Using STAMP/STPA to Chinese High Speed Railway Train Control System

Similar documents
Using STAMP to analysis Chinese High Speed Railway Accident Yong-wen Railway Accident

APPLICATION OF CAST AND STPA TO RAILROAD SAFETY IN CHINA. Airong Dong

A Comprehensive Safety Engineering Approach for Software Intensive Systems based on STPA

ERTMS/ETCS Configuration Management

Safety Driven Design with UML and STPA M. Rejzek, S. Krauss, Ch. Hilbes. Fourth STAMP Workshop, March 23-26, 2015, MIT Boston

Comparison of Risk Analysis Methodologies in an Electrical Grid. Svana Helen Björnsdóttir STAMP Workshop in Amsterdam October 4-6, 2015

Using STAMP to analyze serious accidents in China railway system

CTCS Chinese Train Control System

ERTMS/ETCS. Functional Requirements Specification FRS

Railway Business Strategy and R&D in Europe

BENEFIT OF DYNAMIC USE CASES TO EARLY DESIGN A DRIVING ASSISTANCE SYSTEM FOR PEDESTRIAN/TRUCK COLLISION AVOIDANCE

The Shanghai Maglev Route

Multiagent Control of Traffic Signals Vision Document 2.0. Vision Document. For Multiagent Control of Traffic Signals. Version 2.0

Risk Analysis of a CBTC Signaling System

Managing Design Changes using Safety-Guided Design for a Safety Critical Automotive System

Thameslink Desiro City & Signalling Press Trip April 20 to 21, 2015 Evolution in Motion. Siemens Mobility Division

Appendix A. About RailSys 3.0. A.1 Introduction

University of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities

Lineside Signal Spacing and Speed Signage

SFTA, SFMECA AND STPA APPLIED TO BRAZILIAN SPACE SOFTWARE

3 RBC INTERFACE TO INTERLOCKINGS IN FINLAND

Railway Crossing Information System

AUTOMATIC TRAIN OPERATION: THE MANDATORY IMPROVEMENT FOR ETCS APPLICATIONS

Railway Research and Technology in China Today

Effective Application of Software Safety Techniques for Automotive Embedded Control Systems SAE TECHNICAL PAPER SERIES

Frame of IoT in China

CAST Analysis John Thomas and Nancy Leveson. All rights reserved.

Lineside Signal Spacing and Speed Signage

Meeting DO-178B Software Verification Guidelines with Coverity Integrity Center

INSTRUCTOR S GUIDE. Stay on the Right Track Highway-Railway Crossing Awareness Training for Newly Licensed Drivers

Requirements Analysis Concepts & Principles. Instructor: Dr. Jerry Gao

Human Factors in the Development of Safety- Critical Railway Systems

Cisco Positive Train Control: Enhancing End-to-End Rail Safety

Safety-Driven Model-Based System Engineering Methodology Part I: Methodology Description *

WITH HIGH SPEED TO A SAFE EMERGENCY HANDLING - VIENNA - ST. PÖLTEN TUNNEL HIGH-SPEED LINE

CATIA V5R21 - FACT SHEET

Traffic Engineering Management Concepts

Dominic Taylor CEng MIET MIMechE MIRSE MCMI, Invensys Rail

A comprehensive information system for railway networks

Comparison Control Strategies for ISG hybrid electric vehicle. Hailu Tang 1, a

Automatic Train Control based on the Multi-Agent Control of Cooperative Systems

4. Critical success factors/objectives of the activity/proposal/project being risk assessed

Test Specification. Introduction

System Theoretic Approach To Cybersecurity

System Safety Process Applied to Automotive High Voltage Propulsion Systems

The momentum of a moving object has a magnitude, in kg m/s, and a... (1)

Adaptive Cruise Control System Overview

RATP safety approach for railway signalling systems

Using big data in automotive engineering?

Introduction to system safety and risk management in complex systems. Dr. John Thomas Massachusetts Institute of Technology

ASSESSMENT OF THE ISO STANDARD, ROAD VEHICLES FUNCTIONAL SAFETY

HAVEit. Reiner HOEGER Director Systems and Technology CONTINENTAL AUTOMOTIVE

Inventory Routing. An advanced solution for demand forecasting, stock replenishment, and route planning and execution

Functional Safety with ISO Principles and Practice Dr. Christof Ebert, Dr. Arnulf Braatz Vector Consulting Services

ChE-1800 H-2: Flowchart Diagrams (last updated January 13, 2013)

Making model-based development a reality: The development of NEC Electronics' automotive system development environment in conjunction with MATLAB

Complementary Tests: the key of the successful ERTMS deployment in Spain.

ProSoftMod Commission Report Documentation

Technical Bulletin. Understanding Servo Safety Functionality and SIL ratings

Ein einheitliches Risikoakzeptanzkriterium für Technische Systeme

S3 Benchmark A Fault Tree Based Model for ETCS Application Level 2

siemens.com/mobility Trainguard LEU S21 Central trackside equipment component

Design of Network Educating Information System Based on Use Cases Driven Shenwei Wang 1 & Min Guo 2

OSW TN002 - TMT GUIDELINES FOR SOFTWARE SAFETY TMT.SFT.TEC REL07

Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks

Automated Firewall Change Management. Ensure continuous compliance and reduce risk with secure change management workflows

Trainguard Sirius CBTC

Application of Adaptive Probing for Fault Diagnosis in Computer Networks 1

Nemo 96HD/HD+ MODBUS

Algorithms and optimization for search engine marketing

Functional Safety Lifecycle of the LCLS PLC PPS Systems E. Michael Saleski * May 31, 2006

Hybrid System for Driver Assistance

ITIL Intermediate Qualification: Service Offerings and Agreement. Webinar presentation 8 May 2009

Software Engineering Introduction & Background. Complaints. General Problems. Department of Computer Science Kent State University

Safety and Security Driven Design. Unmanned Aircraft-National Airspace System Integration Case Study

Rail Automation. What is ACSES? usa.siemens.com/rail-automation

Cars of the future. What is your most favourite car in the world? Give a description of your first car


Car Racing Game. Figure 1 The Car Racing Game

Introduction to Simulink

Design and Implementation of Production Management Information System for Jiujiang Railway Track Depot

Energy Recovery System for Excavators Meng (Rachel) Wang, Chad Larish Eaton Corporation

Health and safety policy

By: M.Habibullah Pagarkar Kaushal Parekh Jogen Shah Jignasa Desai Prarthna Advani Siddhesh Sarvankar Nikhil Ghate

Introduction to Project Management

PEDESTRIAN AND BICYCLE ACCIDENT DATA. Irene Isaksson-Hellman If Insurance Company P&C Ltd.

Karunya University Dept. of Information Technology

Big Data: A new era of insurance? Dr. Iordanis Chatziprodromou, Mexico 2015

Transcription:

Using STAMP/STPA to Chinese High Speed Railway Train Control System Liu Jintao,Ph.D. candidate State Key Laboratory of Rail Traffic Control and Safety Beijing Jiaotong University

Outline Background and Motivation Train control system in requirements phase Hazard analysis on train control system Some ideas in using STPA in requirements phase Internal Function Modules in Control Loops Causal Factors Formal model-based Causal Factors Analysis Case study : Chinese Train Control System Chinese High Speed Railway Train Control System Perform STPA on study case Conclusion

Background and Motivation What is train control system? To separate and protect train against collision and derailment. Train Control V 80km/h Real speed Line limit speed Permitted speed Infrastructure Train S S AT VCC S S Safety braking distance S S AT RCC S S Sep. 2006.German High-Speed Maglev Accident. 23 people dead, 10 injured. Apr. 2008. China JiaoJi Railway Accident.. 72 people dead, 416 injured. Jul. 2011. China YongWen Railway Accident. 40 people dead, 200 injured. Train Control System is Safety-Critical

Background and Motivation Main features of Train Control System in the Requirements Phase In requirements phase of train control system lifecycle, the system is specified in system requirements specification (SRS). - Described in natural language - Refinement of functional requirements on technical level (A set of function modules and their inputs/outputs)

Background and Motivation Hazard Analysis on Train Control System in the Requirements Phase As the basis of system design and development, train control system depicted in SRS shall be analyzed to identify the hazardous factors that lead to the system hazard. According to these hazardous factors, we could further improve the SRS, and establish the safety requirements.

Background and Motivation Why and How to use STAMP/STPA Event Chain can not effectively help to analyze the hazardous factors. Specifically Not Repeat the Benefits of STPA Step1: Identify unsafe control actions Step2: Identify causal factors Causal factors focused by STPA are related to the control algorithm, the process model and so on. The system in requirements phase is described in natural language, for which the formal description is more accurate way. Considering such two aspects, we propose some ideas to customize the specific implementation of STPA.

Outline Background and Motivation Train control system in requirements phase Hazard analysis on train control system Some ideas in using STPA in requirements phase Internal Function Modules in Control Loops Causal Factors Formal model-based Causal Factors Analysis Case study : Chinese Train Control System Chinese High Speed Railway Train Control System Perform STPA on study case Conclusion

Some ideas in using STPA in requirements phase Internal Function Modules in Control Loops Step 1: activity F1 a, activity F2 b; Step 2: activity F3 c; Step 3: activity F4 d, activity F5 e;... Inputs Internal function module F1 Step 2 Internal function module F3 Step 1 Internal function module F2 Controller Internal function module F4 Step 3 Internal function module F5 Outputs

Some ideas in using STPA in requirements phase Internal Function Modules in Control Loops We describe the internal function modules and their inputs/outputs in the controller using the form of lists. Inputs Internal function module F1 Internal function module F3 Internal Function Internal function module F2 F1 Controller Modules in Controller F2 F3 Input: Internal function Output: module Input: F4 Output: Input: Output: Inputs/Outputs Internal function module F5 Outputs

Some ideas in using STPA in requirements phase Causal Factors Map the control algorithm-related and process model-related issues into the layer of function modules and their inputs. Inputs of internal function modules in controller is incorrect, missing, or not updated in time Flaw(s) in engineering process Flaw(s) in updating process Incorrect data entered by human Internal function modules in controller fail Flaw(s) in creation process Incorrect modification a) We identify the inputs-related causal factors with manual analysis. b) We identify the function modulerelated issues with formal method.

Some ideas in using STPA in requirements phase Formal model-based Causal Factors Analysis Behavior Model Functional Failure Model Step1: Find all possible internal functional failures according to the list of controller. Definition 1 The Functional Failure Description Notation (FFDN) consists of the representing characters of <C, M, F, D, S, f, A >, where, Step2: Model the normal behavior with Hybrid Automata 1) Unsafe C refers to a finite set of system components; Integrated 2) Control M refers to a finite set of failure description modules of system components, for i C, M Model i is Actions the failure description module of component i, and is also called FFDN module; 3) F= {F 1, F 2 F n } refers to a finite set of possible functional failures of a system component; failures with FFDN 4) D= {D 1_dev, D 2_dev D n_dev } refers to a finite set of the data deviations resulted by the functional failures, for m, k C and m k, D Function modulesrelated causal factors m D k = ; 5) S= {S 1, S 2 S n } refers to the set of states affected by functional failures, and S S, where the S is the set of states of the normal behavior model; above leading to UCAs 6) f : F D S refers to the mapping relationships between F and D, and F and S, where f={f D, f S }; 7) A= {f D (F), f S (F)} refers to the influence of functional failures, where f D (F) refers to the influence monitor. of functional failures on the data and f S (F) refers to the influence of functional failures on the states. Step3: Model the internal functional Definition 2 (Monitor). The fault events monitor is a structure M=(S, A, f,init),where, S={s 1, s Step4: 2 s Integrate n } is the sets of states these two models of the monitor, A= {a 1, a 2 a n } is the sets of fault events in the PHAVer model, f : A S is the mapping function from A to S, Init=S Step5: Analyze the internal function 0 is the sets of initial states of the fault events modules-related causal factors with the tool PHAVer

Outline Background and Motivation Train control system in requirements phase Hazard analysis on train control system Some ideas in using STPA in requirements phase Internal Function Modules in Control Loops Causal Factors Formal model-based Causal Factors Analysis Case study : Chinese Train Control System Chinese High Speed Railway Train Control System Perform STPA on study case Conclusion

Case Study Chinese High Speed Railway Train Control System One typical hazard of the system is considered: The train control system does not protect the train against exceedance of the safe speed limits. Train1 The hazard can be traced to one system-level safety constraint that mitigates the hazard: The train control system shall make impossible the violation of the safe speed limits. Reference structure of the system

Case Study Control Structure We take vital computer as example to illustrate the list containing internal function modules and inputs/outputs. Internal Function Modules in Vital Computer 1 Supervision and protection 2 Train properties handling 3 Data provision 4 Emergency handling Inputs/Outputs Input: Track description, Train data, System data, Location data, MA data, Emergency stop location, Session status Output: Train order, MA request Input: Driver input, Location data Output: Train data, Train integrity status, Position report Input: Track description, MA data, System data The down arrows represent the Output: Track description, MA data, System data control actions, and the up Input: Emergency message, Revocation arrows of represent emergency the message feedbacks. Output: Emergency stop location, The Acknowledgement horizontal arrows of represent emergency stop the information interaction.

Case Study Step1: Unsafe Control Actions (UCAs) Type UCAs Scenarios Refined safety constraints A required control action is not provided or is inadequately executed An incorrect or unsafe control action is provided. A potentially correct or adequate control action is provided at the wrong time UCA1.1 The train in over-speed doesn t receive the brake command from the VC. UCA1.2 The VC doesn t receive the emergency message from the RBC. UCA1.3 The VC doesn t receive the route information or the speed restriction. UCA2.1 The RBC provides an incorrect MA for the VC. UCA2.2 Both RBC and balise provide incorrect route information and speed restriction. UCA2.3 The driver inputs incorrect train data into the VC. UCA2.4 The driver accelerates the train. UCA3.1 The VC sends the brake command to the train too late. UCA3.2 The RBC shortens a given MA too late when necessary. UCA3.3 The driver releases the emergency brake too early. The speed of train have been exceeded the speed limitation. The emergency situations happened. The route has the fixed speed limit. When VC requests the MA or the MA is sent periodically. The route has the fixed speed limit. When driver started the train. When the speed is close to the speed restriction The speed of train have been exceeded the speed limitation. When the route has been changed in some situations. The train has not been stopped completely. The train shall receive the brake command when the speed of train have been exceeded the speed limitation. The VC shall receive the emergency message in emergency situations. The VC shall receive the route information and the speed restriction The RBC shall provide the correct MA for the VC. Type UCAs Scenarios Refined safety constraints A required control action is not provided or is inadequately executed UCA1.1 The train in over-speed doesn t receive the brake command from the VC. The speed of train have been exceeded the speed limitation. The train shall receive the brake command when the speed of train have been exceeded the speed limitation. Both RBC and balise shall provide correct route information and speed restriction. The driver shall input correct train data into the VC The driver shall not accelerate the train without considering the speed restriction. The VC shall send the brake command to the train in time. The RBC shall shorten a given MA in time. The driver shall release the emergency brake when the train has stopped. Hazard: The train exceeds the safe speed limits.

Case Study Step2A: Inputs-related Causal Factors Unsafe control actions (UCA) UCA1.1 The train in over-speed doesn t receive the brake command from the VC. UCA1.2 The VC doesn t receive the emergency message from the RBC. Inputs-related causal factors(icf)leading to unsafe control actions ICF1.1.1: The actual speed used to compare with the speed restriction in the VC is incorrect. ICF1.1.2: The train data (e.g. train category, braking model, etc.) used for speed profile is incorrect. ICF1.1.3: The system data used to select brake commands in the VC is incorrect. ICF1.1.4: The emergency stop location in the VC is missing. ICF1.2.1: The emergency situation which shall be known by the RBC is incorrect or missing. ICF1.2.2: The end of authority (EOA) used to evaluate emergency in the RBC is incorrect. ICF1.2.3: The location data received by the RBC is incorrect. UCA1.3 The VC doesn t receive the route information or the speed restriction. Unsafe control actions (UCA) UCA2.1 The RBC provides an incorrect MA for the VC. UCA2.2 Both RBC and balise provide incorrect route information and speed restriction. UCA1.1 The train in over-speed doesn t receive the brake command from the VC. UCA2.3 The driver inputs incorrect train data into the VC. UCA2.4 The driver accelerates the train. UCA3.1 The VC sends the brake command to the train too late. UCA3.2 The RBC shortens a given MA too late when necessary. ICF1.3.1: The route information and the speed restriction stored in both balise and RBC are missing. Inputs-related causal factors leading to unsafe control actions ICF2.1.1: The location data used to generate the MA is incorrect. ICF2.1.2: The route information used to generate the MA is incorrect. ICF2.1.3: The train data received by the RBC is incorrect. ICF1.1.1: The actual speed used to compare with the speed ICF2.2.1: The route information and the speed restriction both balise and RBC are incorrect. restriction in the VC is incorrect. ICF1.1.2: ICF2.3.1: The The train train data known (e.g. by the train driver is category, incorrect. braking model, etc.) used for speed profile is incorrect. ICF2.4.1: The permit speed and the target speed displayed to the driver are incorrect. ICF1.1.3: ICF2.4.2: The The system actual speed data or the used location data to select displayed to brake the driver commands is incorrect. in the VC is incorrect. ICF1.1.4: The emergency stop location in the VC is missing. ICF3.1.1: The actual speed or the location data used to determine the braking time is incorrect. ICF3.1.2: The EOA or the speed restriction used for the calculation of speed profile is incorrect. ICF3.1.3: The train data used to determine the braking time is incorrect. ICF3.2.1: The route information in the RBC is not updated in time. ICF3.2.2: The location data in the RBC is not updated in time. UCA3.3 The driver releases the emergency brake too early. ICF3.3.1: The current speed provided by the DMI is incorrect.

Case Study Step2B: Formal Model-based Causal Factors Analysis

Case Study Step2B: Formal Model-based Causal Factors Analysis Unsafe control actions (UCA) UCA1.1V>Vmrsp+dv_sbi&Order_reqSB=0 or Lc>EOA&Order_reqSB=0 Unsafe control actions (UCA) UCA1.2 Emsituation=1&MesgGot=0 UCA1.3 MesgGot=0&BTM_BMsg=0&RouteInfor=1 &BaliseInfor=1 UCA1.1 The train in over-speed doesn t receive the brake command from the VC. UCA2.1 MesgSent=1&MesgGot=1&MesgCorrect=0 UCA1.2 The VC doesn t receive the emergency message from the RBC. Unsafe control actions UCA2.2 RouteInfor=1&BaliseInfor=1&MesgGot=1& BTM_BMsg=1&MesgCorrect=0&BMesgCorrect=0 UCA1.3 The VC doesn t receive the route information or the speed restriction. UCA2.3 Input=1&DMI_TD=1&DataCorrect=0 UCA2.1 The RBC provides an incorrect MA for UCA1.1V>Vmrsp+dv_sbi&Order_reqS the VC. B=0 or Lc>EOA&Order_reqSB=0 UCA2.4 V>Vmrsp+dv_sbi&Acc=1 or Lc>EOA&Acc=1 UCA3.1 Order_reqSB=0&t_Delay2=tnormal2 UCA2.2 Both RBC and balise provide incorrect route information and speed restriction. UCA3.2 t1_rbc=tnormal4&mesgsent=0 UCA2.3 The driver inputs incorrect train data into the VC. UCA3.3 V>0& Order_reqEB=1&RelEB=1 UCA2.4 The driver accelerates the train. Function module-related causal factors leading to unsafe control actions {F_SDU_3, F_VC_11},{F_VC_3},{F_VC_8}, {F_VC_9},{F_VC_12},{F_VC_14},{F_VC_15}, {F_VC_17},{F_TIU_1},{F_SDU_1} Inputs-related causal factors(icf)leading to unsafe control actions {F_RBC_5},{F_RBC_6},{F_RBC_11},{F_RTM_2} {F_RBC_11, F_Balise_2},{F_RTM_2, F_BTM_3}, {F_RTM_2, F_BTM_1} ICF1.1.1: The actual speed used to compare with the speed restriction in the VC is incorrect. ICF1.1.2: The train data (e.g. train category, braking model, etc.) used for speed profile is incorrect. ICF1.1.3: The system data used to select brake commands in the VC is incorrect. ICF1.1.4: The emergency stop location in the VC is missing. {F_RTM_5, F_VC_2, F_RBC_1} Function module-related causal factors leading to unsafe control actions ICF1.2.1: The emergency situation which shall be known by the RBC is incorrect or missing. ICF1.2.2: The end of authority (EOA) used to evaluate emergency in the RBC is incorrect. ICF1.2.3: The location data received by the RBC is incorrect. {F_RBC_2, F_Balise_1},{F_RTM_5, F_VC_2}, {F_BTM_2, F_VC_2} ICF1.3.1: The route information and the speed restriction stored in both balise and RBC are missing. {F_Driver_1},{F_DMI_1} {F_SDU_3, F_VC_11},{F_VC_3},{F_VC_8}, {F_VC_9},{F_VC_12},{F_VC_14},{F_VC_1 5}, {F_VC_17},{F_TIU_1},{F_SDU_1} ICF2.1.1: The location data used to generate the MA is incorrect. ICF2.1.2: The route information used to generate the MA is incorrect. ICF2.1.3: The train data received by the RBC is incorrect. {F_Driver_2},{F_DMI_2},{F_DMI_3},{F_Driver_4} {F_VC_16},{F_VC_18},{F_TIU_5} ICF2.2.1: The route information and the speed restriction in both balise and RBC are incorrect. {F_RBC_12},{F_RTM_6},{F_RBC_6} ICF2.3.1: The train data known by the driver is incorrect. {F_Driver_3},{F_DMI_2} ICF2.4.1: The permit speed and the target speed displayed to the driver are incorrect. ICF2.4.2: The actual speed or the location data displayed to the driver is incorrect.

Case Study Comparison with traditional analysis Analysis using FTA Inputs-related issues leading to the hazard are hard to analyze in detail. For example, incorrect data to trackside constituents Some failures identified are mistaken for the single points of failures. For example, SDU fail to determine the distance {F_SDU_3} Once the hazard changes, the analysis needs to be performed all over again from the beginning to the end Analysis using STPA Inputs-related control flaws identified with the STPA method are more detailed, (missing, incorrect or not updating in time) Results are more complete. For example, {F_SDU_3, F_VC_11} Hierarchical control structure and the behavior models can be reused for analyzing another hazard as long as the system remains unchanged

Outline Background and Motivation Train control system in requirements phase Hazard analysis on train control system Some ideas in using STPA in requirements phase Internal Function Modules in Control Loops Causal Factors Formal model-based Causal Factors Analysis Case study : Chinese Train Control System Chinese High Speed Railway Train Control System Perform STPA on study case Conclusion

Conclusion We found that STAMP/STPA is extremely useful for the train control system. We showed the specific implementation of STPA in the hazard analysis of train control system in requirements phase. Future work is suggested that more study should be carried out on identification of inputs-related causal factors with the formal methods.

Q&A Thank you! State Key Laboratory of Rail Traffic Control and Safety Beijing Jiaotong University, Beijing, China

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information