International maintenance from international perspective Asset management and critical computerized system maintenance
30th March 2017
Dr. Marc Antoni FIRSE – AFFI – VDEI
Rail System Director
The railway system

[Diagram: the railway as a system, balancing human capital, operation principles and rules, the environment by sub-network, infrastructure and rolling stock, with the same balance for costs and safety]

The "railway is a system": signalling is its heart.
The railway is a system of systems, and a "network" too.
2 UIC – Rail System – Dr. Marc ANTONI
The main railway challenges today

> Reduce operation and maintenance costs by 30% with identical traffic
> Double the traffic capacity of an existing network or track at the same operation costs
> No possibility to use massive modernisation or renewal investment at an acceptable funding rate
> Possibility to use "digital improvement" to create the move: digital to improve railway performance

NB: Moving digital isn't a technical issue but a human capital issue!
How to reach these goals?

> An asset management policy adapted to entire networks: the railway objectives are shared and targeted
> Asset management, security and safety teams have to contribute together from the early stage of the system definition (less than 4 target)
> In both cases the battle is won or lost at the first stage of the design (has to be confirmed), especially for critical computerized systems
Asset Management in practice

Main goals:
> Develop specific methods and tools for the lowest whole life cycle, whole system cost
> Develop specification and procurement methods that minimize the future whole life cycle, whole system cost
> Asset management is the art of striving for high performance in a context of "shortages"; individual resource managers are not aware of overall shortages

These needs require a "governance": a necessary but not sufficient condition for asset managers to operate effectively
Asset Management in practice

TARGET INDUSTRIAL PROCESS => including Costs, Safety, Security

[Diagram: the asset management system, from network strategy down to production; the asset manager's side on the left, the production side on the right]

> Network strategy: definition of network performance objectives -> GPMR, SNIT (French transport infrastructure schemes), performance contracts, etc.
> Route strategies: definition of objectives -> axes, objectives, performance per route
> Asset strategies: definition of technical policies -> renewal policies, maintenance, products, etc.
> Planning by route: medium-term planning of work by route -> work portfolios, capacity schemes, budgets, resources
> Scheduling by route: short-term planning of work by route -> scheduling of work portfolios
> Carrying out of work: work, findings, performance -> performance findings, incidents, network condition
Asset Management in practice

The battle of asset management is won in the early design phase: the impact of new design and renewal is huge
The railway is an "always living system"; signalling is its heart
> We can only renew or maintain the "always living railway system" that we have given thought to in advance
> If we haven't given it any thought in advance, we would have to pay much more to do the same... if possible in a safe way
The railway, and the signalling system in particular, is not a factory
Asset Management in design

The maintenance costs of the infrastructure are a function of various parameters; their impact is estimated by modelling. Several parameters have a strong impact on the costs.

[Table: parameters rated "rather yes" / "rather no" for their impact on LCC, safety and security]

[Diagram: monitoring, supervision and maintenance centre]

Digital new possibilities can help to improve the maintenance and renewal processes and to reduce the track possession needs...
Asset Management in design

Four steps for modelling and operational asset management:
0 – Database describing the population, the traceability of the maintenance operations, the traffic...
1 – Work on the deterioration and failure laws of each infrastructure modular component
2 – Tools for the estimation of the maintenance needs of the assets (with different renewal strategies)
3 – Tools for LCC calculation at the national or route levels, including environmental effects, track possession and unavailability costs...
[Chart: deterioration law of the "Cœur à Pointe Mobile LGV" (swing-nose crossing on a high-speed line), failure indicator from 0 to 0.3 against 0 to 350 on the x-axis, two series: "Cœur Pointe Mobile Béton" (concrete) and "Cœur Pointe Mobile Bois" (wood)]
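The four steps above carried through as a small expected-value model, as an added example that is not the author's tool: the asset population, the deterioration law and every cost figure are constructed assumptions.

```python
"""Steps 0-3 of the slide as a small expected-value model: a constructed asset
population (step 0), a constructed deterioration law (step 1), maintenance needs
under different renewal policies (step 2) and a life-cycle cost with possession
and unavailability costs (step 3). Added example: every figure is an assumption."""
import math
from dataclasses import dataclass

@dataclass
class CostModel:
    corrective: float            # cost of one corrective repair (assumed)
    renewal: float               # cost of one planned renewal (assumed)
    possession_hours: float      # track possession needed per renewal (assumed)
    failure_downtime_h: float    # unavailability caused by one failure (assumed)
    unavailability_per_h: float  # traffic-disruption cost per hour (assumed)

def hazard(age, base=0.02, growth=0.08):
    """Step 1: constructed wear-out law; expected failures per year grow
    exponentially with component age."""
    return base * math.exp(growth * age)

def simulate(ages, renew_at, horizon, cost, law=hazard):
    """Steps 2-3: expected needs and costs over the horizon for one renewal
    policy.  renew_at=None means run-to-failure (never renew)."""
    ages = list(ages)
    total = {"corrective": 0.0, "renewal": 0.0, "unavailability": 0.0}
    for _ in range(horizon):
        for i, age in enumerate(ages):
            if renew_at is not None and age >= renew_at:   # planned renewal
                total["renewal"] += cost.renewal
                total["unavailability"] += cost.possession_hours * cost.unavailability_per_h
                age = 0
            failures = law(age)                             # expected failures this year
            total["corrective"] += failures * cost.corrective
            total["unavailability"] += failures * cost.failure_downtime_h * cost.unavailability_per_h
            ages[i] = age + 1
    total["lcc"] = sum(total.values())
    return total

# Step 0: constructed population (ages in years of six crossings on one route)
POPULATION = [5, 12, 18, 25, 33, 40]
COSTS = CostModel(corrective=8_000, renewal=120_000, possession_hours=16,
                  failure_downtime_h=6, unavailability_per_h=5_000)
STRATEGIES = {"run to failure": None, "renew at 25": 25, "renew at 35": 35}

def compare(ages=POPULATION, horizon=30, cost=COSTS, strategies=STRATEGIES):
    """LCC per strategy; the cheapest is the candidate renewal policy."""
    return {n: simulate(ages, t, horizon, cost)["lcc"] for n, t in strategies.items()}
```

Calling compare() ranks the three policies by total LCC; swapping in a measured deterioration law for hazard() is what step 1 of the slide is about.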
Asset Management in signalling systems

Signalling is the heart of the railway system:
> ATO, ETCS (or any other signalling module) has to be interfaced with the whole railway system, especially the legacy signalling system that must remain
> Design choices are key for maintenance, safety and security

[Diagram: the critical computerized system or interface and its "over system": exploitation rules, sensors, field elements, the ERTMS system, operators, maintenance, block system, rolling stock; the functional software (formally provable) is separated from the hardware and the basic ("ground") software]
Asset Management in signalling systems

Examples of design choice impacts:
> Formal versus natural language for computerized signalling system requirements? Which is best for the life cycle cost of the computerized signalling systems, for their safety and security demonstration, for their future evolutions?
> Formal language is necessary for SAFETY & SECURITY FORMAL PROOFS
> A complex system is never provable (never for safety, never for security): not asset manageable!
> A complicated system can be proved for both
Asset Management in signalling systems

Interconnected computerized systems: a new paradigm regarding the safety assessment and the validation
The classical methods have notable disadvantages:
1. Classical methods can only check test cases
2. A criticality check by computerized systems could be not affordable or not sufficient (it is necessary to define the boundaries of all the system's reachable states and to be able to prove formally that the system never leaves the defined boundaries)
"Formal methods" avoid the occurrence of "black swans", which is impossible with "test cases" applied to the integrated system.
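The reachable-state argument above as an added example (not from the presentation): a constructed two-route interlocking model, its safety invariant, a scripted test case that passes even on a defective variant, and an exhaustive exploration that proves the invariant for the correct design and finds the unsafe state for the defective one.

```python
"""Exhaustive reachable-state check of a constructed two-route interlocking (added
example, not from the presentation): a scripted test passes on a defective design,
while exploring every reachable state finds the unsafe state ("black swan")."""
from collections import deque

INITIAL = (None, False, False, False)  # (route set, signal A proceed, signal B proceed, occupied)

def successors(state, check_occupancy=True):
    """Interlocking rules as (event, next_state) pairs; check_occupancy=False
    models a design whose route setting/release ignores track occupancy."""
    route, sig_a, sig_b, occ = state
    free = (not occ) or (not check_occupancy)
    nxt = ([("set_route_A", ("A", True, False, occ)),      # set a route and clear
            ("set_route_B", ("B", False, True, occ))] if route is None and free else [])
    if sig_a or sig_b:                          # a train passes the proceed signal
        nxt.append(("train_enter", (route, False, False, True)))
    if occ:                                     # the train clears the section
        nxt.append(("train_leave", (route, sig_a, sig_b, False)))
    if route is not None and not (sig_a or sig_b) and free:   # release the route
        nxt.append(("release", (None, False, False, occ)))
    return nxt

def safe(state):
    """Invariants: never two proceed aspects; proceed implies the section is free."""
    _, sig_a, sig_b, occ = state
    return not (sig_a and sig_b) and not ((sig_a or sig_b) and occ)

def verify(check_occupancy=True):
    """BFS over all reachable states -> (violating state or None, trace, states explored)."""
    seen = {INITIAL: []}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        for event, nxt in successors(state, check_occupancy):
            if nxt not in seen:
                seen[nxt] = seen[state] + [event]
                if not safe(nxt):
                    return nxt, seen[nxt], len(seen)
                queue.append(nxt)
    return None, [], len(seen)

def run_test_case(events, check_occupancy=True):
    """One scripted test case: True if every event is enabled and stays safe."""
    state = INITIAL
    for event in events:
        state = dict(successors(state, check_occupancy)).get(event)
        if state is None or not safe(state):
            return False
    return True
```

The nominal sequence set_route_A, train_enter, train_leave, release passes on both designs, while verify(check_occupancy=False) returns the four-event trace that clears a signal over an occupied section; on the real system the same idea is applied to the formal functional model rather than a toy.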
Asset Management in signalling systems

System integration in the railway system
> The specifications shall apply information (formal) at the functional level, beyond the detailed aspects of technology, to enable the de-coupling of the functional software from the implementable hardware
> Benefit: fosters migration, maintenance and the avoidance of obsolescence (avoidance of "vendor lock-in")
> Formal functional specifications are a necessity for safety and security "construction" and "demonstration"
Asset Management in signalling systems

Security-is-Safety & Safety-is-Security

[Diagram: SAFETY, PHYSICAL SECURITY and CYBER SECURITY converge into RESILIENCE]

They need to be considered from the railway system's point of view
Asset Management in signalling systems

Security & safety have to be considered together
> The design of a critical signalling system has to consider the security challenges from the first design stage
> Safety and security are dependent on each other: they have to be considered at the "system level"
> Step one: identification of the consequences that are acceptable and not acceptable for the company. The "acceptable" and "unacceptable" consequences have to be treated differently: the unacceptable consequences have to be eradicated by design, whereas the acceptable ones can be mitigated
Asset Management in signalling systems

Risk cartography (example of an IP signalling network)

R1: [Network] Paralysis of the railway traffic during many days following a human mistake leading to a virus dissemination on the operational network
R2: [Network] Paralysis of the railway traffic following the unavailability of the operational network
R3: [Computerized system] Paralysis of the railway traffic following a human mistake and virus infection of the remote control centre...
R4: [Computerized system/Network] Paralysis of the railway traffic following an internal or external malicious attack
R5: [Computerized system/Network] Paralysis of the railway traffic during many days following the unavailability of the remote control centre (disaster, strike)
R6: [Computerized] Incapacity to use the remote monitoring of the infrastructure assets and local remote control modules following a cyber attack (from the Internet)

[Risk matrix: frequency (1 low, 2 medium, 3 high, 4 very high) against impact/severity (1 very high, 2 high, 3 medium, 4 low); R1 to R6 are placed on the matrix, with the worst cells marked "UNACCEPTABLE"]

Risk classes:
- Low risk: no disposition necessary
- Medium risk: verify the necessity to reduce them
- High risk: dispositions necessary to reduce them
- Non acceptable risk: priority action to be launched

For each identified category of systems, networks, sub-networks and functions (security level 1 to 4), this leads to different packages of coherent solutions on different axes, on the supplier and railway sides. The battle of safety is won or lost in the first stage of design.
Asset Management in signalling systems

Four pillars for a coherent security system vision (railways and suppliers):
> IP level: mitigation measures (firewall; privacy of data collected; integrity of data collected; VPN; events monitoring; intrusion detection system (IDS); DMZ, network segmentation)
> IT level: safe operating system vs. specific real time operating system not known; distinction between HW + basic SW and functional SW...
> Functional level: coherence between the context and the input data... formal proof, detection system (IDS), functional automatic detection and commutation...
> Organisation and architecture of the system: security and safety management system, skills, education, confinement of the accesses, authorizations...

CONVERGENCE: reduce the possibility to go through
Key principles for a better future

Modularity and interfaces challenges:
> The asset manager has to control the modularity of the railway system, the unique way of being responsible for performance, safety-security, operation and maintenance costs...
> This gives the possibility to estimate the right failure-degradation laws, to improve maintenance, and to make possible an integration of the whole railway system in the long term
Key principles for a better future

Formalisation of the sub-system requirements:
> To become "modelizable" and/or "formally provable" before the launch of new sub-systems, to facilitate their integration and safety-security demonstration... Regarding the real conditions of use, avoid "black boxes"
Ageing and/or wearing simulations to:
> Describe and justify each possible scenario regarding the different packages of constraints
> Project itself into the different possible future scenarios
> Prioritize the possible actions to be launched... regarding the possible impacts of different technical strategies
Architecture choices at the railway system level:
> To consider at the same time the company objectives and the operation, maintenance, safety & security aspects
> Functional white boxes
> Fall-back systems in case of maintenance operation, failure or cyber attack
Conclusion
> The battle for asset management, safety and security is won or lost at the system definition & design stage:
- acceptable or not acceptable consequences
- human capital management
- operation principle evolutions...
to reach the company cost and performance objectives
> The asset manager needs a clear asset strategy supported by a complete reflection on all the points seen:
- the ability to integrate the new components, and to maintain and operate the system,
- in safety and security, with efficiency
A miracle never comes alone; it needs to be facilitated
If we don't think of the future, we will pay for it
Power is the control of the uncertainties of the other...

Thank you for your kind attention
Dr. Marc Antoni, UIC Rail System Director, [email protected]

[Backup diagram: ERTMS Level 2 with moving block; fall-back track-mobile system]