Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS

DCDS'09 Plenary Talk by Francesco Flammini, Ansaldo STS.
The workshop is organized by the Laboratory of Control and Automation of Politecnico di Bari and will be held in Bari, Italy, at the prestigious Domina Hotel Conference Bari-Palace, located in the city centre near the old town.

    Presentation Transcript

    • Dependable Control of Discrete Systems (DCDS’09), Bari, 10-12 May 2009 (slide 1)
      Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS
      Dr. Francesco Flammini, Ansaldo STS Italy – Innovation Unit, francesco.flammini@ansaldo-sts.com
    • Outline (slide 2)
      – Introduction to modern railway control systems
      – The need for model-based approaches
      – Successful applications
      – Future developments
    • Catastrophic Failures in Railways (slide 3)
      – Brief history (due to speed or signalling):
        – Recent: Metro Rome, 2006
        – Most catastrophic: Amagasaki (Japan), 107 killed, 555 injured
        – One of the oldest: Waterloo station, 1803
      – http://danger-ahead.railfan.net/
    • Computer-Based Railway Control Systems (slide 4)
      [Figure: control loop – Sensor System → Control System → Actuator System, embedded in the Environment]
      – Safety-critical railway control systems:
        – Interlocking Systems: management of train routes and signals in stations
        – Traffic Management Systems: management of train headways (trackside)
        – Train Control Systems: management of train movement (on-board)
      – Evolution from relay-based to computer-based → more complex failure modes
      – Embedded real-time reactive systems increasingly complex: large, distributed, heterogeneous
      – Dependability attributes of interest: Reliability, Availability, Maintainability, Safety, Security (RAMSS)
      – Important to evaluate such attributes in:
        – early development stages, to support design choices (fault forecasting)
        – verification and validation phase, to demonstrate compliance to RAMSS standards (assessment / certification)
    • Automatic Train Protection Systems (slide 5)
      [Figure: ERTMS/ETCS architecture – Traffic Management with HMI; Radio Block Center (RBC) connected to neighbour RBCs over a Wide Area Network; GSM-R Base Transceiver Station; On-board Train Control System exchanging Train Position Reports and Movement Authorities with Static Speed Profile with the RBC across the air gap; Eurobalise sending Balise Telegrams with Balise Group identifier; Interlocking (IXL: Man Machine Interface, Central Computer, Communication Processing Unit) with adjacent IXLs and Station Automation System; physical control entities: track circuits, signals, switch points, routes]
    • Threats to system dependability (slide 6)
      [Figure: threat sources around the Computer-Based Control System – people: designers and developers, management staff, normal users, maintainers, vandals / hackers / terrorists; interfaces: users, data network, electrical connections, power supply; environmental parameters: vibrations, temperature, moisture, electromagnetic fields, cosmic radiation]
    • The core of most control systems (slide 7)
      – Triple Modular Redundancy (TMR)
        [Figure: Units A, B, C; pairwise exclusion logic A-B, B-C, A-C; voter]
      – Many other fault-tolerance mechanisms:
        – Design diversity
        – Error Correcting Codes
        – Defensive programming
        – …
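    The TMR slide shows three units, pairwise exclusion logic and a voter. The following is an added example, not Ansaldo STS code and not taken from the presentation: a 2-out-of-3 voter with pairwise exclusion, exercised on constructed cycles so that the three outcomes a safety assessor cares about are visible: a single faulty unit masked, a three-way disagreement forced to a safe state, and a common-mode error (the same wrong value from two units) that voting alone cannot catch, which is exactly the hazard the later fault-tree slide models. Unit outputs, fault cases and labels are assumptions of this example.

```python
# Added example (not Ansaldo STS code): 2-out-of-3 voting with pairwise
# exclusion logic, as drawn on the TMR slide. Unit outputs, the fault cases
# and the classification labels below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

NAMES = ("A", "B", "C")


@dataclass(frozen=True)
class VoteResult:
    output: Optional[int]      # value delivered downstream; None means safe state
    excluded: FrozenSet[str]   # units the exclusion logic marked as disagreeing
    safe_state: bool           # True when no majority exists


def vote(outputs: Sequence[int]) -> VoteResult:
    """Compare A, B and C pairwise (the A-B, B-C, A-C exclusion blocks) and
    deliver the majority value; with no majority, fall back to a safe state."""
    a, b, c = outputs
    agree = {("A", "B"): a == b, ("B", "C"): b == c, ("A", "C"): a == c}
    # A unit is excluded when it disagrees with both of its peers.
    excluded = {u for u in NAMES
                if not any(ok for pair, ok in agree.items() if u in pair)}
    if not excluded:                      # all three agree
        return VoteResult(a, frozenset(), False)
    if len(excluded) == 1:                # single disagreeing unit outvoted by the other two
        value = next(v for n, v in zip(NAMES, outputs) if n not in excluded)
        return VoteResult(value, frozenset(excluded), False)
    # Three different outputs: every unit disagrees with its peers, no majority.
    return VoteResult(None, frozenset(excluded), True)


def classify(cycles: Sequence[Tuple[int, int, int, int]]) -> List[str]:
    """For each (A, B, C, expected) cycle say what the voter did: 'nominal',
    'masked' (one faulty unit outvoted), 'safe_state' (no majority) or
    'hazardous' (a wrong value reached the majority, e.g. the same error in the
    input data of two units, which voting alone cannot detect)."""
    report = []
    for a, b, c, expected in cycles:
        result = vote((a, b, c))
        if result.safe_state:
            report.append("safe_state")
        elif result.output != expected:
            report.append("hazardous")
        else:
            report.append("masked" if result.excluded else "nominal")
    return report


# Constructed sample cycles: (A, B, C, expected correct value)
SAMPLE_CYCLES = [
    (10, 10, 10, 10),   # all units agree
    (10, 10, 99, 10),   # C faulty, masked
    (10, 42, 99, 10),   # three-way disagreement -> safe state
    (99, 99, 10, 10),   # common-mode error in A and B outvotes the correct C
]

if __name__ == "__main__":
    for cycle, verdict in zip(SAMPLE_CYCLES, classify(SAMPLE_CYCLES)):
        print(cycle, "->", verdict)
```

    The last cycle is the reason design diversity appears on the same slide: two units computing the same wrong value from the same corrupted input defeat the voter, so the redundancy only buys safety if the units are unlikely to fail the same way.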
    • Objectives of dependability assessment (slide 8)
      – Extensive simulation with real systems is unfeasible
      – We need to evaluate RAMSS attributes of interest with models as much as possible:
        – Holistic: system-level failure modes
        – Realistic: correct behaviour with not too many conservative assumptions
        – Maintainable: no hyper-skills required to build and modify them
        – Efficient: quick to build and evaluate on normal computers
        – Assessable: readable and low error-prone
        – …
    • New frontiers in dependability modeling (slide 9)
      – Multi-paradigm approaches, involving:
        – Multi-formalism modeling
        – Meta-modeling
        – Model abstraction and transformation
      – Choice of the modeling approach most suited to the:
        – Objective of the analysis (performability, security, maintainability, etc.)
        – Constituent subsystems (small embedded device, workstation, etc.)
        – Abstraction layers (hardware, software state-machine, software functions, etc.)
      – Advantages:
        – Modular or compositional approach: divide et impera; incremental, multi-level / hierarchical; reuse (model libraries)
        – They allow for a trade-off among: ease of use, expressive power, solving efficiency
    • Experience report 1: issues (slide 10)
      – Main problem: evaluate system availability with respect to system-level failure modes, to demonstrate compliance to RAM requirements
      – Unfeasible with traditional single-formalism stochastic modeling approaches:
        – Queueing Networks ➪ limited expressiveness (no failure modeling)
        – Fault Trees ➪ limited expressiveness (no performance modeling)
        – Stochastic Petri Nets ➪ ungovernable complexity and limited efficiency (state space explosion)
        – …
      – Further problem: how to evaluate the effect of real-world repair strategies (e.g. preventive maintenance, limited resources, etc.)?
    • Experience report 1: solution (slide 11)
      [Figure: multi-formalism model – Availability Model (overall system, BN) composed of a Performability Model (network / software, GSPN), a Maintainability Model (on-board, FT) and a Reliability Model (trackside, RFT)]
      – F. Flammini, M. Iacono, S. Marrone, N. Mazzocca: "Using Repairable Fault Trees for the evaluation of design choices for critical repairable systems". In: Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE’05, Heidelberg, Germany, October 12-14, 2005: pp. 163-172
      – F. Flammini, S. Marrone, N. Mazzocca, V. Vittorini: "Modelling System Reliability Aspects of ERTMS/ETCS by Fault Trees and Bayesian Networks". In: Safety and Reliability for Managing Risk: Proceedings of the 15th European Safety and Reliability Conference (published September 1st 2006), ESREL’06, Estoril, Portugal, September 18-22, 2006: pp. 2675-2683
    • Experience report 2: issues (slide 12)
      – Main problem: evaluate TMR safety in presence of imperfect maintenance
      – Existing GSPN model assuming perfect maintenance hardly extensible: low maintainability, very limited efficiency
      – No other single-formalism approach usable to solve the overall problem
      – Further problem: how to improve the maintainability of the existing GSPN-based safety model?
    • Experience report 2: solution (slide 13)
      [Figure: compositional safety model – repair models at different levels of detail (environmental & human factors, CTMC), implemented as Finite State Machine or Continuous Time Markov Chain or Timed Automata; maintenance model interface exposing Operational Status (OK, KO, Up with fault, etc.) and Fault Events (Transient, Permanent, etc.); failure model interface; failure model implementation as Fault Tree or Bayesian Network or GSPN; existing safety model (hardware, GSPN). Fault tree for Hazardous Failure: erroneous output from voter; one erroneous output and same error in input data of both units; same error from the two units (combination of latent errors, i.e. latent error in A, latent error in B and activation of errors of both A and B); voter failure; erroneous output from one unit (A or B). Trade-off: + expressiveness, complexity, realism; − solving efficiency, readability, maintainability]
      – F. Flammini, S. Marrone, N. Mazzocca, V. Vittorini: “A new modelling approach to the safety evaluation of N-modular redundant computer systems in presence of imperfect maintenance”. In: Reliability Engineering & System Safety (Elsevier) – special issue on ESREL’07 selected papers. DOI: 10.1016/j.ress.2009.02.014
    • Experience report 3: issues (slide 14)
      – Main problem: perform system functional verification of the European Railway Traffic Management System / European Train Control System (ERTMS/ETCS)
      – Issues:
        – extensive testing unfeasible due to system complexity (test-case number explosion)
        – testing required for both nominal and degraded conditions
        – unstable system requirements specification
      – Further problem: how to detect missing requirements in order to improve system specification? (validation)
    • Experience report 3: solution (slide 15)
      1. Model-based testing (dynamic verification)
        – Automatic generation and reduction of the test-suite using reference abstract models like Finite State Machines
        [Figure: state machine – Partial_Supervision_1 (Train Moving in Staff Responsible Mode) —1: Receive TAF Granted / Send Disconnection Request→ Disconnection_1 (Disconnection Request Sent by the RBC); Partial_Supervision_1 —2: Receive standstill Position Report in TAF zone / Send TAF Request→ Partial_Supervision_2 (Waiting for TAF Granted); Partial_Supervision_2 —1: Receive TAF Granted / Send MA in Full Supervision→ Full_Supervision_1 (Train Moving in Full Supervision)]
        – F. Flammini, N. Mazzocca, A. Orazzo: “Automatic instantiation of abstract tests to specific configurations for large critical control systems”. In: Journal of Software Testing, Verification & Reliability (STVR), Vol. 19, Issue 2, pp. 91-110
        – F. Flammini, P. di Tommaso, A. Lazzaro, R. Pellecchia, A. Sanseviero: "The Simulation of Anomalies in the Functional Testing of the ERTMS/ETCS Trackside System". In: Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE’05, Heidelberg, Germany, October 12-14, 2005: pp. 131-139
      2. Model-based code inspection (static verification)
        – Use of UML-based reverse engineering and refactoring
        [Figure: Logic specification (Req. xx.yy: "When the MA verification process is activated, the RBC Logic shall verify the status of the track circuits assigned to the MA and then […]") ↔ UML model obtained by reverse engineering: 1) class diagrams (MA and TC classes with attributes and operations, 1-to-* association), 2) sequence diagrams, 3) statecharts (MA_state1 —verify_cond() / Send_MA, TC.op()→ MA_state2) ↔ Logic code (PROCESS MA; VARIABLES process_status, control, …; COMMANDS send_MA, …; COMMAND send_MA: IF cond ASSIGN “ok” TO VARIABLE “control” AND SEND AUTOMATIC COMMAND “op” TO PROCESS “TC”); verification of compliance between specification, model and code]
        – C. Abbaneo, F. Flammini, A. Lazzaro, P. Marmo, N. Mazzocca, A. Sanseviero: "UML Based Reverse Engineering for the Verification of Railway Control Logics". In: IEEE Proceedings of Dependability of Computer Systems, DepCoS’06, Szklarska Poręba, Poland, May 25-27, 2006: pp. 3-10
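    The model-based testing item on this slide pairs an abstract Finite State Machine with automatic generation of the test-suite and, per the STVR paper title, instantiation of abstract tests to specific configurations. The following is an added example written for this transcript, not the project's tool: the states and transitions are the ones drawn on the slide; the path enumeration strategy, the coverage metric, the site configuration table and the test-case naming are assumptions of this example.

```python
# Added example (not the project's tool): transition-coverage test generation
# from a Finite State Machine and instantiation of the abstract tests to
# concrete site configurations. The states and transitions are the ones drawn
# on the slide; the configuration table and test naming are constructed.
from typing import Dict, List, Tuple

Transition = Tuple[str, str, str, str]   # (state, stimulus, expected output, next state)

# Abstract model: state -> [(stimulus, expected output, next state)]
FSM: Dict[str, List[Tuple[str, str, str]]] = {
    "Partial_Supervision_1": [   # Train Moving in Staff Responsible Mode
        ("Receive TAF Granted", "Send Disconnection Request", "Disconnection_1"),
        ("Receive standstill Position Report in TAF zone", "Send TAF Request",
         "Partial_Supervision_2"),
    ],
    "Partial_Supervision_2": [   # Waiting for TAF Granted
        ("Receive TAF Granted", "Send MA in Full Supervision", "Full_Supervision_1"),
    ],
    "Disconnection_1": [],       # Disconnection Request Sent by the RBC
    "Full_Supervision_1": [],    # Train Moving in Full Supervision
}
INITIAL = "Partial_Supervision_1"


def generate_abstract_tests(fsm, initial) -> List[List[Transition]]:
    """Depth-first enumeration of paths from the initial state; a path ends at
    a state with no outgoing transition or when it would repeat a transition
    (cycle guard). Every transition of the model ends up in at least one path."""
    tests: List[List[Transition]] = []
    stack: List[Tuple[str, List[Transition]]] = [(initial, [])]
    while stack:
        state, steps = stack.pop()
        if not fsm[state]:
            tests.append(steps)
            continue
        for stimulus, output, nxt in fsm[state]:
            step = (state, stimulus, output, nxt)
            if step in steps:
                tests.append(steps + [step])
            else:
                stack.append((nxt, steps + [step]))
    return sorted(tests)


def transition_coverage(fsm, tests) -> float:
    """Fraction of model transitions exercised by the generated test-suite."""
    all_steps = {(s, e, o, n) for s, ts in fsm.items() for e, o, n in ts}
    covered = {step for test in tests for step in test} & all_steps
    return len(covered) / len(all_steps)


# Constructed sample: site-specific values substituted into the abstract steps
CONFIGURATIONS = {
    "site_A": {"train_id": "T101", "taf_zone": "TAF-03"},
    "site_B": {"train_id": "T205", "taf_zone": "TAF-11"},
}


def instantiate(tests, configurations) -> List[dict]:
    """Turn each abstract test into one concrete test case per configuration."""
    concrete = []
    for site, params in configurations.items():
        for index, steps in enumerate(tests, start=1):
            concrete.append({
                "id": f"{site}-TC{index:02d}",
                "steps": [dict(state=s, stimulus=e, expected=o, next=n, **params)
                          for s, e, o, n in steps],
            })
    return concrete


if __name__ == "__main__":
    suite = generate_abstract_tests(FSM, INITIAL)
    print(f"{len(suite)} abstract tests, coverage {transition_coverage(FSM, suite):.0%}")
    for case in instantiate(suite, CONFIGURATIONS):
        print(case["id"], [step["stimulus"] for step in case["steps"]])
```

    For the four-state model on the slide two abstract paths already cover every transition; the value of the approach shows when the same generator is run on the full ERTMS/ETCS mode machine, where the coverage figure is what tells the verifier which transitions (including degraded-mode ones) the reduced suite still exercises.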
    • Experience report 4: issues (slide 16)
      – Main problem: quantitative security risk assessment to support the design of protection mechanisms and evaluate the return on investment
      – Issues:
        – Traditional reliability modeling formalisms (e.g. Fault Trees) inadequate for security modeling (e.g. no support for interdependent basic events)
        – Complexity in vulnerability modeling
      – Further problem: how to demonstrate to the customer the optimality of security system design (e.g. size of subsystems)?
    • Experience report 4: solution (slide 17)
      [Figure: risk model R = P ⋅ V ⋅ D (work in progress) – Threat Frequency Model (Bayesian Networks), Threat Vulnerability Model (Stochastic Petri Nets), Threat Consequences Model (Event Trees)]
      – We have already implemented a genetic algorithm to automatically maximize the return on investment while fulfilling external budget constraints
      – F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola: “Quantitative Security Risk Assessment and Management for Railway Transportation Infrastructures”. In: Proc. 3rd International Workshop on Critical Information Infrastructures Security, CRITIS’08, Frascati (Rome), Italy, October 13-15, 2008: pp. 213-223
      – F. Flammini, V. Vittorini, N. Mazzocca, C. Pragliola: “A Study on Multiformalism Modelling of Critical Infrastructures”. In: Proc. 3rd International Workshop on Critical Information Infrastructures Security, CRITIS’08, Frascati (Rome), Italy, October 13-15, 2008: pp. 395-402
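    The slide states the risk model R = P ⋅ V ⋅ D and an optimizer that maximizes return on investment under a budget. The following is an added example, not Ansaldo STS code and not the genetic algorithm the slide mentions: it evaluates R per threat scenario, lets each protection measure scale the vulnerability term V of the threats it covers, and searches the measure portfolios exhaustively (feasible for a handful of measures, and it yields a provable optimum, which is the kind of argument the previous slide says the customer asks for). The threats, measures, P/V/D values, costs, the budget, and the reading of "return" as expected loss avoided minus measure cost are all assumptions of this example.

```python
# Added example (not Ansaldo STS code): quantitative risk as R = P * V * D per
# threat scenario and budget-constrained selection of protection measures.
# The slide reports a genetic algorithm; this example uses exhaustive search
# over the (small) measure set so the optimum is certain. Threats, measures,
# probabilities, costs and the budget are constructed sample values, and
# "return" is taken here as expected loss avoided minus measure cost.
from itertools import combinations
from typing import Dict, Iterable, Tuple

# threat -> (P: expected attempts per year, V: probability of success, D: damage in kEUR)
THREATS: Dict[str, Tuple[float, float, float]] = {
    "intrusion_in_technical_room": (2.0, 0.6, 500.0),
    "tampering_with_trackside_equipment": (1.0, 0.5, 800.0),
    "sabotage_of_power_supply": (0.5, 0.4, 300.0),
}

# measure -> (cost in kEUR, {threat: factor by which the measure scales V})
MEASURES: Dict[str, Tuple[float, Dict[str, float]]] = {
    "access_control": (80.0, {"intrusion_in_technical_room": 0.2}),
    "cctv_with_patrol": (120.0, {"intrusion_in_technical_room": 0.5,
                                 "tampering_with_trackside_equipment": 0.6}),
    "tamper_sensors": (60.0, {"tampering_with_trackside_equipment": 0.3}),
    "ups_and_fencing": (150.0, {"sabotage_of_power_supply": 0.2}),
}


def residual_risk(threats, measures, selected: Iterable[str]) -> Dict[str, float]:
    """R = P * V * D per threat, with V reduced by every selected measure."""
    out = {}
    for name, (p, v, d) in threats.items():
        for m in selected:
            v *= measures[m][1].get(name, 1.0)   # a measure not covering this threat leaves V unchanged
        out[name] = round(p * v * d, 2)
    return out


def total_risk(threats, measures, selected=()) -> float:
    """Expected loss per year (kEUR) summed over all threat scenarios."""
    return round(sum(residual_risk(threats, measures, selected).values()), 2)


def best_portfolio(threats, measures, budget: float):
    """Exhaustive search: the measure set with the largest return
    (risk reduction minus cost) whose cost fits the budget.
    Returns (measures, cost, return); empty selection when nothing pays off."""
    baseline = total_risk(threats, measures)
    best = ((), 0.0, 0.0)
    names = sorted(measures)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            cost = sum(measures[m][0] for m in combo)
            if cost > budget:
                continue
            ret = round(baseline - total_risk(threats, measures, combo) - cost, 2)
            if ret > best[2]:
                best = (combo, cost, ret)
    return best


if __name__ == "__main__":
    print("baseline risk (kEUR/year):", total_risk(THREATS, MEASURES))
    chosen, cost, ret = best_portfolio(THREATS, MEASURES, budget=200.0)
    print("within a 200 kEUR budget:", chosen, "cost", cost, "return", ret)
    print("residual risk:", residual_risk(THREATS, MEASURES, chosen))
```

    With these constructed figures the optimum is the same whether the budget is 200 or 1000 kEUR: the two cheap measures that cut the two largest P ⋅ V ⋅ D terms pay for themselves, while the expensive power-supply measure protects a scenario whose expected loss is already below its cost. That "more budget does not change the answer" result is precisely what an exhaustive or optimizer-based search makes demonstrable.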
    • Future developments (slide 18)
      – Methodology: definition of appropriate multiformalism composition operators
      – Applications: new case-studies, e.g. system-level safety evaluation
      [Figure: layered multiformalism model of the ground subsystem (lineside subsystem: Balise 1 … Balise K; trackside subsystem) and the on-board subsystem. Operating procedures layer: Start of Mission, Hand-Over, OP1, OP2, OP3 as (Generalized Stochastic) Petri Nets. Software layer: Finite State Machine over Level 0 / STM, Level 1, Level 2, Level 3 and the modes Unfitted, OFF, SB, SR, OS, Full Supervision, System Failure. Hardware layer: Bayesian Network and (Repairable) Fault Tree for subsystem failures, e.g. fail SS1, fail SS2, Transmitting Correct Telegram, Non Transmitting / Transmitting Default Telegram (safe failure), Transmitting Incorrect Telegram (unsafe failure)]
      – G. Di Lorenzo, F. Flammini, M. Iacono, S. Marrone, F. Moscato, V. Vittorini: “The software architecture of the OsMoSys multisolution framework”. In: Proc. 2nd International Conference on Performance Evaluation Methodologies and Tools, VALUETOOLS’07, Nantes, France, October 23-25, 2007: pp. 1-10
    • Are models useful only for dependability prediction and assessment? (slide 19)
    • Experience report 5: issues (slide 20)
      – Main problem: on-line detection of threats for early warning and decision support
      – Issues:
        – Integration and reasoning of multi-sensor data
        – Need for real-time detection models
      – Further problem: how to quantify uncertainty?
    • Experience report 5: solution (slide 21)
      [Figure: DETECT Engine – inputs: Scenario Repository and Event History; outputs: Detected attack scenario and Alarm level (1, 2, 3, ...); detection models: Event Trees, Bayesian Networks, Neural Networks]
      – F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola: “DETECT: a novel framework for the detection of attacks to critical infrastructures”. In: Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds), Proceedings of ESREL’08, Valencia, Spain, 22-25 September 2008: pp. 105-112
      – F. Flammini, A. Gaglione, N. Mazzocca, V. Moscato, C. Pragliola: “Wireless Sensor Data Fusion for Critical Infrastructure Security”. In: Advances in Soft Computing Vol. 53: Proc. International Workshop on Computational Intelligence in Security for Information Systems, CISIS’08, Genoa, Italy, October 23-24, 2008: pp. 92-99
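    The DETECT slide shows an engine that matches an event history against a scenario repository and emits a detected scenario with an alarm level, and the previous slide asks how to quantify uncertainty. The following is an added example, not the DETECT framework or Ansaldo STS code: a scenario is an ordered list of sensor event kinds that must occur in one zone within a time window, the alarm level is the number of scenario steps matched in order, and uncertainty is carried as a confidence figure derived from per-sensor confidences. The scenario language, the constructed event history, the sensor confidences and the window rule are assumptions of this example.

```python
# Added example (not the DETECT framework): scenario-based correlation of a
# multi-sensor event history against a scenario repository, producing the
# detected scenario, an alarm level (number of scenario steps matched in order)
# and a confidence figure as a simple way to quantify uncertainty.
# Scenario language, sample events, sensor confidences and the time window are
# constructed assumptions of this example.
from collections import namedtuple
from typing import Dict, List, Tuple

# confidence: probability that the sensor's report is genuine (assumed per sensor)
Event = namedtuple("Event", "time sensor kind zone confidence")

# Scenario repository: ordered event kinds that must occur in the same zone
# within `window` seconds of the first matched event
SCENARIOS: Dict[str, dict] = {
    "trackside_intrusion": {
        "window": 300,
        "steps": ["vibration", "person_detected", "forced_open"],
    },
    "technical_room_fire": {
        "window": 900,
        "steps": ["temperature_rise", "smoke"],
    },
    "repeated_perimeter_probe": {
        "window": 300,
        "steps": ["vibration", "vibration"],
    },
}

# Constructed event history (seconds from start of the observation window)
HISTORY: List[Event] = [
    Event(0,   "fence_sensor_3", "vibration",       "zone_3", 0.90),
    Event(40,  "camera_07",      "person_detected", "zone_3", 0.80),
    Event(95,  "door_12",        "forced_open",     "zone_3", 0.95),
    Event(400, "smoke_det_2",    "smoke",           "zone_5", 0.70),
    Event(700, "fence_sensor_8", "vibration",       "zone_8", 0.60),
]


def match_scenario(spec: dict, history: List[Event]) -> Tuple[int, float, List[Event]]:
    """Advance through the scenario steps in order over the time-sorted history.
    Later steps must come from the zone of the first matched event; when the
    window expires the stale partial match is dropped and matching restarts.
    Returns (alarm level, confidence, matched events); confidence is the product
    of the matched sensors' confidences (0.0 when nothing matched)."""
    steps = spec["steps"]
    matched: List[Event] = []
    for ev in sorted(history, key=lambda e: e.time):
        if len(matched) == len(steps):
            break
        if matched and ev.time - matched[0].time > spec["window"]:
            matched = []
        if ev.kind == steps[len(matched)] and (not matched or ev.zone == matched[0].zone):
            matched.append(ev)
    confidence = 0.0
    if matched:
        confidence = 1.0
        for ev in matched:
            confidence *= ev.confidence
    return len(matched), round(confidence, 3), matched


def detect(history, scenarios) -> Dict[str, Tuple[int, float]]:
    """Alarm level and confidence for every scenario in the repository."""
    return {name: match_scenario(spec, history)[:2] for name, spec in scenarios.items()}


def raise_alarm(history, scenarios) -> Tuple[str, int, float]:
    """The scenario to report: highest alarm level, ties broken by confidence."""
    levels = detect(history, scenarios)
    name = max(levels, key=lambda n: levels[n])
    return (name, *levels[name])


if __name__ == "__main__":
    for name, (level, confidence) in detect(HISTORY, SCENARIOS).items():
        print(f"{name:28s} alarm level {level}  confidence {confidence}")
    print("report:", raise_alarm(HISTORY, SCENARIOS))
```

    The partial-match levels are the early-warning part: the operator is alerted at level 1 or 2, before the scenario completes, and the confidence figure tells them how much that alert rests on a single low-reliability sensor. Bayesian networks, as on the slide, would replace the product of confidences with proper inference over sensor dependencies.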
    • Thank you for your kind attention. Questions?