Invited Talk by Francesco Flammini at the 6th International Workshop on Verification and Evaluation of Computer and Communication Systems (VECoS'12)
CNAM, Paris, France
August 27-28, 2012
co-located with
18th International Symposium on Formal Methods (FM 2012)
http://fm2012.cnam.fr
Model-Based Approaches for Railway Safety, Reliability & Security
1. 6th International Workshop on Verification and Evaluation of Computer and Communication Systems
CNAM, Paris, France, August 27-28, 2012
Model-Based Approaches for
Railway Safety, Reliability and Security
Dr. Francesco Flammini
Ansaldo STS Italy – Innovation & Competitiveness
IEEE Computer Society Italy Chapter
francesco.flammini@ieee.org
2. Outline
• Introduction to modern railway control systems
• The need for model-based approaches
• Successful applications
• Future developments
VECoS’12, Francesco Flammini
2
3. Catastrophic Failures in Railways
• Some relevant rail accidents
– Recent (July 23rd 2011): Wenzhou (China) high-speed train collision, 40 killed, 192 injured
– Most catastrophic: Amagasaki (Japan), 107 killed, 555 injured
– One of the oldest – Waterloo station, 1803
• Some sources
– http://en.wikipedia.org/wiki/List_of_rail_accidents_(2010-2019)
– http://danger-ahead.railfan.net/
4. Computer-Based Railway Control Systems
[Figure: control loop of a computer-based railway control system: the Sensor System feeds the Control System, which drives the Actuator System; all three interact with the Environment.]
• Safety-Critical Railway Control Systems:
– Interlocking Systems – management of train routes and signals in stations
– Traffic Management Systems – management of train headways (trackside)
– Train Control Systems – management of train movement (on-board)
• Evolution from relay-based to computer-based → more complex failure modes
• Embedded real-time reactive systems of increasing complexity:
– large, distributed, heterogeneous
• Dependability attributes of interest:
– Reliability, Availability, Maintainability, Safety, Security (RAMSS)
• Important to evaluate such attributes in:
– early development stages, to support design choices (fault forecasting)
– the verification and validation phase, to demonstrate compliance with RAMSS standards (assessment / certification)
5. Automatic Train Protection Systems
[Figure: layered architecture of an Automatic Train Protection system: HMI (Man Machine Interface) – Traffic Management – Train Control (IXL Central Processing Unit, Automation System, Communication over a WAN) – Interlocking (IXL, Adjacent IXL, Station) – Physical control entities (Track Circuit, Signal, Switch Point, Route).]
6. Threats to system dependability
[Figure: sources of threats surrounding the computer-based control system: people (designers and developers, management staff, normal users, maintainers, and vandals, hackers and terrorists); infrastructure (data network, electrical connections, power supply); environmental factors (vibrations, temperature, moisture, electromagnetic fields, cosmic radiation).]
7. The core of most control systems
• Triple Modular Redundancy (TMR)
• Many other fault-tolerance mechanisms
– Design diversity
– Error Correcting Codes
– Defensive programming
– …
[Figure: TMR architecture: Unit A, Unit B and Unit C, pairwise Exclusion Logic (A-B, B-C, A-C), and a Voter.]
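An added illustration of the exclusion logic and voter sketched on this slide (example code written for this page, not Ansaldo STS code): a 2-out-of-3 voter that compares the outputs of units A, B and C pairwise, excludes a single disagreeing unit and degrades to 2-out-of-2, and forces a restrictive safe-state output when no agreeing pair remains. The unit names, the commands and the safe-state value are constructed.

```python
from dataclasses import dataclass, field

SAFE_STATE = "STOP"  # constructed: the most restrictive command, forced when no majority exists

@dataclass
class VoteResult:
    output: str                                  # command forwarded to the actuators
    excluded: set = field(default_factory=set)   # units whose output was set aside
    safe_state: bool = False                     # True when no agreeing pair was found

def exclusion_logic(outputs: dict) -> set:
    """Pairwise comparison (A-B, B-C, A-C): return the units that agree with nobody."""
    units = sorted(outputs)
    agreeing = set()
    for i, u in enumerate(units):
        for v in units[i + 1:]:
            if outputs[u] == outputs[v]:
                agreeing.update({u, v})
    return set(units) - agreeing

class TmrVoter:
    """2-out-of-3 voter that remembers excluded units: after one exclusion it degrades to
    2-out-of-2, and it forces the safe state as soon as the remaining units disagree."""

    def __init__(self):
        self.excluded = set()

    def cycle(self, outputs: dict) -> VoteResult:
        active = {u: o for u, o in outputs.items() if u not in self.excluded}
        if len(active) == 3:
            disagreeing = exclusion_logic(active)
            if not disagreeing:                   # A == B == C
                return VoteResult(next(iter(active.values())), set(self.excluded))
            if len(disagreeing) == 1:             # one unit differs: exclude it, keep the majority
                self.excluded |= disagreeing
                majority = next(o for u, o in active.items() if u not in disagreeing)
                return VoteResult(majority, set(self.excluded))
            return VoteResult(SAFE_STATE, set(active), True)    # all three differ: no majority
        values = list(active.values())
        if len(values) == 2 and values[0] == values[1]:       # 2-out-of-2 agreement
            return VoteResult(values[0], set(self.excluded))
        return VoteResult(SAFE_STATE, set(outputs), True)      # 2-out-of-2 disagreement or < 2 units

if __name__ == "__main__":
    voter = TmrVoter()
    for sample in ({"A": "GO", "B": "GO", "C": "GO"}, {"A": "GO", "B": "STOP", "C": "GO"},
                   {"A": "GO", "B": "GO", "C": "STOP"}):
        print(sample, "->", voter.cycle(sample))
```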
8. Objectives of dependability assessment
• Extensive simulation with real systems is unfeasible
• We need to evaluate the RAMSS attributes of interest with models as much as possible, and such models should be:
– Holistic
• System-level failure modes
– Realistic
• Correct behavior without too many conservative assumptions
– Maintainable
• No hyper-skills required to build and modify them
– Efficient
• Quick to build and evaluate on normal computers
– Assessable
• Readable and not error-prone
– …
9. New frontiers in dependability modeling
• Multi-paradigm approaches, involving:
– Multi-formalism modeling
– Meta-modeling
– Model abstraction and transformation
• Choice of the modeling approach most suited to the:
– Objective of the analysis (performability, security, maintainability, etc.)
– Constituent subsystems (small embedded device, workstation, etc.)
– Abstraction layers (hardware, software state-machine, software functions, etc.)
• Advantages:
– Modular or compositional approach
• Divide et impera
• Incremental, multi-level / hierarchical
• Reuse (model libraries)
– They allow for a trade-off among:
• Ease of use
• Expressive power
• Solving efficiency
10. Experience report 1: issues
• Main problem:
– evaluate system availability with respect to system-level failure modes to demonstrate compliance with RAM requirements
• Unfeasible with traditional single-formalism stochastic modeling approaches:
– Queueing Networks ➪ limited expressiveness (no failure modeling)
– Fault Trees ➪ limited expressiveness (no performance modeling)
– Stochastic Petri Nets ➪ ungovernable complexity and limited efficiency (state space explosion)
– …
• Further problem:
– how to evaluate the effect of real-world repair strategies (e.g. preventive maintenance, limited resources, etc.)?
11. Experience report 1: solution
[Figure: multi-formalism availability model: an Availability Model of the overall system (Bayesian Network) composed from a Reliability Model (on-board: Fault Tree; trackside: Repairable Fault Tree), a Performability Model (network / software: GSPN) and a Maintainability Model.]
• F. Flammini, M. Iacono, S. Marrone, N. Mazzocca: "Using Repairable Fault Trees for the evaluation of design choices for critical repairable systems". In: Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE'05, Heidelberg, Germany, October 12-14, 2005: pp. 163-172
• F. Flammini, S. Marrone, N. Mazzocca, V. Vittorini: "Modelling System Reliability Aspects of ERTMS/ETCS by Fault Trees and Bayesian Networks". In: Safety and Reliability for Managing Risk: Proceedings of the 15th European Safety and Reliability Conference (published September 1st, 2006), ESREL'06, Estoril, Portugal, September 18-22, 2006: pp. 2675-2683
12. Experience report 2: issues
• Main problem:
– evaluate TMR safety in the presence of imperfect maintenance
• The existing GSPN model, which assumes perfect maintenance, is hardly extensible:
– Low maintainability
– Very limited efficiency
• No other single-formalism approach usable to solve the overall problem
• Further problem:
– how to improve the maintainability of the existing GSPN-based safety model?
13. Experience report 2: solution
[Figure: compositional safety model. Repair models (Finite State Machine, Continuous Time Markov Chain or Timed Automata, at different levels of detail; environmental and human factors as a CTMC) are chosen and implemented behind a Maintenance Model Interface that exchanges the Operational Status (OK, KO, Up with fault, etc.); failure models are chosen and implemented behind a Failure Model Interface that exchanges Fault Events (Transient, Permanent, etc.). The existing safety model (hardware, GSPN) is a fault tree whose top event is the Hazardous Failure (erroneous output from the voter), with intermediate events Voter failure, One erroneous output and voter failure, Same error from the two units (same error in input data of both units, combination of latent errors), and basic events Latent error in A, Latent error in B, Activation of errors of both A and B, Erroneous output from one unit / from A / from B. Formalism scale Fault Tree → Bayesian Network → GSPN: + expressiveness, complexity, realism; − solving efficiency, readability, maintainability.]
• Flammini, F., Marrone, S., Mazzocca, N., Vittorini, V.: A new modelling approach to the safety evaluation of N-modular redundant computer systems in presence of imperfect maintenance. In: Reliability Engineering & System Safety, Vol. 94, Issue 9, September 2009: pp. 1422–1432
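An added worked example of the kind of repair model this slide composes with the safety model (written for this page; not the authors' GSPN or CTMC model): a four-state continuous-time Markov chain for a TMR unit whose repair succeeds only with probability c, solved by integrating the Kolmogorov forward equations with fixed-step RK4 in plain Python. The rates, the coverage parameter, the mission time and the definition of the hazardous state (fewer than two healthy units) are assumptions.

```python
import math

# Constructed parameters: per-unit failure rate lam and repair rate mu (both per hour) and the
# repair coverage c, the probability that a repair action actually restores the unit: c = 1 is
# the perfect-maintenance case of the existing GSPN model, c < 1 models imperfect maintenance.
LAM, MU, MISSION_HOURS = 1e-3, 0.1, 100.0

def generator(lam, mu, c):
    """Generator matrix of a CTMC whose state is the number of healthy units (0..3):
    k -> k-1 at rate k*lam (one of the k healthy units fails), k -> k+1 at rate c*mu."""
    Q = [[0.0] * 4 for _ in range(4)]
    for k in range(4):
        if k > 0:
            Q[k][k - 1] = k * lam
        if k < 3:
            Q[k][k + 1] = c * mu
        Q[k][k] = -sum(Q[k][j] for j in range(4) if j != k)
    return Q

def rk4_step(p, Q, h):
    """One fixed-step RK4 integration of the Kolmogorov forward equations dp/dt = p Q."""
    f = lambda x: [sum(x[i] * Q[i][j] for i in range(4)) for j in range(4)]
    k1 = f(p)
    k2 = f([x + h / 2 * k for x, k in zip(p, k1)])
    k3 = f([x + h / 2 * k for x, k in zip(p, k2)])
    k4 = f([x + h * k for x, k in zip(p, k3)])
    return [x + h / 6 * (a + 2 * b + 2 * c + d) for x, a, b, c, d in zip(p, k1, k2, k3, k4)]

def unsafe_probability(lam, mu, c, t_end, h=0.05):
    """Probability that fewer than two units are healthy at t_end (assumed hazardous state: the
    voter can no longer mask a fault), starting from three healthy units. Returns (P, p)."""
    Q = generator(lam, mu, c)
    p = [0.0, 0.0, 0.0, 1.0]
    for _ in range(int(round(t_end / h))):
        p = rk4_step(p, Q, h)
    return p[0] + p[1], p

def tmr_no_repair_unsafe(lam, t):
    """Closed form for c = 0 (no repair): 1 - (3 e^-2lt - 2 e^-3lt), the classic TMR reliability."""
    return 1.0 - (3 * math.exp(-2 * lam * t) - 2 * math.exp(-3 * lam * t))

if __name__ == "__main__":
    for c in (1.0, 0.8, 0.5, 0.0):
        unsafe, _ = unsafe_probability(LAM, MU, c, MISSION_HOURS)
        print(f"coverage {c:.1f}: P(unsafe at {MISSION_HOURS:.0f} h) = {unsafe:.3e}")
```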
14. Experience report 3: issues
• Main problem:
– perform system functional verification of the European Railway Traffic Management System / European Train Control System (ERTMS/ETCS)
• Issues:
– extensive testing unfeasible due to system complexity (test-case number explosion)
– testing required for both nominal and degraded conditions
– unstable system requirements specification
• Further problem:
– How to detect missing requirements in order to improve the system specification? (validation)
15. Experience report 3: solution
1. Model-based testing (dynamic verification)
– Automatic generation and reduction of the test-suite using reference abstract models like Finite State Machines
[Figure: fragment of a reference Finite State Machine, as far as the layout allows it to be reconstructed: Partial_Supervision_1 (Train Moving in Staff Responsible Mode) –1: Receive TAF Granted / Send Disconnection Request→ Disconnection_1 (Disconnection Request Sent by the RBC); Partial_Supervision_1 –2: Receive standstill Position Report in TAF zone / Send TAF Request→ Partial_Supervision_2 (Waiting for TAF Granted) –1: Receive TAF Granted / Send MA in Full Supervision→ Full_Supervision_1 (Train Moving in Full Supervision).]
• F. Flammini, N. Mazzocca, A. Orazzo: "Automatic instantiation of abstract tests to specific configurations for large critical control systems". In: Journal of Software Testing, Verification & Reliability (STVR), Vol. 19, Issue 2, pp. 91-110
• F. Flammini, P. di Tommaso, A. Lazzaro, R. Pellecchia, A. Sanseviero: "The Simulation of Anomalies in the Functional Testing of the ERTMS/ETCS Trackside System". In: Proceedings of the 9th IEEE Symposium on High Assurance Systems Engineering, HASE'05, Heidelberg, Germany, October 12-14, 2005: pp. 131-139
2. Model-based code inspection (static verification)
– Use of UML-based reverse engineering and refactoring
[Figure: (1) Logic specification, e.g. "Req. xx.yy: When the MA verification process is activated, the RBC Logic shall verify the status of the track circuits assigned to the MA and then […]"; (2) UML model – class diagrams (MA and TC with attributes and operations such as verify_cond() and op()), sequence diagrams (Send_MA) and statecharts (MA_state1, MA_state2) – checked against the specification (verification of compliance); (3) Logic code, linked to the UML model by reverse engineering and refactoring: "PROCESS MA; VARIABLES process_status, control, … COMMANDS send_MA, … COMMAND send_MA: IF cond ASSIGN "ok" TO VARIABLE "control" AND SEND AUTOMATIC COMMAND "op" TO PROCESS "TC" ...".]
• Flammini, F., Lazzaro, A., Mazzocca, N.: Modeling of Logic Code for Reverse Engineering, Verification and Refactoring. In: The International Journal of Safety & Security Engineering, Vol. 1, no. 1, February 2011: pp. 77-94
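An added example of the first technique on this slide (written for this page, not the authors' tool): the FSM fragment shown in the figure, the RBC side of the Track Ahead Free (TAF) procedure, is encoded as a reference model, a test suite covering every transition is generated from it by breadth-first search, and the suite is reduced by dropping tests that are prefixes of longer ones. State and event names are the diagram's; treating Partial_Supervision_1 as the initial state and the transition labels as input/expected-output pairs are assumptions.

```python
from collections import deque

INITIAL = "Partial_Supervision_1"

# Reference model reconstructed from the figure: (state, input event) -> (expected output, next state).
# Taking Partial_Supervision_1 as the initial state is an assumption; the first entry is read as a
# TAF Granted message arriving before any TAF Request was sent (a degraded condition).
TRANSITIONS = {
    ("Partial_Supervision_1", "Receive TAF Granted"): ("Send Disconnection Request", "Disconnection_1"),
    ("Partial_Supervision_1", "Receive standstill Position Report in TAF zone"): ("Send TAF Request", "Partial_Supervision_2"),
    ("Partial_Supervision_2", "Receive TAF Granted"): ("Send MA in Full Supervision", "Full_Supervision_1"),
}

def shortest_paths(initial=INITIAL):
    """Breadth-first search over the model: shortest list of (state, event) steps reaching each state."""
    paths, queue = {initial: []}, deque([initial])
    while queue:
        s = queue.popleft()
        for (src, ev), (_, dst) in TRANSITIONS.items():
            if src == s and dst not in paths:
                paths[dst] = paths[s] + [(src, ev)]
                queue.append(dst)
    return paths

def generate_tests(initial=INITIAL):
    """One abstract test per transition (transition coverage): reach its source state along a
    shortest path, then fire it. Each step is (input, expected output, expected next state)."""
    reach = shortest_paths(initial)
    tests = []
    for src, ev in TRANSITIONS:
        if src in reach:  # a transition whose source is unreachable is a model defect, not a test
            steps = reach[src] + [(src, ev)]
            tests.append([(e, *TRANSITIONS[(s, e)]) for s, e in steps])
    return tests

def reduce_suite(tests):
    """Drop every test that is a prefix of a longer one: same coverage, fewer test runs."""
    return [t for t in tests if not any(o is not t and o[:len(t)] == t for o in tests)]

def run_test(test, sut, initial=INITIAL):
    """Drive a system under test, sut(state, event) -> (output, next state), checking every step."""
    state = initial
    for event, expected_output, expected_state in test:
        output, state = sut(state, event)
        if (output, state) != (expected_output, expected_state):
            return False
    return True
```

To run the suite against the model itself (as a stand-in for an RBC adapter), pass `lambda s, e: TRANSITIONS[(s, e)]` as the `sut` argument of `run_test`.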
16. Experience report 4: issues
• Main problem:
– Quantitative security risk assessment to support the design of protection mechanisms and evaluate the return on investment
• Issues:
– Traditional reliability modeling formalisms (e.g. Fault Trees) are inadequate for security modeling (e.g. no support for interdependent basic events)
– Complexity in vulnerability modeling
• Further problem:
– How to demonstrate to the customer the optimality of the security system design (e.g. size of subsystems)?
17. Experience report 4: solution
[Figure: risk model. Bayesian Networks for the Threat Frequency Model (attractivity, other assets' attractivity, likelihood of attack) and the Threat Vulnerability Model (intrinsic robustness, accessibility, existing protections); Stochastic Petri Nets and Fault Trees for asset failure (component asset failure, influencing asset failure, dependent asset failure, aggregated asset failure); Event Trees for the Threat Consequences Model; the risk factors are labelled R, P, V, D. A UML class diagram (Italian and English labels) describes the railway system: Railway System composed of Fixed Equipment (Infrastructure: line section, station, passenger station, service station, bridge, tunnel, track, switch; Signalling & Control: signal, track circuit, balise, trackside subsystem (SST), ground WAN, TLC-LD network, GSM-R network; Management & Maintenance) and Mobile Equipment (Rolling Stock: locomotive, car, passenger train, freight train; on-board subsystem (SSB) with HMI, TMR, RTM, RTB, BTM, DMI, Temp. Ch., sensor system and actuation system).]
• Genetic algorithms employed to automatically maximize the ROI while fulfilling external budget constraints
• Flammini, F., Gaglione, A., Mazzocca, N., Pragliola, C.: Automatic Optimization of Security System Design by Quantitative Risk Assessment and Genetic Algorithms. In: International Journal of Risk Analysis and Management (IJRAM), Vol. 15, No. 2/3, 2011: pp. 205-221
• Flammini, F., Mazzocca, N., Moscato, F., Pappalardo, A., Pragliola, C., Vittorini, V.: Multiformalism techniques for critical infrastructure modeling. In: International Journal of Systems of Systems Engineering (IJSSE), Vol. 2, No. 1, 2010: pp. 19-37
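An added example of the optimisation step on this slide (written for this page; not the authors' model): a small quantitative risk model with risk = P × V × D per threat, an assumed reading of the R, P, V, D labels in the figure, and a plain genetic algorithm that searches for the set of protections with the highest ROI under a budget constraint. Threats, protections, costs, effectiveness values and the budget are all constructed sample values.

```python
import random

# Constructed sample data. Risk per threat is taken as P * V * D (an assumed reading of the R, P, V, D
# labels): P = attack likelihood per year, V = probability the attack succeeds, D = loss in kEUR.
# A protection lowers V of the threats it applies to by its effectiveness; costs are one-off kEUR.
THREATS = {  # name: (P, V with no protection, D, protections that apply)
    "sabotage_of_interlocking": (0.05, 0.8, 5000, {"access_control", "cctv", "guard"}),
    "theft_of_copper_cable": (0.60, 0.9, 200, {"fence", "cctv", "guard"}),
    "vandalism_at_station": (2.00, 0.7, 30, {"cctv", "guard"}),
}
PROTECTIONS = {  # name: (cost, fraction of successful attacks prevented)
    "access_control": (150, 0.9), "cctv": (120, 0.5), "fence": (80, 0.6), "guard": (300, 0.7),
}
BUDGET, NAMES = 400, sorted(PROTECTIONS)

def residual_risk(selected):
    """Expected annual loss once the selected protections are deployed."""
    total = 0.0
    for p, v, d, applicable in THREATS.values():
        for name in selected & applicable:
            v *= 1 - PROTECTIONS[name][1]
        total += p * v * d
    return total

def cost(selected):
    return sum(PROTECTIONS[n][0] for n in selected)

def roi(selected):
    """Return on investment; an empty or over-budget design is infeasible and scores -inf."""
    c = cost(selected)
    if c == 0 or c > BUDGET:
        return float("-inf")
    return (residual_risk(set()) - residual_risk(selected) - c) / c

def decode(bits):  # chromosome -> design: one bit per protection, in NAMES order
    return {n for n, b in zip(NAMES, bits) if b}

def optimise(generations=80, pop_size=32, seed=1):
    """Plain genetic algorithm: elitism, binary tournament, uniform crossover, per-bit mutation."""
    rng, fit = random.Random(seed), (lambda ind: roi(decode(ind)))
    pop = [[rng.randint(0, 1) for _ in NAMES] for _ in range(pop_size)]
    for _ in range(generations):
        nxt = [max(pop, key=fit)]  # the incumbent best design always survives
        while len(nxt) < pop_size:
            a, b = (max(rng.sample(pop, 2), key=fit) for _ in range(2))
            child = [x if rng.random() < 0.5 else y for x, y in zip(a, b)]
            nxt.append([1 - g if rng.random() < 1 / len(NAMES) else g for g in child])
        pop = nxt
    return decode(max(pop, key=fit))
```

With four candidate protections the 16 designs can also be enumerated exhaustively, which is a useful cross-check of the GA result before trusting it on larger instances.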
18. • Are models useful only for dependability prediction and assessment?
19. Experience report 5: issues
• Main problem:
– On-line detection of threats for early warning and decision support
• Issues:
– Integration of and reasoning over multi-sensor data
– Need for real-time detection models
• Further problem:
– How to quantify uncertainty?
20. Experience report 5: solution
[Figure: DETECT framework. A Scenario Repository and the Event History feed the DETECT Engine, which outputs the detected attack scenario and an alarm level (1, 2, 3, ...). Detection models: Event Trees, Bayesian Networks, Neural Networks. Example event tree over heterogeneous sensors: CAM 1 and CAM 2 (FALL, RUN), MIC (SCREAM), IMS/SAW (CWA) and IR, combined with the temporal operators "2, <5'" and "→, <10'".]
• Flammini, F., Mazzocca, N., Pappalardo, A., Pragliola, C., Vittorini, V.: Augmenting surveillance system capabilities by exploiting event correlation and distributed attack detection. In: Proc. 2011 Intl. Workshop on Security and Cognitive Informatics for Homeland Defence (SeCIHD'11), co-located with ARES'11, A M. Tjoa et al. (Eds.), LNCS 6908, pp. 191-204
• Flammini, F., Pappalardo, A., Pragliola, C., Vittorini, V.: A robust approach for on-line and off-line threat detection based on event tree similarity analysis. In: Proc. Workshop on Multimedia Systems for Surveillance (MMSS) in conjunction with 8th IEEE International Conference on Advanced Video and Signal-Based Surveillance, Klagenfurt, Austria, August 29-30, 2011: pp. 414-419
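An added example of the event-correlation logic this slide describes (written for this page, not the DETECT engine): a scenario tree with the temporal operators of the figure, read as "at least 2 events within 5 minutes" and "in sequence within 10 minutes" (an assumption), evaluated over a constructed event history to yield a progressive alarm level. Sensor and event names are those of the figure; the scenario structure and the sample events are constructed.

```python
# Constructed event history: (time in minutes, sensor, event type)
HISTORY = [(0.0, "CAM1", "RUN"), (1.5, "MIC", "SCREAM"), (3.0, "CAM2", "FALL"),
           (8.0, "IMS", "CWA"), (40.0, "CAM1", "FALL")]

# Scenario tree in the spirit of the event tree in the figure. Node kinds:
#   ("EV", sensor, event)           one sensor event
#   ("OR", children)                any child
#   ("COUNT", k, window, children)  at least k distinct children within `window` minutes ("2, <5'")
#   ("SEQ", window, children)       children completed in order, whole chain within `window` ("->, <10'")
PANIC = ("COUNT", 2, 5.0, [("EV", "CAM1", "FALL"), ("EV", "CAM1", "RUN"), ("EV", "CAM2", "FALL"),
                          ("EV", "CAM2", "RUN"), ("EV", "MIC", "SCREAM")])
CWA_DETECTED = ("OR", [("EV", "IMS", "CWA"), ("EV", "SAW", "CWA")])
SCENARIO = ("SEQ", 10.0, [PANIC, CWA_DETECTED])

def times(node, history):
    """Sorted times at which `node` is completed over the event history."""
    kind = node[0]
    if kind == "EV":
        return sorted(t for t, s, e in history if (s, e) == node[1:])
    if kind == "OR":
        return sorted(t for child in node[1] for t in times(child, history))
    if kind == "COUNT":
        _, k, window, children = node
        per_child = [times(child, history) for child in children]
        candidates = sorted(t for ts in per_child for t in ts)
        return [t for t in candidates
                if sum(any(t - window < x <= t for x in ts) for ts in per_child) >= k]
    if kind == "SEQ":
        return seq_times(node[1], [times(child, history) for child in node[2]])
    raise ValueError(f"unknown node kind {kind!r}")

def seq_times(window, per_stage):
    """Completion times of an ordered chain: each stage completes at or after the previous one."""
    out = set()
    for start in per_stage[0]:
        t = start
        for ts in per_stage[1:]:
            t = next((x for x in ts if x >= t), None)  # earliest completion of the next stage
            if t is None:
                break
        if t is not None and t - start <= window:
            out.add(t)
    return sorted(out)

def alarm_level(scenario, history):
    """Progressive alarm level: number of leading stages of the top-level SEQ completed in order."""
    _, window, stages = scenario
    level = 0
    for n in range(1, len(stages) + 1):
        if times(("SEQ", window, stages[:n]), history):
            level = n
    return level
```

On the constructed history the panic indicators complete at minutes 1.5 and 3.0 and the CWA reading at 8.0, so the full scenario is matched and the engine would raise the highest level; a CWA reading arriving more than 10 minutes later would leave the alarm at level 1.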
21. Work-in-progress & future developments
• Definition of appropriate Model Driven Engineering (MDE) frameworks supporting Domain Specific Languages (DSL) and M2M transformations, to enable high-level (annotated) UML modeling and automatic generation of solvable models
[Figure: DAM-RAIL, derived from the UML MARTE-DAM profile.]
• Bernardi, S., Flammini, F., Marrone, S., Merseguer, J., Papa, C., Vittorini, V.: Model-driven availability evaluation of railway control systems. In: Proc. 30th Intl. Conf. on Computer Safety, Reliability & Security, SAFECOMP'11, Naples, September 19-21, 2011: pp. 467-479
22. Further reading
Flammini, F. (2012). Railway Safety, Reliability, and Security: Technologies and Systems Engineering, IGI Global, doi:10.4018/978-1-4666-1643-1