Po-Chi Huang
TU Braunschweig, Institut für Eisenbahnwesen und Verkehrssicherung
Po-Chi Huang studied Railway System Engineering at the Technische Universität Dresden, Germany, specialising in railway operation. Since 2010 he has been working in the field of railway operational planning and operational risk assessment. He is now a research fellow and Ph.D. candidate at the Institute for Railway Systems Engineering and Traffic Safety at the TU Braunschweig. His main research interest lies in all questions concerning the systematics of operational rules and the risks related to them in railway operation.
Birgit Milius
TU Braunschweig, Institut für Eisenbahnwesen und Verkehrssicherung
Birgit Milius studied Civil Engineering at the Technische Universität Braunschweig, Germany, specialising in railway engineering. Since 2000 she has been working in the field of railway risk and safety analysis. She is now an assistant professor at the Institute for Railway Systems Engineering and Traffic Safety at the TU Braunschweig. Her main research interest still lies in all questions concerning risk and risk assessment. Furthermore, she has a research interest in human factors in railways, with a focus on the application of human factors research in engineering.
Information Technology (IT) systems are widely used in industrial facilities and also in critical infrastructures such as the railway system. With their introduction, it has become necessary to prepare for IT security attacks. The importance of operational continuity during and after IT security attacks has gained much attention in the last decade. Today, attempts are often made to solve the IT security issue by technology alone. The main work of today's railway IT security activities is focused on, e.g., secure programming, developing IT security management systems or setting up standards for certifying components.
However, even with all those technical measures in place, railway operations cannot be kept completely secure indefinitely. When the railway system is under attack or has been breached, staff with the necessary skills and training will be needed to ensure the continuity of operations by using defined degraded-mode procedures. We argue that today's operational procedures for degraded operations are not entirely suitable for this, as they were developed mainly with safety issues in mind.
In our paper, we begin with a brief overview of our ongoing Project SysRULES. The main focus of this project is to develop a complete set of operational procedures for degraded operational mode, which is applicable after safety and IT security issues have occurred or are suspected.
The main argument of this paper is that, due to the increase in IT attacks, the train operator will need to run railway operations in degraded mode more frequently. We assume that the frequency of safety-related events during degraded mode stays the same. This will lead to an overall increase in the number of safety-related events and therefore also to an increase in the associated risk. In this paper, we focus on discussing how safe and reliable our existing procedures for degraded mode are and how to make them safer and more secure. As railway operators are mostly at the core of these procedures, we treat human factors issues as both input to and solution for our analysis.
We perform an adapted risk assessment based on the system definition for degraded mode as given in the German railway rulebook. We begin with a Failure Mode and Effects Analysis (FMEA) based on the different tasks a train operator has to perform. We broaden the FMEA to look in more detail at the safety barriers installed to prevent the train operator from making mistakes.
In a second step, we further extend the FMEA and consider possible IT attacks. We use a catalogue of typical attack scenarios as given in standard 0831-102 to analyse which tasks of the train operator are vulnerable.
Using a qualitative risk assessment method, we rank the risks associated with the tasks. Starting with the tasks that are especially risky, we look at the barriers and suggest changes to the procedures for degraded mode, making operations safer and more secure. These changes will focus on the performance of the train operator, but will also include suggestions for technical measures.
Systems safety, risk management and incident reporting, Human error and human reliability