This approach requires us to modify certain practices. Risk analysis generally takes place during the system development cycle and during the development of associated application software. The system design processes include a feasibility analysis stage, where designers define the characteristics of the environment and identify the associated risks. In this chapter, we will show that system risk analysis can be carried out using a formal model. This formal model can be used as a reference point, as a tool to support reflection and as a tool for analyzing the impact of changes. Our aim in this book is to provide an approach for the formalization and monitoring of risks, taking account of the requirements of system components (software and hardware). The proposed methodology is based on the use of the formal method known as the “B method” [ABR 96].

This methodology conforms to the requirements set out in the European Committee for Electrotechnical Standardization (CENELEC¹) reference document for application to rail transport systems. This document consists of three standards: EN 50126 [CEN 99], EN 50129 [CEN 03] and EN 50128 [CEN 01, CEN 11]. These three standards recommend the implementation of a process based on the notion of requirements, with consideration given to operational safety throughout the whole system design cycle.

This chapter is divided into four sections. First, we will present the standard safety procedures used for rail transport systems. Then, we will establish a methodological context. Next, we will present a case study, analyzing the risk of collision between two trains. Finally, we will present a formal model and analysis. We will conclude by considering the methodology and its implementation.

With terrestrial transports, as indicated in [BAR 90], accidents may be categorized into different classes:

– System-initiated accidents: the users of the system are in a passive position and are victims of the damage, which can be attributed to failures on the part of the staff (maintenance, intervention, operation, etc.), to failures internal to the system or to anomalous circumstances in the environment.

– User-initiated accidents: this category refers to events surrounding one or several users (malaise, panic, suicide, etc.).

– Accidents initiated by a system–user interaction: as opposed to the previous category, in this case the user is active and interacts with the system. Incorrect use of the system lies at the root of this type of accident (e.g. non-compliance with the audio signal for door closure).

In aiming to avoid accidents, we must take account of the possibility of these accidents occurring when creating a system. The definition given above highlights the notion of an event, which may be refined by considering the notion of undesirable events (see definition 1.2).

We can distinguish between two types of damage: individual damage and collective damage.

A user-initiated accident is likely to provoke damage to individuals, whereas the remaining two categories can cause damage either to individuals or collectivities. Once the category is identified, the level of severity of the accident² can be determined: insignificant (minor), marginal (significant), critical and catastrophic.

In [HAD 98], which applies exclusively to the context of rail transport, the authors proposed an accident typology connecting categories of accidents, potential accidents, damage types, severity levels, types of danger and dangerous elements. This typology allows us to establish links between dangerous elements, such as a lightning strike, and system accidents, such as a train collision.

The “accident” situation is definitive; the concept of potential accidents is therefore a useful one. The notion of a potential accident refers to a known situation which may lead us to an accident.

For rail transport systems, the list of potential accidents (see definition 1.3) includes derailment, passengers falling, collision, dragging or trapping individual victims, electrocution, fire, explosions, flooding, etc.

Figure 1.1 is taken from [HAB 95]. It shows an example of the classification of a potential accident, in this case a collision. The potential accident situation is linked to the notion of danger (see definition 1.4).

A danger (see definition 1.4) is therefore a dangerous situation, the consequences of which may be damaging to human life (injury or death), to society (loss of production, financial loss, damage to image, etc.) or to the environment (damage to the natural and animal world, pollution, etc.). The terms “danger” and “threat” are used on the basis of whether the origin is random or voluntary (deterministic). The term “threat” is therefore used in the context of safety and/or security/confidentiality activities.

Dangers may be grouped into three categories: dangers created by the system or its equipment, dangers created by human activity (operator errors, maintenance errors, passenger actions, etc.) and dangers linked to unusual environmental circumstances (earthquakes, wind, fog, heat, humidity, etc.).

For a given system, dangerous situations are identified through systematic analysis, which consists of two complementary phases:

– an empirical phase, based on feedback (existing lists, accident analysis, etc.);

– a creative and/or predictive phase that may be based on brainstorming, forecasting studies, etc.

The notion of danger (dangerous situations) is directly linked to the notion of fault.

Figure 1.2 shows the pathway leading from an undesirable event to an accident. Note that the potential accident will only occur with the right operational context. For example, if a driver fails to follow a red light when moving onto a different line, the risk of an accident is much lower if this line is a small one with little traffic than if the train is joining a main line with high traffic levels. The passage from an undesirable event to a dangerous situation is linked to the technical context in a similar way.

Figure 1.3 shows the full sequence of events from a cause to a potential accident (see [BLA 08], for example, for further details). The notion of causes is used to bring in different types of faults which may affect the system, such as faults concerning one or more functions (a function may be associated with multiple parts of the internal equipment), equipment faults, human error or external factors (electromagnetic compatibility (EMC), etc.).

Figure 1.4 shows the combinatorics involved in a potential accident. Analysts must then identify representative scenarios (cause/undesirable event/dangerous situation/potential accident).

– Risk analysis is performed at the system specification level. Undesirable events are identified by safety engineers and the risk analysis checks that system specifications are robust enough to prevent these events from occurring. A system safety framework is used to describe the activities to be performed throughout the system lifecycle.

– Testing activities: dedicated system engineers specify a “safety oriented” testing strategy, and a specific team is responsible for the implementation of testing tasks.

Once the system-level specifications and basic implementation concepts are validated by risk analysts, development is organized as for any other project. The safety testing strategy is destructive; discontinuity occurs in the safety activity process, meaning that safety objectives cannot be easily traced. It is also difficult to test for completeness [BOU 97b] and to test system completion mechanisms.

In system modeling, a distinction is traditionally made between safety and liveness properties. A safety property stipulates that specific “bad things” will not happen during execution, while liveness properties stipulate that certain “good things” will (eventually) happen.