Reliability, safety and security of innovative command/control systems
Starting from each failure mode, the traditional approach to reliability analyses through the simple formalism of the Fault Trees (FT) has the objective of defining the combination of events that could generate a failure. The analysis aims at finding events which are not further decomposable into simpler events (the so called “leaves”) and the related probability distributions. The evaluation of the model through combinatorial algorithms makes it possible to estimate the system failure rate starting from the basic fault events. Similarly, fault trees can model availability aspects under very simplified and often unrealistic assumptions (including “unlimited repair resources”). Given their low expressive power, they cannot model advanced aspects, like common modes of failures, complex repair policies including preventive maintenance, and failures due to performance degradations or to the congestion of the communication channels (the so called performability aspects). On the other hand, the Markov Chains formalism, widespread for the modelling of repairable systems, is not suited to model complex systems with a high number of states.

A possible solution to the problem is to combine several modelling formalisms as a function of the aspects to be modelled, using the so called multiformalism approach [5]. According to that approach, the fault trees could be used for the modelling of sub-systems that are not repairable on-line (for example those on-board), featuring no common mode of failures and a single failure mode of interest for the analyses. (Sub)systems not featuring such characteristics can be modelled using:

- Bayesian Networks (BN), allowing the representation in a single node of several failure modes and the expression of interdependencies among events. In [6] this formalism is used for the global model, representing all the aforementioned failure modes in a single model;
- Repairable Fault Trees (RFT) (2), allowing the modelling of any articulated maintenance policy, including preventive maintenance, priority of intervention, limited repair resources, etc. In [7] the RFT formalism is applied to the Radio Block Centre (RBC), the ERTMS/ETCS trackside subsystem which is responsible for train distancing;
- Generalised Stochastic Petri Nets (GSPN), suited to model both performance and transmission errors on communication channels (and therefore the impact of these errors on performance) [8].

The construction of a holistic model of the entire system requires the combination of heterogeneous sub-models through appropriate composition operators. In [6], the models interact by exchanging results (for example, the evaluation result of a model is used as a parameter in order to populate another model), hence the composition can be produced through the so called “connectors”; in other cases, the composition can relate to the sharing of states, events or actions. In fig.1 an example of a multi-formalism model of availability is shown (in which the connectors are omitted) for the ERTMS/ETCS system.

(2) From a graphical point of view, RFTs are extensions of the traditional fault trees with repair blocks. They are solved by transforming the model into a GSPN and by using several solution techniques.

Table 1 - Formalisms used for reliability, safety and security evaluation

Fault Trees - The Fault Trees are a formalism traditionally employed in probabilistic risk analyses. They relate the occurrence of an undesired event (Top Event), typically a system failure, to a set of elementary events (Basic Events) according to a binary tree structure, in which the Top Event represents the root and the Basic Events the leaves. All the events are connected to each other using the classical operators of the Boolean logic (AND, OR) and other possible ad-hoc connectors introduced in the various extensions of the formalism proposed in the scientific literature (Dynamic, Parametric, Repairable, etc.). They are efficiently solved through combinatorial approaches based on the so called “minimal cut sets”; however, they feature a limited expressive power (for example, they cannot model maintenance policies differing from the “perfect repair”).

Finite State Automata - The Finite State Automata (or Machines) are a formalism based on the concepts of states and transitions (between states). The modelled system evolves over time as a function of the current state and of the received input. The automata can model a large number of dynamic systems in a more or less abstract manner. There exist numerous extensions (including non-deterministic, hybrid, timed, etc.), which are suitable for the automatic verification of properties through model-checking techniques.

Markov Chains - Continuous Time Markov Chains represent a discrete stochastic process through a graph in which the nodes indicate states and the arcs indicate transitions between states, to which exponential probability distributions (satisfying the so called “memoryless” property) are associated. Given the process properties, the behaviour of the modelled system at time t only depends on the current state and not on the past ones. The use of this formalism is widespread in maintainability analyses.

Bayesian Networks - A Bayesian Network is a directed acyclic graph in which the nodes represent stochastic variables and the arcs represent the relationships of statistical dependence between the variables, quantified by conditional probabilities. It is possible to demonstrate that a Bayesian Network represents the joint probability distribution of the set of variables represented by the nodes. Traditionally employed in artificial intelligence applications, in recent years Bayesian networks have found a place in the evaluation of reliability, in particular being able to express and extend the Fault Tree formalism without resorting to approaches based on state space analysis. The decision-making extensions can model problems of cost/benefit analysis, while the dynamic extensions introduce the concept of “time”.

Neural Networks - The Artificial Neural Networks are mathematical models that represent the interconnection of elements, namely “artificial neurons”, which are mathematical functions that in some manner mimic the properties of actual neurons. They can be used to solve engineering problems of artificial intelligence in several technological fields. In particular, in the reliability engineering field they can be employed in order to develop diagnostic, prognostic, early warning and decision support systems.

Petri Nets - A Petri Net is a mathematical representation of a discrete distributed system. Its elements are places, transitions and directed arcs connecting places and transitions. In the places there can be tokens, which can enable the firing of the transitions according to appropriate rules. Following the firing of a transition, one or more tokens are removed from the input places and others are generated in the output places. If extended with priority, multiple and inhibitor arcs, Petri Nets have the same expressive power as Turing machines, that is virtually unlimited. Petri Nets are not straightforward to use. The basic formalism allows structural property analyses (e.g. absence of deadlocks), while its timed and/or stochastic extensions also enable quantitative analyses (e.g. computation of reliability and performance indices).
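The composition by “connectors” described above, in which the result of one sub-model becomes a parameter of another, can be shown on a small scale. The Python block below is an example added to this page (it is not code from the article, from [6] or from Ansaldo STS): a fault tree for a non-repairable on-board subsystem is solved through its minimal cut sets, a repairable 2-out-of-3 trackside unit is solved as a birth-death Markov chain, and the two results feed a global fault tree. The subsystem structure, the event names and all failure and repair rates are constructed assumptions; exact rational arithmetic is used so that the results can be checked by hand.

```python
# Added illustration of the multi-formalism composition described above.
# Not code from the article, from [6] or from Ansaldo STS: structure, event
# names and all rates below are constructed assumptions.
from fractions import Fraction
from itertools import combinations, product

# A fault tree is a nested tuple ("AND", ...) / ("OR", ...) or a basic-event name.
# Constructed on-board subsystem: two redundant CPUs and a single power supply.
ONBOARD_FT = ("OR", ("AND", "cpu_a", "cpu_b"), "power")
ONBOARD_PROBS = {"cpu_a": Fraction(1, 100), "cpu_b": Fraction(1, 100),
                 "power": Fraction(1, 1000)}   # constructed mission unreliabilities
# Constructed trackside 2oo3 unit: per-section failure rate and single-crew repair rate.
TRACKSIDE_LAMBDA = Fraction(1, 1000)
TRACKSIDE_MU = Fraction(1, 10)


def minimal_cut_sets(node):
    """Minimal cut sets (frozensets of basic events) of a fault tree."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        sets = set().union(*child_sets)
    elif gate == "AND":
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate}")
    # minimisation: drop any cut set that strictly contains another one
    return {s for s in sets if not any(other < s for other in sets)}


def top_event_probability(cut_sets, probs):
    """Exact top-event probability by inclusion-exclusion over the minimal cut
    sets, under the usual fault-tree assumption of independent basic events."""
    cut_list = list(cut_sets)
    total = Fraction(0)
    for r in range(1, len(cut_list) + 1):
        for combo in combinations(cut_list, r):
            term = Fraction(1)
            for event in frozenset().union(*combo):
                term *= probs[event]
            total += (-1) ** (r + 1) * term
    return total


def two_out_of_three_unavailability(lam, mu):
    """Steady-state unavailability of a repairable 2-out-of-3 unit as a
    birth-death CTMC: state k = number of failed sections (0..3), failure rate
    (3-k)*lam out of state k, one repair crew with rate mu. Down when k >= 2."""
    weights = [Fraction(1)]
    for k in range(3):
        weights.append(weights[-1] * (3 - k) * lam / mu)
    total = sum(weights)
    pi = [w / total for w in weights]
    return pi[2] + pi[3]


def composed_unavailability():
    """Connector: the results of the two sub-models become the basic-event
    probabilities of a global fault tree (system down if either part is down)."""
    p_onboard = top_event_probability(minimal_cut_sets(ONBOARD_FT), ONBOARD_PROBS)
    p_trackside = two_out_of_three_unavailability(TRACKSIDE_LAMBDA, TRACKSIDE_MU)
    global_ft = ("OR", "onboard", "trackside")
    return top_event_probability(minimal_cut_sets(global_ft),
                                 {"onboard": p_onboard, "trackside": p_trackside})


if __name__ == "__main__":
    print("minimal cut sets:", sorted(sorted(s) for s in minimal_cut_sets(ONBOARD_FT)))
    print("composed unavailability:", float(composed_unavailability()))
```

Run as a script it prints the minimal cut sets and the composed unavailability. The connector here is the plain dictionary lookup that turns the two sub-model results into basic-event probabilities; in the multiformalism tools the article cites this exchange is performed by the composition operator, and the fault tree side keeps the independence and single-failure-mode assumptions discussed above.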
Technology & Innovation
In the case study, 4 different formalisms were employed (BN, FT, RFT, GSPN), according to the criteria described above. The model was used in order to evaluate the performance of Italian high-speed railways supplied by Ansaldo STS. In summary, the multiformalism approach enables a more detailed and manageable representation of the system, with the advantage of estimating (through parametric sensitivity analyses) the system level impact of reliability and fault-tolerance parameters, and consequently of fine tuning design choices according to their cost-effectiveness.

Safety evaluation in presence of imperfect maintenance

Many control systems employed in safety-critical applications are based on fault-tolerant processors in Triple Modular Redundancy (TMR) architectures. The TMR architecture allows a “2 out of 3” majority voting on the outputs of three independent, galvanically insulated and diversely developed sections. In case of failures in one section, this is excluded and the system continues to work in a “2 out of 2” configuration. In order to evaluate the safety of TMR systems, it is possible to employ GSPN models, which take into account, among other things, the fault type (transient or permanent) and the efficiency of the self-diagnostic mechanisms [9]. GSPNs feature a very high expressive power; however, they are extremely difficult to maintain. Among their defects we can list the difficult readability, the limited solving efficiency, and the support tools, which are too few and hard to use. As a consequence, extensions of the models which account for further aspects, for example the ones of imperfect maintenance, are very difficult to obtain. In order to overcome these limitations, the compromise of adopting formalisms with reduced expressive power could be acceptable. One of these formalisms is the Bayesian Network [6]. The use of such a formalism, which is not based on state space analyses, obliges the modeller to make conservative assumptions on fault latencies, but that does not create problems as long as one is able to show that the system fulfils the requirements defined by the specifications.

When state-based modelling is preferable or essential, it is possible to combine models expressed in different formalisms. For example, in case of imperfect maintenance problems, it is appropriate to keep track of the system state, since it is possible to have non-diagnosable latent errors due to permanent faults. In that case, it is possible to separate the failure model (expressed in the most convenient formalism) from the maintainability model, which can be expressed through state machines at different levels of abstraction, according to the detail requested by the analyses, as schematically represented in fig. 2 (in which the model “thumbnails” have the only aim of giving an idea of the different complexities). The latter aspect is linked to the evaluation result in the case of safety models, since more abstract models have a reduced number of states and are typically more readable and therefore easily maintainable, but on the other hand they force the modeller into further approximations in order to guarantee that the obtained results are more conservative than the exact ones. An example of a multiformalism approach applied to the evaluation of safety is documented in [10]. The application addresses majority voting systems (“2 out of 2” and “2 out of 3”) used by Ansaldo STS for the vital cores of control and signalling systems, including the ones used for route management or interlocking (ACS and NVP, encoders, etc.), which are currently operational in many installations in several countries. In particular, the referenced work shows the industrial feasibility of such an approach, describing the solution of a real problem, that is the evaluation of the impact of imperfect maintenance on the mean times between hazardous failures, which is hard to solve using traditional techniques.

Support to system functional verifications

In a complex system composed of different
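The safety evaluation section above describes state-based models of a TMR unit that account for the fault type, the efficiency of the self-diagnosis and imperfect maintenance, and the computation of the mean time between hazardous failures. The Python block below is an example added to this page, not the GSPN or BN models of [9] and [10] nor Ansaldo STS code: it builds a deliberately small continuous-time Markov model of a 2-out-of-3 unit (the states S0, S1, S2, SAFE, HAZ and every rate are constructed assumptions) and solves it exactly for the mean time to hazardous failure, so that the effect of the inspection rate and of the diagnostic coverage can be read off directly.

```python
# Added example for the safety-evaluation discussion above. It is not the GSPN
# or BN models of [9]/[10] nor Ansaldo STS code: the state space and every
# rate are constructed assumptions chosen to keep the model readable.
from fractions import Fraction

# Transient states of the constructed model; HAZ is the absorbing hazardous state.
STATES = ["S0", "S1", "S2", "SAFE"]
# Constructed reference parameters (per hour).
LAMBDA = Fraction(1, 1000)    # permanent failure rate of one section
RHO = Fraction(1, 10)         # restoration rate back to the fully working state
COVERAGE = Fraction(1, 2)     # constructed diagnostic coverage used in the demo


def build_rates(lam, c, mu, rho):
    """Transition rates of the constructed 2-out-of-3 model.
    lam: failure rate of one section; c: diagnostic coverage (probability the
    fault is detected and the section excluded); mu: maintenance inspection
    rate that reveals a latent fault; rho: restoration rate.
    S0 = three healthy sections (2oo3); S1 = one detected fault, 2oo2 on the
    other two; S2 = one latent, undetected fault; SAFE = safe shutdown awaiting
    restoration; HAZ = a further undetected fault lets the voter emit a wrong
    output (absorbing)."""
    return {
        ("S0", "S1"): 3 * lam * c,
        ("S0", "S2"): 3 * lam * (1 - c),
        ("S1", "S0"): rho,
        ("S1", "SAFE"): 2 * lam * c,
        ("S1", "HAZ"): 2 * lam * (1 - c),
        ("S2", "S1"): mu,
        ("S2", "SAFE"): 2 * lam * c,
        ("S2", "HAZ"): 2 * lam * (1 - c),
        ("SAFE", "S0"): rho,
    }


def solve_linear(a, b):
    """Gauss-Jordan elimination with exact Fractions for a small dense system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def mtthf(lam, c, mu, rho):
    """Mean time to hazardous failure from S0. For each transient state i,
    t_i = 1/q_i + sum_j (q_ij / q_i) t_j with q_i the total outflow of i,
    i.e. q_i t_i - sum_j q_ij t_j = 1 over the transient states j."""
    idx = {s: i for i, s in enumerate(STATES)}
    n = len(STATES)
    a = [[Fraction(0)] * n for _ in range(n)]
    for (src, dst), rate in build_rates(lam, c, mu, rho).items():
        i = idx[src]
        a[i][i] += rate               # contributes to the total outflow q_i
        if dst in idx:
            a[i][idx[dst]] -= rate    # flow into another transient state
    t = solve_linear(a, [Fraction(1)] * n)
    return t[idx["S0"]]


if __name__ == "__main__":
    for c, mu in [(0, 0), (0, 1), (COVERAGE, 1)]:
        hours = float(mtthf(LAMBDA, c, mu, RHO))
        print(f"coverage {c}, inspection rate {mu}/h: MTTHF = {hours:.0f} h")
```

Setting the inspection rate mu and the coverage to zero reproduces the closed form 1/(3λ) + 1/(2λ) of the fully undiagnosed case, which is a convenient hand check; raising mu or the coverage lengthens the mean time to hazardous failure, which is the kind of impact of maintenance quality that the referenced work quantifies. A real analysis would also represent transient faults and the comparison behaviour of the 2oo2 configuration, which this toy state space leaves out.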
more defects in less time, speed up corrective actions and automate the generation of test cases.

Security risk analyses

The terrorist attacks against railway and subway infrastructures which have happened in recent years have highlighted the issue of system protection against malicious threats. Besides terrorism, security concerns often include also natural events and vandalism; the latter can cause relevant damage to infrastructure operators. In such a context, it is very important to be able to evaluate the risk that the system is subject to, in order to predict the effectiveness of protection systems and other mitigation interventions in terms of cost/benefits. The risk is a combination of three factors which are related to each threat: frequency of occurrence, vulnerability (of the system against the threat) and damage (i.e. evaluation of the consequences). Each of these possibly interdependent factors requires appropriate models in order to be evaluated in a quantitative way. The analytic estimation, on the other hand, is essential to improve the precision of the results and to perform possible automatic optimisations of the design of the protection mechanisms, as described in reference [15] considering the case study of a generic metro railway system.

Fig.4 shows a possible approach to the modelling of risk which requires the construction of models expressed in different formalisms: the determination of the frequency P can be based on the correlation of statistical data through Bayesian Networks; the evaluation of the vulnerability V can be performed by means of Generalised Stochastic Petri Nets, which allow us to take into account both the temporal evolution of the threats and the latency of detection and intervention; the evaluation of the damage D can be based on Event Trees, which allow the evaluation of the consequences based on cause/effect dependencies. Models taking into account the evolution dynamics of the threats in a more detailed manner can be adopted in order to highlight the interdependences of the railway system with the other interacting infrastructures (for example, the networks of electrical distribution and telecommunications) [16].

Fig.4 - Risk evaluation using different formalisms

Multi-formalism modelling approaches for the analysis of security attributes are being studied. One of the objectives is to use libraries of modular models which can be conveniently composed to allow the evaluation and automatic optimisation of security attributes taking into account possible external constraints.

Real-time threat detection

A further interesting application of models is the real-time detection of threats in applications including diagnostics, prognostics, early identification of terrorist attacks and environmental monitoring, in order to build early warning and decision support systems. In those applications, the models are necessary to build the detection engine fusing heterogeneous sensor data to identify known threat patterns, previously stored in repositories using appropriate composite-event specification languages. An important requirement, in this case, is the possibility of real-time operation, which needs compact models and/or formalisms featuring high solving efficiency. To that aim, deterministic or stochastic formalisms can be employed. For example, Event Trees belong to the first category, whose solvers are highly efficient. Unfortunately, deterministic formalisms in detection models allow the estimation of the level of evolution of threats, but neither allow the detection of scenarios which vary from those already known nor provide any information about the detection reliability. On the other hand, the employment of heuristics based on Bayesian models, already used in the context of computer network Intrusion Detection Systems, allows us to take into account data uncertainty and therefore to estimate the level of reliability of the detected event. As a consequence, it is possible to associate to the result a stochastic index which is a function of model parametric and structural uncertainty. A simplified representation of such a system is reported in fig.5, while a description of higher detail can be found in reference [17]. The system is currently in the prototype phase but we foresee an integration inside the Ansaldo STS Security Management System (SMS) in order to correlate basic events to “sniff” suspect events and even to increase event detection reliability based on sensor diverse redundancy [18].

Conclusions and future developments

In this article we have briefly addressed different modelling approaches for the evaluation of reliability, safety and security of rail-based transit systems, highlighting some useful paradigms, including multi-formalism modelling. The latter is an aspect of multi-paradigm modelling, which also includes the concepts of model abstraction and transformation. The formalisms adopted are predominantly graph-based and rather widespread, being powerful and easy to use. We have not tackled in this paper the problems of the verification of properties on the models (model-checking [19]), which is enabled by certain formalisms based on state-space analysis (see also [20]).

We have shown that, generally speaking, approaches based on models are employable in multiple applications and enable a higher precision in system representation and results evaluation. Furthermore, they allow for modular development techniques, possibly through libraries of sub-models which can be integrated by means of composition operators. There are several still-open research areas related to those topics, which aim at making the employment of advanced techniques a common practice in industry. Included in those areas there are the theoretical aspects of heterogeneous model composition and the technological aspects related to the distributed
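As an added illustration of the risk decomposition in the Security risk analyses section above (not code from the article, from [15] or [16], nor the models of Fig.4): the Python block below evaluates the damage factor D of a threat through a small event tree, combines it with the frequency P and the vulnerability V of each threat, and ranks candidate protections by risk reduction per unit of cost, which is the cost/benefit question the section raises. The threats, the event tree, the probabilities, the damage values and the cost figures are all constructed, and the product P×V×D used to combine the three factors is an assumption of this example; the article only states that the risk is a combination of the three.

```python
# Added illustration for the risk decomposition above. Not code from the
# article, from [15]/[16] or from Fig.4: every figure is constructed and the
# product P*V*D is this example's own way of combining the three factors.
from fractions import Fraction

# An event-tree node is a leaf (damage value) or a branching point:
# (question, probability of the favourable answer, subtree if yes, subtree if no).
# Constructed tree: consequences of an intrusion into a trackside equipment room.
INTRUSION_EVENT_TREE = (
    "intrusion detected in time", Fraction(7, 10),
    ("guard intervenes before tampering", Fraction(4, 5),
     0,      # no damage
     20),    # minor tampering, quick recovery
    ("tamper-evident seals trigger an inspection", Fraction(1, 2),
     50,     # equipment replaced, short outage
     400),   # undetected manipulation, long outage
)

# Constructed threat table: name -> (P: events per year, V: probability the
# threat succeeds against the current protections, D: event tree or fixed value).
THREATS = {
    "equipment room intrusion": (Fraction(2), Fraction(3, 10), INTRUSION_EVENT_TREE),
    "vandalism on trackside cabinet": (Fraction(12), Fraction(6, 10), 5),
}

# Constructed candidate protections: name -> (threat addressed, V after the
# measure, yearly cost in the same unit as the damage values).
OPTIONS = {
    "door alarm and CCTV": ("equipment room intrusion", Fraction(1, 10), 8),
    "reinforced cabinet locks": ("vandalism on trackside cabinet", Fraction(3, 10), 3),
}


def expected_damage(node):
    """Expected consequence of an event tree: probability-weighted sum over
    all paths, evaluated recursively."""
    if not isinstance(node, tuple):
        return Fraction(node)
    _question, p_yes, yes_branch, no_branch = node
    return p_yes * expected_damage(yes_branch) + (1 - p_yes) * expected_damage(no_branch)


def event_tree_paths(node, prob=Fraction(1), trail=()):
    """Enumerate (answers along the path, path probability, damage) for every outcome."""
    if not isinstance(node, tuple):
        return [(trail, prob, Fraction(node))]
    question, p_yes, yes_branch, no_branch = node
    return (event_tree_paths(yes_branch, prob * p_yes, trail + (question + ": yes",))
            + event_tree_paths(no_branch, prob * (1 - p_yes), trail + (question + ": no",)))


def risk(frequency, vulnerability, damage):
    """Annual risk of one threat; the product form is an assumption of this example."""
    return frequency * vulnerability * damage


def rank_threats(threats=THREATS):
    """[(threat, annual risk)] from highest to lowest."""
    ranked = [(name, risk(p, v, expected_damage(d))) for name, (p, v, d) in threats.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def benefit_per_cost(options=OPTIONS, threats=THREATS):
    """Risk reduction per unit of yearly cost for each protection, highest first:
    a cost/benefit ordering of the kind the optimisation in the text aims at."""
    scored = []
    for name, (threat, new_v, cost) in options.items():
        p, v, d = threats[threat]
        damage = expected_damage(d)
        scored.append((name, (risk(p, v, damage) - risk(p, new_v, damage)) / cost))
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for trail, prob, damage in event_tree_paths(INTRUSION_EVENT_TREE):
        print(f"p={float(prob):.3f} damage={damage}: {' / '.join(trail)}")
    print("ranked threats:", rank_threats())
    print("protections by benefit/cost:", benefit_per_cost())
```

With the constructed figures the intrusion threat carries the larger annual risk, yet the cheaper cabinet locks give the better risk reduction per unit of cost; keeping the three factors in separate models, as the section proposes, is what makes it possible to change one of them (here V, through a protection measure) and re-evaluate the risk without touching the others.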
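The Real-time threat detection section above contrasts deterministic pattern matching with Bayesian heuristics that attach a reliability level to a detected event and benefit from diverse sensor redundancy. The Python block below is an example added to this page, not the detection engine of [17] or [18] nor part of the Ansaldo STS SMS: it fuses alarms from heterogeneous sensors with a naive Bayes model, returns the posterior probability of a real threat as the reliability index of the detection, and computes the detection and false-alarm probabilities of a given sensor set. The sensor names, the prior, the per-sensor likelihoods and the alert threshold are constructed assumptions.

```python
# Added example for the real-time threat detection discussion above. Not the
# engine of [17]/[18] nor part of the Ansaldo STS SMS: sensors, prior,
# likelihoods and the alert threshold are constructed assumptions.
from fractions import Fraction
from itertools import product

# Constructed sensor model: name -> (P(alarm | threat), P(alarm | no threat)).
# Diverse sensors contribute different detection and false-alarm characteristics.
SENSORS = {
    "cctv_analytics": (Fraction(9, 10), Fraction(5, 100)),
    "pressure_mat": (Fraction(8, 10), Fraction(10, 100)),
    "radar": (Fraction(7, 10), Fraction(2, 100)),
}
PRIOR_THREAT = Fraction(1, 100)   # constructed base rate of a real intrusion
THRESHOLD = Fraction(1, 4)        # constructed operating point for raising an alert


def likelihood(observations, threat, sensors=SENSORS):
    """P(observations | threat) with conditionally independent sensors (naive
    Bayes). observations maps sensor name -> True (alarm) / False (silent)."""
    value = Fraction(1)
    for name, alarmed in observations.items():
        p_alarm = sensors[name][0 if threat else 1]
        value *= p_alarm if alarmed else 1 - p_alarm
    return value


def posterior_threat(observations, prior=PRIOR_THREAT, sensors=SENSORS):
    """P(threat | observations) by Bayes' rule; this is the reliability index
    attached to a detection."""
    numerator = prior * likelihood(observations, True, sensors)
    denominator = numerator + (1 - prior) * likelihood(observations, False, sensors)
    return numerator / denominator


def classify(observations, threshold=THRESHOLD):
    """(alert raised?, reliability index) for one set of sensor reports."""
    p = posterior_threat(observations)
    return p >= threshold, p


def detection_and_false_alarm(sensor_names, threshold=THRESHOLD, sensors=SENSORS):
    """Detection probability P(alert | threat) and false-alarm probability
    P(alert | no threat) of a sensor set, summed over all alarm patterns that
    cross the threshold; shows what diverse redundancy buys."""
    detect = Fraction(0)
    false_alarm = Fraction(0)
    for pattern in product([True, False], repeat=len(sensor_names)):
        obs = dict(zip(sensor_names, pattern))
        if posterior_threat(obs, sensors=sensors) >= threshold:
            detect += likelihood(obs, True, sensors)
            false_alarm += likelihood(obs, False, sensors)
    return detect, false_alarm


if __name__ == "__main__":
    print("camera only:", classify({"cctv_analytics": True}))
    print("camera + mat:", classify({"cctv_analytics": True, "pressure_mat": True}))
    for names in (["cctv_analytics", "pressure_mat"], list(SENSORS)):
        det, fa = detection_and_false_alarm(names)
        print(f"{names}: detection={float(det):.3f} false alarm={float(fa):.4f}")
```

With the constructed figures a single camera alarm yields a posterior of 2/13 and raises no alert, while agreement of the camera and the pressure mat yields 16/27; adding the radar raises the detection probability of the sensor set from 18/25 to 423/500 at a small increase of the false-alarm probability. Reporting the posterior next to the alert is what gives the operator the reliability information that, as the section notes, a purely deterministic pattern matcher cannot provide.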