International maintenance from international perspective Asset management and critical computerized system maintenance 30th March 2017 Dr. Marc Antoni FIRSE AFFI VDEI Rail System Director

Page 1:

International maintenance from international perspective Asset management and critical computerized system maintenance

30th March 2017

Dr. Marc Antoni FIRSE – AFFI – VDEI

Rail System Director

Page 2: The railway system

[Diagram: the railway system as a balance of human capital, operation principles and rules, the environment of each sub-network, infrastructure and rolling stock, with the same balance sought for costs and safety]

The "railway is a system" and signalling is its heart; the railway is a system of systems and a "network" too.

2 UIC – Rail System – Dr. Marc ANTONI

Page 3: Today's main railway challenges

> Reduction of 30% of the cost of operation and maintenance with identical traffic

> Doubling the traffic capacity on an existing network or tracks at the same operation costs

> No possibility to use massive modernisation or renewal investment with an acceptable funding rate

> Possibility to use "digital improvement" to create the move: digital to improve railway performance

NB: Moving digital isn't a technical issue but a human capital issue!

Page 4: How to reach these goals?

> An asset management policy adapted to entire networks: the railway objectives are shared and targeted

> Asset management, security and safety teams have to contribute together from the early stage of the system definition (less than 4 target)

> In both cases: the battle is won or lost at the first stage of the design (has to be confirmed), especially for critical computerized systems

Page 5: Asset Management in practice

Main goals:

> Develop specific methods and tools for the lowest whole life cycle, whole system cost.

> Develop specification and procurement methods to minimize the future for the lowest whole life cycle, whole system cost

> Asset management is the art of striving for high performance in a context of "shortages"; individual resource managers are not aware of overall shortages

These needs, a "Governance", are necessary conditions but not sufficient for asset managers to operate effectively

Page 6: Asset Management in practice

TARGET INDUSTRIAL PROCESS => including Costs, Safety, Security

[Diagram: the Asset Management System as a chain from network strategy down to the carrying out of work; labels: Asset manager, Production]

> Network strategy: definition of network performance objectives (GPMR, SNIT (French transport infrastructure schemes), performance contracts, etc.)

> Route strategies: definition of objectives (axes, objectives, performance per route)

> Asset strategies: definition of technical policies (renewal policies, maintenance, products, etc.)

> Planning by route: medium-term planning of work by route (work portfolios, capacity schemes, budgets, resources)

> Scheduling by route: short-term planning of work by route (scheduling of work portfolios)

> Carrying out of work: work, findings, performance (performance findings, incidents, network condition)

Page 7: Asset Management in practice

The battle of Asset Management is won in the early design phase; the impact of new design and renewal is huge

Railway is an "always living system", signalling is the heart

> We can only renew or maintain the "always living railway system" that we have given thought to in advance

> If we haven't given it any thought in advance we would have to pay much more to do the same… if possible in a safe way

The railway, and the signalling system in particular, is not a factory

Page 8: Asset Management in design

The maintenance costs of the infrastructure are a function of various parameters. Impact estimated by modelling: several parameters have a strong impact on the costs

[Diagram: parameters rated "Rather YES" / "Rather No" for their impact on LCC, Safety and Security; monitoring, supervision and maintenance centre]

Digital new possibilities can help to improve the maintenance and renewal processes, to reduce the track possession needs…

Page 9: Asset Management in design

Four steps for modelling and operational asset management:

0 – Database describing the population, the traceability of the maintenance operations, the traffic…

1 – Work of the deterioration and failure laws of each infrastructure modular component

2 – Tools for the estimation of maintenance needs of the assets (with different renewal strategies)

3 – Tools for LCC calculation at the national or route levels, including environmental effects, track possession and unavailability costs…

[Chart: Cœur à Pointe Mobile LGV (swing-nose crossings on high-speed lines); series: Cœur Pointe Mobile Béton (concrete), Cœur Pointe Mobile Bois (wood); x axis 0 to 350, y axis 0 to 0.3]

Page 10: Asset Management in signalling systems

ATO, ETCS (or any other signalling module) has to be interfaced with the whole railway system, especially the legacy signalling system that must remain

Design choices are key for Maintenance, Safety & Security

[Diagram: critical computerized system or interface over the system, linking exploitation rules, sensors, field elements, the ERTMS system, the block system, rolling stock, operators and maintenance; functional software (formally provable) on top of hardware and ground software]

Signalling is the heart of the railway system

Page 11: Asset Management in signalling systems

Examples of design choices impacts

> Formal versus natural language for computerized signalling systems requirements? The best for the life cycle cost of the computerized signalling systems? For their safety and security demonstration? For their future evolutions?

Necessary for SAFETY & SECURITY FORMAL PROOFS:

> Complex system: never provable (never for safety, never for security); not asset manageable!

> Complicated system: can be proved for both

Page 12: Asset Management in signalling systems

Interconnected computerized systems: a new paradigm regarding the safety assessment and the validation

The classical methods have notable disadvantages:

1. Classical methods can only check test cases

2. Criticality check by computerized systems could be not affordable or sufficient (it is necessary to define the boundaries of all system reachable states and to be able to prove formally that the system never leaves the defined boundaries)

"Formal methods" to avoid the occurrence of "black swans", impossible with "test cases" applied on the integrated system.
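The formal-proof point of pages 11 and 12 (define the boundary of all reachable states and show the system never leaves it, instead of sampling test cases) as an added example that is not part of the presentation: a constructed toy block-section model is explored exhaustively, and a constructed off-by-one movement-authority rule exposes a reachable collision state that a handful of test cases could miss. The model, the names and the defect are all assumptions made for illustration.

```python
from collections import deque

# Constructed toy model (not from the presentation): a line of BLOCKS track
# blocks and two trains running in the same direction; a train may advance into
# the next block only when the interlocking rule grants it movement authority.
BLOCKS = 4                 # blocks 0..3
OUT = BLOCKS               # position meaning "has left the line"
INITIAL = (-1, -1)         # -1 = not yet entered the line

def others(state, train):
    """Positions of every train except `train`."""
    return [p for i, p in enumerate(state) if i != train]

def safe_authority(state, train):
    """Correct rule: the next block must be free of any other train."""
    nxt = state[train] + 1
    return nxt == OUT or nxt not in others(state, train)

def buggy_authority(state, train):
    """Constructed defect for illustration: the rule checks the block two ahead
    instead of the next one (an off-by-one error)."""
    nxt = state[train] + 1
    return nxt == OUT or (nxt + 1) not in others(state, train)

def successors(state, authority):
    """Every state reachable in one move under the given authority rule."""
    for t, pos in enumerate(state):
        if pos < OUT and authority(state, t):
            yield state[:t] + (pos + 1,) + state[t + 1:]

def invariant(state):
    """The boundary the system must never leave: no block holds two trains."""
    occupied = [p for p in state if 0 <= p < OUT]
    return len(occupied) == len(set(occupied))

def explore(authority, initial=INITIAL):
    """Enumerate every reachable state breadth-first and check the invariant in
    each one. Returns (all_safe, states_visited, first_violation_or_None)."""
    seen, queue = {initial}, deque([initial])
    while queue:
        state = queue.popleft()
        if not invariant(state):
            return False, len(seen), state
        for nxt in successors(state, authority):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return True, len(seen), None

if __name__ == "__main__":
    print("safe rule :", explore(safe_authority))   # (True, 32, None)
    print("buggy rule:", explore(buggy_authority))  # (False, 7, (0, 0))
```

With four blocks and two trains the whole state space is only 32 states, so the exhaustive check is instant; the value of the approach is that the verdict covers every reachable state, not just the scenarios someone thought to test.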

Page 13: Asset Management in signalling systems

System integration in the railway system

> The specifications shall apply information (formal) at the functional level, beyond the technology detailed aspects, to enable the de-coupling of functional software from the implementable hardware

- Benefit: foster the migration, maintenance, avoidance of obsolescence (avoidance of "vendor lock-in")

Formal functional specifications are a necessity for safety and security "construction" and "demonstration"

Page 14: Asset Management in signalling systems

Security-is-Safety & Safety-is-Security

[Diagram: SAFETY, PHYSICAL SECURITY and CYBER SECURITY converging into RESILIENCE]

Convergence: need to be considered from the railway system's point of view

Page 15: Asset Management in signalling systems

Security & Safety have to be considered together

The design of a critical signalling system has to consider the security challenges from the first design stage

Safety and security are dependent: safety and security are to be considered at the "system level"

Step one: identification of the company's acceptable and not acceptable consequences. The "acceptable" and "unacceptable" consequences have to be considered differently: the unacceptable consequences have to be eradicated by design, whereas the acceptable ones can be mitigated

Page 16: Asset Management in signalling systems

Risk cartography (example of an IP signalling network)

R1: [Network] Paralysis of the railway traffic during many days following a human mistake leading to a virus dissemination on the operational network

R2: [Network] Paralysis of the railway traffic following the unavailability of the operational network

R3: [Computerized system] Paralysis of the railway traffic following a human mistake and virus infection of the remote control centre…

R4: [Computerized system/Network] Paralysis of the railway traffic following an internal or external malicious attack

R5: [Computerized system/Network] Paralysis of the railway traffic during many days following the unavailability of the remote control centre (disaster, strike)

R6: [Computerized] Incapacity to use the remote monitoring of the infrastructure assets and local remote control modules following a cyber attack (from Internet)

Risk levels:

> Low risk, no disposition necessary

> Medium risk, to verify the necessity to reduce them

> High risk, necessary dispositions to reduce them

> Non acceptable risk, priority action to be launched

[Matrix: Frequency (1 Low, 2 Medium, 3 High, 4 Very High) against Impact/Severity (1 Very High, 2 High, 3 Medium, 4 Low), with R1 to R6 placed on the grid and an « UNACCEPTABLE » zone marked]

For each identified category of systems, networks, sub-networks and functions (security level 1 to 4), this leads to different packages of coherent solutions on different axes on the supplier and railway sides. The battle of safety is won or lost in the first stage of design

Page 17: Asset Management in signalling systems

Four pillars for a coherent security system vision (railways and suppliers):

> IP level: mitigation measures (firewall; privacy of data collected; integrity of data collected; VPN; events monitoring; intrusion detection system (IDS); DMZ, network segmentation)

> IT level: safe operating system vs. specific real time operating system not known, distinction between HW + basic SW and functional SW...

> Functional level: coherence between the context and the input data… formal proof, detection system (IDS), functional automatic detection and commutation…

> Organisation and architecture system: security and safety management system, skill, education, confinement of the accesses, authorizations…

CONVERGENCE: reduce the possibility to go through

Page 18: Key principles for a better future

Modularity and interfaces challenges:

> The asset manager has to control the modularity of the railway system, the unique way of being responsible for performance, safety-security, operation and maintenance costs...

> This gives the possibility to estimate the right failure-degradation laws, to improve maintenance, to make possible an integration of the whole railway system on the long term

Formalisation of the sub-system requirements:

> To become "modelizable" and/or "formally provable" before the launch of new sub-systems, to facilitate their integration and safety-security demonstration... Regarding the real conditions of use, avoid "black boxes"

Page 19: Key principles for a better future

Ageing and/or wearing simulations to:

> Describe and justify each possible scenario regarding the different packages of constraints

> Project itself in the different possible future scenarios

> Prioritize the possible actions to be launched... regarding the possible impacts of different technical strategies

Architecture choices at the railway system level:

> To consider at the same time the company's objectives and the operation, maintenance, safety & security aspects

- functional white boxes

- fall-back systems in case of maintenance operation, failure or cyber attack

Page 20: Conclusion

> The battle for asset management, safety and security is won or lost at the system definition & design stage

- Acceptable or not acceptable consequences

- Human capital management

- Operation principle evolutions…

to reach the company's cost and performance objectives

> The asset manager needs a clear asset strategy supported by a complete reflection on all the points seen:

- ability to integrate the new components, maintain and operate the system,

- in safety and security, with efficiency

A miracle never comes alone, it needs to be facilitated

If we don't think of the future, we will pay for it

Power is the control of the uncertainties of the other...

Page 21:

Thank you for your kind attention

Dr. Marc Antoni, UIC Rail System Director, [email protected]

[Diagram: ERTMS Level 2 with moving block; fall-back track-mobile system]