue to be one of the critical elements of modern transportation operations. Human Reliability Analysis (HRA) methods provide a multidisciplinary approach to evaluate the interaction between humans and the system.
  • A Graphical Model Based on Performance Shaping Factors for Assessing Human Reliability.

    Subeer RANGRA, Mohamed SALLAK, Walter SCHON, Frederic VANDERHAEGEN
    IEEE Transactions on Reliability | 2017
    Human reliability assessment (HRA) is an aspect of risk analysis concerned with identifying, analyzing, and quantifying the causes, contributions, and occurrence of human failures. Applications of existing HRA methods are often domain-specific, and difficult to implement even for experts. Also, due to the lack of empirical data, managing uncertainty is important, if not essential. In view of such limitations, we propose a new and comprehensive HRA methodology acronymed “PRELUDE” (Performance shaping factor-based human REliability assessment using vaLUation-baseD systEms). It is a quantitative and qualitative HRA methodology, applied to railway operations. The qualitative part characterizes a safety critical situation using performance shaping factors (PSFs). The PSFs are identified from domain specific human factors and PSF-based studies. The quantitative proposition is a framework of a graphical model (Valuation-based System) and belief functions theory. Appropriate representation and handling of all types of uncertainties, and combination of conflicting expert opinions is considered in this framework. To aid in the choice of appropriate combination method, combined expert data are discussed and compared using quantitative metrics. PRELUDE allows quantifying a human failure event given an operational context. Sensitivity analysis is used to establish a priority ranking among the PSFs. Finally, application on a railway accident scenario describes usage and applicability of our proposition.
  • Contribution to the predictive maintenance of components in the presence of incomplete data.

    Adrien DELMAS, Mohamed SALLAK, Walter SCHON, Linda ZHAO
    12th International Pluridisciplinary Congress on Quality, Dependability and Sustainability (QUALITA 2017) | 2017
    No summary available.
  • Estimation of Imprecise Reliability of Systems Using Random Sets and Monte Carlo Resampling Procedures.

    Yunhui HOU, Mohamed SALLAK, Walter SCHON
    IEEE Transactions on Systems, Man, and Cybernetics: Systems | 2017
    No summary available.
  • Safe design of consecutive-k-out-of-n systems under uncertainty.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Xin guo MING
    IFAC-PapersOnLine | 2017
    No summary available.
  • Application of Valuation-Based Systems for the availability assessment of systems under uncertainty.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Zohra CHERFI BOULANGER
    Control Engineering Practice | 2017
    No summary available.
  • Fault tolerance to detect undesirable neural network behavior.

    Benjamin LUSSIER, Walter SCHON, Stephane GERONIMI, Kaoutar RHAZALI
    12ème Congrès International Pluridisciplinaire en Qualité, Sûreté de fonctionnement et Développement durable (Qualita2017) | 2017
    Due to the rapid progress that artificial neural networks are currently experiencing, their implementation is extending to several domains. However, their use is not allowed in critical applications because their behavior is considered unpredictable and unsafe. In this paper, we present two approaches to provide software fault tolerance in neural networks in order to improve their safety. Our goal is to develop neural networks capable of detecting unknown situations that differ from the learned ones. One approach is to use diversified redundancy at the network level, and the second is to add a new output to the network capable of recognizing outliers.
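The decision logic that sits on top of the two mechanisms named in this entry and in the SAFEPROCESS 2018 entries above (diversified redundancy across several networks, and an extra "unknown" output per network for outliers) can be shown without the networks themselves. The following is example code written for this page, not the authors' code; the per-model output vectors are constructed by hand to stand in for softmax outputs, and the agreement, confidence and spread thresholds are assumptions.

```python
from typing import Dict, List, Tuple

UNKNOWN = "unknown"   # the additional output class trained to fire on outliers

Output = Dict[str, float]   # class label -> score from one diversified model

def argmax(probs: Output) -> str:
    return max(probs, key=probs.get)

def ensemble_decision(outputs: List[Output],
                      min_confidence: float = 0.7,
                      max_spread: float = 0.25) -> Tuple[str, str]:
    """Combine the outputs of diversely trained models into one accepted label
    or an UNKNOWN verdict. Returns (label, reason)."""
    if not outputs:
        return UNKNOWN, "no model output"
    labels = [argmax(o) for o in outputs]
    # 1) any model's outlier output wins: the input looks unlearned to it
    if UNKNOWN in labels:
        return UNKNOWN, "outlier output fired"
    # 2) diversified redundancy: disagreement is treated as an unknown situation
    if len(set(labels)) != 1:
        return UNKNOWN, "models disagree"
    label = labels[0]
    confs = [o[label] for o in outputs]
    # 3) unanimous but weak support is not accepted either
    if min(confs) < min_confidence:
        return UNKNOWN, "low confidence"
    # 4) a large spread between models signals an input near a decision boundary
    if max(confs) - min(confs) > max_spread:
        return UNKNOWN, "confidence spread"
    return label, "accepted"

# Constructed sample outputs of three diversified models for four inputs.
SAMPLES: Dict[str, List[Output]] = {
    "learned":   [{"car": 0.90, "ped": 0.05, UNKNOWN: 0.05},
                  {"car": 0.85, "ped": 0.10, UNKNOWN: 0.05},
                  {"car": 0.80, "ped": 0.15, UNKNOWN: 0.05}],
    "ambiguous": [{"car": 0.90, "ped": 0.05, UNKNOWN: 0.05},
                  {"car": 0.20, "ped": 0.75, UNKNOWN: 0.05},
                  {"car": 0.80, "ped": 0.15, UNKNOWN: 0.05}],
    "outlier":   [{"car": 0.55, "ped": 0.05, UNKNOWN: 0.40},
                  {"car": 0.30, "ped": 0.10, UNKNOWN: 0.60},
                  {"car": 0.50, "ped": 0.15, UNKNOWN: 0.35}],
    "boundary":  [{"car": 0.99, "ped": 0.00, UNKNOWN: 0.01},
                  {"car": 0.99, "ped": 0.00, UNKNOWN: 0.01},
                  {"car": 0.70, "ped": 0.25, UNKNOWN: 0.05}],
}

def classify_samples(samples: Dict[str, List[Output]] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    return {name: ensemble_decision(outs) for name, outs in samples.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:10s} -> {verdict}")
```

The order of the checks matters: an outlier output from any single model is honoured before majority or confidence reasoning, so a model that was trained on a different slice of the data cannot be outvoted when it is the only one to recognise the input as unfamiliar.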
  • Fault Tolerance from Formal Analysis of a Data Fusion Mechanism.

    Kaci BADER, Benjamin LUSSIER, Walter SCHON
    2017 First IEEE International Conference on Robotic Computing (IRC) | 2017
    No summary available.
  • Safe Design of Consecutive-K-out-of-N Systems under Uncertainty.

    Mohamed SALLAK, Siqi QIU, Walter SCHON
    20th IFAC World Congress (IFAC WC 2017) | 2017
    No summary available.
  • Obtaining empirical data from experimentations on railway operational simulator for human reliability modelling.

    Subeer RANGRA, Mohamed SALLAK, Walter SCHON, Frederic VANDERHAEGEN
    27th European Safety and Reliability Conference (ESREL 2017) | 2017
    No summary available.
  • On the Existence and Uniqueness of Solution of MRE and Applications.

    Yunhui HOU, Nikolaos LIMNIOS, Walter SCHON
    Methodology and Computing in Applied Probability | 2017
    No summary available.
  • A fault tolerant architecture for data fusion: A real application of Kalman filters for mobile robot localization.

    Kaci BADER, Benjamin LUSSIER, Walter SCHON
    Robotics and Autonomous Systems | 2017
    No summary available.
  • Safety constraints for the Safety-Bag of an autonomous vehicle: FMECA and HazOp methods.

    Manel BRINI, Paul CRUBILLE, Benjamin LUSSIER, Walter SCHON
    12th International Pluridisciplinary Congress on Quality, Dependability and Sustainability (QUALITA 2017) | 2017
    No summary available.
  • Human reliability analysis for railway operations: a framework for integration of human factors in risk analysis.

    Subeer RANGRA, Mohamed SALLAK, Walter SCHON, Frederic VANDERHAEGEN
    International Conference Reliability, Safety and Security of Railway Systems: Modelling, Analysis, Verification and Certification | 2016
    No summary available.
  • Human reliability analysis: towards a more formal framework for railway applications.

    Subeer RANGRA, Mohamed SALLAK, Walter SCHON, Frederic VANDERHAEGEN, Kaci BADER
    Congrès Lambda Mu 20 de Maîtrise des Risques et de Sûreté de Fonctionnement | 2016
    No summary available.
  • Comparing System Reliabilities with Ill-Known Probabilities.

    Lanting YU, Sebastien DESTERCKE, Mohamed SALLAK, Walter SCHON
    Communications in Computer and Information Science | 2016
    In reliability analysis, comparing system reliability is an essential task when designing safe systems. When the failure probabilities of the system components (assumed to be independent) are precisely known, this task is relatively simple to achieve, as system reliabilities are precise numbers. When failure probabilities are ill-known (known to lie in an interval) and we want to have guaranteed comparisons (i.e., declare a system more reliable than another when it is for any possible probability value), there are different ways to compare system reliabilities. We explore the computational problems posed by such extensions, providing first insights about their pros and cons.
  • Human reliability analysis: towards a more formal framework for railway applications.

    Subeer RANGRA, Kaci BADER, Mohamed SALLAK, Walter SCHON, Frederic VANDERHAEGEN
    Lambda Mu 20 | 2016
    No summary available.
  • Risk reduction of experimental autonomous vehicles: The Safety-Bag approach.

    Manel BRINI, Paul CRUBILLE, Benjamin LUSSIER, Walter SCHON
    4th International Workshop on Critical Automotive Applications: Robustness & Safety (CARS 2016) | 2016
    This work presents a study concerning the dependability of experimental autonomous vehicles in the Heudiasyc laboratory. This study confirms that the use of these vehicles involves significant risks during experiments, and that integration of a Safety-Bag component in the vehicle architecture can significantly reduce these risks. In this paper, we define a severity scale and propose a FMEA (Failure Mode Effects Analysis) of an autonomous vehicle. We also present the implementation of our safety-bag component and how it can reduce risks.
  • Integration of human factors in safety and risk analysis of railway operations: issues and methods from the perspective of a recent accident.

    Subeer RANGRA, Walter SCHON, Frederic VANDERHAEGEN
    International Railway Safety Council (IRSC 2016) | 2016
    No summary available.
  • D-S Theory for Argument Confidence Assessment.

    Rui WANG, Jeremie GUIOCHET, Gilles MOTET, Walter SCHON
    Lecture Notes in Computer Science | 2016
    Structured arguments are commonly used to communicate to stakeholders that safety, security or other attributes of a system are achieved. Due to the growing complexity of systems, more uncertainties appear and the confidence in arguments tends to be less justifiable by reviewing. In this paper, we propose a quantitative method to assess the confidence in structured arguments, like safety cases. We adopt the Goal Structuring Notation (GSN) to model the safety case and propose to add annotations to identify uncertainties in this model. Three inference types of arguments are proposed according to their impact on confidence. Definition and quantification assessment of confidence are based on the belief function theory. The proposed approach is illustrated with several GSN examples.
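For the belief-function machinery behind this entry and the two safety-case papers above (confidence as a mass assignment on {true, false}, aggregation with Dempster's rule), here is a worked example written for this page; it is not the authors' framework and does not reproduce their per-argument-type aggregation rules. The confidence values are constructed, and modelling uncertainty on an inference step by Shafer discounting of the combined mass is an assumption of this example.

```python
from typing import Dict, Tuple

# A mass function on the frame {T, F}: keys 'T' (goal holds), 'F' (goal fails),
# 'TF' (ignorance). Values are non-negative and sum to 1.
Mass = Dict[str, float]

def mass(belief: float, disbelief: float) -> Mass:
    """Build a mass function from a confidence (belief) and a disbelief;
    the remainder is assigned to ignorance."""
    if belief < 0 or disbelief < 0 or belief + disbelief > 1 + 1e-12:
        raise ValueError("belief and disbelief must be >= 0 and sum to <= 1")
    return {"T": belief, "F": disbelief, "TF": max(0.0, 1.0 - belief - disbelief)}

def combine(m1: Mass, m2: Mass) -> Tuple[Mass, float]:
    """Dempster's rule of combination on {T, F}. Returns the combined mass
    and the conflict K that was normalised away."""
    conflict = m1["T"] * m2["F"] + m1["F"] * m2["T"]
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict")
    joint = {
        "T":  m1["T"] * m2["T"] + m1["T"] * m2["TF"] + m1["TF"] * m2["T"],
        "F":  m1["F"] * m2["F"] + m1["F"] * m2["TF"] + m1["TF"] * m2["F"],
        "TF": m1["TF"] * m2["TF"],
    }
    return {k: v / (1.0 - conflict) for k, v in joint.items()}, conflict

def discount(m: Mass, alpha: float) -> Mass:
    """Shafer discounting: move a fraction alpha of every focal mass to ignorance,
    used here (assumption) to model doubt about the inference step itself."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must be in [0, 1]")
    return {"T": (1 - alpha) * m["T"],
            "F": (1 - alpha) * m["F"],
            "TF": (1 - alpha) * m["TF"] + alpha}

def confidence(m: Mass) -> Tuple[float, float, float]:
    """(belief, plausibility, uncertainty) that the goal holds."""
    return m["T"], m["T"] + m["TF"], m["TF"]

def goal_confidence(premises, inference_doubt: float = 0.0) -> Tuple[Mass, float]:
    """Aggregate the masses of the premises supporting one goal with Dempster's
    rule, then discount the result by the doubt placed on the inference."""
    if not premises:
        raise ValueError("a goal needs at least one premise")
    acc, total_conflict = premises[0], 0.0
    for m in premises[1:]:
        acc, k = combine(acc, m)
        total_conflict = max(total_conflict, k)
    return discount(acc, inference_doubt), total_conflict

if __name__ == "__main__":
    # constructed: two evidence nodes for one goal, 10% doubt on the inference
    m, k = goal_confidence([mass(0.6, 0.1), mass(0.5, 0.2)], inference_doubt=0.1)
    print(m, k, confidence(m))
```

The conflict K is worth reporting alongside the result: Dempster's rule renormalises it away, so two premises that largely contradict each other can still yield a high combined belief, and the aggregated confidence should not be trusted when K is large.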
  • Estimation of the probability and uncertainty of undesirable events in large-scale systems.

    Yunhui HOU, Nikolaos LIMNIOS, Walter SCHON
    2016
    The objective of this thesis is to build a framework that represents random and epistemic uncertainties based on probabilistic approaches and uncertainty theories, to compare methods and to find their applications on large systems with rare events. In the thesis, an asymptotic normality method has been proposed with Monte Carlo simulation in the binary cases, as well as a semi-Markovian model in the cases of dynamic multi-state systems. Random set theory has also been applied as a basic model to evaluate reliability and other performance indicators in binary and multi-state systems with the bootstrap technique.
  • On the application of Valuation-Based Systems in the assessment of the probability bounds of Hazardous Material transportation accidents occurrence.

    Siqi QIU, Roberto SACILE, Mohamed SALLAK, Walter SCHON
    Safety Science | 2015
    An important issue in Hazardous Material (hazmat) transportation risk assessment is to evaluate the probability bounds of accident occurrence, whose values are difficult to estimate due to their low frequency and the related lack of statistical data. This paper presents an original approach to integrate uncertainty in the quantitative analysis of hazmat transportation accidents. The proposed approach is based on the use of Valuation-Based Systems (VBSs) and belief functions theory. Furthermore, we propose to identify the factors for which the reduction of epistemic uncertainty (imprecision) gives the greatest impact on the uncertainty of the final results by using some proposed measures. The applicability and generality of the proposed approach is demonstrated on a case study.
  • Human Reliability Assessment under Uncertainty – Towards a Formal Method.

    Subeer RANGRA, Mohamed SALLAK, Walter SCHON, Frederic VANDERHAEGEN
    Procedia Manufacturing | 2015
    Humans are and will remain one of the critical constituents of a technological system. The study of human factors is a broad domain with equally varying applications. Furthermore, with the advent of new technologies in safety-critical systems there is always a need to ensure system safety and reliability in accordance with increasingly demanding certification standards. Human reliability is a cause of concern as hardware becomes increasingly reliable and human error accounts for a rising share of accident causes. Human Reliability Analysis (HRA) provides a way to quantify the risk associated with a human. This paper presents a discussion on the development of a HRA model for the domain of transportation, rail transport in particular. Railway-specific human factors studies are analyzed to identify safety-relevant factors in order to create a relevant and applicable Performance Shaping Factor list. This list of factors is compared with railway-specific studies to address domain-specific concerns, further augmenting it with quantification levels for each. A discussion on our proposition towards the integration of HRA for obtaining human-induced system-level risk, taking into account uncertainty in data, and the current work's positioning in the proposed methodology is also included.
  • On the study of human reliability in transportation systems of systems.

    Subeer RANGRA, Walter SCHON, Mohamed SALLAK, Frederic VANDERHAEGEN
    2015 10th System of Systems Engineering Conference (SoSE) | 2015
    Humans are and will remain one of the critical constituents of a technological system. The study of Human Factors is a broad domain with equally varying applications. Quantification thereof, with a Human Reliability Analysis (HRA), poses considerable challenges and advantages. In increasingly complex modern systems where large resources are allocated towards ensuring the system's operational safety, it becomes necessary to analyze the actions of the human operator who directly or indirectly influences system reliability. This paper envisages establishing a base towards a HRA model, to address existing issues. Railway systems and Advanced Driver Assistance Systems for automobiles are our application domains. We aim to identify the need for and usability in both. Considering the human as a component of the System of Systems for risk assessment allows us to study its impact on system reliability and give feedback to improve system safety.
  • Uncertainty, elicitation of experts' opinion, and human failures: Challenges for RAM analysis of ERTMS SoS.

    M. SALLAK, S. DESTERCKE, W. SCHON, F. VANDERHAEGEN, D. BERDJAG, C. SIMON
    2015 10th System of Systems Engineering Conference (SoSE) | 2015
    This paper has three main objectives. The first objective is to summarize the requirements for RAM (Reliability, Availability, and Maintainability) parameters of European Rail Traffic Management System (ERTMS) defined in the railway standards. The second objective is to emphasize that the RAM requirements should be considered at the ERTMS SoS level. The third objective is to highlight major issues, when dealing with ERTMS SoS, which are not treated or clearly defined in the railway standards. Indeed, the RAM parameters definitions do not take into account all types of uncertainty in failure data and human failures, and do not propose specific methods to obtain failure data from experts' opinion. In this work, a number of methods have been proposed to deal with these issues.
  • Evaluation of human error probabilities based on classical HRA models: an application to railway systems.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Zohra CHERFI BOULANGER
    QUALITA' 2015 | 2015
    This paper presents an experimental protocol which aims to study human reliability in railway systems. The experiment is conducted on a railway traffic management system that places operators (experimental subjects) in simulated situations involving failures. Some classical HRA (Human Reliability Analysis) models are used to interpret the experimental results and to evaluate the probability of human error.
  • Availability analysis of systems using random set theory.

    Yunhui HOU, Mohamed SALLAK, Walter SCHON
    9th IFAC Symposium on Fault Detection, Supervision and Safety for Technical Processes | 2015
    No summary available.
  • Rapid, robust, distributed evaluation and control of train scheduling on a single line track.

    Chiara BERSANI, Siqi QIU, Roberto SACILE, Mohamed SALLAK, Walter SCHON
    Control Engineering Practice | 2015
    The technology for controlling the distance between two trains is shifting from traditional fixed red, yellow and green signals on the infrastructure track circuits towards more and more dynamic systems, which are based on moving blocks, where the distance is computed according to real-time positioning, and the control of the distance is computed on-line. This is the case, for example, in the European Rail Traffic Management System (ERTMS), which proposes three different levels, from 1 to 3. This paper addresses the time-honoured problem of scheduling trains on a single track, in the light of recent results in robust team decision theory. The control model can be used in two modes: as a decision support tool for train dispatchers to evaluate the distance between trains in the current schedule, and as a planning tool to evaluate the effects of timetable changes. The main contribution of the paper is the application of a recent result in robust team decision theory to control noncritical train distances in moving blocks, such as in ERTMS Level 3. The case study is related to real data from an ERTMS simulation and controller software tool.
  • An Efficient Method for Reliability Analysis of Systems Under Epistemic Uncertainty Using Belief Function Theory.

    Felipe AGUIRRE, Mohamed SALLAK, Walter SCHON, Felipe AGUIRRE MARTINEZ
    IEEE Transactions on Reliability | 2015
    We present an efficient method based on the inclusion-exclusion principle to compute the reliability of systems in the presence of epistemic uncertainty. A known drawback of belief functions and other imprecise probabilistic theories is that their manipulation is computationally demanding. Therefore, we investigate some conditions under which the measures of belief function theory are additive. If this property is met, the application of belief functions is more computationally efficient. It is shown that these conditions hold for minimal cuts and paths in reliability theory. A direct implication of this result is that the credal state (state of beliefs) about the failing (working) behavior of components does not affect the credal state about the working (failing) behavior of the system. This result is proven using a reliability analysis approach based on belief function theory. This result implies that the bounding interval of the system's reliability can be obtained with two simple calculations using methods similar to those of classical probabilistic approaches. A discussion about the applicability of the discussed theorems for non-coherent systems is also proposed.
  • Two methods for modeling and verification of safety properties of railway infrastructures.

    Alain FAIVRE, Arnault LAPITRE, Agnes LANUSSE, Matthieu PERIN, Subeer RANGRA, Mohamed SALLAK, Walter SCHON
    2015 International Conference on Industrial Engineering and Systems Management (IESM) | 2015
    This paper presents and compares two model-based approaches to ensure the dependability of a rail system in the context of ERTMS (European Rail Traffic Management System). V&V activities against safety properties are carried out by simulating train operations on State machine models of railway infrastructures. This paper presents this approach by means of a comparative study between two tools which analyze the models with various verification strategies. The tools used are Matlab Simulink environment and the DIVERSITY symbolic execution tool from CEA LIST.
  • On the application of Valuation-Based Systems in the assessment of the probability bounds of Hazardous Material transportation accidents occurrence.

    Siqi QIU, Roberto SACILE, Mohamed SALLAK, Walter SCHON
    Safety Science | 2015
    An important issue in Hazardous Material (hazmat) transportation risk assessment is to evaluate the probability bounds of accident occurrence, whose values are difficult to estimate due to their low frequency and the related lack of statistical data. This paper presents an original approach to integrate uncertainty in the quantitative analysis of hazmat transportation accidents. The proposed approach is based on the use of Valuation-Based Systems (VBSs) and belief functions theory. Furthermore, we propose to identify the factors for which the reduction of epistemic uncertainty (imprecision) has the greatest impact on the uncertainty of the final results by using some proposed measures. The applicability and generality of the proposed approach are demonstrated on a case study.
  • Reliability analysis of multi-state systems using random set theory.

    Yunhui HOU, Mohamed SALLAK, Walter SCHON
    European Safety and Reliability Conference (ESREL 2015) | 2015
    No summary available.
  • Fault Tolerant Multi-sensor Localization: Experimental validation on a real case.

    Kaci BADER, Walter SCHON, Benjamin LUSSIER
    QUALITA' 2015 | 2015
    In this paper, we present a localization architecture for mobile robots. This architecture is fault tolerant in hardware in the perception sensors and in software in the data fusion mechanisms. It implements two independent localization systems using two diversified Kalman filters, and provides error detection by the comparison technique and system recovery by the compensation method. An evaluation environment for the proposed architecture is set up, using real data acquisition with the Heudiasyc PACPUS laboratory platform, and then replaying these data with fault injection under Matlab.
  • Modeling and monitoring of Man-Machine systems: application to railway driving.

    Nedjemi djamel eddine RACHEDI, Frederic VANDERHAEGEN, Denis BERDJAG, Damien TRENTESAUX, Frederic VANDERHAEGEN, Denis BERDJAG, Walter SCHON, Jean marc THIRIET, Oliver CARSTEN, Denis MIGLIANICO, Walter SCHON, Jean marc THIRIET
    2015
    The context of this thesis is the monitoring of man-machine systems, where the operator is the driver of a railway transport system. Our objective is to improve the safety of the system by preventing and avoiding factors that can increase the risk of human error. Two major problems are identified: the characterization aspect, or how to determine the indicative and discernible phases of the driving activity, and the representation aspect, or how to describe and codify the operator's driving actions and their repercussions on the railway system in a mathematical formalism allowing an unequivocal analysis. To solve these problems, we first propose a behavioral model of the human operator that represents his control behavior in continuous time. In order to take into account the inter- and intra-individual differences of human operators, as well as changes of situation, we propose a transformation of the initially presented behavioral model into a new representation space. This transformation is based on the theory of hidden Markov chains, and on the adaptation of a particular pattern recognition technique. Then, we define a discrete-time behavioral model of the human operator, allowing at the same time to represent his actions and to take into account errors and unexpected events in the work environment. This modeling is inspired by cognitive operator models. Both aspects allow the interpretation of observables in relation to reference situations. In order to characterize the global state of the human operator, different information is taken into consideration. This information is heterogeneous and subject to measurement uncertainties, requiring a robust data fusion procedure that is performed using a Bayesian network. Finally, the proposed modeling and fusion methodologies are used to design a reliable and non-intrusive vigilance system. This system allows the interpretation of driving behaviors and the detection of risky states of the driver (e.g. hypovigilance). The theoretical study was tested in simulation to verify its validity. Then, a feasibility study was carried out on experimental data obtained during experiments on the COR&GEST railway driving platform of the LAMIH laboratory. These results allowed the planning and setting up of the experiments to be carried out on the future multimodal driving simulator "PSCHITT-PMR".
  • Theoretical and experimental study of congestion phenomena on an urban railway network.

    Pierre antoine CUNIASSE, Christine BUISSON, Joaquin RODRIGUEZ, Pablo JENSEN, David DE ALMEIDA, Emmanuel TEBOUL, Cecile APPERT ROLLAND, Walter SCHON
    2015
    Over the past twenty years, public transportation issues in the Paris region have become a major concern. The French national railway company, which operates most of the rail network in this region, plays a central role in the organization of transportation. However, in contrast to the expectations placed on this sector, rail traffic is experiencing a number of dysfunctions. This thesis is part of a global approach to question the principles of rail operations in dense areas, and provides a new perspective on the origin of delays affecting trains. A simple model is proposed to study rail traffic congestion under the influence of random disturbances. Inspired by road traffic tools and especially the fundamental network diagram, we define for railways the fundamental railroad line diagram, which represents the flow as a function of the concentration on a portion of railroad line. This tool is then used to compare the results of our model to a data set measured on two railway lines in the Paris area. This comparison shows that our model qualitatively reproduces the traffic congestion phenomena observed on real cases.
  • Ensuring the safety of autonomous demonstrator vehicles - the Safety-Bag approach.

    Manel BRINI, Paul CRUBILLE, Benjamin LUSSIER, Walter SCHON
    Control Architectures of Robots 2015 10th National Conference & Secondes Journées Architectures Logicielles pour la Robotique Autonome, les Systèmes Cyber-Physiques et les Systèmes Auto-Adaptables | 2015
    This article presents a safety study conducted on the autonomous robotic vehicles of the ASER team in the Heudiasyc laboratory. This study confirms that the use of these vehicles involves important risks during experiments, and that the insertion of a Safety-Bag component in the architecture of the vehicle makes it possible to considerably reduce the gravity of these risks.
  • Functional Diversification for Software Fault Tolerance in Data Fusion: a real Application on Kalman Filters for Mobile Robot Yaw Estimation.

    Kaci BADER, Benjamin LUSSIER, Walter SCHON
    The annual European Safety and Reliability Conference (ESREL 2015) | 2015
    In this paper, we propose a software fault tolerant architecture for data fusion mechanisms. Our work is motivated by the difficulty to validate fusion mechanisms, either through formal approaches or testing. The proposed mechanism is based on functional diversification using the well known N-versions Programming approach, to tolerate faults in data fusion models. The general principle of our approach is to implement three diversified data fusion mechanisms, each with forcibly diversified models and independent inputs. With this diversification and a voting mechanism, our architecture provides the following fault tolerance services: software error detection, software error diagnosis and system recovery. To demonstrate the efficiency of our approach, we present a real case study consisting in estimating a mobile robot’s yaw angle using odometers and gyroscopes with a Kalman Filter. We present a fault tolerance evaluation that is based on real data acquisition by an intelligent sensor equipped vehicle (Citroen C5), this real data offline replay, and fault injection techniques. In our opinion, the main original contribution of this paper is to propose software fault tolerance mechanisms in data fusion, which are rarely considered in the literature. Indeed, we believe that these faults can have an important impact on the system’s behavior, are difficult to detect and eliminate through validation, and are prone to appear considering that empirical values (such as gains or belief mass functions) are used in data fusion.
  • On the existence and uniqueness of solution of MRE and applications.

    Yunhui HOU, Nikolaos LIMNIOS, Walter SCHON
    Statistical, Stochastic and Data Analysis Methods and Applications | 2015
    No summary available.
  • Graphical models for the assessment of safety and risk analysis of systems in the presence of uncertainties.

    Siqi QIU, Walter SCHON, Mohamed SALLAK
    2014
    Systems of Systems (SoS) are large systems whose components are themselves systems that interact to perform certain functions, and for which the malfunction of a single system can have serious consequences on the operation of the entire SoS. It is therefore important that the design of these SoSs takes into account the requirements of Dependability and in particular their reliability and availability when they are solicited. Moreover, it is necessary that it ensures, through quantitative analysis, that these requirements are met. Uncertainty is also an important part of the thesis, because there are always differences between a system and its representation by a model. The objective of this thesis is to propose a methodology for the safe design of SoSs. The first step is to propose a dysfunctional model of the global SoS integrating the hardware aspects, the network aspects and the human factor. In a second step, we evaluate the SoS requirements. In a third step, it is about taking into account different types of uncertainties in the models. Concerning the application part, the subject would be articulated around the safe design of a railway system. The main contribution of this thesis lies in three aspects. First, a general methodology for modeling SoSs is proposed. Second, we consider ERTMS Level 2 as a SoS and evaluate its SoF requirements taking into account the unavailability of the SoS as an emergent property. Third, different types of uncertainties are quantitatively modeled in the proposed models using probabilistic and non-probabilistic theories.
  • A reachability analysis for verification of safety properties of railway infrastructures.

    Siqi QIU, Guy leon KAZA, Mohamed SALLAK, Walter SCHON
    10th Symposium on Formal Methods for Automation and Safety in Railway and Automotive Systems, Tool Exhibition and Tutorium (FORMS/FORMAT 2014) | 2014
    The work presented in this paper aims to model a railway infrastructure composed of tracks, switches and signal lights to verify certain safety properties related to the exploitation of this infrastructure. The modeling will be done using the statecharts formalism. The verification approach for the safety properties will be carried out by simulating the operation of the infrastructure. This approach is based on a reachability analysis of dangerous states related to the operation of the infrastructure. The reachability analysis of dangerous states allows detecting a near accident. Finally, the Statechart model is used to simulate a scenario of a near accident between two trains.
  • A uml approach for modeling and verifying of railway signalling systems specifications.

    Zaibi KAIS, Mohamed SALLAK, Walter SCHON, Subeer RANGRA, Roberto SACILE
    MOSIM 2014, 10ème Conférence Francophone de Modélisation, Optimisation et Simulation | 2014
    This paper proposes a UML based approach for the modeling and the verification of Railway signalling Systems specifications. Particularly, we consider the European Rail Traffic Management System (ERTMS) and the European Train Control System (ETCS) specifications. First, the architecture of ERTMS/ETCS is described. The validation and verification procedure is also introduced. Then, class, sequences and use case diagrams related to the technical specifications of ERTMS/ETCS are presented. Finally, a case study from the technical specification of ERTMS/ETCS which represents the operation of "Establishing a communication session" between ERTMS/ETCS On-board equipment and RBC (Radio Block Center) to initiate a communication session is proposed.
  • Dynamic reliability modeling using Valuation-Based System.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Zohra CHERFI BOULANGER
    19th IFAC World Congress (IFAC WC 2014) | 2014
    This paper describes dynamic Valuation-Based System (VBS) for reliability assessment of systems under uncertainty. The reliability data and dependencies between components are represented using variables, sample spaces of variables, a set of valuations represented by probabilities, and basic probability assignments (bpas) that map sample spaces of sets of variables to the set of valuations. The uncertainties considered here are related to the states of components and their dependencies. The imprecise reliability of systems under uncertainty is estimated by an interval composed of upper and lower bounds. The proposed dynamic VBS approach is finally applied on a valve system and compared to the classical Bayesian Network approach.
  • Availability assessment of railway signalling systems with uncertainty analysis using Statecharts.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Zohra CHERFI BOULANGER
    Simulation Modelling Practice and Theory | 2014
    In this paper, we propose an original simulation approach to evaluate the availability of systems in the presence of state uncertainty which arises from incompleteness or imprecision of knowledge and data. This approach is based on a simulation method combining the belief functions theory and the Statecharts. Then we propose a Statechart model of a railway signalling system, European Rail Traffic Management System (ERTMS) Level 2 considering state uncertainty, and evaluate its availability according to the RAMS requirements defined in the railway standards. Finally we propose a sensitivity analysis to estimate the state uncertainty of which constituent system has the most significant influence on the state uncertainty of the entire ERTMS Level 2.
  • Modeling and verification of safety properties of a railway infrastructure using Statecharts.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Zohra CHERFI BOULANGER
    19ème congrès de maîtrise des risques et sûreté de fonctionnement, Lambda Mu 19 | 2014
    The objective of the work presented in this article is to model a railway infrastructure composed of tracks, switches and traffic lights in order to verify some safety properties related to the operation of this infrastructure. The modeling will be done using the Statecharts formalism and the Stateflow tool. The approach to verify the safety properties will be done by simulating the operation of the infrastructure. This approach is based on an attainability research of the dangerous states related to the operation of the infrastructure. The attainability analysis of the dangerous states allows the detection of a near miss. Finally, the Statechart model will be used for the simulation of a near miss scenario between two trains.
  • Modeling of ERTMS Level 2 as an SoS and Evaluation of its Dependability Parameters Using Statecharts.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Zohra CHERFI BOULANGER
    IEEE Systems Journal | 2014
    In this paper, we consider the European Rail Traffic Management System (ERTMS) as a System-of-Systems (SoS) and propose modeling it using Unified Modeling Language statecharts. We define the performance evaluation of the SoS in terms of dependability parameters and average time spent in each state (working state, degraded state, and failed state). The originality of this work lies in the approach that considers ERTMS Level 2 as an SoS and seeks to evaluate its dependability parameters by considering the unavailability of the whole SoS as an emergent property. In addition, human factors, network failures, Common-Cause Failures (CCFs), and imprecise failure and repair rates are taken into account in the proposed model.
  • Virtual lab based on co-simulation to include impairments of wireless telecommunication such as GSM-R in the evaluation of ERTMS.

    Patrick SONDI, Marion BERBINEAU, Mohamed KASSAB, Martine WAHL, Christophe GRANSART, Etienne LEMAIRE, G. MARIANO, Mohamed GHAZEL, Vincent BENARD, Walter SCHON
    TRA - Transport Research Arena | 2014
    The deployment of the European Rail Traffic Management System (ERTMS) is mandatory along European railway corridors, but it will follow a long and expensive process. Thus, there is a need for faster roll-out and reduction in cost for the certification and authorization necessary to put equipment into service. One of the solutions to accelerate the process relies on making intensive use of lab-testing before real deployment. The ANR VEGAS project, labeled by i-Trans, will design, develop and evaluate a virtual laboratory based on co-simulation by connecting an ERTMS functional simulator with a simulator dedicated to telecommunication technologies evaluation. In this way, the co-simulation will allow evaluating the functional subsystem behavior while taking into account the impairments related to the telecommunication subsystem (radio propagation impairments such as bad radio links and cuts, electromagnetic interferences or attacks). This paper presents the ongoing work on this virtual laboratory, the preliminary results and interesting prospective work in this context.
  • A Fault Tolerant Architecture For Data Fusion Targeting Hardware and Software Faults.

    Kaci BADER, Benjamin LUSSIER, Walter SCHON
    The 20th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2014) | 2014
    This paper presents a fault tolerance architecture for data fusion mechanisms that tolerates hardware faults in the sensors and software faults in the data fusion. After introducing the basic concepts of fault tolerance and data fusion, we present first the generic architecture before detailing an implementation using Kalman filters for mobile robot localization. Finally fault injection is used on real data from this implementation to validate our architecture. Under a single fault hypothesis, we detect hardware and software faults and recover from hardware faults. With more redundancies, it would be possible to consider multiple faults and recover from software ones.
  • Fault tolerance for multi-sensor perception: application to smart vehicle localization.

    Kaci BADER, Walter SCHON, Benjamin LUSSIER, Jeremie GUIOCHET
    2014
    Perception is a fundamental input of robotic systems, in particular for localization, navigation and interaction with the environment. However, the data perceived by robotic systems are often complex and subject to significant inaccuracies. To remedy these problems, the multi-sensor approach uses either several sensors of the same type to exploit their redundancy, or sensors of different types to exploit their complementarity, in order to reduce inaccuracies and uncertainties on sensors. The validation of this data fusion approach poses two major problems: first, the behavior of fusion algorithms is difficult to predict, which makes them difficult to verify by formal approaches. Moreover, the open environment of robotic systems creates a very large execution context, which makes testing difficult and expensive. The aim of this thesis is to propose an alternative to validation by implementing fault tolerance mechanisms: since it is difficult to eliminate all faults from the perception system, we will try to limit their impact on its operation. We have studied the fault tolerance intrinsically allowed by data fusion by formally analyzing data fusion algorithms, and we have proposed detection and recovery mechanisms adapted to multi-sensor perception. We then implemented the proposed mechanisms for a vehicle localization application using Kalman filtering data fusion. We finally evaluated the proposed mechanisms using real data replay and fault injection techniques, and demonstrated their effectiveness against hardware and software faults.
  • Data mining of temporal sequences for the prediction of infrequent failure events : application on floating train data for predictive maintenance.

    Wissam SAMMOURI, Latifa OUKHELLOU, Said MAMMAR, Latifa OUKHELLOU, Patrice AKNIN, Etienne COME, Charles eric FONLLADOSA, Abdelhakim ARTIBA, Walter SCHON
    2014
    Nowadays, in order to meet economic and social requirements, rail transport systems need to be operated with a high level of safety and reliability. In particular, there is a growing need for monitoring and maintenance support tools to anticipate failures of railway rolling stock components. To develop such tools, commercial trains are equipped with intelligent sensors that send real-time information on the status of various subsystems. This information is in the form of long time sequences consisting of a succession of events. The development of automatic analysis tools for these sequences will allow the identification of significant associations between events in order to predict the occurrence of serious failures. This thesis addresses the problem of time sequence mining for the prediction of rare events and is part of a global context of development of decision support tools. We aim at studying and developing various methods to discover association rules between events on the one hand and to build classification models on the other hand. These rules and/or classifiers can then be used to analyze online a stream of incoming events in order to predict the occurrence of target events corresponding to failures. Two methodologies are considered in this thesis: the first one is based on association rule mining, which is a temporal approach, and the second on a pattern recognition based approach. The main challenges faced by this work are mainly related to the rarity of the target events to predict, the important redundancy of some events and the very frequent presence of "bursts". The results obtained on real data collected by sensors onboard a fleet of commercial trains show the effectiveness of the proposed approaches.
  • Fault tolerant Kalman filter architecture for mobile robot localization.

    Kaci BADER, Benjamin LUSSIER, Walter SCHON
    19ème congrès de maîtrise des risques et sûreté de fonctionnement, Lambda Mu 19 | 2014
    Accurate localization is an important functionality in autonomous robots and intelligent vehicles. It uses different sensors to determine a position, which is fundamental for navigation and control. In this paper, we propose a fault-tolerant architecture suitable for data fusion and the details of its application for localization of a mobile robot. We use two types of sensors to perceive the state of the robot and the environment: an inertial measurement unit (IMU) that gives the accelerations and angular velocities of the robot, and a camera that provides image sequences for a visual odometry algorithm. A Kalman filter uses these inputs to estimate the robot's position. Fault tolerance is provided in this application by a duplication / comparison of appropriate diagnostic algorithms. The fault injection technique is used to evaluate the performance of our architecture on a simulated case study.
  • Random and epistemic uncertainties, how to distinguish and manipulate them in reliability studies?

    Mohamed SALLAK, Felipe AGUIRRE, Walter SCHON
    QUALITA2013 | 2013
    In the literature, different methods of classification of uncertainties and their sources are proposed. The most common distinction is to divide uncertainties into two types: random uncertainty and epistemic uncertainty. The first is irreducible and due to the natural variability of random phenomena. The second is due to a lack of knowledge that can be reduced by making more efforts (data collection, expert consultation, accelerated testing, etc.). In this paper, we will propose a discussion of the validity of this distinction and show that it has implications for the choice of theory to be used to represent the different types of uncertainties.
  • Construction of Belief Functions From Statistical Data About Reliability Under Epistemic Uncertainty.

    Felipe AGUIRRE, Mohamed SALLAK, Walter SCHON
    IEEE Transactions on Reliability | 2013
    No summary available.
  • Modeling and evaluation of the availability of an ERTMS level 2 railway signalling system.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Zohra CHERFI
    QUALITA2013 | 2013
    In this paper, we first propose the modeling of an ERTMS level 2 railway signaling system using Statecharts. Then, we propose the performance evaluation of this system in terms of availability and average time spent in each state (nominal operation mode, degraded mode and failure mode). The originality of this work lies in the attempt to model the whole ERTMS level 2 signalling system by considering it as a System of Systems. Moreover, human factors and network failures are also taken into account in the proposed model.
  • Application of evidential networks in quantitative analysis of railway accidents.

    Felipe AGUIRRE, Mohamed SALLAK, Walter SCHON, Fabien BELMONTE
    Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk and Reliability | 2013
    Currently, a high percentage of accidents in railway systems are attributed to human factors. As a consequence, safety engineers try to take this factor into account in risk assessment. However, human reliability data are very difficult to quantify; thus, qualitative methods are often used in railway system risk assessments. Modeling of human errors through probabilistic approaches has shown some limitations concerning the quantification of qualitative aspects of human factors. The proposed paper presents an original method to account for the human factor by using Evidential Networks and fault tree analysis.
  • On the distinction between aleatory and epistemic uncertainty and its implications on reliability and risk analysis.

    Felipe AGUIRRE, Mohamed SALLAK, Walter SCHON, Siqi QIU
    European Safety and Reliability Conference (ESREL 2013) | 2013
    During the past decades, the scientific community has provided different frameworks for classifying uncertainty and its sources. The most common distinction -or at least, the one that is widely accepted in the reliability and risk analysis community- is the distinction between aleatory and epistemic uncertainty. The former is considered irreducible because it is due to the natural variability of random phenomena. The latter is attributed to the lack of knowledge, thus, it is reducible as long as we are able to gather more information. In this paper, we propose a discussion about this distinction from an historical point of view and we introduce some alternative theories to deal with uncertainty.
  • Extended Component Importance Measures Considering Aleatory and Epistemic Uncertainties.

    Mohamed SALLAK, Walter SCHON, Felipe AGUIRRE
    IEEE Transactions on Reliability | 2013
    In this paper, extended component importance measures (Birnbaum importance, RAW, RRW and Criticality importance) considering aleatory and epistemic uncertainties are introduced. The D-S theory which is considered to be a less restricted extension of probability theory is proposed as a framework for taking into account both aleatory and epistemic uncertainties. The epistemic uncertainty defined in this paper is the total lack of knowledge of the component state. The objective is to translate this epistemic uncertainty to the epistemic uncertainty of system state and to the epistemic uncertainty of importance measures of components. The Affine Arithmetic allows us to provide much tighter bounds in the computing process of interval bounds of importance measures avoiding the error explosion problem. The efficiency of the proposed measures is demonstrated using a bridge system with different types of reliability data (aleatory uncertainty, epistemic uncertainty and experts' judgments). The influence of the epistemic uncertainty on the components' rankings is described. Finally, a case study of a fire-detector system located in a production room is provided. A comparison between the proposed measures and the probabilistic importance measures using two-stage Monte Carlo simulations is also made.
  • Reliability assessment for multi-state systems under uncertainties based on the Dempster–Shafer theory.

    Mohamed SALLAK, Walter SCHON, Felipe AGUIRRE
    IIE Transactions | 2013
    This paper presents an original method for evaluating reliability indices for Multi-State Systems (MSSs) in the presence of aleatory and epistemic uncertainties. In many real world MSSs an insufficiency of data makes it difficult to estimate precise values for component state probabilities. The proposed approach applies the Transferable Belief Model (TBM) interpretation of the Dempster-Shafer theory to represent component state beliefs and to evaluate the MSS reliability indices. We use the example of an oil transmission system to demonstrate the proposed approach and we compare it with the Universal Generating Function method. The value of the Dempster-Shafer theory lies in its ability to use several combination rules in order to evaluate reliability indices for MSSs that depend on the reliability of the experts' opinions as well as their independence.
  • Railway signalling and automation Volume 3.

    Walter SCHON, Guy LARRAUFIE, Gilbert MOENS, Jacques PORE
    2013
    No summary available.
  • Construction of belief functions from statistical data about reliability under epistemic uncertainty.

    Felipe AGUIRRE, Mohamed SALLAK, Walter SCHON
    IEEE Transactions on Reliability | 2013
    No summary available.
  • Normal approximation of the probability of failure of a system.

    Yunhui HOU, Nikolaos LIMNIOS, Walter SCHON
    QUALITA2013 | 2013
    In this paper we estimate the reliability of a binary system and obtain its confidence interval by the asymptotic normal approximation. This method can be applied to complex and large systems, reducing the width of the confidence interval.
  • Epistemic parametric uncertainties in availability assessment of a Railway Signalling System using Monte Carlo simulation.

    Siqi QIU, Mohamed SALLAK, Walter SCHON, Zohra CHERFI BOULANGER
    European Safety and Reliability Conference (ESREL 2013) | 2013
    In this paper, firstly, we propose a modeling of a Railway Signalling System in Statechart and the system's dynamic behavior is analyzed in this model. This system is the ERTMS/ETCS (European Rail Traffic Management System/European Train Control System) Level 2 whose performance is evaluated in terms of the availability. Secondly, the epistemic uncertainties (imprecision) are introduced into the transition rates of the system and handled by a methodology based on two-phase Monte Carlo simulation. In the two-phase Monte Carlo simulation, epistemic variables are sampled in the outer loop and the model of the system is executed in the inner loop. The originality of this work lies in modeling the dynamic behavior of the ERTMS/ETCS Level 2 and proposing a methodology based on two-phase Monte Carlo simulation to evaluate the availability of the system considering epistemic parametric uncertainties.
  • Railway signalling and automation Volume 2.

    Walter SCHON, Guy LARRAUFIE, Gilbert MOENS, Jacques PORE
    2013
    No summary available.
  • Railway Signalling and Automation Volume 1.

    Walter SCHON, Guy LARRAUFIE, Gilbert MOENS, Jacques PORE
    2013
    No summary available.
  • Fault Tolerance by Data Fusion: A Case Study.

    Kaci BADER, Benjamin LUSSIER, Walter SCHON
    QUALITA2013 | 2013
    Multi-sensor perception systems are beginning to appear in mission-critical applications, such as ADAS systems in automobiles. These systems, which are complex and based on artificial intelligence methods, are difficult and expensive to validate. In this paper, we study an alternative method of dependability: fault tolerance. We study fault tolerance as directly enabled by data fusion, and then propose detection and recovery mechanisms suitable for multi-sensor perception. By analyzing some parameters related to data fusion, we propose different services for the dependability of perception systems, such as detection, recovery by compensation, and fault hiding.
  • Reliability analysis of systems using belief functions theory to represent epistemic uncertainty.

    Felipe AGUIRRE MARTINEZ, Mohamed SALLAK, Walter SCHON
    2012
    There are different ways to classify uncertainty or its sources. The most common distinction is to divide uncertainty into two types: random uncertainty and epistemic uncertainty. The first type is irreducible and due to the natural variability of random phenomena. The second type is reducible and due to a lack of knowledge that can be reduced by making more efforts (collecting more data, consulting experts, accelerated testing...). Recently, several authors have begun to challenge the use of classical probabilities to deal with these two types of uncertainties. New theories that deal with the different types of uncertainties have appeared. These theories are able to represent and propagate both random and epistemic uncertainty. Among these theories, the theory of belief functions is exploited in this manuscript to handle uncertainties in system reliability studies. Various issues related to reliability studies in the presence of epistemic uncertainties, as well as reasons why probability theory should not be used in this case, are discussed. The manuscript introduces methods for representing reliability data and combining expert opinions. Then, it presents several methods for propagating uncertainty about the reliability of components at the system level. An important result of these methods is that the lower (upper) bound on system reliability depends only on the lower (upper) bounds on component reliability, and that the belief and plausibility functions are additive for the collection of minimal paths and minimal cuts.
  • Contributions to formal analysis and diagnosis from colored Petri nets with backward accessibility.

    Mohamed BOUALI, Pavol BARGER, Walter SCHON
    2009
    The rapid development of embedded systems and the increasing requirements to which they are subjected create a need for innovative techniques in terms of design, verification and validation. Formal methods provide interesting approaches to the design of these systems, especially for dependability studies. The chosen formalism is based on Colored Petri nets (CPN). The advantage of these models, in addition to being very expressive and formal, is that they can express the dual character of the systems studied: static and dynamic. The challenge of this thesis is to use established models, describing the architecture and/or the behavior of systems, to extract dependability information in general and failure diagnosis in particular. The proposed approach is a structural analysis by backward accessibility of CPN. It can be decomposed into two parts. The first is the proposal of a tool to perform this analysis: the reverse CPN. It is obtained through the application of structural transformations on the original CPN. The second part is the implementation of the analysis. This part requires complementary mechanisms, the most important of which is the enrichment of the marking. The proposed approach is studied from two complementary points of view: algorithmic and theoretical. The algorithmic point of view consists in proposing models of transformations for the inversion of the CPN and the implementation of the analysis. The theoretical aspect aims at providing a formal basis for the approach by applying two methods (linear algebra and linear logic) to prove our approach.
  • Full automation of line 1: study and modeling of mixed traffic.

    Mylene BELMONTE, Walter SCHON, Jean louis BOULANGER
    2008
    The present thesis is part of the project of full automation of line 1 of the Paris metro. This project consists in transforming line 1 (a line with drivers) into a fully automatic line (without driver or staff on board) without stopping operation. The result is a mixed phase of cohabitation between trains in manual driving and trains in fully automatic driving. In this context, my research work consists first of all in continuing the development of software allowing the mixed phase of operation on line 1 to be studied and analyzed. Once operational, the model was used to carry out two studies that I conducted in a second phase. These two studies answer problems concerning the mixed management of trains with and without drivers in the terminals. They take into account two opposite constraints: the safety of agents and passengers on the one hand and the quality of service offered to passengers on the other hand. The analysis and results of these two studies are presented in this thesis report.
  • Impact of central rail traffic supervision stations on safety.

    Fabien BELMONTE, Jean louis BOULANGER, Walter SCHON
    2008
    Although currently considered as not safe (the safety functions being ensured by other subsystems), rail traffic supervision systems can contribute to safety in certain crisis scenarios where an adapted decision of a supervision operator could significantly reduce the severity of accident scenarios. It is therefore of utmost importance to identify such scenarios in order to consider future supervision systems with a view to further improving traffic safety. Since supervision involves decisions made by humans, it is essential to take the human factor into account. The study focuses on the evaluation of the human-machine interaction and its impact on safety. Specific studies of the human factor were carried out on a railway traffic supervision platform installed in the premises of the UTC. The objective of the experiments is to obtain information on the general cognitive processes involved in the management of a dynamic environment of mobile traffic and to contribute to the evaluation of the supervision system in a situation of use by operators confronted with the management of a nominal, normal and degraded situation. An interdisciplinary approach has been proposed in order to have a common model between specialists of human and social sciences and specialists of operational safety. This frame of reference was drawn from a systemic perspective of the study of safety thanks to the Functional Resonance Accident Model method. Two case studies illustrate the proposed approach.
  • Expression and validation of logical and physical security properties for critical computer systems.

    Jean louis BOULANGER, Walter SCHON
    2006
    Within the framework of our research activities, we are interested in the security of so-called critical systems (which, in case of failure, can cause serious damage to people or property). The security of such systems requires the expression of recommendations related to security. These recommendations can come from a client's request (clauses in the specifications), from the state of the art, from a legal reference (standards, decrees, orders, etc.) or from studies on the consequences of system failures on the environment, people, the company's brand image, etc. From the recommendations introduced in the customer's specifications, it is therefore possible to identify "requirements". It will then be necessary to demonstrate that these requirements are taken into account during the entire system realization cycle. In this thesis, we propose a method and examples of implementation based on the identification, expression and verification of security-related requirements.
  • Probabilistic and credibilistic approaches to quantifying the risk of producing non-compliant water.

    Sabrina DEMOTIER, Walter SCHON
    2004
    In order to minimize the sanitary and financial risks due to the distribution of drinking water that does not comply with the legislation, it is necessary to define an efficient treatment process without increasing the production cost. This thesis proposes an approach to help the design of a treatment system, based on the quantification of the risk of producing non-compliant water. In a first step, classical methods of operational safety (FMECA, fault trees, ...) are used to calculate the probability of non-conformity of the water at the plant outlet. This approach takes into account the quality of the raw water to be treated, the technical characteristics of the planned treatment process and the possible failures. In a second step, and in order to overcome the uncertainties and the lack of data of this model, the theory of belief functions is applied, which allows the degree of credibility in compliance with the legislation to be defined.
Affiliations are detected from the signatures of publications identified in scanR. An author can therefore appear to be affiliated with several structures or supervisors according to these signatures. The dates displayed correspond only to the dates of the publications found. For more information, see https://scanr.enseignementsup-recherche.gouv.fr