Content uploaded by Juliette Marais
Author content
All content in this area was uploaded by Juliette Marais on Sep 24, 2015
Content may be subject to copyright.
Dependability evaluation of a GNSS and ECS based
localisation unit for railway vehicles
Khanh NGUYEN, Julie Beugin, Juliette MARAIS
To cite this version:
Khanh NGUYEN, Julie Beugin, Juliette MARAIS. Dependability evaluation of a GNSS and
ECS based localisation unit for railway vehicles. ITST 2013, 13th International Conference on
ITS telecommunications, Nov 2013, Finland. 6p. <hal-00930588>
HAL Id: hal-00930588
https://hal.archives-ouvertes.fr/hal-00930588
Submitted on 14 Jan 2014
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of sci-
entific research documents, whether they are pub-
lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destin´ee au d´epˆot et `a la diffusion de documents
scientifiques de niveau recherche, publi´es ou non,
´emanant des ´etablissements d’enseignement et de
recherche fran¸cais ou ´etrangers, des laboratoires
publics ou priv´es.
Dependability evaluation of a GNSS and ECS based
localisation unit for railway vehicles
T.P.K.Nguyen, J. Beugin, J. Marais
Univ Lille Nord de France
IFSTTAR - COSYS
The French Institute of Science and Technology for Transport, Development and Networks,
COmponents and SYStems Department, Villeneuve d’Ascq, France
Emails: khanh.nguyen, julie.beugin, juliette.marais@ifsttar.fr
Abstract—Today, GNSS-based solutions (Global Navigation
Satellite Systems) facilitate the implementation of the train
localisation function on-board the vehicle. In the railway context,
as a train has to travel different zones on its itinerary, multiple
obstacles in these environments can cause different signal per-
turbations: multipaths, signal delays and masking phenomena
that lead to negative consequences on the position accuracy. To
reinforce the position quality, a localisation system, developed in
the GaLoROI european Project and based on the combination of
sensors such as a GNSS receiver and an Eddy Current Sensor,
is studied. In this paper, we present a procedure and a model,
which aims at evaluating the dependability of this system under
local impacts of different railway environments. It allows us
analysing complex behaviours of the sensor fusion component
on the availability and accuracy of data provided by GNSS &
ECS sub-systems and also to take into account the reliability
parameters of hardware components.
I. INT ROD UC TI ON
One of the keys in automatic train control systems is
localisation of railway vehicles. It generally relies on track side
components. However, such devices lead to high maintenance
costs and also expensive investment costs for infrastructure
deployment. For several years, the evolution of the localisation
from trackside to trainborne side is a promising solution for
this issue. In fact, no infrastructure installation has to be in
relation with the on-board system and its maintenance can be
easily done during the frequently checks of the trains.
By offering an interoperable worldwide solution, Global
Navigation Satellite System (GNSS) becomes an advantageous
solution for on-board localisation units. That is the reason
why, numerous articles analysed if the performances of GNSS
systems satisfy the railway requirements, in particular for
safety-related applications. Indeed, using experimental results,
[4] concluded that a standalone GPS/GLONASS satellite nav-
igation system and also its combination with inertial navi-
gation systems (INS) do not meet the strong safety-related
requirements mentioned in railway standards. This point of
view is reinforced in [3]. The authors showed the unavail-
ability probability of the GNSS-based train localisation unit in
different zones like tunnels, urban, wooded and railway cutting
environments is far to attain the expected safety integrity level
and needs to be augmented by other navigation sensors in
order to overcome GNSS outage situations. In a recent study,
authors of [13] performed numerous test runs on the High Tatra
mountain railway line in order to evaluate RAMS parameters
of a GNSS based localisation unit. They showed that the
performances of GNSS cannot meet the railway requirements
in a forest zone and suggested to integrate other on-board
localisation sensors.
These above studies emphasized the necessity of rein-
forcing the performances of GNSS localisation unit by other
sensors when they are used in safety applications. However,
identifying an appropriate configuration associated to a data
combination strategy that meet railway requirements remains
an issue. This question is considered in [1]. From the dis-
cussion about a short-listing of data fusion options between
GNSS signals and other sensors, the authors highlighted one
of the advantages of the Eddy Current Sensor (ECS) compared
to INS, which is the avoidance of velocity errors due to
slip/slide. In fact, the combination between GNSS signals and
ECS signals permits to overcome the disadvantages of each
component taken separately and to increase the accuracy and
robustness of the global localisation unit.
In this context, the GaLoROI project (Galileo Localisation
for Railway Operation Innovation), which aims at developing
a certifiable, safety-relevant, and satellite-based localisation
unit for low density railway lines, is ongoing. The operation
principle of GaLoROI is to combine satellite positioning data
with satellite-independent data, here provided by an ECS,
in order to provide a safe, accurate and continuous train
position. The development process of this new localisation
system requires to evaluate performances and dependability
parameters according to EN50126-1, 2 & EN 50129 ( [5]–[7]).
The dependability parameters, i.e. the Reliability, Availability,
Maintainability (RAM) parameters are used in the railway
domain to characterize the conditions that maintain the system
in a state to deliver a correct required service during operations.
In this paper, we present the first step of the dependability
assessment process for GNSS & ECS based localisation unit,
the core part of the GALOROI system. The quality of GNSS
signals degraded by local phenomena in railway environment
and also, the complex behaviours of the sensor fusion, pose
multiple challenges for analysing failure causes of the localisa-
tion service and for evaluating its dependability. In this article,
we propose a new methodology that meets these challenges.
The paper is structured as follow: in Section II, we will de-
scribe the system and its components under the dependability
aspects. The issues, which concern qualitative and quantitative
evaluations of the system dependability, will be presented in
Fig. 1. System concept
Section III. Finally, Section IV presents the conclusion and the
future research works.
II. DE SC RI PT IO N OF T HE O N-BOAR D LO CA LI SATI ON U NI T
AN D IT S ER ROR C ON DI TI ON S
Figure 1 presents the working principle of the localisation
unit. Every data from both GNSS and eddy current sensors
contain information about the position and the velocity of the
train and are combined in a fusion component. This process is
implemented in a computer that integrates a digital track map.
With a data fusion algorithm that includes a map-matching
process, an accurate train position can be calculated in real-
time.
Satellite based localisation unit
The GNSS antenna is used to collect the data that are
emitted from satellites. These data, which contain the satellite
ephemeris, a set of parameters that describe the satellite orbit,
are sent to the receiver. Based on measurements of the signal
propagation time between a satellite and a receiver, a pseudo-
distance can be calculated. Using the ephemeris and pseudo-
measurements, the receiver position is generally obtained in
real-time. Normally, 3 visible satellites are required for the
position estimation. However, in order to overcome errors due
to a clock deviation between a satellite and a receiver, the
localisation is performed if there exists at least 4 satellites.
The advantage of GNSS localisation unit is to provide
worldwide available and highly accurate measurements that
are not prone to drifts in contrast to the INS. However, for
the dependability analysis of the satellite navigation, multiple
error sources can lead to a poor positioning:
•errors in space such as satellite failure, ephemeris
errors, orbit errors,
•errors in propagation environment such as ionospheric
& atmospheric delays, meteor impact, multipath devi-
ations, interference impacts, satellite shadowing,
•failures in user hardware equipment, in particular an-
tenna failures or receiver failures (their corresponding
failure rates are hereafter called αaand αr).
Eddy current sensor
The second localisation device, the ECS, gives a speed
value, a distance value and the direction of the vehicle. In
the sensor unit, there are two coil systems that are placed
along the rail direction with a fixed distance between them
of Lm. Each coil system generates a time varying signal that
represents the variation of the eddy currents along the rail.
By an analysis of electromagnetic signal correlation, the time
delay (∆T) between the signals from the two coil system is
obtained. The actual speed with which the train runs along the
track is then calculated: v=L/∆T. Furthermore, the direction
of the movement can be detected. Thus the ECS measurements
are totally independent of the slipping or slidding errors.
The ECS is not affected by weather conditions such as rain,
snow, ice, etc, or by pollution. The impact of interferences
due to electrical conductors near rails is also non-significant.
Therefore,the dependability of ECS device is considered using
only its hardware failure rate called αe.
Digital track map
The digital track map is stored in a computer that performs
the data fusion function. It comprises all relevant track infor-
mation such as length of track sections, geo-coordinates to the
track elements, hazard areas. These information are customised
and updated for particular application area.
The consistency checks for track map information are
performed only at the program start of the localisation unit.
If any errors are detected, the program is stopped. Therefore,
when the program starts successfully, we do not consider the
possibility of errors caused by the digital track map.
Fusion component
The position information coming from the GNSS receiver
and from the ECS are sent to the fusion component every T
s. Then the fusion component combines these data to ensure
reliable positioning results. In [2], an example of data fusion
approach for a satellite-based localisation unit is provided and
is based on an Extended Kalman Filter. By discussing about
the approach limits, the author also suggests an idea that is
to use the digital track map as a further source in order to
overcome the lack of information in the case of sensor faults.
In fact, a data fusion approach combined with a map-matching
algorithm is being currently developed in the GaLoROI project
[12]. For the dependability analysis in this paper, we do
not mention the algorithm and we are only interested in the
position results at the fusion component output. By analysing
the fusion component behaviours, we find that an estimated
position in output of the system is considered as incorrect if
one of the following states occurs:
•Unavailable ECS and GNSS data: If there is no ECS
and GNSS data for more than T1s, the output of the
fusion can be considered as false.
•Unavailable GNSS data: If GNSS data are missing for
more than T2s the confidence interval linked to output
data will increase quickly. In that case, the position is
not trustworthy and considered as false.
•Unavailable ECS data: If the ECS data are missing
but GNSS measurements are available, the system can
estimate the train position and the process goes on.
Note that the inaccurate measurements of the ECS are
not considered because no reliable criterion allows us
to judge whether a ECS measurement is invalid.
•Inaccurate GNSS data:
◦At least kconsecutive position errors of the
receiver that are greater than xmeters (P Er>
x) can lead to a position error in output of
the fusion component that exceeds the user
tolerance limit.
◦If the ECS data are missing, at least lcon-
secutive position errors of the receiver that
are greater than xmeters (P Er> x) can
lead to a position error in output of the fusion
component that exceeds the tolerance limit.
Note that due to the efficiency of the fusion,
the impact of position errors at the receiver
output on the global position result will be
reduced if there exists valid ECS data, thus
k > l.
On the other hand, we also consider material failures of the
fusion component using the failure rate αf.
III. FIR ST S TE P OF T HE D EP ENDAB IL IT Y EVAL UATIO N OF
TH E LO CA LI SATI ON U NI T
The first step of the dependability evaluation is to define,
analyse and evaluate the service failures of the system. From
railway user’s point of view, the positioning function is con-
sidered as failed in the following cases:
•Case A - unavailable output of the fusion component.
In this case, the localisation service expected by the
user is interrupted.
•Case B - untrustworthy position, i.e. the position result
has a large estimated confidence interval. In this case,
the service is still delivered. However, the position
result with its large confidence interval cannot be used
in safety-relevant train control applications.
•Case C - estimated position is outside accuracy bound-
aries. In this case, the localisation service expected by
the user is failed but is not recognized by the system
or the user.
The combinations of causal events leading to each above
mentioned case will be identified by the qualitative analysis
presented in the next subsection. The probability of each case
will be evaluated in the subsection related to the quantitative
analysis.
Qualitative analysis of dependability of the positioning service
As mentioned previously, the qualitative analysis of the
GNSS and ECS-based localisation system encounters multiple
challenges because of specific properties of the GNSS signals
and because of complex behaviours of the fusion component.
On the one hand, common analyses of dependability cannot
adaquately take all perturbations affecting GNSS signals into
account, especially local impacts of railway environments. In
order to overcome this difficulty, we model the GNSS receiver
output using 4 states:
1) Correctly estimated position, i.e. when the difference
between the true position, unknown for the user, and
the estimated position is inferior than a tolerance limit
laid down by user requirements: P Er≤xm.
2) Incorrectly estimated position, i.e. when the estimated
position is outside accuracy boundaries: P Er> x
m. Consecutive position errors can lead to a failed
service of the global localisation unit.
3) Position is not delivered because, at the receiver
input, the number of valid signals received are in-
sufficient (Missing-GNSS-signal).
4) Position is not delivered because of an hardware
failure.
In the next subsection, the transition probabilities between
these states can be identified using data collected from:
•simulations [3],
•real tests [13].
Note that in both articles [3], [13], the authors only focus on
the important impact of local phenomena and do not consider
the hardware failures. This aspect is also examined in our paper
with relevant hardware failure rates.
On the other hand, a new approach that allows the analysis
of the dynamic behaviours of the fusion component is required.
This approach has to consider at each sampling instant if sensor
data are available and accurate, and has also to handle temporal
dependencies.
In reliability and safety studies, the traditional fault tree
method (FT) [8] is widely used because it is suitable for both
qualitative and quantitative analyses. In fact, it provides an
ideal framework for deductive analyses that look for various
possible combinations of causal events leading to the top event
(feared event). It also allows the calculation of probabilities
related to the combinatorial logic gates. However, this method
is not sufficient to capture behaviours and interactions of
components of complex and hybrid systems that integrate both
continuous and discrete dynamic behaviours. The Dynamic
Fault Tree method (DFT) [14] is an extension of the FT method
by defining additional dynamic gates in order to attain a higher
level of systems’ dependability analysis. This method allows
the analysis of failure sequences, functional dependent failures
or priorities on failure events. Moreover, the FT method with
time dependencies between events (TdFT) [10] is also useful. It
allows duration conditions leading to hazards to be considered
inside logic gates. In order to combine advantages of the above
methods aiming at capturing the fusion component behaviours,
we present in this subsection a hybrid fault tree model.
Let us consider the FT in Figure 2, which analyses failed
outputs of the fusion component, those failures intervene in
the three cases A, B and C. The unavailable output (Case A)
is caused by a material failure (Basic Event 1 - BE1) or by a
software error in the fusion component (Undeveloped Event -
UE). The material failure occurs with a failure rate αfwhile
the software error is not analysed in the framework of this
paper.
The untrustworthy position (Case B) can be caused by a
lack of both GNSS and ECS data for more than T1s(called
Intermediate Event 1 - IE1) or by missing GNSS data for more
than T2s(Intermediate Event 2 - IE2).
Fig. 2. Hybrid Fault Tree of service failure
BE1: material failure of the fusion component
BE2: ECS failure
BE3: antenna failure
BE4: receiver failure
BE5: missing GNSS signal (signal in space)
BE6: position error at the receiver output > x m
IE1: lack of both GNSS and ECS data for more than T1s
IE2: missing GNSS data for more than T2s
IE3: missing GNSS data
IE4: GNSS hardware failure
IE5: at least kconsecutive position errors of the receiver > x m
IE6: at least lconsecutive position errors of the receiver > x m|
ECS fails
UE: software error in the fusion component
Next, the IE1 is the output of a causal AND gate (defined
in [10]) having in input ECS failure (Basic Event 2 - BE2) and
missing GNSS data (Intermediate event - IE3) with a duration
greater than T1s. The output of the causal AND gate only
happens when its inputs occur together during the given period
of time. The IE3 has in input the BE5 - Missing of GNSS signal
(state 3 of receiver output) or IE4 - GNSS hardware failure
(state 4 of receiver output) caused by an antenna failure (BE3)
or receiver failure (BE4). Similarly, the IE2 is a duration gate
output (DUR gate) having in input the IE3 for more than T2
s. The DUR gate is defined by the occurrence duration of the
input during a given period of time.
The case C is caused by IE5 - at least kconsecutive P Er>
xmor IE6 - at least lconsecutive P Er> x m when ECS
fails. We define in this paper the consecutive gate (CON gate).
Its output only happens when its input consecutively occurs at
least Ntimes. The IE5 is the CON gate output of kconsecutive
events P Er> x m(BE6, state 2 of the receiver output). Next,
the IE6 is characterized by the priority-AND gate (PAND gate
defined in [14]) of a ECS failure (BE2) and a CON gate of l
consecutive events P Er> x m(BE6). The PAND gate output
only happens when its inputs occur from left to right.
With a dynamic gate (PAND gate) and time dependency
gates (Causal AND gate, DUR gate, CON gate), the proposed
hybrid fault tree allows the complex behaviours of the fusion
component to be captured and characterized. Then, the causes
Fig. 3. DSPN structure for hardware states of components
that lead to failed outputs can be studied. However, the
analytical evaluation of the system availability in terms of a
structure function is a complex issue and is not performed
within the framework of this article. For the quantitative
analysis, the service failure probability will be evaluated by
another approach presented in the next subsection.
Quantitative analysis of dependability of the positioning ser-
vice
Based on the hybrid fault tree presented before, the Dy-
namic Stochastic Petri Net (DSPN) is used to quantitatively
analyse service failures. This method is widely employed in de-
pendability assessments and allows time dependent behaviours
in a system to be taken into account. An event transition in a
DSPN can occur according to the three following ways:
•immediately when all guard conditions are satisfied
(type 1)
•after a constant delay (type 2)
•after an exponentially distributed probabilistic delay
(type 3)
The quantitative analysis is performed according to the
three following steps:
•Step 1 - model the evolution of sub-system states over
time.
The hardware states of ECS, antenna, receiver, fusion
component is modelled by two PN places: OK and
Failure places (Figure 3 illustrates the receiver exam-
ple). Their failure events and reparation actions are
characterized by two transitions of type 3 associated
to the corresponding failure rates (see values in Table
I) and with a reparation rate of 1/24 h.
Based on the qualitative analysis, the 4 states of the
receiver output are modelled in the DSPN illustrated
in Figure 4. The transitions between the states 1/2/3
only occur when no material failure exists. Their
probabilities are calculated from the simulation data
used in [3]. The transitions from these three states
to state 4 (hardware failure state) immediately occur
Fig. 4. DSPN structure for position results of GNSS receiver
Fig. 5. DSPN structure for CON gate of N consecutive events
when there exists at least a material failure of a
component. Finally, after a reparation action, if all
components are OK, the transition from state 4 to
one of the three states 1/2/3 is fired after the time to
first fix (TTFF) of the receiver.
•Step 2 - model dynamic logic gates.
The translation of OR, PAND, DUR gates to the
corresponding DSPN structure is proposed in [11].
The Causal AND gate is modelled by a combination
of AND and DUR gate. Finally, we propose in this
paper the CON gate model. It is described in Figure 5.
•Step 3 - model and evaluate the global behaviour of
the system.
The probability of the top event of the hybrid fault
tree is evaluated using the DSPN simulation results.
TABLE I. IN PUT PA RAM ET ERS F OR EVAL UATIN G TH E FAIL URE
SE RVIC E OF SY ST EM
Missing time & Number T1T2k l
of consecutive PE 3 s 60 s 2 6
Failure rate (/10−6h) αaαrαeαf
4 4.08 2 6.06
TABLE II. PRO BAB ILI TY O F SERV ICE FA IL URE I N DI FFER EN T
EN VIRO NM ENT S
Urban Tunnel Woody Railway
Cutting
Service failure 1.65E−41.53E−27.59E−27.17E−4
Fusion
component 3.42E−6
failure
Missing GNSS
during 60s
4.1E−61.53E−24.1E−64.1E−6
Missing ECS &
GNSS during 3s
8.34E−11 6.63E−77.4E−10 3E−9
Failed ECS &
2 consecutive
P Er>50 m
1.63E−802.73E−72.95E−8
6 consecutive
P Er>50 m
1.57E−407.59E−27.1E−4
TABLE III. CO MPAR AIS ON O F THE AVE RAG E AVAIB IL ITY O F EC S AND
GNSS LO CAL IS ATION U NI T AND S IN GLE G NSS LOC AL ISATI ON U NIT [ 3]
Environment ECS & GNSS unit Single GNSS unit
Railway Cutting 99.93% 87.76%
Urban 99.98% 93.88%
Woody 92.41% 60.23%
Tunnel 98.45% 15.57%
There are numerous tools to create and evaluate a DSPN. In
this paper, we use the Petri Net module of GRIF platform [9]
to illustrate the performance of our model. The dependability
assessment of the global localisation unit on a mission of 1
hour is based on the following assumptions:
•The system is considered to be fault free at the start
of the mission.
•Failed components are repaired after the tests (µ=
1/24 h) and the TTFF of the global system is 180 s.
•Consecutive position errors of GNSS receiver output
of more than 50 m can lead to a position error of the
global system (estimated position is outside accuracy
boundaries).
•Other parameters that characterize system behaviours
are given in Table I.
Table II gives the results of the quantitative analysis for the
GNSS and ECS based localisation system. The probabilities
of intermediate events (IE) that directly lead to the Top event
(TE) are respectively presented in the right part of the Table.
By considering the probability of TE (service failure) and IEs,
we see that the principal cause of a service failure is the
impact of the operational environment on the GNSS output.
For example, in woody environment, the IE5 (more-than-
6-consecutive-GNSS-PEs) with an occurrence probability of
7.59E−2is the critical event that leads to the global service
failure. In tunnel environment, the occurrence probability of
IE5 is reduced and is non significant while the IE2 (missing-
GNSS-data-for-more-than-60s) with its occurrence probability
of 1.53E−2becomes the principal cause of TE.
By considering Table III, the service availability of global
system are improved significantly when compared with a
single GNSS-based localisation unit at the accuracy level of 50
m [3], especially in areas of low GNSS signals. For example, in
tunnel environment, the service availability is reinforced from
15.57% to 98.47%.
IV. CON CL US IO N
On-board localisation equipment in railway systems can
beneficially evolve using GNSS. Moreover, the combination
of GNSS sensors to ECS sensors can improve significantly
the positioning quality in case of GNSS outage situations.
However, such configuration poses numerous challenges when
analysing and evaluating the system dependability. We have
presented in this paper a hybrid fault tree model aiming at
performing the dependability assessment of a GNSS-based
and ECS-based localisation unit. Using dynamic gates (PAND
gates) and new time dependency gates (Causal AND gates,
DUR gates and CON gates), the hybrid fault tree method
is powerful for analysing complex behaviours of numerous
systems.
For the qualitative evaluation of dependability of the stud-
ied system, the method analysed dynamic and time-dependent
behaviours of the data fusion. Additionaly, the model of the
receiver outputs considers local impacts of different railway
environments and the hardware failure probability.
The quantitative analysis was implemented by translating
the elements of the hybrid fault tree toward DSPN. Then, we
used an existing tool -the Petri net module of GRIF platform -
in order to evaluate the probability of the global service failure.
The results illustrated the efficiency of integrating an ECS
into a satellite-based localisation unit. However, for a safety
application ensuring a safe railway traffic, this configuration
is not sufficient as the safety requirement for the localisation
function is not met. It has to be reinforced by a redundant
equipment. This principle is adopted for the GaLoROI system.
These above results are preliminary conclusions obtained
using the illustrated numerical example of [3] based on simu-
lation data. As the system is totally new and is still developing,
real data are not yet available to tune the model of the
system. In future work, after the system tests in operational
environments will be completed, we will analyse experimental
data and will apply them into the model for RAMS assess-
ments. Furthermore, a more efficient algorithm to improve the
implementation time of Petri Net for quantitative evaluation
could also be developed.
V. ACKNOWLEDGEMENTS
This research was conducted as part of the GaLoROI
project (Galileo Localisation for Railway Operation Innova-
tion) supported by the European commission. GaLoROI is an
integrated research project within the European 7th Framework
Programme.
REF ER EN CE S
[1] A. Acharya, S. Sadhu & T.K. Ghoshal, Train localization and parting
detection using data fusion, Transportation Research Part C 19, 2011,
75-84
[2] F. Boehringer, Train location based on fusion satellite and train-borne
sensor data, Proc. SPIE 5084, Location Services and Navigation Tech-
nologies, 76 (August 6, 2003); doi:10.1117/12.487062
[3] J. Beugin, J. Marais, Simulation-based evaluation of dependability and
safety properties of satellite technologies for railway localization, Trans-
portation Research Part C 22, 2012, 42-57.
[4] A. Filip, L. Bazant, H. Mocek & J. Cach, GPS/GNSS based train position
locator for railway signalling, Computers in Railways VII, 2000, ISBN
1-85312-826-0
[5] EN 50126-1, 2000. Railway applications specification and demonstration
of reliability, availability, maintainability and safety (RAMS) Part 1.
CENELEC European standard (European Committee for Electrotechnical
Standardization).
[6] EN 50126-2, 2007. Railway applications specification and demonstration
of reliability, availability, maintainability and safety (RAMS) Part 2:
Guide to the application of EN50126-1. CENELEC European technical
report (European Committee for Electrotechnical Standardization).
[7] EN 50129, 2003. Railway applications communication, signalling and
processing systems safety related electronic systems for signalling.
CENELEC European standard (European Committee for Electrotechnical
Standardization).
[8] Fault Tree Handbook, U.S. Nuclear Regulatory Commission, Washing-
ton, DC, 1981, NUREG-0492.
[9] GRIF - GRaphical Interface for reliability Forecasting, http://grif-
workshop.com/grif/petri-module/
[10] J. Magott, P. Skrobanek, A Method of Analysis of Fault Trees with Time
Dependencies, Computer Safety, Reliability and Security Lecture Notes
in Computer Science Volume 1943, 2000, pp 176-186.
[11] B. Kaiser, C. Gramlich, State-Event Fault Trees - A Safety Analysis
Model for Software Controlled Systems, Computer Safety, Reliability,
and Security Lecture Notes in Computer Science Volume 3219, 2004,
pp 195-209.
[12] M. Lauer, D. Stein, Algorithms and Concepts for an Onboard Train
Localization System for Safety-Relevant Services, IEEE ICIRT - Inter-
national Conference on Intelligent Rail Transportation, Beijing, China,
2013, 6p.
[13] D.Lu, F. G. Toro and E. Schnieder, RAMS Evaluation of GNSS for
Railway Localisation, ICIRT 2013 - IEEE International Conference on
Intelligent Rail Transportation, Beijing, China, August 2013.
[14] G. Merle, Algebraic modelling of Dynamic Fault Trees, contribution
to qualitative and quantitative analysis, PhD thesis of Ecole Normal
Sup´
erieur de Cachan, 2010.