Integration of Petri Nets into CAST by the Example of 7.23 Accidentpsas.scripts.mit.edu/home/wp-content/uploads/2013/04/03... · 2013-04-03 · Slide 2 Hosse, Spiegel, Schnieder |

Institut für Verkehrssicherheitund Automatisierungstechnik

Prof. Dr.-Ing. Dr. h.c. mult. E. Schnieder

Integration of Petri Nets into CAST by the Example of

7.23 Accident

Dipl.-Wirtsch.-Ing. René S. Hosse, Dirk Spiegel M.Sc. M.Sc., Prof. Dr.-Ing. Dr. h.c. mult. Eckehard Schnieder

27. March 2013





René

Dirk

27. March 2013

Slide 2

Hosse, Spiegel, Schnieder | 2nd STAMP Workshop | MIT

1) Motivation

2) Goal of Hybrid Approach

3) Methodology

(1) STAMP/CAST (to be known)

(2) ProFunD

(3) Hybrid Approach

4) Sample Application on Accident 7.23

5) Results and Discussions

6) Conclusions

Contents





1. Motivation What do we do?

27. March 2013 Hosse, Spiegel, Schnieder | 2nd STAMP Workshop | MIT

Slide 3

Ground transportation safety

• Automotive

• Driver assistant systems / automous driving

• E.g. time series analyses

• Railway

• ERTMS/ETCS development

• Satellite based localisation services

• Safety cases (or: hazard cases)

System Safety Engineering, primarily model-based engineering

Automation Engineering (e.g. SmallCAN)

Terminology and Requirements Engineering

Institute für Traffic Safety

and Automation Engineering





1. Motivation Why we do need STAMP + ?

Why we need STAMP + ?

But:

• Little normative background

• Partly conflicting with RAMS

standards (reliability, availability,

maintainability, safety)

• Little distribution throughout ground

transportation industry in Europe,

only few application known

• No accepted formal methods

included, except System Dynamics


Slide 4

Advantages of STAMP for Railway

applications:

Understandable for non-engineers

(interdisciplinary application) and relatively

easy to use

High amount of detection of control lacks

Involving complex human decision making,

software error, systemic accidents and

organizational risk

Performing STAMP analysis improves

significantly system understanding





1. Motivation System Development in Europe Railway Standards: V-Model


Slide 5

“For developing precise system definitions and for simplifying the

evidence of safety, the use of formal methods is highly

recommended in the new European CENELEC standards for safe

railway systems (EN 50126, EN 50128, DIN EN 61508).“

[Arabestani et. al. 2004, p.119]





1. Motivation Orthogonality: Thinking in Means of Description, Methods and Tools (1/3)


Slide 6

Mean of

Description

Method Tool

System Dynamics

Reliability Block

Diagrams

Pen & Paper

Failure Trees

Petri net

STAMP/CAST/STPA

ProFunD

FMEA

CREAM

SpecTRM

PiTool

Any Logic

Vensim







Slide 7

Mean of

Description

Method Tool

System Dynamics

Reliability Block

Diagrams

Pen & Paper

Failure Trees

Petri net

STAMP/CAST/STPA

ProFunD

FMEA

CREAM

SpecTRM

PiTool

Any Logic

Vensim







Slide 8

Mean of

Description

Method Tool

System Dynamics

Reliability Block

Diagrams

Pen & Paper

Failure Trees

Petri net

STAMP/CAST/STPA

ProFunD

FMEA

CREAM

SpecTRM

PiTool

Any Logic

Vensim





27. March 2013

Slide 9


1) Motivation


3) Methodology


(2) ProFunD

(3) Hybrid Approach



6) Conclusions

Contents





STAMP + ProFunD

STAMP

ProFunD


Slide 10

2. Goal of Hybrid Approach Hybridization of qualitative approach and quantitative approach

qualitative quantitative

Organization

Technology





27. March 2013

Slide 11


1) Motivation


3) Methodology


(2) ProFunD

(3) Hybrid Approach



6) Conclusions

Contents






Slide 12

3. Methodology (2) ProFunD – Fundamental Concepts

Func onalSystemSafetyAnalysis

SystemHazardLog

HazardAnalysis

Model-basedAnalysis

Model-basedAnalysis

HazardousSitua on

Implementa on

TechnicalSynthesisandlocaldependabilitymodeling

Model3TechnicalDesign

Func onalSynthesisandglobaldependabilitymodeling

Model2Func onalDesign

ModelingofOpera veProcess

Model1RequirementsAnalyzes

Opera veProcess

RiskAnalysis

SystemHazardAnalysis

Physical Processes

Functional Layer

(Human, Soft- and

Hardware)

Component

Dependability

[Slovák 2006]






Slide 13

3. Methodology (3) Hybrid Approach – Analysis Process on the example of CAST

Identification of Proximate Events

Construction of Safety Control Structure

ProFunD-based Petri Net Model

Model Analysis and Evaluation

Recommendations





27. March 2013

Slide 14


1) Motivation


3) Methodology


(2) ProFunD

(3) Hybrid Approach


5) Results and Discussion

6) Conclusions

Contents





Lightning caused track circuit failure

TC continued transmitting to the TTC the “block free signal”

Transmitting incorrect signals

Communication channel of D3115 was damaged

CTC dispatcher “forgot” to track the train

7:30 pm track circuit was damaged

7:39 pm failure was detected

8:30 pm the accident happened

~ 1 hour to fix and consider the failure

Most of the accident report was dedicated

to assign responsibilities and its punishments

4. Sample Application Accident introduction of the Wenzhou accident

Hosse, Spiegel, Schnieder | 2nd STAMP Workshop | MIT 27th March 2013

Slide 15

[Dajiang Suo 2012]





Application is based on

the control structure by

Airong Dong

Multiple simplifications

have been made

(Signal flows)

Pi-Tool has been used

(Provided by iQST

GmbH)

4. Sample Application Control Structure as basis for the Petri net modelling

Train Schedule TSR Orders Legend:

Dispatching Center

Human Controller

Routing Status Display

Dispatching Communication

Control Feedback

Station

TSR TSR Status Control Action

Routing Block Status

Track occupancy Status

Status Display Signal Status

TSR TSR Status

Route Status Block Status

Track Circuit Occ Status

Signal Status

Wayside

Speed Limits TSR

Occupancy Status Ahead Line Parameters

On-board Movement Authority Limit

Operation Mode

Mode Selection Overspeed Alarm

Propulsion Cab Signal

Brake Train Speed Brake Brake Status

TSR

Setting

TCC

Train Operator

Signal

Display

On-board ATP System

Train Subsystem

CTC Dispatcher

Block Signal Track Circuit Transponder

Station Interlocking

System including Track

Circuits

Station Interlocking

Computer

Station Operator

CTC

CTC Station Workstation

Signal

Control

Signal

Status

TC

coding

TC

Status

Transponder

messaging

Transponder

Status


Slide 16

[Airong Dong 2012]






Slide 17

4. Sample Application Transforming standard control loop

Controller

Controlled Process

Control

ActionsFeedback

System State System Events

[Leveson 2011]





27th March 2013 Hosse, Spiegel, Schnieder | 2nd STAMP Workshop | MIT

Slide 18

4. Sample Application System-theory element transformation - simple control loop with control flaws





4. Sample Application State tree (simplified reachability graph)


Slide 19





27. March 2013

Slide 20


1) Motivation


3) Methodology


(2) ProFunD

(3) Hybrid Approach



6) Conclusions

Contents





Same amount of critical system states as in Airong Dong are detected

General design rules as the fail-safe principle are detected in either analysis

(except the station operator who was neglected during the formal model)

Grade of detail is much higher within the new method due to the PN which force the

analysis for a high precision modelling

5. Results and Discussions Comparison with CAST analysis

CAST Analysis by keywords New Method

Did not track leading train Wrong assumptions in mental model (“T1

time passed since train entered” &

“communication bus intact”)

Did not track TC 5829 AG failure status Forgetting of “abnormal condition”

Unable to report train cannot start in OS

mode

“T1 FP OS failed to restart” &

“Communication bus b1 defect”


Slide 21

[Airong Dong 2012]





27. March 2013

Slide 22


1) Motivation


3) Methodology


(2) ProFunD

(3) Hybrid Approach



6) Conclusions

Contents





The new method:

enables to detect as many failures as CAST-Analysis

shows the system states on which basis decisions were made including contextural

factors

enables analysis technique with larger analysis capabilities (qualitative / quantitative)

Systems are easily too complex to be analyzed with a reachability graph

has shown STAMP / CAST can be applied orthogonally

does not help to determine when a system is safe

Future Work: Provide Open Source Tools for STAMP / CAST

6. Conclusions


Slide 23





[Airong Dong 2012] Airong Dong: Application of CAST and STPA to Railroad Safety in China. Master Thesis, Boston, 2012.

[Dajiang Suo 2012] Dajiang Suo: System Theoretic Analysis of the “7.23” Yong-Tai-Wen Railway Accident. Master Thesis, Beijing, 2012.

[DIN EN 50126] Deutsches Institut für Normung:: Railway application: The specification and demonstration of Reliability, Availability, Maintainability and Safety(RAMS).

[Kaiser et al. 2007] Kaiser, B.; Gramlich, C.; Förster, M.: State/event fault trees—A safety analysis model for software-controlled systems, in: Reliability Engineering & System Safety, Vol. 92 (2007) No. 11, pp. 1521–1537.

[Leveson 2011] Leveson, N.: Engineering a safer world. Systems thinking applied to safety, MIT Press, Cambridge Mass, 2011.

[Meyer zu Hörste 2004] Meyer zu Hörste, M.: Methodische Analyse und generische Modellierung von Eisenbahnleit- und -sicherungssystemen. Dissertation. 571, VDI-Verl, Düsseldorf, Braunschweig, 2004.

[Ministry of Railway China 2011] Ministry of Railway China: Investigation Report of "7.23 Yong-Wen Severe Railway Transportatoin Accident", 2011.

[Slovák 2006] Slovák, R.: Methodische Modellierung und Analyse von Sicherungssystemen des Eisenbahnverkehrs. Dissertation, Braunschweig, 2006.

Literature


Slide 24





Dipl.-Wirtsch.-Ing. René Sebastian Hosse

Dirk Spiegel, M.Sc., M.Sc.

Institute for Traffic Safety and Automation Engineering

Technische Universität Braunschweig

Germany

{hosse; spiegel}@iva.ing.tu-bs.de


Slide 25

Contacts





Backup


Slide 26






Slide 27

2. Goal of Hybrid Approach Comparison of STAMP and ProFunD Approach

Te

ch

niq

ue

/ M

eth

od

s /

me

an

s o

f d

es

cri

pti

on

Su

ite

d f

or

co

mp

lex

sys

tem

s

Su

ite

d f

or

ne

w s

ys

tem

de

sig

ns

Qu

alita

tive

An

aly

sis

(Sta

te s

pa

ce

)

Qu

an

tita

tive

An

aly

sis

(Pro

ba

bilit

ies

/ra

tes

)

Qu

an

tita

tive

An

aly

sis

(Sto

ch

as

tic

dis

trib

uti

on

s)

Sim

ula

tio

n

Su

ite

d f

or

co

mb

ina

tio

n

of

failu

res

Su

ite

d f

or

ord

er

de

pe

nd

en

cie

s

Bo

tto

m U

p o

r T

op

Do

wn

Su

ite

d f

or

allo

ca

tio

n o

f

sa

fety

re

qu

ire

me

nts

Ex

pe

rt k

no

wle

dg

e

req

uir

ed

Ac

ce

pta

nc

e a

nd

dis

trib

uti

on

To

ols

ne

ed

ed

Pla

us

ibilit

y c

he

ck

s

Ava

ila

bilit

y o

f T

oo

ls

IEC

No

rm

ETA - - - ○ - ○ - + B-U - ○ ○ ○ + ○ 62502

FMECA - - - ○ - - - - B-U - + + ○ + + 60812

FTA + + - + - - + - T-D + ○ + ○ + + 61025

HAZOP - - - - - - - - B-U - ○ ○ ○ + ○ 61882

Markov ○ ○ ○ - + ○ + + T-D + - ○ - - ○ 61165

RBD + - ○ + + - + - T-D + - ○ ○ + ○ 61078

PN/ProFun

D + + + + + + + + T-D + - - - + ○ 62551

SD/STAMP + + - - - - + + T-D + + - - ○ ○ 62740

SoTeRiA + + - + + + + + T-D - - - - ○ ○ ---

CREAM /

DREAM

○ ○ - + - - ○ + T-D - - - ○ ○ ○ ---





Accidental condition = 2 trains in one block

Application of STHAR

Petri net of the process


Slide 28

[Slovák 2006]






Petri Net of CTC dispatcher mental model


Slide 29






Petri net of the CTC Dispatcher functional model


Slide 30





27th March 2013


Dependability CTC dispatcher

“Forgetting” of abnormal condition

Assumptions of mental tracking


Slide 31






Slide 32

2. Goal of Hybrid Approach Objectives of the Hybrid Approach

• To use the control structure as a basis for the combination

• To take socio-technical elements into consideration

• To retain the foundations of system theory (emergence and hierarchy, communication and control, process model)

• To facilitate a state-based analysis method

• To ensure safety by integrating safety constraints

Objectives of STAMP

• To provide guidance for the model building process

• To enable hazard and accident analyses

Objectives of ProFunD

• To maintain nonlinearity

• To allow investigation into causal effects

• To allow detection of states leading to hazards

• To facilitate qualitative and quantitative analysis

Objectives of STAMP/ProFunD

[Leveson 2011] [Slovák 2006]

Documents

Integration of Petri Nets into CAST by the Example of 7.23 Accidentpsas.scripts.mit.edu/home/wp-content/uploads/2013/04/03... · 2013-04-03 · Slide 2 Hosse, Spiegel, Schnieder |