Model-Based Approaches for Railway Safety, Reliability & Security


Invited Talk by Francesco Flammini at the 6th International Workshop on Verification and Evaluation of Computer and Communication Systems (VECoS'12)
CNAM, Paris, France
August 27-28, 2012
co-located with
18th International Symposium on Formal Methods (FM 2012)

Published in: Technology, Business

  1. 6th International Workshop on Verification and Evaluation of Computer and Communication Systems, CNAM, Paris, France, August 27-28, 2012
     Model-Based Approaches for Railway Safety, Reliability and Security
     Dr. Francesco Flammini, Ansaldo STS Italy – Innovation & Competitiveness, IEEE Computer Society Italy Chapter
  2. Outline
     • Introduction to modern railway control systems
     • The need for model-based approaches
     • Successful applications
     • Future developments
     VECoS’12, Francesco Flammini
  3. Catastrophic Failures in Railways
     • Some relevant rail accidents
       – Recent (July 23, 2011): Wenzhou (China) high-speed train collision, 40 killed, 192 injured
       – Most catastrophic: Amagasaki (Japan), 107 killed, 555 injured
       – One of the oldest: Waterloo station, 1803
     • Some sources
  4. Computer-Based Railway Control Systems
     [Figure: a control system interacting with the environment through a sensor system and an actuator system]
     • Safety-critical railway control systems:
       – Interlocking Systems – management of train routes and signals in stations
       – Traffic Management Systems – management of train headways (trackside)
       – Train Control Systems – management of train movement (on-board)
     • Evolution from relay-based to computer-based → more complex failure modes
     • Embedded real-time reactive systems are increasingly complex:
       – large, distributed, heterogeneous
     • Dependability attributes of interest:
       – Reliability, Availability, Maintainability, Safety, Security (RAMSS)
     • Important to evaluate such attributes in:
       – early development stages, to support design choices (fault forecasting)
       – the verification and validation phase, to demonstrate compliance with RAMSS standards (assessment / certification)
  5. Automatic Train Protection Systems
     [Figure: architecture diagram. Labels: HMI, Traffic Management, Train Control, Interlocking, Physical Control Entities, Adjacent IXL, Track Circuit, Signal, Switch Point, Route, Station, Automation System, WAN, Communication Computer, Man Machine Interface, IXL Central Processing Unit]
  6. Threats to system dependability
     [Figure: threat sources surrounding the computer-based control system. Labels: Designers and Developers; Users (Management Staff, Normal Users); Maintainers; Data Network; Electrical Connections; Power Supply; Vandals, Hackers, Terrorists; Environmental Factors (Vibrations, Temperature, Moisture, Electromagnetic Fields, Cosmic Radiation)]
  7. The core of most control systems
     • Triple Modular Redundancy (TMR)
     • Many other fault-tolerance mechanisms
       – Design diversity
       – Error Correcting Codes
       – Defensive programming
       – …
     [Figure: TMR architecture. Labels: Unit A, Unit B, Unit C; Exclusion Logic A-B, Exclusion Logic B-C, Exclusion Logic A-C; Voter]
  8. Objectives of dependability assessment
     • Extensive simulation with real systems is unfeasible
     • We need to evaluate RAMSS attributes of interest with models as much as possible:
       – Holistic
         • System-level failure modes
       – Realistic
         • Correct behavior with not too many conservative assumptions
       – Maintainable
         • No hyper-skills required to build and modify them
       – Efficient
         • Quick to build and evaluate on normal computers
       – Assessable
         • Readable, with low error-proneness
       – …
  9. New frontiers in dependability modeling
     • Multi-paradigm approaches, involving:
       – Multi-formalism modeling
       – Meta-modeling
       – Model abstraction and transformation
     • Choice of the modeling approach most suited to the:
       – Objective of the analysis (performability, security, maintainability, etc.)
       – Constituent subsystems (small embedded device, workstation, etc.)
       – Abstraction layers (hardware, software state-machine, software functions, etc.)
     • Advantages:
       – Modular or compositional approach
         • Divide et impera
         • Incremental, multi-level / hierarchical
         • Reuse (model libraries)
       – They allow for a trade-off among:
         • Ease of use
         • Expressive power
         • Solving efficiency
  10. Experience report 1: issues
      • Main problem:
        – evaluate system availability with respect to system-level failure modes to demonstrate compliance to RAM requirements
      • Unfeasible with traditional single-formalism stochastic modeling approaches:
        – Queueing Networks ➪ limited expressiveness (no failure modeling)
        – Fault Trees ➪ limited expressiveness (no performance modeling)
        – Stochastic Petri Nets ➪ ungovernable complexity and limited efficiency (state space explosion)
        – …
      • Further problem:
        – how to evaluate the effect of real-world repair strategies (e.g. preventive maintenance, limited resources, etc.)?
  11. Experience report 1: solution
      [Figure: availability model (overall system, BN) built on top of a performability model, a maintainability model and a reliability model; sub-model annotations: (network / software, GSPN), (on-board, FT), (trackside, RFT)]
      • F. Flammini, M. Iacono, S. Marrone, N. Mazzocca: "Using Repairable Fault Trees for the evaluation of design choices for critical repairable systems". In: Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE’05, Heidelberg, Germany, October 12-14, 2005: pp. 163-172
      • F. Flammini, S. Marrone, N. Mazzocca, V. Vittorini: "Modelling System Reliability Aspects of ERTMS/ETCS by Fault Trees and Bayesian Networks". In: Safety and Reliability for Managing Risk: Proceedings of the 15th European Safety and Reliability Conference (published in September 1st 2006), ESREL’06, Estoril, Portugal, September 18-22, 2006: pp. 2675-2683
  12. Experience report 2: issues
      • Main problem:
        – evaluate TMR safety in presence of imperfect maintenance
      • Existing GSPN model assuming perfect maintenance hardly extensible
        – Low maintainability
        – Very limited efficiency
      • No other single-formalism approach usable to solve the overall problem
      • Further problem:
        – how to improve the maintainability of the existing GSPN-based safety model?
  13. Experience report 2: solution
      [Figure: multi-formalism composition of the safety model. Maintenance Model Interface: choice of the maintenance model implementation among Finite State Machine, Continuous Time Markov Chain or Timed Automata, giving repair models at different levels of detail (environmental & human factors, CTMC). Composition through Operational Status (OK, KO, Up with fault, etc.) and Fault Events (Transient, Permanent, etc.). Failure Model Interface: choice of the failure model implementation among Fault Tree, Bayesian Network and GSPN (annotated: + expressiveness, complexity, realism; − solving efficiency, readability, maintainability). Existing safety model (hardware, GSPN). Fault tree labels: Hazardous Failure; Erroneous output from voter; One erroneous output and voter failure; Same error from the two units; Same error in input data of both units; Combination of latent errors; Activation of errors of both A and B; Latent error in A; Latent error in B; Erroneous output from one unit; Voter failure; Erroneous output from A; Erroneous output from B]
      • Flammini, F., Marrone, S., Mazzocca, N., Vittorini, V.: A new modelling approach to the safety evaluation of N-modular redundant computer systems in presence of imperfect maintenance. In: Reliability Engineering & System Safety, Vol. 94, Issue 9, September 2009: pp. 1422–1432
  14. Experience report 3: issues
      • Main problem:
        – perform system functional verification of the European Railway Traffic Management System / European Train Control System (ERTMS/ETCS)
      • Issues:
        – extensive testing unfeasible due to system complexity (test-case number explosion)
        – testing required for both nominal and degraded conditions
        – unstable system requirements specification
      • Further problem:
        – How to detect missing requirements in order to improve system specification? (validation)
  15. Experience report 3: solution
      1. Model-based testing (dynamic verification)
        – Automatic generation and reduction of the test-suite using reference abstract models like Finite State Machines
        [Figure: finite state machine excerpt. States: Partial_Supervision_1 (Train Moving in a Staff Responsible Mode), Disconnection_1 (Disconnection Request Sent by the RBC), Partial_Supervision_2 (Waiting for TAF Granted), Full_Supervision_1 (Train Moving in Full Supervision). Transition labels: "1: Receive TAF Granted / Send Disconnection Request", "2: Receive standstill Position Report in TAF zone / Send TAF Request", "1: Receive TAF Granted / Send MA in Full Supervision"]
        • F. Flammini, N. Mazzocca, A. Orazzo: "Automatic instantiation of abstract tests to specific configurations for large critical control systems". In: Journal of Software Testing, Verification & Reliability (STVR), Vol. 19, Issue 2, pp. 91-110
        • F. Flammini, P. di Tommaso, A. Lazzaro, R. Pellecchia, A. Sanseviero: "The Simulation of Anomalies in the Functional Testing of the ERTMS/ETCS Trackside System". In: Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE’05, Heidelberg, Germany, October 12-14, 2005: pp. 131-139
      2. Model-based code inspection (static verification)
        – Use of UML-based reverse engineering and refactoring
        [Figure: reverse engineering and refactoring between the logic code and a UML model (1) class diagrams, 2) sequence diagrams, 3) statecharts), and verification of compliance of the UML model with the logic specification. UML labels: classes MA and TC with attributes and operations(), states MA_state1 and MA_state2, verify_cond(), Send_MA, op()]
        LOGIC SPECIFICATION
          Req. xx.yy: When the MA verification process is activated, the RBC Logic shall verify the status of the track circuits assigned to the MA and then […] ...
        LOGIC CODE
          PROCESS MA;
          VARIABLES process_status, control, …
          COMMANDS send_MA, …
          COMMAND send_MA:
          IF cond ASSIGN “ok” TO VARIABLE “control”
          AND SEND AUTOMATIC COMMAND “op” TO PROCESS “TC”
          ...
        • Flammini, F., Lazzaro, A., Mazzocca, N.: Modeling of Logic Code for Reverse Engineering, Verification and Refactoring. In: The International Journal of Safety & Security Engineering, Vol. 1, no. 1, February 2011: pp. 77-94
  16. Experience report 4: issues
      • Main problem:
        – Quantitative security risk assessment to support the design of protection mechanisms and evaluate the return on investment
      • Issues:
        – Traditional reliability modeling formalisms (e.g. Fault Trees) inadequate for security modeling (e.g. no support for interdependent basic events)
        – Complexity in vulnerability modeling
      • Further problem:
        – How to demonstrate to the customer the optimality of security system design (e.g. size of subsystems)?
  17. Experience report 4: solution
      [Figure: risk model (R, P, V, D) combining Bayesian Networks, Stochastic Petri Nets and Event Trees / Class Diagrams. Threat Frequency Model: threat attractivity, other assets attractivity, likelihood of attack. Vulnerability Model: intrinsic robustness, accessibility, existing protections. Threat Consequences Model: asset failure, aggregated asset failure, dependant asset failure, component asset failure, influencing asset failure; Event Tree, Fault Tree. Class diagram of the railway system assets: fixed and mobile equipment, infrastructure, signalling & control, rolling stock, network, management & maintenance, line sections, stations, signals, switches, tracks, tunnels, bridges, trains, locomotives and on-board / trackside subsystems]
      • Genetic algorithms employed to automatically maximize the ROI while fulfilling external budget constraints
      • Flammini, F., Gaglione, A., Mazzocca, N., Pragliola, C.: Automatic Optimization of Security System Design by Quantitative Risk Assessment and Genetic Algorithms. In: International Journal of Risk Analysis and Management (IJRAM), Vol. 15, No. 2/3, 2011: pp. 205-221
      • Flammini, F., Mazzocca, N., Moscato, F., Pappalardo, A., Pragliola, C., Vittorini, V.: Multiformalism techniques for critical infrastructure modeling. In: International Journal of Systems of Systems Engineering (IJSSE), Vol. 2, No. 1, 2010: pp. 19-37
  18. • Are models useful only for dependability prediction and assessment?
  19. Experience report 5: issues
      • Main problem:
        – On-line detection of threats for early warning and decision support
      • Issues:
        – Integration and reasoning of multi-sensor data
        – Need for real-time detection models
      • Further problem:
        – How to quantify uncertainty?
  20. Experience report 5: solution
      [Figure: DETECT architecture. Labels: DETECT Engine, Scenario Repository, Event History, Detected attack scenario, Alarm level (1, 2, 3, ...); models: Event Trees, Bayesian Networks, Neural Networks; example event tree over sensors IMS/SAW, IR, CAM 1, CAM 2 and MIC with events CWA, FALL, RUN and SCREAM and temporal constraints (<5’, <10’)]
      • Flammini, F., Mazzocca, N., Pappalardo, A., Pragliola, C., Vittorini, V.: Augmenting surveillance system capabilities by exploiting event correlation and distributed attack detection. In: Proc. 2011 Intl. Workshop on Security and Cognitive Informatics for Homeland Defence (SeCIHD’11), co-located with ARES’11, A M. Tjoa et al. (Eds.), LNCS 6908, pp. 191-204
      • Flammini, F., Pappalardo, A., Pragliola, C., Vittorini, V.: A robust approach for on-line and off-line threat detection based on event tree similarity analysis. In: Proc. Workshop on Multimedia Systems for Surveillance (MMSS) in conjunction with 8th IEEE International Conference on Advanced Video and Signal-Based Surveillance, Klagenfurt, Austria, August 29-30, 2011: pp. 414-419
  21. Work-in-progress & future developments
      • Definition of appropriate Model Driven Engineering (MDE) frameworks supporting Domain Specific Languages (DSL) and M2M transformations to enable high-level UML (annotated) modeling and automatic generation of solvable models
      [Figure: DAM-RAIL (derived from UML MARTE-DAM profile)]
      • Bernardi, S., Flammini, F., Marrone, S., Merseguer, J., Papa, C., Vittorini, V.: Model-driven availability evaluation of railway control systems. In: Proc. 30th Intl. Conf. on Computer Safety, Reliability & Security, SAFECOMP’11, Naples, September 19-21, 2011: pp. 467-479
  22. Further reading
      Flammini, F. (2012). Railway Safety, Reliability, and Security: Technologies and Systems Engineering, IGI Global, doi:10.4018/978-1-4666-1643-1
  23. Thank you for your kind attention. Questions?