DCDS'09 Plenary Talk by Francesco Flammini, Ansaldo STS.
The Workshop is organized by the Laboratory of Control and Automation of Politecnico di Bari and will be held in Bari, Italy, at the prestigious Domina Hotel Conference Bari-Palace, located in the city centre near the old town.
Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS
1. Dependable Control of Discrete Systems (DCDS’09)
Bari, 10-12 May 2009
Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS
Dr. Francesco Flammini
Ansaldo STS Italy – Innovation Unit
francesco.flammini@ansaldo-sts.com
2. Outline
• Introduction to modern railway control systems
• The need for model-based approaches
• Successful applications
• Future developments
DCDS’09, Francesco Flammini
2
3. Catastrophic Failures in Railways
• Brief history… (due to speed or signalling)
– Recent – Metro Rome, 2006
– Most catastrophic: Amagasaki (Japan), 107 killed, 555 injured
– One of the oldest – Waterloo station, 1803
• http://danger-ahead.railfan.net/
4. Computer-Based Railway Control Systems
[Figure: closed loop of a computer-based control system: sensor system → control system → actuator system, all interacting with the environment]
• Safety-Critical Railway Control Systems:
– Interlocking Systems – management of train routes and signals in stations
– Traffic Management Systems – management of train headways (trackside)
– Train Control Systems – management of train movement (on-board)
• Evolution from relay-based to computer-based → more complex failure modes
• Embedded real-time reactive systems increasingly complex: large, distributed, heterogeneous
• Dependability attributes of interest:
– Reliability, Availability, Maintainability, Safety, Security (RAMSS)
• Important to evaluate such attributes in:
– early development stages, to support design choices (fault forecasting)
– the verification and validation phase, to demonstrate compliance with RAMSS standards (assessment / certification)
5. Automatic Train Protection Systems
[Figure: ATP architecture. Traffic management (HMI) and the Radio Block Centre (RBC) sit on a wide area network; the RBC exchanges Train Position Reports and Movement Authorities with Static Speed Profile with the on-board train control system over GSM-R (base transceiver station, air gap) and coordinates with neighbouring RBCs; the Eurobalise sends a Balise Telegram with the Balise Group identifier to the train; interlockings (IXL: central computer, man-machine interface, processing units, adjacent IXLs) control the physical entities of the station: track circuits, signals, switch points and routes; interlocking, automation system and RBC communicate over the WAN]
6. Threats to system dependability
[Figure: threat sources surrounding a computer-based control system: people (designers and developers, management staff, normal users, maintainers; vandals, hackers, terrorists), infrastructure (data network, electrical connections, power supply) and environmental parameters (vibrations, temperature, moisture, electromagnetic fields, cosmic radiation)]
7. The core of most control systems
• Triple Modular Redundancy (TMR)
• Many other fault-tolerance mechanisms
– Design diversity
– Error Correcting Codes
– Defensive programming
– …
[Figure: TMR architecture: Units A, B and C feed pairwise exclusion logic (A-B, B-C, A-C) and a voter]
8. Objectives of dependability assessment
• Extensive simulation with real systems is unfeasible
• We need to evaluate RAMSS attributes of interest with models as much as possible:
– Holistic
• System level failure modes
– Realistic
• Correct behavior with not too many conservative assumptions
– Maintainable
• No hyper-skills required to build and modify them
– Efficient
• Quick to build and evaluate on normal computers
– Assessable
• Readable and not error-prone
– …
9. New frontiers in dependability modeling
• Multi-paradigm approaches, involving:
– Multi-formalism modeling
– Meta-modeling
– Model abstraction and transformation
• Choice of the modeling approach most suited to the:
– Objective of the analysis (performability, security, maintainability, etc.)
– Constituent subsystems (small embedded device, workstation, etc.)
– Abstraction layers (hardware, software state-machine, software functions, etc.)
• Advantages:
– Modular or compositional approach
• Divide et impera
• Incremental, multi-level / hierarchical
• Reuse (model libraries)
– They allow for a trade-off among:
• Ease of use
• Expressive power
• Solving efficiency
10. Experience report 1: issues
• Main problem:
– evaluate system availability with respect to system-level failure modes to demonstrate compliance with RAM requirements
• Unfeasible with traditional single-formalism stochastic modeling approaches:
– Queueing Networks ➪ limited expressiveness (no failure modeling)
– Fault Trees ➪ limited expressiveness (no performance modeling)
– Stochastic Petri Nets ➪ ungovernable complexity and limited efficiency (state space explosion)
– …
• Further problem:
– how to evaluate the effect of real-world repair strategies (e.g. preventive maintenance, limited resources, etc.)?
11. Experience report 1: solution
[Figure: multiformalism model: an availability model of the overall system (Bayesian Network) composed from a reliability model (on-board, Fault Tree), a performability model (network / software, GSPN) and a maintainability model (trackside, Repairable Fault Tree)]
• F. Flammini, M. Iacono, S. Marrone, N. Mazzocca: “Using Repairable Fault Trees for the evaluation of design choices for critical repairable systems”. In: Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE’05, Heidelberg, Germany, October 12-14, 2005: pp. 163-172
• F. Flammini, S. Marrone, N. Mazzocca, V. Vittorini: “Modelling System Reliability Aspects of ERTMS/ETCS by Fault Trees and Bayesian Networks”. In: Safety and Reliability for Managing Risk: Proceedings of the 15th European Safety and Reliability Conference (published September 1st 2006), ESREL’06, Estoril, Portugal, September 18-22, 2006: pp. 2675-2683
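The availability evaluation with repairable components that this slide refers to, as an added example (not the talk's or the authors' code): a small fault tree whose leaves are two-state repairable components with exponential failure and repair rates, evaluated with and without repair. The tree (hypothetical trackside subsystem with two RBC replicas and two GSM-R links), the rates and the mission time are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class BasicEvent:
    """Leaf of the fault tree: a component with exponential failure (lam) and repair (mu) rates."""
    name: str
    lam: float   # failure rate, per hour
    mu: float    # repair rate, per hour (0.0 = not repairable)

    def unavailability(self, t: float) -> float:
        # Two-state Markov model started in the "up" state:
        # q(t) = lam/(lam+mu) * (1 - exp(-(lam+mu) t)); with mu = 0 this is 1 - exp(-lam t).
        return self.lam / (self.lam + self.mu) * (1.0 - math.exp(-(self.lam + self.mu) * t))


@dataclass
class Gate:
    """AND/OR gate; the inputs are assumed statistically independent."""
    kind: str
    inputs: list

    def unavailability(self, t: float) -> float:
        qs = [x.unavailability(t) for x in self.inputs]
        if self.kind == "AND":
            return math.prod(qs)
        if self.kind == "OR":
            return 1.0 - math.prod(1.0 - q for q in qs)
        raise ValueError(f"unknown gate kind {self.kind}")


def trackside_tree(repairable: bool) -> Gate:
    """Constructed tree (hypothetical): the trackside subsystem is unavailable if both RBC
    replicas are down OR both GSM-R links are down."""
    mu_rbc = 0.5 if repairable else 0.0    # 2 h mean repair time
    mu_link = 1.0 if repairable else 0.0   # 1 h mean repair time
    rbc = Gate("AND", [BasicEvent("RBC_main", 1e-4, mu_rbc), BasicEvent("RBC_standby", 1e-4, mu_rbc)])
    gsmr = Gate("AND", [BasicEvent("GSMR_link_1", 1e-3, mu_link), BasicEvent("GSMR_link_2", 1e-3, mu_link)])
    return Gate("OR", [rbc, gsmr])


def compare_repair_policies(t: float = 8760.0) -> dict:
    """Top-event unavailability after t hours (default: one year) with and without repair."""
    return {
        "repairable": trackside_tree(True).unavailability(t),
        "non_repairable": trackside_tree(False).unavailability(t),
    }
```

The non-repairable variant is what a plain fault tree gives; the gap between the two numbers is the effect of the repair policy that a Repairable Fault Tree is meant to capture.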
12. Experience report 2: issues
• Main problem:
– evaluate TMR safety in presence of imperfect maintenance
• Existing GSPN model assuming perfect maintenance hardly extensible:
– Low maintainability
– Very limited efficiency
• No other single-formalism approach usable to solve the overall problem
• Further problem:
– how to improve the maintainability of the existing GSPN-based safety model?
13. Experience report 2: solution
[Figure: multiformalism safety model. The existing safety model (hardware, GSPN) is composed with repair models at different levels of detail (environmental & human factors, CTMC) through two interfaces: a Maintenance Model Interface carrying the operational status (OK, KO, Up with fault, etc.) and a Failure Model Interface carrying fault events (Transient, Permanent, etc.). The maintenance model implementation is chosen among Finite State Machine, Continuous Time Markov Chain and Timed Automata. The failure model implementation is a fault tree whose top event, Hazardous Failure, is developed into: erroneous output from the voter (one erroneous output together with the same error in the input data of both units; the same error from the two units, i.e. a combination of latent errors in A and in B with activation of the errors of both A and B; erroneous output from one unit, A or B) and voter failure.]
Fault Tree → Bayesian Network → GSPN: + expressiveness, complexity, realism; − solving efficiency, readability, maintainability
• F. Flammini, S. Marrone, N. Mazzocca, V. Vittorini: “A new modelling approach to the safety evaluation of N-modular redundant computer systems in presence of imperfect maintenance”. In: Reliability Engineering & System Safety (Elsevier) – special issue on ESREL’07 selected papers. DOI: 10.1016/j.ress.2009.02.014
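The TMR safety evaluation with imperfect maintenance described on this slide, as an added example (not the authors' GSPN or CTMC model): a small continuous-time Markov chain of a 2-out-of-3 system in which a repair is perfect with probability c and otherwise leaves a latent fault, solved by uniformization to get the probability of a hazardous failure within a mission time. The state space, the rates and the coverage values are constructed assumptions.

```python
import math

# States of the constructed CTMC (hypothetical, not the authors' model):
#   0 OK3  : three fault-free units
#   1 REP  : one unit faulty, fault detected, repair in progress
#   2 LAT  : one unit faulty after an imperfect repair, fault latent (undetected)
#   3 SAFE : second failure with differing outputs -> voter disagreement, safe shutdown (absorbing)
#   4 HAZ  : second failure with the same erroneous output -> hazardous failure (absorbing)
OK3, REP, LAT, SAFE, HAZ = range(5)


def tmr_generator(lam, mu, coverage, detect, p_same):
    """Generator matrix Q. lam: unit failure rate; mu: repair rate; coverage: probability that a
    repair is perfect; detect: rate at which a latent fault is revealed; p_same: probability that
    two faulty units produce the same erroneous output (voter masking defeated)."""
    q = [[0.0] * 5 for _ in range(5)]
    q[OK3][REP] = 3 * lam
    q[REP][OK3] = coverage * mu
    q[REP][LAT] = (1.0 - coverage) * mu
    for s in (REP, LAT):                     # a second unit failing while one is already faulty
        q[s][HAZ] = 2 * lam * p_same
        q[s][SAFE] = 2 * lam * (1.0 - p_same)
    q[LAT][REP] = detect
    for i in range(5):
        q[i][i] = -sum(q[i][j] for j in range(5) if j != i)
    return q


def transient_distribution(q, pi0, t):
    """State probabilities at time t by uniformization: pi(t) = sum_k Poisson(k; L t) pi0 P^k."""
    n = len(q)
    big_l = max(-q[i][i] for i in range(n))
    p = [[q[i][j] / big_l + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    k_max = int(big_l * t + 10 * math.sqrt(big_l * t) + 50)   # truncation with negligible tail
    v, out = list(pi0), [0.0] * n
    for k in range(k_max + 1):
        w = math.exp(-big_l * t + k * math.log(big_l * t) - math.lgamma(k + 1))
        for i in range(n):
            out[i] += w * v[i]
        v = [sum(v[i] * p[i][j] for i in range(n)) for j in range(n)]
    return out


def tmr_hazard_probability(coverage, lam=1e-5, mu=0.1, detect=0.01, p_same=0.1, t=8760.0):
    """Probability of hazardous failure within t hours (default: one year), starting from OK3."""
    pi_t = transient_distribution(tmr_generator(lam, mu, coverage, detect, p_same), [1, 0, 0, 0, 0], t)
    return pi_t[HAZ]
```

Comparing `tmr_hazard_probability(1.0)` (perfect maintenance) with `tmr_hazard_probability(0.9)` shows the contribution of the latent-fault path that a perfect-maintenance model leaves out.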
14. Experience report 3: issues
• Main problem:
– perform system functional verification of the European Railway Traffic Management System / European Train Control System (ERTMS/ETCS)
• Issues:
– extensive testing unfeasible due to system complexity (test-case number explosion)
– testing required for both nominal and degraded conditions
– unstable system requirements specification
• Further problem:
– How to detect missing requirements in order to improve the system specification? (validation)
15. Experience report 3: solution
1. Model-based testing (dynamic verification)
– Automatic generation and reduction of the test-suite using reference abstract models like Finite State Machines
[Figure: fragment of the RBC state machine used as reference model. States: Partial_Supervision_1 (Train Moving in Staff Responsible Mode), Disconnection_1 (Disconnection Request Sent by the RBC), Partial_Supervision_2 (Waiting for TAF Granted), Full_Supervision_1 (Train Moving in Full Supervision). Transitions, as laid out in the figure: “1: Receive TAF Granted / Send Disconnection Request” (Partial_Supervision_1 → Disconnection_1), “2: Receive standstill Position Report in TAF zone / Send TAF Request” (Partial_Supervision_1 → Partial_Supervision_2), “1: Receive TAF Granted / Send MA in Full Supervision” (Partial_Supervision_2 → Full_Supervision_1)]
• F. Flammini, N. Mazzocca, A. Orazzo: “Automatic instantiation of abstract tests to specific configurations for large critical control systems”. In: Journal of Software Testing, Verification & Reliability (STVR), Vol. 19, Issue 2, pp. 91-110
• F. Flammini, P. di Tommaso, A. Lazzaro, R. Pellecchia, A. Sanseviero: “The Simulation of Anomalies in the Functional Testing of the ERTMS/ETCS Trackside System”. In: Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE’05, Heidelberg, Germany, October 12-14, 2005: pp. 131-139
2. Model-based code inspection (static verification)
– Use of UML-based reverse engineering and refactoring
[Figure: verification of compliance between the logic specification, the UML model obtained by reverse engineering (1) class diagrams, 2) sequence diagrams, 3) statecharts: classes MA and TC with attributes and operations such as verify_cond(), Send_MA and op(); states MA_state1 and MA_state2) and the logic code]
LOGIC SPECIFICATION
Req. xx.yy: When the MA verification process is activated, the RBC Logic shall verify the status of the track circuits assigned to the MA and then […]
...
LOGIC CODE
PROCESS MA;
VARIABLES process_status, control, …
COMMANDS send_MA, …
COMMAND send_MA:
IF cond ASSIGN “ok” TO VARIABLE “control”
AND SEND AUTOMATIC COMMAND “op” TO PROCESS “TC”
...
• C. Abbaneo, F. Flammini, A. Lazzaro, P. Marmo, N. Mazzocca, A. Sanseviero: “UML Based Reverse Engineering for the Verification of Railway Control Logics”. In: IEEE Proceedings of Dependability of Computer Systems, DepCoS’06, Szklarska Poręba, Poland, May 25-27, 2006: pp. 3-10
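Model-based test generation of the kind described under point 1, as an added example (not the authors' tool): the RBC state-machine fragment shown on the slide is encoded as a transition list, all transition-covering abstract test sequences are generated from it, the suite is reduced greedily, and one abstract test is instantiated for a site configuration in the spirit of the Flammini/Mazzocca/Orazzo paper. The site configuration values (TAF zone and signal identifiers) are constructed.

```python
import re

# Abstract model: transitions read from the slide's state-machine fragment
# (source state, received event, RBC action, target state).
TRANSITIONS = [
    ("Partial_Supervision_1", "Receive TAF Granted", "Send Disconnection Request", "Disconnection_1"),
    ("Partial_Supervision_1", "Receive standstill Position Report in TAF zone", "Send TAF Request",
     "Partial_Supervision_2"),
    ("Partial_Supervision_2", "Receive TAF Granted", "Send MA in Full Supervision", "Full_Supervision_1"),
]


def generate_abstract_tests(transitions, initial):
    """Depth-first enumeration of every cycle-free path from `initial` to a state with no
    further unexplored transition; each path (list of transition indices) is one abstract test."""
    by_source = {}
    for idx, (src, _, _, _) in enumerate(transitions):
        by_source.setdefault(src, []).append(idx)
    tests, stack = [], [(initial, [], {initial})]
    while stack:
        state, path, seen = stack.pop()
        extended = False
        for idx in by_source.get(state, []):
            dst = transitions[idx][3]
            if dst not in seen:
                extended = True
                stack.append((dst, path + [idx], seen | {dst}))
        if path and not extended:
            tests.append(path)
    return tests


def reduce_suite(tests, n_transitions):
    """Greedy transition-coverage reduction: longest tests first, a test is kept only if it
    covers a transition not yet covered. Returns (kept tests, still-uncovered transitions)."""
    uncovered, kept = set(range(n_transitions)), []
    for test in sorted(tests, key=len, reverse=True):
        if uncovered & set(test):
            kept.append(test)
            uncovered -= set(test)
    return kept, uncovered


def instantiate(test, transitions, config):
    """Turn an abstract test into a concrete script by substituting configuration-specific
    identifiers (whole-word match) into the abstract event and action texts."""
    def concrete(text):
        for abstract, value in config.items():
            text = re.sub(rf"\b{re.escape(abstract)}\b", value, text)
        return text
    return [f"[{src}] {concrete(ev)} => {concrete(act)} -> [{dst}]"
            for src, ev, act, dst in (transitions[i] for i in test)]


SITE_CONFIG = {"TAF zone": "TAF zone TZ-07", "MA": "MA to signal S12"}   # constructed values
```

On a model this small the reduction keeps both tests; on a full ETCS model the same greedy pass is what removes sequences that only repeat transitions already exercised.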
16. Experience report 4: issues
• Main problem:
– Quantitative security risk assessment to support the design of protection mechanisms and evaluate the return on investment
• Issues:
– Traditional reliability modeling formalisms (e.g. Fault Trees) inadequate for security modeling (e.g. no support for interdependent basic events)
– Complexity in vulnerability modeling
• Further problem:
– How to demonstrate to the customer the optimality of the security system design (e.g. size of subsystems)?
17. Experience report 4: solution
R = P ⋅V ⋅ D WORK IN
PROGRESS
RISK MODEL
BAYESIAN NETWORKS STOCHASTIC PETRI NETS
Threat Frequency Threat Vulnerability
Model Model
Threat Consequences
Model
EVENT TREES
• We have already implemented a genetic algorithm to automatically maximize the return on
investment while fulfilling external budget constraints
• Flammini, Mazzocca, Infrastructures”
F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola: “Quantitative Security Risk Assessment and Management for Railway Transportation Infrastructures”. In:
Proc. 3rd International Workshop on Critical Information Infrastructures Security, CRITIS’08, Frascati (Rome), Italy, October 13-15, 2008: pp. 213-223
Infrastructures CRITIS’ 13- 213-
• F. Flammini, V. Vittorini, N. Mazzocca, C. Pragliola: “A Study on Multiformalism Modelling of Critical Infrastructures”. In: Proc. 3rd International Workshop on
Flammini, Vittorini, Mazzocca, Infrastructures”
Critical Information Infrastructures Security, CRITIS’08, Frascati (Rome), Italy, October 13-15, 2008: pp. 395-402
CRITIS’ 13- 395-
DCDS’09, Francesco Flammini
17
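The risk formula of this slide carried into a worked budget-allocation example (added here, not the authors' tool): residual risk R = P ⋅ V ⋅ D is summed over threats, each countermeasure scales the vulnerability V of the threats it addresses, and the portfolio with the highest net benefit within the budget is found by exhaustive search rather than by the genetic algorithm mentioned on the slide, which is what makes the small instance checkable by hand. The threats, vulnerability factors and costs are constructed.

```python
from itertools import combinations

# Constructed threat list: name -> (P: expected attempts per year, V: probability of success,
# D: consequence in k EUR). Risk per threat is R = P * V * D, i.e. k EUR per year.
THREATS = {
    "intrusion_technical_room": (2.0, 0.6, 500.0),
    "tampering_trackside_cabinet": (5.0, 0.3, 200.0),
    "attack_on_rbc_network": (0.5, 0.4, 2000.0),
}

# Constructed countermeasures: name -> (annualised cost in k EUR,
# {threat: factor by which the measure scales that threat's vulnerability V}).
COUNTERMEASURES = {
    "access_control": (80.0, {"intrusion_technical_room": 0.2}),
    "cabinet_sensors": (40.0, {"tampering_trackside_cabinet": 0.3, "intrusion_technical_room": 0.8}),
    "network_ids": (120.0, {"attack_on_rbc_network": 0.25}),
    "perimeter_cctv": (60.0, {"intrusion_technical_room": 0.5, "tampering_trackside_cabinet": 0.7}),
}


def total_risk(selected, threats=THREATS, countermeasures=COUNTERMEASURES):
    """Sum of P * V * D over threats, with V reduced multiplicatively by the selected measures."""
    risk = 0.0
    for threat, (p, v, d) in threats.items():
        for cm in selected:
            v *= countermeasures[cm][1].get(threat, 1.0)
        risk += p * v * d
    return risk


def best_portfolio(budget, threats=THREATS, countermeasures=COUNTERMEASURES):
    """Exhaustive search (fine for a handful of measures) for the subset that maximises
    net benefit = risk reduction - cost, subject to cost <= budget."""
    base = total_risk((), threats, countermeasures)
    best = {"selected": (), "cost": 0.0, "residual_risk": base, "net_benefit": 0.0, "roi": 0.0}
    names = list(countermeasures)
    for size in range(1, len(names) + 1):
        for subset in combinations(names, size):
            cost = sum(countermeasures[c][0] for c in subset)
            if cost > budget:
                continue
            residual = total_risk(subset, threats, countermeasures)
            net = base - residual - cost
            if net > best["net_benefit"]:
                best = {"selected": subset, "cost": cost, "residual_risk": residual,
                        "net_benefit": net, "roi": (base - residual) / cost}
    return best
```

With a budget of 200 the search prefers three cheaper measures that overlap on the same threats over the single most expensive one, which is the kind of trade-off the optimisation is meant to make visible to the customer.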
18. Future developments
• Methodology
– Definition of appropriate multiformalism composition operators
• Applications
– New case-studies, e.g. system level safety evaluation
[Figure: layered multiformalism model of ERTMS/ETCS. Operating Modes layer: Finite State Machines (modes OFF, SB, SR, OS, Full Supervision; Levels 0, STM, 1, 2, 3; Unfitted; System Failure). Procedures layer: (Generalized Stochastic) Petri Nets for Start of Mission and Hand-Over (Train 1, Train 2) with operational profiles OP1, OP2, OP3. Software and Hardware layers: Bayesian Networks and (Repairable) Fault Trees for the trackside, lineside, ground and on-board subsystems (on-board subsystem 1 … n, balise 1 … K), e.g. the balise transmission outcomes: transmitting correct telegram, transmitting default telegram (safe failure), transmitting incorrect telegram (unsafe failure), with hardware failure events (fail 1 … fail 4, fail SS 1, fail SS 2) leading to System Failure.]
• G. Di Lorenzo, F. Flammini, M. Iacono, S. Marrone, F. Moscato, V. Vittorini: “The software architecture of the OsMoSys multisolution framework”. In: Proc. 2nd International Conference on Performance Evaluation Methodologies and Tools, VALUETOOLS’07, Nantes, France, October 23-25, 2007: pp. 1-10
19. • Are models useful only for dependability prediction and assessment?
20. Experience report 5: issues
• Main problem:
– On-line detection of threats for early warning and decision support
• Issues:
– Integration of, and reasoning on, multi-sensor data
– Need for real-time detection models
• Further problem:
– How to quantify uncertainty?
21. Experience report 5: solution
[Figure: the DETECT Engine takes the Event History and the Scenario Repository as inputs and outputs the detected attack scenario and an alarm level (1, 2, 3, ...); detection models: Event Trees, Bayesian Networks, Neural Networks]
• F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola: “DETECT: a novel framework for the detection of attacks to critical infrastructures”. In: Safety, Reliability and Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds), Proceedings of ESREL’08, Valencia, Spain, 22-25 September 2008: pp. 105-112
• F. Flammini, A. Gaglione, N. Mazzocca, V. Moscato, C. Pragliola: “Wireless Sensor Data Fusion for Critical Infrastructure Security”. In: Advances in Soft Computing Vol. 53: Proc. International Workshop on Computational Intelligence in Security for Information Systems, CISIS’08, Genoa, Italy, October 23-24, 2008: pp. 92-99
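Attack-scenario detection in the style of the DETECT engine shown on this slide, as an added example (not the framework's own code): scenarios in the repository are ordered event sequences with a time window, the engine scans the event history for each scenario and raises an alarm level equal to the number of scenario steps matched in order, so a partial match already yields a low-level early warning. Sensor names, event kinds, scenarios and the event history are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    t: float       # seconds since start of the history
    source: str    # sensor or subsystem that reported the event
    kind: str      # event type reported by that source

# Constructed scenario repository: an attack scenario is an ordered list of (source, kind) steps
# that must occur in order within `window` seconds of the first step.
SCENARIOS = {
    "intrusion_technical_room": {"window": 600, "steps": [
        ("fence_pir_1", "motion"), ("door_tr1", "forced"), ("cabinet_tr1", "opened")]},
    "tampering_trackside_cabinet": {"window": 300, "steps": [
        ("cabinet_lc3", "opened"), ("ixl_lc3", "command_without_operator")]},
}

def match_scenario(history, steps, window):
    """Best partial match of one scenario over a time-ordered history:
    (alarm level = number of steps matched in order, time of the first matched step)."""
    best_level, best_start = 0, None
    for i, first in enumerate(history):
        if (first.source, first.kind) != steps[0]:
            continue
        level = 1
        for ev in history[i + 1:]:
            if ev.t - first.t > window:     # window expired for this candidate start event
                break
            if level < len(steps) and (ev.source, ev.kind) == steps[level]:
                level += 1
        if level > best_level:
            best_level, best_start = level, first.t
    return best_level, best_start

def detect(history, scenarios=SCENARIOS):
    """Run the whole repository over the history; `complete` marks a fully recognised scenario."""
    history = sorted(history, key=lambda e: e.t)
    alarms = {}
    for name, sc in scenarios.items():
        level, start = match_scenario(history, sc["steps"], sc["window"])
        if level:
            alarms[name] = {"level": level, "complete": level == len(sc["steps"]), "t_start": start}
    return alarms

# Constructed history: a complete intrusion sequence, and a cabinet opening whose follow-up
# command arrives after the tampering window has expired (partial match only).
HISTORY = [Event(0.0, "fence_pir_1", "motion"), Event(120.0, "door_tr1", "forced"),
           Event(200.0, "cabinet_tr1", "opened"), Event(1000.0, "cabinet_lc3", "opened"),
           Event(1500.0, "ixl_lc3", "command_without_operator"), Event(5000.0, "fence_pir_1", "motion")]
```

The alarm level is the uncertainty measure this simple matcher can offer; the slide's Bayesian-network and neural-network models are where a probabilistic score would replace the step count.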
22. Thank you for your kind attention
Questions?