Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS

(DCDS’
Dependable Control of Discrete Systems (DCDS’09)
Bari, 10-12 May 2009
10-

Model-Based Approaches for
Railway Safety, Reliability and Security:
The Experience of Ansaldo STS

Dr. Francesco Flammini
Ansaldo STS Italy – Innovation Unit
francesco.flammini@ansaldo-sts.com
francesco.flammini@ansaldo-

Outline

• Introduction to modern railway control systems

• The need for model-based approaches
model-

• Succesful applications

• Future developments

DCDS’09, Francesco Flammini
2

Catastrophic Failures in Railways

• Brief history… (due to speed or signalling)
history… signalling)
– Recent – Metro Rome, 2006
Rome,
– Most catastrophic: Amagasaki (Japan), 107 killed,
catastrophic: Japan), killed,
555 injuried
– One of the oldest – Waterloo station, 1803
• http://danger-ahead.railfan.net/
http://danger-ahead.railfan.net/
danger

3

Computer-Based Railway Control Systems
Control
System

Sensor Actuator
System System

ENVIRONMENT

• Safety-
Safety-Critical Railway Control Systems:
Systems:
– Interlocking Systems – management of train route and signals in stations
– trackside)
Traffic Management Systems – management of train headways (trackside)
– on-board)
Train Control Systems – management of train movement (on-board)
• Evolution from relays based to computer based → more complex failure modes
• real- complex:
Embedded real-time reactive systems increasingly complex:
– large, distributed,
large, distributed, heterogeneous
• Dependability attributes of interest:
– Reliability Availability Mantainability Safety Security (RAMSS)
• Important to evalutate such attributes in:
– early development stages to support design choices (fault forecasting)
– verification and validation phase, to demonstrate compliance to RAMSS standard (assessment / certificafion)
phase,

4

Automatic Train Protection Systems
HMI TRAFFIC
MANAGEMENT

Radio
Block
Center
GSM
-R
Train Position Report

Wide Area Network
Neighbour
Movement Authority with
Static Speed Profile
TRAIN CONTROL
RBCs Base Trans/receiver Station

ON-BOARD
ap SYSTEM
-g
Air

TRACK CIRCUIT
Balise Telegram with
Eurobalise Balise Group identifier

INTERLOCKING
PHYSICAL CONTROL ENTITIES

IXLj Adjacent IXL IXLk
TRACK CIRCUIT

Automation
WAN System
SIGNAL SWITCH POINT

DCDS’09, Francesco Flammini ROUTE Communication

5
Man Machine IXL Central Computer
STATION Interface Processing Unit

Threats of system dependability

Designers and Management Staff Normal Users
Developers Users

Data Network Maintainers

Computer-Based
Electrical Connections Control System

Power Supply Vandals, Hackers,
Terrorists

Vibrations Temperature Moisture

Electromagnetic Fields Environmental Cosmic Radiation
Parameters

6

The core of most control systems
• Triple Modular Redundancy
(TMR) U n it A U n it B U n it C
• Many other fault-tolerance
fault-
mechanisms
– Design diversity E x c lu s io n E x c lu s io n E x c lu s io n
L o g ic
– Error Correcting Codes A -B
L o g ic
B -C
L o g ic
A -C
– Defensive programming
– … V o te r

7

Objectives of dependability assessment
• Extensive simulation with real systems is unfeasible
• We need to evaluate RAMSS attributes of interest
possible:
with models as much as possible:
– Holistic
• System level failure modes
– Realistic
• Correct behavior with not too many conservative assumptions
– Maintainable
• No hyper-skills required to build and modify them
– Efficient
• Quick to build and evaluate on normal computers
– Assessable
• Readable and low error prone
– …
8

New frontiers in dependability modeling
• Multi-paradigm approaches, involving:
Multi- approaches, involving:
– Multi-formalism modeling
Multi-
– Meta-modeling
Meta-
– Model-abstraction and transformation
Model-
• Choice of the modeling approach most suited to the:
• Objective of the analysis (performability, security, maintainability, etc.)
• Constituent subsystems (small embedded device, workstation, etc.)
• Abstraction layers (hardware, software state-machine, software functions, etc.)
• Advantages:
Advantages:
– Modular or compositional approach
• Divide ed impera
• Incremental, multi-level / hierarchical
• Reuse (model libraries)
– They allow for a trade-off among:
trade- among:
• Ease of use
• Expressive power
• Solving efficiency
9

Experience report 1: issues
• Main problem:
problem:
– evaluate system availability with respect to system-level failure
system-
modes to demonstrate compliance to RAM requirements
• Unfeasible with traditional single-formalism stochastic
single-
approaches:
modeling approaches:
– Queueing Networks ➪ limited expressiveness (no failure
modeling)
modeling)
– Fault Trees ➪ limited expressiveness (no performance modeling)
modeling)
– Stochastic Petri Nets ➪ ungovernable complexity and limited
explosion)
efficiency (state space explosion)
– …
• Further problem:
problem:
– how to evaluate the effect of real-world repair strategies (e.g.
real-
maintenance, resources, etc)?
preventive maintenance, limited resources, etc)?
10

Experience report 1: solution
AVAILABILITY MODEL
(overall system, BN)

PERFORMABILITY MODEL MAINTAINABILITY MODEL
RELIABILITY MODEL (network / software, GSPN)
(on-board, FT) (trackside, RFT)

• F. Flammini, M. Iacono, S. Marrone, N. Mazzocca: quot;Using Repairable Fault Trees for the evaluation of design choices for critical repairable systemsquot;. In: Proceedings
Flammini, Iacono, Marrone, Mazzocca: choices
of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE’05, Heidelberg, Germany, October 12-14, 2005: pp. 163-172
HASE’ 12- 163-
• F. Flammini, S. Marrone, N. Mazzocca, V. Vittorini: “Modelling System Reliability Aspects of ERTMS/ETCS by Fault Trees and Bayesian Networksquot;. In: Safety and
Flammini, Marrone, Mazzocca, Vittorini: Trees
Reliability for Managing Risk: Proceedings of the 15th European Safety and Reliability Conference (published in September 1st 2006), ESREL’06, Estoril, Portugal,
Risk: Conference ESREL’ Estoril,
18- 2675-
September 18-22, 2006: pp. 2675-2683

11


• Main problem:
problem:
– evaluate TMR safety in presence of imperfect maintenance
• Existing GSPN model assuming perfect maintenance
hardly extensible
– Low maintenability
– Very limited efficiency
• No other single formalism approach usable to solve the
overall problem
problem:
– how to improve the maintenability of the existing GSPN-based
GSPN-
model?
safety model?

12

Finite State Machine OR Continuous Time M arkov Chain OR Timed Automata REPAIR MODELS
at differ ent levels of detail (environmental & human
factors, CTMC)
M aintenance model
implementation

Choice of the m odel

M ainte nance M ode l Inte rface
Operational Status Fault Ev ents
Composition
(OK, KO, Up w ith f ault, etc .) (Transient, Permanent, etc .)
Failure M ode l Inte rface

Choice of the m odel

H azardo us
Fa l ure
i

Erroneou s
o ut utfr m
p o
voter
O ne
erroneous
outputand
S ameerror i n
npu t datao f
i
both uni t
s
S ameerror
fromthe tw o
C omb na ti n
i o
of l ate nt
e rr rs
o Failure model
voterfai ure
l

implementation
u ni s
t

Laten t erro r Late nt e rror A va t on of
cti i
in A in B e rr rs of
o
both A an d B

Erron eou s Erro neou s E rroneo us
outp utfrom Vote rf ai ure
l ou tput ro m
f o utput f r m
o
one u ni
t A B

EXISTING SAFETY MODEL
Fault Tree Bayesian Netw ork GSPN
(hardware, GSPN)
+ expressiveness, com plexity, realism
- solving efficiency, readability, maintainability
• Flammini, Marrone, Mazzocca, Vittorini: N-
F. Flammini, S. Marrone, N. Mazzocca, V. Vittorini: “A new modelling approach to the safety evaluation of N-modular
DCDS’09, Francesco Flammini maintenance”
redundant computer systems in presence of imperfect maintenance”. In: Reliability Engineering & System Safety (Elsevier) –
ESREL’
special issue on ESREL’07 selected papers. DOI: 10.1016/j.ress.2009.02.014 13

• Main problem:
problem:
– perform system functional verification of the European Railway
Traffic Management System / European Train Control System
(ERTMS/ETCS)
• Issues:
Issues:
– extensive testing unfeasible due to system complexity (test-case
(test-
explosion)
number explosion)
– testing required for both nominal and degraded conditions
– unstable system requirements specification
problem:
– How to detect missing requirements in order to improve system
specification? (validation
validation)
specification? (validation)

14

Model-
1. Model-based testing (dynamic
verification)
verification) Partial_Supervision_1
Train Moving in a
1: Receive TAF Granted /
Send Disconnection Request
Disconnection_1
Disconnection Request
Staff Responsible Mode Sent by the RBC
– Automatic generation and
test-
reduction of the test-suite using
2: Receive standstill Position Report in TAF zone /
Send TAF Request

reference abstract models like
Finite State Machines Partial_Supervision_2
Waiting for TAF
1: Receive TAF Granted /
Send MA in Full Supervision
Full_Supervision_1
Train Moving in Full
Granted Supervision
• Flammini, Mazzocca,
F. Flammini, N. Mazzocca, A. Orazzo: “Automatic instantiation of abstract tests to specific
configurations for large critical control systems”. In: Journal of Software Testing, Verification
systems”
91-
& Reliability (STVR), Vol. 19, Issue 2, pp. 91-110
• Flammini, Tommaso, Lazzaro, Pellecchia,
F. Flammini, P. di Tommaso, A. Lazzaro, R. Pellecchia, A. Sanseviero: quot;The Simulation of
Anomalies in the Functional Testing of the ERTMS/ETCS Trackside Systemquot;. In:
Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, LOGIC SPECIFICATION
HASE’ 12-
HASE’05, Heidelberg, Germany, October 12-14, 2005: pp. 131-139 131- Req. xx.yy: When the MA verification process is activated, the RBC Logic
shall verify the status of the track circuits assigned to the MA and then […]
...
UML MODEL verification of compliance
1) CLASS DIAGRAMS 2) SEQUENCE DIAGRAMS 3) STATECHARTS

Model-
2. Model-based code inspection
MA
-attributes MA TC MA_state1
+operations() 1

verification)
(static verification)
verify_cond() Send_MA
TC op()

-attributes MA_state2

– UML-
Use of UML-based reverse * +operations()
reverse
refactoring

engineering and refactoring
LOGIC CODE engineering
PROCESS MA;
VARIABLES process_status, control, …
COMMANDS send_MA, …
COMMAND send_MA:
• Abbaneo, Flammini, Lazzaro, Marmo, Mazzocca,
C. Abbaneo, F. Flammini, A. Lazzaro, P. Marmo, N. Mazzocca, A. Sanseviero: quot;UML Based IF cond ASSIGN “ok” TO VARIABLE “control”
Reverse Engineering for the Verification of Railway Control Logicsquot;. In: IEEE Proceedings of
Logicsquot;. AND SEND AUTOMATIC COMMAND “op” TO PROCESS “TC”
DepCoS’ Poręba,
Dependability of Computer Systems, DepCoS’06, Szklarska Poręba, Poland, May 25-27,25- ...
3-
2006: pp. 3-10
15


• Main problem:
problem:
– Quantitative security risk assessment to support the design of
protection mechanisms and evaluate the return on investment
• Issues:
Issues:
– Traditional reliability modeling formalisms (e.g. Fault Trees)
Trees)
inadequate for security modeling (e.g. no support for
events)
interdependant basic events)
– Complexity in vulnerability modeling
problem:
– How to demonstrate to the customer the optimality of security
subsystems)?
system design (e.g. size of subsystems)?

16

R = P ⋅V ⋅ D WORK IN
PROGRESS
RISK MODEL
BAYESIAN NETWORKS STOCHASTIC PETRI NETS
Threat Frequency Threat Vulnerability
Model Model

Threat Consequences
Model
EVENT TREES

• We have already implemented a genetic algorithm to automatically maximize the return on
investment while fulfilling external budget constraints

• Flammini, Mazzocca, Infrastructures”
F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola: “Quantitative Security Risk Assessment and Management for Railway Transportation Infrastructures”. In:
Proc. 3rd International Workshop on Critical Information Infrastructures Security, CRITIS’08, Frascati (Rome), Italy, October 13-15, 2008: pp. 213-223
Infrastructures CRITIS’ 13- 213-
• F. Flammini, V. Vittorini, N. Mazzocca, C. Pragliola: “A Study on Multiformalism Modelling of Critical Infrastructures”. In: Proc. 3rd International Workshop on
Flammini, Vittorini, Mazzocca, Infrastructures”
Critical Information Infrastructures Security, CRITIS’08, Frascati (Rome), Italy, October 13-15, 2008: pp. 395-402
CRITIS’ 13- 395-
17

Future developments

• Methodology Start of Mission Hand-Over
OPi 1
OPi 2

r
ye
La
– Definition of appropriate
(Gen eralized

es
(Generalized

r
Stocha stic) OP3 Stoch astic)

du
Petri Net Petri Net

oce
Pr
Start of Mission Train 1 Hand-Over Train 2

multiformalism

r
ye
La

rs
Fin ite State Machine

ye
(Gen eralized

re s
(Gen eralized

r

La
Level 0 /

ye
Level 1 Level 2 Level 3 Sto ch astic) OP3 Sto ch astic)

du
STM

La

re
OP2 Petri Net Petri Net

oce

La twa
es

Pr
od
Unfit t ed

are Sof
r
composition operators

ye
gM

rdw at e
t in

Ha e di
OFF SB SR OS Full Supervision

e ra

m
Op

te r
In
System Failure
Finite S tate Ma chine

• Applications
OP1 Ba yesia n Network
TRACKSIDE SUBSYSTEM

r
ye
v5

La
are
fa il 11

rdw
fa il SS 1
v3 v4
fa il 2

Ha
Sy stem Failure

– New case-studies, e.g.
case-studies,
T ransm it t in g
fa il 3
fail SS 2 Correct T elegram
v1 v2
fa il 4
(Repa irab le) Fau lt Tree

r
ye
Non

La
Transmitting Default

r
ye
Transmitting Telegram (safe failure)
ON-BOARD SUBSYSTEM 1

are
La
...

system level safety

ftw
are
So
rdw
Transmitting Uncorrect
Telegram (unsafe failure)

Ha
Start of Mission Hand-Over

evaluation

r
ye
BALISE 1

La
r
ye
es
(Genera lized (Generalized
...

La
ur
Stocha stic) OP3 Stocha stic)
BALISE K

La ode s
ed
Petri Net Petri Net

Ha e rat Proc

r
M
ye
LINESIDE SUBSYSTEM

rdw ing
are
GROUND SUBSYSTEM

Op
ON-BOARD SUBSYSTEM n

• Flammini, Iacono, Marrone, Moscato, Vittorini: framework”
G. Di Lorenzo, F. Flammini, M. Iacono, S. Marrone, F. Moscato, V. Vittorini: “The software architecture of the OsMoSys multisolution framework”. In: Proc. 2nd
VALUETOOLS’ 23-
International Conference on Performance Evaluation Methodologies and Tools, VALUETOOLS’07, Nantes, France, October 23-25, 2007: pp. 1-10 1-

18

• Are models useful only for dependability
assessment?
prediction and assessment?

19


• Main problem:
problem:
– On-line detection of threats for early warning and
On-
decision support
• Issues:
Issues:
– Integration and reasoning of multi-sensor data
multi-
– Need for real-time detection models
real-
problem:
– How to quantify uncertainity?
uncertainity?

20


DETECT Engine
Scenario
Repository
Detected
attack
scenario
Event
History Alarm level
(1, 2, 3, ...)
EVENT TREES
BAYESIAN NETWORKS
NEURAL NETWORKS

• Flammini, Mazzocca, critical infrastructures”
F. Flammini, A. Gaglione, N. Mazzocca, C. Pragliola: “DETECT: a novel framework for the detection of attacks to critical infrastructures”. In: Safety, Reliability and
(eds
eds), ESREL’ 22- 105-
Risk Analysis: Theory, Methods and Applications – Martorell et al. (eds), Proceedings of ESREL’08, Valencia, Spain, 22-25 September 2008: pp. 105-112
• F. Flammini, A. Gaglione, N. Mazzocca, V. Moscato, C. Pragliola: “Wireless Sensor Data Fusion for Critical Infrastructure Security”. In: Advances in Soft
Flammini, Mazzocca, Moscato, Security”
CISIS’ 23-
Computing Vol. 53: Proc. International Workshop on Computational Intelligence in Security for Information Systems, CISIS’08, Genoa, Italy, October 23-24, 2008:
92-
pp. 92-99
21

Thank you for your kind attention

Questions?
Questions?

Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (10)

Similar to Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS

Similar to Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS (20)

More from Francesco Flammini

More from Francesco Flammini (20)

Recently uploaded

Recently uploaded (20)

Model-Based Approaches for Railway Safety, Reliability and Security: The Experience of Ansaldo STS