Philippe Bon’s research while affiliated with Gustave Eiffel University and other places


Publications (70)


Figure 1. The functional model
Figure 2. Permissions associated with the ETCSOrder class
Modelling and formal validation of railway operating rules
  • Conference Paper
  • Full-text available

June 2014 · 207 Reads · 1 Citation · Philippe Bon · [...]

The European Rail Traffic Management System (ERTMS) is a complex railway control/command and signalling system that implements European railway operating rules. This article proposes a case study based on two scenarios extracted from these rules: a nominal movement-authority scenario and an exceptional scenario of passing a stop signal. These scenarios combine functional and security aspects. Those aspects require, on the one hand, a functional model enriched with models describing the security policy and the permissions granted to the agents acting on the system, and on the other hand, formal validation. To do so, we used the B4MSecure platform, which is based on MDE (Model-Driven Engineering) and produces formal B specifications from UML models. The goal of the resulting specifications is to validate these scenarios with B animation and proof tools, so as to guarantee a rigorous analysis of both the functionality and the security policy.

Fig. 1. Roles and permissions associated with MA 
B Formal Validation of ERTMS/ETCS Railway Operating Rules

June 2014 · 338 Reads · 16 Citations

Lecture Notes in Computer Science

The B method is a formal specification method and a means of formal verification and validation of safety-critical systems such as railway systems. In this short paper, we use the B4MSecure tool to transform the UML models, fulfilling requirements of European Railway Traffic Management System (ERTMS) operating rules, into B specifications in order to formally validate them.


Fig. 1. Intensive requirements testing integrated in V-Model 
Fig. 2. (a) General structure of a RCS; (b) Simple conceptual view of a RCS
Fig. 6. General Framework Architecture of SMV 
Modelling and verification methodology for control systems

April 2014 · 104 Reads · 3 Citations

Modelling is a process dedicated to requirements analysis, whose purpose is to formalise informal representations of system requirements. Verification, by contrast, is a qualification process that detects and prevents failures in the models. Both approaches are increasingly used in industry to master the growing complexity of the systems being designed. The paper proposes a general modelling and verification methodology for real-time control systems, based on the reusability of domain experts' knowledge in order to encourage exchanges between similar projects. The paper presents the architecture of a platform dedicated to system evaluation, based on a generic reference model of real-time control systems.


Study of the implementation of ERTMS with respect to French national "non on board rules" using a collaborative methodology based on formal methods and simulation

April 2014 · 8 Reads · 5 Citations

Interoperability is a key parameter for the competitiveness of European railway systems. It is the condition for opening new markets and for offering new services. One of the critical points is the ability to deliver an efficient and safe service without resorting to transfers of passengers or equipment. One of the steps is compliance with a set of technical and operational regulations that guarantee that the essential requirements are verified. The Perfect project aims to contribute to the validation of an implementation of the European interoperability specifications on French territory. Concretely, ERTMS (European Rail Traffic Management System) defines only the technical and operational environment of the on-board equipment. The behaviour of trackside equipment is essentially governed by national law. This last aspect introduces a certain complexity into the safety analysis of the overall system. The project's main proposal is to study the consistency of the different specifications with one another, using formal tools and adopting the angle of safety. This problem, critical given what is at stake, is addressed in the literature only in a very fragmentary way.


Formal modelling methodology of French railway interlocking system via Hierarchical coloured Petri net

April 2014 · 10 Reads

ERTMS implementation in France combines ERTMS on board with national trackside equipment. The problem is that the whole system is hard to evaluate against safety requirements. The ordinary method of comparing railway standards relies on experienced experts comparing the detailed entries of each rule; its weakness is low productivity. The proposed solution is to set up formal specifications of ERTMS and of the local system in order to assess the safety of an ERTMS solution on a given French system. The railway interlocking system is a crucial link of the local system, and the methodology for establishing the formal Petri net model of French railway interlocking is the main focus of this work.


Fig. 1 Domain Independent Framework Architecture
Fig. 2 Concepts and properties of the domain ontology 
Fig. 3 Part of Guidance ontology Meta-model 
Dependency Graph for Requirements Structuring based on Guidance Ontology

December 2013 · 162 Reads

The modeling process aims to define and analyse requirements for testing physical-scale systems such as robotic surgery machines, railway signalling and control systems, nuclear reactor control systems, etc. These safety-critical systems, whose failure may result in severe human or physical damage, are designed to be testable and verifiable before their implementation. To understand the system specifications and its functionalities, different types of models are used, each reflecting the viewpoint of a particular scope. The process also aims at risk analysis and performance testing. Our approach is based on goal-oriented requirements elicitation, structuring and analysis. To automate these requirements engineering processes it is crucial that we involve expert knowledge, and the process needs to be split into several steps. This work is limited to presenting techniques for obtaining specification dependency graphs from a set of requirements in order to determine the global goal model. This paper presents a domain-independent framework for operational requirements modeling, together with a specification structuring technique based on a Guidance Ontology. The present work focuses on improving the performance of structuring techniques through pattern recognition based on a guidance ontology. This approach is shown to enable the automation of the structuring process by using domain ontologies as an expert knowledge base and as a means of knowledge capitalization.


Study of implementation of ERTMS with respect to French national rules using a B centered methodology.

October 2013 · 613 Reads · 9 Citations

Interoperability of the rail system within Europe is a key to its competitiveness. It aims at creating a rail network allowing transport that is safe, compliant with the required performance level of the lines, and which does not necessitate train transfers. This requires compliance with a set of rules and of technical and operational conditions which ensure that all the safety requirements are met. The main proposition is to contribute to the implementation of a European system for railway signalling called "European Rail Traffic Management System" (ERTMS) using a methodology based on B framework tools. The idea is to assist the writer of the national operating rules. The national operating rules are expected to define the precise implementation of the high-level ERTMS System Requirements Specification (SRS). They fulfil the national rules and refine the ERTMS specification in the context of a particular infrastructure. Some parts of the specification may be considered irrelevant in the context of some particular infrastructures. A second step consists in refining the needed behaviour so that the national safety conditions and the ERTMS can be proved to be fulfilled. The methodology proposes to represent all the needed information using the B formalism in a three-step methodology: the first step models the useful part of the ERTMS specification in the context of the considered infrastructure, yielding a requirements model. The second step consists in enriching the existing model with a precise description of the functioning of the infrastructure; more precisely, the interlocking implementation and the Automatic Train Protection (ATP) are taken into account, and a process model is obtained. The third step consists in consistency checking between the first two models: the second model should be a refinement of the first one, because it is a particular instantiation of the ERTMS requirements. When this is not the case, some proof obligations will not be validated by the proof assistant included in the B framework. The writer of the operating rules can then try to introduce new logical propositions so that the proof obligations are fulfilled. When these three tasks are achieved, the writer of the rule has a logical proof that the operating rule is a national instance of the ERTMS SRS. The focus of the paper is mainly on the second step.


Tropos For Embedded Real-time Control System Modeling and Simulation

July 2013 · 116 Reads · 4 Citations

Simulation is the imitation of a system or a process in order to manage the complexity of the simulated system or to optimize its performance. This paper presents an agent-based strategy for modeling and simulation. We introduce some modelling methodologies in order to determine the most adequate technique for dealing with embedded control systems. We also introduce the Tropos and Agentology methodologies by describing the concepts used and how they are integrated with the current stages of Tropos and of Multi-agent System methodology. The above is illustrated using an embedded real-time control system as a case study.


From a Solution Model to a B Model for Verification of Safety Properties

January 2013 · 25 Reads · 20 Citations

JOURNAL OF UNIVERSAL COMPUTER SCIENCE

In the context of safety requirement engineering, model transformation is a task of interest. Indeed, it allows us to keep all the requirements while switching from one point of view to another. The presented work assumes that a valid solution has been found and proposes an approach in order to build a valid implementation. As some fine dynamic properties are integrated into the specification, high-level Petri nets are used to specify and verify the solution. Then, considering an industrial railway context, the transformation of the Petri net model in order to provide an input to a B process is considered. This last consideration leads to a proposition of a systematic direct transformation of the Petri net model into abstract B machines. The approach is illustrated by a theoretical railway example. The limitations of this approach are discussed at the end of the paper and some prospects are detailed.


Integration of B Activity into a Global Design Process of Critical Software

December 2012 · 50 Reads

Procedia - Social and Behavioral Sciences

The adequacy of the B method for producing a valid software implementation is well known, particularly in the guided transport domain. However, a substantial amount of work has to be performed on the informal specification before entering the B process. Many requirements are difficult to express and to assess using formal methods, so human expertise cannot be avoided. The upstream requirements analysis may be assisted by a graphical tool using UML notations. Nevertheless, the main problem to be solved may be the choice of the adequate tool.


Citations (43)


... Luxton and Marinov (2020) discuss risk assessment regarding terrorist attacks on railway systems and suggest implementing a revised passenger searching mechanism to efficiently identify and eliminate any suspicious objects and individuals in order to ensure passenger and rail infrastructure protection. In case of a CBRNe scenario, this would imply not only the use of adapted sensors for detection of chemical or radiological substances (e.g., Collart-Dutilleul et al., 2018), but also good levels of staff training, public awareness and cooperation with the highly trained CBRNe first responders (e.g., firefighters, civil protection, ambulance, law enforcement agencies (LEAs) or even the military), as pointed out by Havârneanu and Petersen (2019). ...

Reference:

Preparing railway stakeholders against CBRNe threats through better cooperation with security practitioners
A passenger flow oriented security and safety approach in international railway stations
  • Citing Conference Paper
  • April 2018

... Noise data are generated by incorrect operation when drivers are nervous. This information has a greater impact on a small number of data sets [24], so this part only focuses on a small number of data sets. Considering the classification performance and computational cost, the redundant and noisy data are filtered by the KNN-based method. ...

Engineering for Critical Systems: The Automatic Train Operation over European Train Control System for Freight Trains Use Case

International Journal of Transport Development and Integration

... This formal verification consists in discharging a set of proof obligations generated from the Event-B specification. These proof obligations are of type invariant preservation, feasibility of non-deterministic actions and well-defined-ness [18]. Finally, the main methodological contribution is a SysML based approach for system modelling and refinement-based approach for conformance assessment. ...

Modeling Train Systems: From High-Level Architecture Graphical Models to Formal Specifications
  • Citing Chapter
  • May 2023

Lecture Notes in Computer Science

... By repeatedly adjusting the environmental model and our own model, we eventually learn to operate in an unknown environment. This also ensures the security of systems [18,19,6,20]. ...

Identifying Alterability States of a Single Track Railway Line Control System

International Journal of Computers, Communications & Control (IJCCC)

... The literature review related to ERTMS implementation issues is extensive and covers a wide spectrum of issues starting from development of the formal methods for signalling and interlocking systems [2][3][11], through the issues related to the automatic protection systems [23], safety problems [9], risk assessment [4,17], ERTMS capacity [14], communication [12], challenges connected with introduction of ETCS Level 3 [10] and finally the implementation problems [13]. Despite so many publications available from the scientific world, there are no known studies that can serve as sources providing a basis for the further analysis presented in this article, other than documents of the manufacturers of ERTMS equipment and issued by ERA. ...

A Colored Petri Net Model for Control Problem of Border Crossing Under Constraints
  • Citing Conference Paper
  • May 2022

... AI regulations must raise trust levels and encourage users to upload their private information online. Policymakers and legislators should collaborate to develop a robust artificial intelligence regulatory framework and control systems for preventing the abuse of personal data [143]. In addition, global-scale agreements must be adopted with common goals that are flexible and accommodate global contexts. ...

SoREn, How Dynamic Software Update Tools Can Help Cybersecurity Systems to Improve Monitoring and Actions

JOURNAL OF UNIVERSAL COMPUTER SCIENCE

... The importance of interoperability in the railway sector and especially at the level of signaling has aroused interest globally in the world [15], but especially on the European continent where mobility between countries is obvious. Thus, several initiatives focusing on interoperability have emerged as listed in [2] with a focus on managing interfaces in borders as mentioned in [16]. We consider as examples: a. ERTMS: The ERTMS [4] is the standard system managing the interpretation of signaling information by the onboard system to significantly increase the safety, efficiency of rail transport, and cross-border interoperability of rail transport in Europe. ...

Crossing Border in the European Railway System: Operating Modes Management by Colored Petri Nets
  • Citing Chapter
  • March 2021

... As Europe is the continent that offers the most interconnected railway network between countries, the European community has carried out several projects with a view to meeting this need for interoperability [2]. However, only European rail traffic management system (ERTMS) [3] has been able to reach the stage of deployment at the continental level and this system is in deployment in many countries outside Europe because it offers standard requirements that facilitate the purchase process through a large number of suppliers of subsystems are different. However, the interoperability between interlockings themselves still needed to get better use of the technological evolution of computer interlocking, especially on borders between countries. ...

Designing Operating Rules for ERTMS Transnational Lines
  • Citing Chapter
  • March 2021

... Its role is to prevent problems such as misrouting and collisions during train operation [2], while monitoring important information such as each train's geographic location, speed, and direction in real time to ensure safe train operation. During the long-term operation of railway signals, the interlocking control system will inevitably experience malfunctions, which can be caused by the aging of the control equipment or sudden situations [3]. If these malfunctions are not diagnosed in a timely manner, they may lead to serious accidents in railway operation. ...

Towards safe and secure computer based railway interlocking systems
  • Citing Article
  • July 2020

International Journal of Transport Development and Integration