Francesco Flammini

Model-driven availability evaluation of railway control systems

Maintenance of real-world systems is a complex task involving several actors, procedures and technologies. Proper approaches are needed in order to evaluate the impact of different maintenance policies considering cost/benefit factors. To that aim, maintenance models may be used within availability, performability or safety models, the latter developed using formal languages according to the requirements of international standards. In this paper, a model-driven approach is described for the development of formal maintenance and reliability models for the availability evaluation of repairable systems. The approach facilitates the use of formal models which would be otherwise difficult to manage, and provides the basis for automated models construction. Starting from an extension to maintenance aspects of the MARTE-DAM profile for dependability analysis, an automated process based on model-to-model transformations is described. The process is applied to generate a Repairable Fault Trees model from the MARTE-DAM specification of the Radio Block Centre - a modern railway controller.

Towards Wireless Sensor Networks for railway infrastructure monitoring

In recent years, there has been an increasing interest in the adoption of emerging sensing technologies for instrumentation within a variety of structural systems. Structural health monitoring systems are widely adopted to monitor the behavior of structures during forced vibration testing or natural excitation (e.g. earthquakes, winds, live loading). They can be found in a number of civil structures, including bridges and viaducts, and also in applications of vehicle health monitoring. Moreover, since infrastructures can be damaged by human originated threats, the adoption of security measures is also essential. This paper presents a proposal of an early warning system based on Wireless Sensor Networks (WSN) for railway infrastructure monitoring. It exploits already available research results and tools for WSN management, integration and data fusion. The aim is to hedge detection capabilities in a complete framework for structural failures as well as security threats, including both natural hazards and intentional attacks.

Enabling the usage of UML in the verification of railway systems: The DAM-rail approach

The need for integration of model-based verification into industrial processes has produced several attempts to define Model-Driven solutions implementing a unifying approach to system development. A recent trend is to implement tool chains supporting the developer both in the design phase and V&V activities. In this Model-Driven context, specific domains require proper modelling approaches, especially for what concerns RAM (Reliability, Availability, Maintainability) analysis and fulfillment of international standards. This paper specifically addresses the definition of a Model-Driven approach for the evaluation of RAM attributes in railway applications to automatically generate formal models. For this aim we extend the MARTE-DAM UML profile with concepts related to maintenance aspects and service degradation, and show that the MARTE-DAM framework can be successfully specialized for the railway domain. Model transformations are then defined to generate Repairable Fault Tree and Bayesian Network models from MARTE-DAM specifications. The whole process is applied to the railway domain in two different availability studies.

Dependable integrated surveillance systems for the physical security of metro railways

Rail-based mass transit systems are vulnerable to many criminal acts, ranging from vandalism to terrorism. In this paper, we present the architecture, the main functionalities and the dependability related issues of a security system specifically tailored to metro railways. Heterogeneous intrusion detection, access control, intelligent video-surveillance and sound detection devices are integrated in a cohesive Security Management System (SMS). In case of emergencies, the procedural actions required to the operators involved are orchestrated by the SMS. Redundancy both in sensor dislocation and hardware apparels (e.g. by local or geographical clustering) improve detection reliability, through alarm correlation, and overall system resiliency against both random and malicious threats. Video-analytics is essential, since a small number of operators would be unable to visually control a large number of cameras. Therefore, the visualization of video streams is activated automatically when an alarm is generated by smart-cameras or other sensors, according to an event-driven approach. The system is able to protect stations (accesses, technical rooms, platforms, etc.), tunnels (portals, ventilation shafts, etc.), trains and depots. Presently, the system is being installed in the Metrocampania underground regional railway. To the best of our knowledge, this is the first subway security system featuring artificial intelligence algorithms both for video and audio surveillance. The security system is highly heterogeneous in terms not only of detection technologies but also of embedded computing power and communication facilities. In fact, sensors can differ in their inner hardware-software architecture and thus in the capacity of providing information security and dependability. The focus of this paper is on the development of novel solutions to achieve a measurable level of dependability for the security system in order to fulfill the requirements of the specific application.

A new modeling approach to the safety evaluation of N-modular redundant computer systems in presence of imperfect maintenance

A large number of safety-critical control systems are based on N-modular redundant architectures, using majority voters on the outputs of independent computation units. In order to assess the compliance of these architectures with international safety standards, the frequency of hazardous failures must be analyzed by developing and solving proper formal models. Furthermore, the impact of maintenance faults has to be considered, since imperfect maintenance may degrade the safety integrity level of the system. In this paper, we present both a failure model for voting architectures based on Bayesian networks and a maintenance model based on continuous time Markov chains, and we propose to combine them according to a compositional multiformalism modeling approach in order to analyze the impact of imperfect maintenance on the system safety. We also show how the proposed approach promotes the reuse and the interchange of models as well the interchange of solving tools.

Using repairable fault trees for the evaluation of design choices for critical repairable systems

Critical repairable systems are characterized by complex architecture and requirements. The evaluation of benefits produced by repair policies on the overall system availability is not straightforward, as policies can be very articulated and different. In order to support this evaluation process, the repairable fault tree (RFT) formalism revealed to be useful and suitable to represent complex repair policies by extending the existing fault tree formalism. In this paper we show how to exploit RFT advantages by evaluating the effects of different repair policies on the availability of the most critical component of ERTMS/ETCS (an European railway standard) systems: the radio block centre (RBC).

Quantitative Security Risk Assessment and Management for Railway Transportation Infrastructures

Scientists have been long investigating procedures, models and tools for the risk analysis in several domains, from economics to computer networks. This paper presents a quantitative method and a tool for the security risk assessment and management specifically tailored to the context of railway transportation systems, which are exposed to threats ranging from vandalism to terrorism. The method is based on a reference mathematical model and it is supported by a specifically developed tool. The tool allows for the management of data, including attributes of attack scenarios and effectiveness of protection mechanisms, and the computation of results, including risk and cost/benefit indices. The main focus is on the design of physical protection systems, but the analysis can be extended to logical threats as well. The cost/benefit analysis allows for the evaluation of the return on investment, which is a nowadays important issue to be addressed by risk analysts.

Wireless Sensor Data Fusion for Critical Infrastructure Security

Wireless Sensor Networks (WSN) are being investigated by the research community for resilient distributed monitoring. Multiple sensor data fusion has proven as a valid technique to improve detection effectiveness and reliability. In this paper we propose a theoretical framework for correlating events detected by WSN in the context of critical infrastructure protection. The aim is to develop a decision support and early warning system used to effectively face security threats by exploiting the advantages of WSN. The research addresses two relevant issues: the development of a middleware for the integration of heterogeneous WSN (SeNsIM, Sensor Networks Integration and Management) and the design of a model-based event correlation engine for the early detection of security threats (DETECT, DEcision Triggering Event Composer & Tracker). The paper proposes an overall system architecture for the integration of the SeNsIM and DETECT frameworks and provides example scenarios in which the system features can be exploited.

Towards Model-Driven V&V assessment of railway control systems

Verification and Validation (V&V) activities aiming at certifying railway controllers are among the most critical and time-consuming in system development life cycle. As such, they would greatly benefit from novel approaches enabling both automation and traceability for assessment purposes. While several formal and Model-Based approaches have been proposed in the scientific literature, some of which are successfully employed in industrial settings, we are still far from an integrated and unified methodology which allows guiding design choices, minimizing the chances of failures/non-compliances, and considerably reducing the overall assessment effort. To address these issues, this paper describes a Model-Driven Engineering approach which is very promising to tackle the aforementioned challenges. In fact, the usage of appropriate Unified Modeling Language profiles featuring system analysis and test case specification capabilities, together with tool chains for model transformations and analysis, seems a viable way to allow end-users to concentrate on high-level holistic models and specification of non-functional requirements (i.e., dependability) and support the automation of the V&V process. We show, through a case study belonging to the railway signalling domain, how the approach is effective in supporting activities like system testing and availability evaluation.

A MULTIFORMALISM MODULAR APPROACH TO ERTMS/ETCS FAILURE MODELING

European Railway Traffic Management System/European Train Control System (ERTMS/ETCS) is a recent standard aimed at improving performance, safety and inter-operability of modern railways. In order to be compliant to ERTMS/ETCS, a railway signalling system must meet strict nonfunctional requirements on system level failure modes. In this paper, a multiformalism model is employed to perform an availability analysis of an ERTMS/ETCS reference architecture at early phases of its development cycle. At this aim, a bottom-up analysis is performed from subsystem failure models (expressed by means of Generalized Stochastic Petri Nets, Fault Trees and Repairable Fault Trees) up to the overall system model. The modular approach, here used, allows to evaluate the influence of basic design parameters on the probability of system-level failure modes and demonstrates that system availability is within the bound required by the ERTMS/ETCS specification. The results show that the multiformalism modeling approach helps to cope with complexity, eases the verification of availability requirements and can be successfully applied to the analysis of complex critical systems.