Summer School


Resilience in Computing Systems and Information Infrastructures
— from Concepts to Practice —

24-28 September 2007, Porquerolles, France





Resilience is the discipline studying how a system can resist, and survive the effects of, faults, interaction mistakes, or malicious attacks and disruptions. Resilience is essential especially for those ubiquitous computing systems that are elements of large, ever-evolving networks of computer and mobile devices, in Ambient Intelligence. This summer school will provide basic elements, contextual information and examples on resilience from the multidisciplinary domains of dependability, security and human factor.

Target Audience

The target audience for the summer school includes:

• technical, system and cognitive engineers; human factor specialists; safety specialists; project managers; consultants from industries and companies with an interest in the resilience discipline;

• doctorate students in information and communication technology, computer science, engineering, and cognitive science with an interest in the resilience discipline.

Participation of doctorate students in the Summer School will be considered a relevant training activity in their curriculum. The Scientific Direction of the School proposes an average credit of 3 ECTS, which a student who intends to participate must agree with the local College of Doctorate of his/her University.


The objective of the summer school is to introduce the target audience to the concept of resilience, showing how to design, verify and evaluate resilient systems. Basic concepts and theoretical information will be complemented by practical examples of resilience problems, solutions, and best practices from several industrial domains, and by an outline of the more promising research initiatives in the area and their potential results.


The summer school is organised by the Resilience for Survivability in IST (ReSIST) Network of Excellence, under the sponsorship of the European Union.

School director: Alberto Pasquini (Deep Blue)
School deputy-directors: Marc Dacier (Institut Eurecom), and Istvan Majzik (Budapest University of Technology and Economics)
School coordinators: Karama Kanoun and Jean-Claude Laprie (LAAS-CNRS)


The School programme is based on four sessions, described in detail hereafter:
    • Introduction to resilience
    • How to build resilience
    • Resilience in practice
    • Perspectives of resilience

INTRODUCTION TO RESILIENCE - The first session will address the introductory aspects of the school. This session will consist of three lectures. The first will last 60 minutes and will be dedicated to organisational aspects of the school; the other two, lasting 90 minutes each, to the basic introductory concepts of resilience.




Introduction: Aims and organisation of the school

Alberto Pasquini

Deep Blue, Italy

This lecture will be in two parts. The first will present the aims, structure and practical organisational aspects of the school. The second will be dedicated to a quick presentation of the coming school lectures.

Resilience: an essential property for the sustainability of computing systems and infrastructures

Jean-Claude Laprie


Resilience is the persistence of delivery of justifiably trusted service in the presence of evolutionary changes. The changes can be planned, predictable, or totally unforeseen.

The lecture will first focus on the relationship of resilience with dependability and security, emphasizing the impact of the evolutions of sources of failures, be they accidental or malicious, on the approaches to defend against them. Then the rationale of ReSIST will be presented, as well as its major achievements to date.

The human role in ensuring and improving resilience

Alberto Pasquini

Deep Blue, Italy

This lecture will introduce the concept of socio-technical systems, that is, systems whose resulting performance is the outcome of a close interaction between a human and a technological component, sometimes with the support of procedures and rules that regulate the interactions between different components and between components and the external world. The lecture will then present the available methods for understanding, analysing, and modelling socio-technical systems and for evaluating and improving resilience in socio-technical systems.

HOW TO BUILD RESILIENCE - The second session will address basic aspects of resilience building:

       • Resilience Design;
       • Resilience Verification;
       • Resilience Evaluation.

This session will be largely based on the material contained in the ReSIST Deliverable State of Knowledge on Resilience Building Technologies. The session will include three lectures, each one lasting three hours, in the mornings from Tuesday to Thursday.




Architectural, paradigmatic and algorithmic issues in Resilience

Paulo Veríssimo

University of Lisbon, Portugal

This lecture will provide the basis for the design of resilient systems as a whole. It will focus on the architectural, paradigmatic and algorithmic issues that make a computerized system resilient, analysing the aspects of computer system design that contribute to correct/safe control in spite of threats.

Checking models, proving programs, and testing systems

Marie-Claude Gaudel

University of Paris-Sud, Orsay, France

Verification and Validation of computerised systems rely on numerous methods. This lecture will focus on three of them: model-checking, program proving and system testing.

First, the principles of these methods will be recalled. Then an overview of their current possibilities on different types of systems and properties will be given. In the last part, some interactions of these methods will be discussed: model-checking can be used as a tool for generating test cases; testing and proving can be used in a complementary way. The conclusion will discuss the use of these methods in an integrated Verification and Validation process.

Resilience evaluation with regard to accidental and malicious threats

Mohamed Kaâniche


This lecture will present: 1) the main concepts and techniques that are commonly used to evaluate the dependability and security of computing systems and 2) the state of knowledge and research challenges in this field. Both accidental and malicious threats will be addressed, considering model-based and experimental evaluation approaches. Examples of applications and case studies will be presented for illustration.


RESILIENCE IN PRACTICE - The third session will provide the point of view of practitioners from different industrial domains. This session will include four lectures. Each lecture will describe the characteristics of a specific industrial domain, with emphasis on the resilience problems that are specific to that domain. The lectures will then present the experience in each specific industrial domain in the form of one or more examples, best practices, success and/or failure stories about resilience. These lectures will be in the afternoon of Tuesday and Thursday, and last 90 minutes each.




A practitioner point of view about Resilience in ubiquitous systems

Michele Morganti

Siemens Communications, Italy

This lecture will describe the characteristics of the telecommunication domain with regard to Resilience, with specific reference to ubiquitous systems. Descriptions of best practices and real success and failure stories will provide concrete examples about Resilience in Telecommunications.

SESAR safety: an overarching Safety Management process in Air Traffic Management

Oliver Sträter

Eurocontrol, Belgium

The lecture will describe the specific resilience needs and challenges of Air Traffic Management, through a set of examples. The lecture will then describe the overall solutions that are envisaged in SESAR, the new Single European Sky ATM Research Programme, that will lead to the ATM Organisation of 2020.

RATP safety approach for railway signalling systems

Pierre Chartier

RATP, France

From the very first safety-critical software in the railway world, with SACEM for RER A put into service in 1989, to today's metro lines modernisation program including metro line 1 automation, we will explain how RATP has coped with the difficulty of demonstrating the safety of software systems. In particular, we will illustrate the contribution of formal methods like B or SCADE to demonstrating software safety, and we will show different kinds of computer architectures, like the coded processor, able to run critical software safely in the railway context.

Security and complexity in networks

Michael Behringer

CISCO Systems, France

Today's networks and applications are becoming increasingly complex, to match growing demand for new applications. This has two consequences: first, security measures need to adapt, and are also becoming more complex; second, it becomes harder to manage and maintain the increasing complexity. This lecture discusses these issues in more detail, and ways forward to cope with increasing complexity.

PERSPECTIVES OF RESILIENCE - The fourth and last session will address the future perspectives in Resilience. This will be done through a panel, in which the speakers and the students will discuss gaps and future challenges of resilience, and a presentation. Both will last 90 minutes and run during the last day of the school. They will be based on the ReSIST deliverable From resilience-building to resilience-scaling: directions.




Panel session: gaps and future challenges in Resilience

Michel Banâtre

Directeur de Recherche INRIA, IRISA, France

The Panel will be dedicated to the investigation of gaps and future challenges in Resilience and will run in close interaction with the participants.

Final reflections on Resilience

Tom Anderson

University of Newcastle, UK

What do we want with regard to IT based systems (and networks of them)? We want safety, for ourselves and others; security of information; systems that deliver dependable service. And we want this from systems that are resilient: to the impact of change, to the inevitability of flaws, and to the attacks of the wicked. It's a demanding requirement, and poses a tremendous challenge. This concluding lecture offers a few observations and hopes for the future.

Biodata of the Lecturers

Tom Anderson obtained his PhD in Computing Science from the University of Newcastle upon Tyne in 1972. He then joined the staff of the University's Computing Laboratory as a Research Associate working on the development of recovery blocks and multi-level recovery. He spent 1978-79 at NASA Langley Research Center in Virginia investigating fault tolerance for flight software, and then became first a Lecturer, and then Professor of Computing Science at Newcastle. From 1980 onwards he has acted as Principal Investigator for a series of major research projects, including a major experimental evaluation of software fault tolerance techniques and a ten-year project on dependable avionic systems. From 1992-97 he was Head of Department for Computing Science; from 1998-2002 he was Dean of the Faculty of Science. Tom has more than 60 publications, including papers in international journals and conference proceedings, books and book chapters.

Michel Banâtre received his "Thèse d'Etat" degree in 1984. Since 1986 he has held a "Directeur de recherche" position at INRIA. Between 1982 and 1995 he gained strong experience in the design of fault tolerant multiprocessor architectures and fault tolerant distributed systems based on stable storage technology. Then he was involved in the design of multimedia services with Quality of Service (QOS): a reliable VOD server in cooperation with Thomson Multimedia and an electronic newspaper service in cooperation with Ouest-France (the biggest daily newspaper in France). This service has been generalised in order to integrate user mobility (ECC FollowMe project). He is currently leading the ACES (Ambient Computing and Embedded Systems) INRIA research group working on embedded systems, Spontaneous Information Systems based on Short Distance Wireless (SDW) technology, context aware services and Java based operating system for PDA. These research activities are strongly connected with industry partners such as Texas Instruments, Alcatel, and end-users. This research is also supported by grants from ECC. Michel Banâtre has over 70 publications and patents in the areas of programming languages, distributed systems, fault tolerant architectures, multimedia information systems and context-aware information systems based on SDW technologies.

Michael Behringer works at Cisco Systems as a distinguished engineer, focusing on service provider core and security topics, such as MPLS security, NGN security and denial of service attack prevention. Prior to joining Cisco, he worked at the European service provider DANTE, responsible for the design and implementation of DANTE's pan-European networks. Michael holds a diploma in computer science. He is an active member of the IETF and has published several papers, RFCs and a book on MPLS VPN security.

Pierre Chartier is Head of System Qualification in the Railway System Engineering Unit at the Paris Mass Transit Authority (RATP). In this position, he manages the safety assessment of railway systems in all phases from system definition to system commissioning, including software and hardware development. Until 2006, he led the Software Qualification Laboratory in charge of safety-critical software assessment of railway systems for three years. Prior to this assignment, he was responsible for methods and tools for safety-critical software while being involved in several software assessments for another three years. His interests included especially formal methods (B method, SCADE) and safe computer architectures (coded processor, 2oo2 and 2oo3 redundant architectures). In the five years before that, he was engaged in research on formal methods and formal proofs in connection with the METEOR project, interspersed with a 16-month visit to Cambridge Computer Laboratory (UK). He received a Master's degree in mathematics in 1993 and a post graduate qualification in computer science in 1994 from Paris VII University. He is still involved in research projects, especially PROOFER, which aims at formally proving system safety properties on computerised interlocking systems. He is currently a member of the CENELEC experts group for the revision of the EN50128 standard.

Marie-Claude Gaudel was appointed as a professor at the University of Paris-Sud at Orsay in 1984. Before joining UPS, she was a researcher at INRIA, and then in charge of the Software Engineering group at the industrial research center of Alcatel-Alsthom (Marcoussis, France). Her research interests are in the areas of software: formal methods, program robustness, testing and certification. She received an Outstanding Paper Award of the IEEE Chapter of Software Engineering for the work of her group on program robustness in Marcoussis. She is Doctor Honoris Causa of EPFL, and she received the CNRS Silver Medal in 1996 for her work on software testing.

Jean-Claude Laprie is "Directeur de Recherche" at CNRS, the French National Organization for Scientific Research. He joined LAAS-CNRS in 1968, where he founded the research group on Fault Tolerance and Dependable Computing in 1975, which he directed until he became Director of LAAS in 1997 (up to the end of his term of office, in December 2002). His research has focused on dependable computing since 1973, and especially on fault tolerance and on dependability evaluation, subjects on which he has authored and coauthored more than 100 papers, as well as coauthored or edited several books. He has also been very active in the formulation of the basic concepts of dependability, the views developed being widely adopted by the scientific community. He has been very active in the international community, and he is currently a vice-president of IFIP, the International Federation for Information Processing. He is the coordinator of the European Network of Excellence ReSIST (Resilience for Survivability in Information Society Technologies). He received in 1993 the Silver Medal of the French Scientific Research, and in December 2002 the French National Merit Medal.

Mohamed Kaâniche is Chargé de Recherche at CNRS, the French National Organization for Scientific Research. He joined LAAS-CNRS in 1988 as a member of the research group on Dependable Computing and Fault Tolerance. From March 1997 to February 1998, he was a Visiting Research Assistant Professor at the University of Illinois at Urbana Champaign, USA. His research activities focus on the dependability and security evaluation of fault-tolerant computing systems and critical infrastructures based on analytical modeling and experimental measurement approaches. He has (co)authored more than 60 papers on these subjects in international journals and conference proceedings. He has participated and contributed to several national and European research projects and networks of excellence such as PDCS, DeVa, DSoS, CRUTIAL, HIDENETS and ReSIST, and he has served on numerous programme and organisation committees of international conferences. He was the Programme co-chair of PRDC-2004 and Programme Chair of EDCC-5.

Michele Morganti graduated in Electronic Engineering and Computer Science from the Politecnico of Milano in 1973. After nine years with the Electronic Switching Division of Telettra, in 1983 he joined Italtel where from 1987 through 1999 he was in charge of Corporate Research. In November 1999 he joined Siemens ICN, first as Chief Technical Officer and then as responsible for Mobile Solutions. From April 2001 through February 2003 he was in charge of Strategic Marketing and Business Excellence for the Siemens group in Italy. He is now Senior Vice President for Technology Innovation at Siemens Communications Italy. An active member of several international professional organizations including the IEEE Computer and Communications Societies, IFIP and FITCE, he has published over 50 papers on various aspects of telecommunications, computers and computer networking and has contributed to numerous conferences and publications worldwide.

Alberto Pasquini is a safety analysis expert with a full University degree in Electronic Engineering, and more than 20 years of experience in the safety domain, in several industrial areas including nuclear and transportation. His research interests are in the dependability of interactive systems, and software and human reliability; in these areas he has been involved as partner or coordinator in several international collaborative projects. He has more than 60 publications in international journals, books, and conference proceedings. He is or has recently been a member of the Programme Committee of several international conferences. He is currently with the Italian Agency for Environment Energy and New Technology and with Deep Blue, an Italian research and consultancy company operating in the areas of human factor, safety and validation.

Oliver Sträter studied engineering psychology and worked for GRS (Gesellschaft für Anlagen- und Reaktorsicherheit), part of the German Nuclear Regulatory Body, from 1992 till 2002. At GRS he developed methods for incident investigation and reliability assessment regarding the human impact on the safety of nuclear installations. During this work he carried out his Ph.D. on evaluation of operational experience regarding human reliability together with the Institute of Ergonomics of the University of Technology Munich. From 1999 to 2002 he was Assistant Professor at the Institute of Ergonomics. In 2001 he moved to EUROCONTROL, the European Organization for the Safety of Air Navigation, where he developed methods and tools for dealing with Human automation issues in European Air Traffic Management within the SHAPE project (Solutions for Human Automation Partnership in European ATM). In 2003 he became a member of the German Nuclear Safety Commission. Since 2004 he has been working on the development of the long term safety strategy of Air Traffic Management in the context of SESAR. He recently published: Cognition and safety - An Integrated Approach to Systems Design and Performance Assessment.

Paulo Veríssimo is a professor of the Department of Informatics (DI) of the University of Lisboa Faculty of Sciences, and Director of LASIGE, a research laboratory of the DI. He belongs to the European Security & Dependability Advisory Board, and is associate editor of the IEEE Transactions on Dependable and Secure Computing. He is past Chair of the IEEE Technical Committee on Fault Tolerant Computing and of the Steering Committee of the DSN conference, and belonged to the Executive Board of the CaberNet European Network of Excellence. He was coordinator of the CORTEX IST/FET project. He is a senior member of the IEEE. Paulo Veríssimo leads the Navigators research group of LASIGE, and is currently interested in: architecture, middleware and protocols for distributed, pervasive and embedded systems, in the facets of real-time adaptability and fault/intrusion tolerance. He is author of more than 130 refereed publications in international scientific conferences and journals in the area, and co-author of five books.


  - Resilience: an Essential Property for the Sustainability of Computing Systems and Infrastructures — From Dependability to Resilience
      Jean-Claude Laprie, LAAS-CNRS, France

  - The Human Role in Ensuring and Improving Resilience
      Alberto Pasquini, Deep Blue, Italy

  - Design for Resilient Systems — Architectural, Paradigmatic and Algorithmic Issues
      Paulo Veríssimo, University of Lisbon, Portugal

  - Anywhere Anytime Communications — A Practitioner Point of View about Resilience in Ubiquitous Systems
      Michele Morganti, Siemens Communications Italy

  - Resilience in Air Traffic Management
      Alberto Pasquini, Deep Blue, Italy

  - Checking Models, Proving Programs, and Testing Systems
      Marie-Claude Gaudel, University of Paris-Sud, Orsay, France

  - Resilience Evaluation with Regard to Accidental and Malicious Threats
      Mohamed Kaâniche, LAAS-CNRS, France

  - RATP Safety Approach for Railway Signalling Systems
      Pierre Chartier, RATP, France

  - Security and Complexity in Networks
      Michael Behringer, CISCO Systems, France

  - Reflections on Resilience
      Tom Anderson, University of Newcastle, UK
