||Comment utiliser le site / How to use this site
Comment y participer / How to contribute
Defense In Depth: Modeling Defense Elements for a Transport System|
CSER 2005 - Stevens Institute of Technology
13 March 2005 ,
voir la présentation équivalente en français
RATP has been providing passenger transportation in Paris for more than a hundred years: Despite its huge experience in term of safety, it keeps facing problems related to complex system, due to actual requirements and constraints. It has progressively installed safety barriers within the system, written procedures, carried out inspections and audits, managed a system safety network composed of experts, taken into account human factors (ergonomic, formalized experience feedback) and optimized its design approaches in order to fit safety requirements related to equipment and software. Despite these preventive and corrective measures, serious breakdowns still appear but less often and their consequences are better controlled.
Still, in order to always improve the safety and to anticipate new hazardous situations, RATP has decided to complete its risk control policy by developing the "defense in depth " concept.
To ensure risk identification and preliminary analyze, RATP wish to formalize and elaborate a referential of defense for the transport system. This means creating database of defense element and defining a way to represent these different elements.
This referential, in order to be elaborated, needs two previous steps:
One methodology to identify and characterize the defense elements participating to risk prevention and protection within the existing transportation system,
One specification to describe the structure and illustration of the defense referential.
This presentation deals with the methodology of defense element identification and will be illustrated through an example.
to download the presentation (3,5 Mo)
A transport system, as any complex system, must take into account a certain number of aspects such as:
The undergone risk is less and less accepted: We notice the following paradox; while a high number of persons have a natural trend to live more risky, they do not accept a risk imposed by someone else.
Everything is not expectable: Despite evolution of technology, failures will ever occur, human will ever take a major place within systems.
The environment evolutes: These evolutions are linked to human behavior and culture, but also to elements located in system environment.
It is necessary to maintain in parallel more and more diverse technologies: Complex systems are evolutionary by nature and old technology must deal with the new ones.
Internal organization: The company also constitutes a complex system which must constantly adjust its management processes to internal and external requests and new economical constrains imposed by the competition.
Put in place within RATP’s Company for several years, the "feedback of experience" process which integrates also human factors has been rich in learning allowing the detection of numerous failures and a better risk consciousness by company’s leaders.
Many aspects have been highlighted through the feedback of experience as follow:
Some barriers (lines of defense), which had been placed progressively to eliminate or reduce risk following identified bad functioning, may have lost their meaning for staff and then become less efficient. Complex interactions between technical parts, procedures and staff could lead to unexpected effects.
In certain case, barriers can be deleted for economical reasons supposing that their absence can not directly cause accident,
Evolutions of system, more frequent and quicker, can lead to weak barriers because associated requirements are not respected. It easier to forget the requirements when they are badly explicited, formalized, written, and parameters which have been forgotten in the beginning become dominating.
The global coherence regarding the safety is a major concern. A transport system is by nature composed with different elements (equipments, staff, document, organization,..) and is operated following different modes (normal operation, degraded conditions). Degraded modes are often neglected when they present dangerous situations and important risks (operation staff is not used to operate in such conditions, minimum of safety level). Attention in design is mainly given to the technical elements of the system instead of staff, procedures and organization
To take into account these various factors which could question safety, RATP has established its Risk Management Policy based on principles, which are destined to help the leading of Railway System Safety Studies.
No regression of safety level: New system are design to reach at least the same safety level as existing system,
Evolution of system are mandatory: Balance between efficiency expected and cost.
This policy is declined in several objectives. One comes from the “DEFENSE IN-DEPTH” concept and aims:
to identify elements of defense within the existing system,
to measure their efficiency and then to propose evolutions,
to constitute a referential of defense.
Intervention takes place in the context rapidly described before. It will be structured as follow:
First part: focused on “DEFENSE IN-DEPTH” concept, way of appropriation and interest for a transport system
Second part: focused on methodology to identify the elements contributing to the defense and allowing to elaborate a referential of defense
Defense In Depth Concept: Way of Appropriation
As it is mentioned before, a transport system is a complex system, subjected to a lot of constraints. Among them we can listed:
transport authorities requirements,
rules and regulation,
cohabitation of various technologies,
Consequences on the system are also numerous in term of:
staff and knowledge,
The set of constraints and consequences generate more risks and it is more and more difficult to guarantee the appropriate safety level of the transport system.
With regard to the wide aspects of this problem, it is necessary to develop:
a systemic approach to guarantee the global coherence between the system components and environment,
a model of the system of defense.
A transport system fulfils at least one function: “To transport passenger from one point to another” with criteria such as comfort, journey duration, safety, etc...
Designing and building a transport system from this function impose to make choices and to decide what functional and technical organization the system will have. Those choices may create danger.
To decide using electrical motor cars creates electrical power dangers.
To decide that trains will run on the same track with a minimum of headway creates danger of collision.
To face identified dangers, the risk engineers provide barriers to prevent and/or to reduce consequences. All of these barriers fulfill defense functions and therefore constitute a system of defense.
Figure 1 : Functional approach
Base of methodology
The methodology for identifying the defense elements within the transport system relies on the “DEFENSE IN-DEPTH” concept.
The analysis of relevant document coming from various domains such as military, nuclear, chemical and also IT, highlights four major principles for a system of defense:
Several lines of defense,
Each line is independent,
Each line participate to the global defense,
Defense relates to type of threat (or attack).
Therefore, it is preferable to talk about “Defense” instead of “Safety” because this word includes notions of dynamics and initiative, global approach and systemic. The expression ‘In Depth” covers different aspects; internal or external threats, several lines of defense and also the taking into account of all the phases of life of the system considered.
In term of approach, “DEFENSE IN-DEPTH” is more oriented to the search of potential consequences than the causes. It combines inductive approach and deductive approach. The gravity of incident depends mainly on the residual means of defense than those which have been broken through.
Modeling principles of a “Defense in depth” system
Preliminary note on the concept of system
The study of the defense in depth for a transport system takes place in the framework of a systemic approach.
The ISO/IEC 15288 (System engineering - System Life Cycle Processes) provides a definition for the system such as “a set of elements in interaction, organized to reach one or several declared results”.
The notion of interaction is at the base of a fundamental feature of a system, namely, the whole is more than the sum of the parts.
A system is defined by its finalities according to users in a given context in evolution.
Goals and definitions of a “Defense In-Depth” system
The defense of a transport system has the aim of insuring all the time, in all circumstances and against all forms of aggression, the necessary safety and the integrity of men, system, company and its environment.
“DEFENSE IN-DEPTH” is a global and dynamic defense, implementing several coordinated lines of defense, against internal and external aggressions, potential or proven - and that on all the cycle of life of the transport system.
A “DEFENSE IN-DEPTH SYSTEM” is the set of the provisions and means organized, implemented to satisfy, at the required levels, the finality of defense defined for a given transport system.
And more precisely a “DEFENSE IN-DEPTH SYSTEM” is the set of the provisions and means organized, contributing to the control of the potential final effects susceptible to be created by all forms of aggressions on sensitive elements (men, system, company and/or environment).
Any system of “DEFENSE IN-DEPTH” is integrated in contexts where are present at least three types “of actors”:
One or more attackers,
One or more aggressive flow, emitted by these attackers,
One or more sensitive elements being able to suffer a damage from these aggressions,
The functions of the system of defense result of these elements, and other entities present in the environment in the context considered.
Figure 2 : Functions of a Defense System
A sensitive element (SE) is an element (material, immaterial or human) which, in reaction to a cause which is external for him, is susceptible to undergo a not desired final effect on itself.
An attacker is an element which generates at least one potentially aggressive flow (that the element is in nominal mode or failing mode, internal or external with the system considered).
A potentially aggressive flow is a flow which can act on an element which is sensitive for him, and thus susceptible to create a not desired final effect for this element.
A final effect is the result of an action (or a set of actions) on a sensitive element (men, system, company, and environment).
The main functions of a “DEFENSE IN-DEPTH SYSTEM” are expressed according to the implied entities: aggressive flow, the element attacker, sensitive elements being able to be exposed to this flow, and sensitive to its action.
The provisions and means of defense depend on nature of flow, position and behavior of the sensitive element faced to this aggression, sensitivity of the element.
Also, to each couple (aggressive flow/sensitive element) corresponds an awaited function of the defense system.
Mode and state of a “Defense In-Depth” system
The concept of “DEFENSE IN-DEPTH” is centered on the control of the final effects.
Therefore, level of requirements associated to functions fulfilled by the “DEFENSE IN-DEPTH SYSTEM” relies on the notion of acceptability of final effect.
Levels of acceptability are determined by category of final effect (human or material integrity, company image, quality of awaited services, integrity of environment, ...) and beside risk (likelihood and gravity of this final effect).
These acceptability levels must be defined for each category of effect and also in taking into account the possible combination of final effects.
Figure 3 : Class of acceptability and combination
Regarding the “DEFENSE IN-DEPTH SYSTEM” and compared to each one of its functions, three modes are retained: Success, Failure or Semi-failure.
The success of the DDS, for the considered function of defense, means that the set of the implemented defense elements made it possible to satisfy this function, and thus:
whether the sensitive elements did not undergo any final effect in the presence of the aggression,
whether the final effect undergone by the sensitive elements remains within the limits of the effects considered to be acceptable.
The failure of the DDS, for the considered function of defense, is proven as soon as:
the implementation of the set of the defense elements did not make it possible to satisfy this function,
the final effect undergone by the sensitive elements is in the levels of the effects considered to be unacceptable.
The concept of semi-failure of the DDS, for the considered function of defense, relates to a situation where:
the implementation of the set of the defense elements did not make it possible to satisfy this function, within the limits of the effects considered to be acceptable
and the final effect undergone by the sensitive elements is in the levels of the effects considered to be tolerated.
A semi-failure can create types of complementary final effects to take into account (example: mediatization of the event with impact on the image of the company).
Architecture principles of a “Defense in Depth System”
The aim of defining the principles of architecture is to facilitate the system design, or the modeling of an existing system: they constitute assistances with the reflection.
As any logic of modeling, these principles of architecture are linked to the point of view adopted (compared to what) and to the exploitation that one wishes to make of this representation (for what to make). In this present context, it is the analysis of the system effectiveness to reach the finality of defense.
Moreover, these principles, structuring the representation of the system, provide a generic and simple framework for the development of a reference frame on the existing system of defense.
In order to precisely identify the defense elements, which are components of the “DEFENSE IN-DEPTH SYSTEM”, a logic in three levels, connected with an approach of engineering systems, is proposed here.
Level A: With high level, defense elements compared to their contribution to the finalities of defense This approach leads to a structuring of the DDS by lines of defense. This level is comparable to the definition of a functional architecture of level subsystem.
Level B: Then, compared to the awaited actions of each defense element: This approach ensures an identification of the defense elements by determination: Principles of action implemented, interactions between defense elements of the same line, and of their “planning”, functions awaited by line of defense. This level is comparable to the definition of a logical architecture of the SDD.
Level C: Finally compared to the devices implemented by each defense element. This approach ensures a definition of each defense element by description: means of action implemented, modes of activation and control of these means, functions awaited by the defense element. This level is comparable to the definition of a technical architecture of the DDS.
Figure 4 : Principles of architecture
First level: Lines of defense
The concept of “DEFENSE IN-DEPTH” consists in taking into account all forms of aggressions (of which potentialities of technical, human or organizational failures), and to secure them by the installation of “lines of defense”, successive and autonomous parades, in order to avoid any incident (or in the worst case, to limit the consequences of them).
The concept of “LINE OF DEFENSE”, makes it possible to classify the defense elements set up within the system according to their contexts of use and their contribution to the finality of defense.
Three major principles melt these lines of defense: the principle of prevention, the principle of protection, and the principle of safeguard.
Line of prevention: This line (and elements constituting it) is implemented to avoid (or limit the probability of) the apparition of an event susceptible to create a not desired final effect.
Line of protection: This line (and elements constituting it) is implemented to keep the final effects within the acceptable limits, that the dreaded event occurs or not.
Line of safeguard: This line (and elements constituting it) is implemented to limit the extent of the final effects whenever the dreaded context cannot be avoided. One acts primarily here on the gravity of the final effect and the not-combination with other final effects.
Figure 5 : Principles of defense
Second level: Principle of action
The principles of action result from the generic components of any context of potential aggression, namely:
The sensitive element,
Flow and its characteristics: nature, value, trajectory.
Class A: - Elements of defense aiming TO ACT ON the ATTACKER. Two subcategories belong to this class:
A.1 - those which prevent the PRESENCE of the attacker, in regard to the sensitive element.
A.2 - those which prevent the GENERATION of aggressive flow by the attacker
Class E: - Elements of defense aiming TO ACT ON the SENSITIVE ELEMENT. Two subcategories belong to this class:
E.1 - those which prevent the presence of the sensitive element on the trajectory of aggressive flow.
E.2 - those which make the element insensitive with aggressive flow.
Class F: - Elements of defense aiming TO ACT ON AGGRESSIVE FLOW: Five subcategories belong to this class:
F.1 - those which cancel the VALUE of aggressive flow,
F.2 - those which reduce the VALUE of aggressive flow,
F.3 - those which deviate the TRAJECTORY of aggressive flow,
F.4 - those which stop/remove the TRAJECTORY of aggressive flow,
F.5 - those which transform the NATURE of aggressive flow.
Third level: Action means
For an identified defense element, that it is of prevention, protection or safeguard, the point of view is here related to the implemented necessary means to satisfy the principle of action that it must implement or in which it takes part.
With the aim of analyzing a “DEFENSE IN-DEPTH SYSTEM”, certain characteristics of the means of action appear interesting to put forward:
The fact that one chooses, according to the transport system considered, internal or external means, or a combination of internal and external means (mixed means): This characteristic is important because it influences the methods of mobilization of the means and responsibility for the action. Indeed the “DEFENSE IN-DEPTH SYSTEM” can implement as well internal means at the transport system as external means (persons, equipment.).
The nature of the means, which it is equipment, man or groups men, procedures, an information system (example: automatisms), or a combination of these elements. The interest of this characteristic rests on the fact that:
- the actions being able to be carried out by each type of means are not the same ones,
- the modes and probabilities of failure also differ,
- the associated analyses of risks can not require the same approaches and expertise. The term “Man” designates here a man alone or a group of men, acting within an organizational framework (responsibilities within the organization), with or without assistance of the procedures describing to him a set of tasks (logic of execution): one will speak about human action. The term “Equipment” indicates a technical element, fulfilling functions specified by implementation of the primarily material components (within the system or with regard to the system): one will speak about action reflex (of actuator type). The term “Information system” indicates an element performing specified functions by implementation of process: one will speak about autonomous action (of automatisms type).
The tool of reference proposed here is the generic tree of the means of action, provided hereafter:
Figure 6 : “means of action” tree
Compared to a given system (example: the system of transport), the “DEFENSE IN-DEPTH SYSTEM” can be a component of the global system.
But most generally, it is an entity having a part integrated into the system and another external part: indeed, the “DEFENSE IN-DEPTH SYSTEM”, in particular via the line of safeguard, often relies on external means.
Figure 7 : Systems
Model of architecture
Thus, a “DEFENSE IN-DEPTH SYSTEM” can be modeled on structuring concepts:
Of environment, at least including an attacker, an aggressive flow that it is able to emit, and a sensitive element (interactions between these elements constituting the functions of the DDS).
Lines of defense, that they are of prevention, protection and/or safeguard,
Elements of defense coordinated within each line, implementing internal or external means of action.
The following diagram aims to provide a generic modeling of a DDS, and to visualize the relations between the various concepts and terms employed:
Figure 8 : Architecture of DDS
Methodology to Identify Elements of Defense
When one carries out study on an existing system in the aim of identifying the elements of defense and to evaluate the DDS efficiency, four main steps will be followed to go through the methodology.
The first step could be named “Requirements” or “Functional Specification” because of the main goal is to find out the functions of defense for a concerned system. Engineers should raise questions as follow:
What is (or are) the sensitive element(s) in the context?
For one specific sensitive element, what is (or are) the aggressive flow(s) which is (or are) susceptible to create a final effect?
For one specific aggressive flow, what is the potential attacker which is susceptible to generate this flow?.
When sensitive elements, aggressive flow, attacker have been identified, it is possible to describe the function of defense linking sensitive element and attacker.
According to features of sensitive elements, aggressive flow and attackers it is now possible to attach requirements (or performances) to each function of defense, including of course level of acceptability for final effect.
Figure 9 : System of defense and functions
In this example, where car of trains are shifted in the workshop area to configure an other train or to allow a specific maintenance task on one specific car.
FP1 will be formalized such as:
To ensure physical integrity of staff against the kinetic flow created by the convoy in motion.
And FP2 will be formalized such as:
To ensure integrity of the other trains present on site against the kinetic flow created by the convoy in motion
Identification of defense elements within the system (typology)
This step aims to identify the defense elements which compose the different line of defense through questions as follow:
What are the set of defense elements implemented within the system to fulfill functions?
What are the relationships between defense elements?
What principle of action is activated by the defense element?
What are the means that defense element use to perform the principle of action?
Figure 10 : Elements of defense and links
Analyze of the existing system of defense (efficiency)
This step aims to evaluate the level of efficiency of the defense system. For one specific line of defense and function by function it is necessary to make sure that requirements are covered.
Therefore, inadequacy must be highlighted to be able to provide recommendations according to the level of acceptability of final effect.
In case of real incident it is also interesting to verify if non respect of requirements could not be one of the cause of incident. Recommendations can be also provided.
Are the respect of the electric standards and the program of maintenance sufficient to cover the requirements of the function of defense for a passenger against the danger of electrification?
As a Conclusion: Interest for RATP to Appropriate the Concept of “Defense In Depth”
Use of the model of DDS
The suggested logics to define the concept of “DEFENSE IN-DEPTH”, as well as the principles of architecture of a DDS, provide a tool of reasoning to model an existing system of defense or to conceive.
The will of RATP as regards control of the system risks is translated firstly on the CONTROL OF WHAT EXISTS, to which the formalization of a reference frame of “defense in-depth” within the existing transport system contributes.
According to this framework, the logic of modeling of a “DEFENSE IN-DEPTH SYSTEM” can be exploited for:
To specify a system of defense (or coherent component of this system),
To identify and characterize the elements of in-depth defense implemented for the existing system
To diagnose this system of defense existing compared to the requirements defined within the schedule of conditions,
To establish, on these bases of the recommendations to improve the existing system of defense,
Approach, suggested here, of modeling of a “DEFENSE IN-DEPTH SYSTEM” can be applied, in a fractal manner, at various levels, each one analyzes a complete system or a component of this system:
the DDS of a transport system or a subway line can be modeled by three lines of defense,
the DDS related to an operation of a train in maintenance workshop, or that related to the adherence of the trains on the rail (problem of pollution of the rail) can also be modeled by this principle of architecture.
Interest of concept appropriation
Taking into account the complexity of a transport system, its total coherence with regards to safety is very important.
The transport system (and its defense in-depth system) cannot be any more, only seen like an assembly of components: their understanding and their control impose a global solution.
Since a certain number of years, RATP has adopted a systemic approach to control the risks inherent in the system, not only technological but also human, organizational, economic and environmental. This approach also takes into account:
The complete system in its environment, with all its interactions like their evolutions,
The whole of the cycles of life of the total system and of each one of its components.
The concept of “DEFENSE IN-DEPTH” is in perfect coherence with the systemic approach thus adopted by RATP: Its definition provides a logic of modeling making it possible to identify or design elements with very diverse nature contributing to the finalities of defense, to understand their interactions - that, in order to control the relevance and the effectiveness of it.
This logic of modeling is based on steps of Engineering systems: functional architecture, logical and technical of the DDS, through the concepts of, linesofdefense,element of defense and means of action.
An approach “DEFENSEIN-DEPTH” does not oppose to the traditional steps of: risk analysis, the system safety and experience feedback. At the same time, it supplements them, and it is nourished from them.
The purpose of “DEFENSE IN-DEPTH”, is mainly the control of the final effects in regards to the elements declared sensitive. Its logic is centered on the control of the elements contributing to the maintenance of the final effects within the limits of acceptability fixed in a given system of values.
Itis a question of supplementing the management of risks via the dreaded events and their causes (generally with a probabilistic approach), by a point of view of control of the effects and sensitive elements (more deterministic and systemic approach, by level of acceptability).
Interest for experts
Like any modeling, this proposed for a “defense in-depth system” makes it possible for the actors to have a common representation of the system. This modeling is finalized on the structured identification of the DDS:
in order to constitute a reference frame on the DDS,
but also of analyses of the relevance of the means implemented compared to the awaited services of this system.
According to objectives’ of analysis, it can:
include one or more levels of representation (level line, level elements of defense, level means of actions.),
continue to take into account the steps of engineering systems from which it integrates, on finer levels: elementary functions of the means of action, technologies implemented,
The structuring suggested allows:
To lay out (or find), permanently, of the traceability between the system requirements and the solution,
To identify the interfaces between lines, elements of defense or means of defense,
To distinguish the internal and external means from the transport system, operated by the DDS,
To facilitate the analyses of impact in the case of evolutions of attacker, flow, sensitive elements or of their environment, principles and means implemented, contextual elements susceptible to lead to an event or a dreaded context.
It also makes it possible to distinguish the concepts of indicators and precursors: the first falling under an objective of follow-up of effectiveness of the implemented elements of defense, the second being centered on the appearance of contextual element being able to lead to an event or a dreaded context (susceptible to create unacceptable final effects on sensitive elements).
Interest for managers
Proposed modeling makes it possible toprovide to the decision makers a synthetic representation of the system of defense.
This logic of structuring the defense elements by lines, principles and means of action is easily comprehensible by a non-specialist of the risks analysis.
Centered on the control of the final effects and the concept of acceptability, it is coherent with logics of decision of the decision makers:
final effects treat consequences in the fields concerned with their field of responsibility: awaited services of the transport systems, safety of the people, environmental protection, financial resources of the company, image of the company.
concept of acceptability facilitates a multi-criteria, reasoning specific to any decision-making process.
For this reason, the concept of “defense” is broader than the concept of safety.
determination of the final effects and the levels of necessary acceptability falls under a system of given values, and is integral part of the definition of the control of the risks policy.
distinction of the lines of prevention, protection and safeguard makes it possible to show the engagement of RATP, with regard to the safety of the transport system, and the company: to avoid any final effect, and even if certain situations occur for reasons being able to be external for him, to contribute to limit its consequences.
We thank the company APTE System for the methodological assistance brought to this study.
 INERIS : Analyse des risques et prévention des accidents majeurs (DRA-07), juin 2001.
 Guy PLANCHETTE - Jacques VALANCOGNE - Jean Louis NICOLET - Book " Et si les risques m’étaient comptés " éditions Octarès 2002.
 INERIS : Eléments importants pour la sécurité (DRA-35),mai 2003
 Jacques VALANCOGNE - Jean-Louis NICOLET : Communication congrès lamdamu 13 " Defence-in-depth : a new systematic and global approach in socio-technical system design to better guarantee the timelessness safety in operation "
Alain COINTET has been working for RATP since 1975. He has developed a strong knowledge on different railway rolling stocks and participated to innovative projects regarding the maintenance engineering and management (eg: integrated logistic support, electronic documentation,..).
He has also worked as a consultant for different Railway networks around the word through short or long duration missions (Taipeh, Singapore, Shanghai, Canton, Bangkok, Stockholm, Cairo,..).
Back to Paris, within a group of experts of system engineering, he is actually in charge of developing methods and tools to implement “Defense in Depth” concept on transport system.
EVACES 2005 - Experimental Vibration Analysis For Civil Engineering Structures
ELU-ULS 2006 - Ultimate limit states of geotechnical structures
2015 - ENPC’s International Seminars
Requirements of administrative framework & procurement methods for public private partnership
Financing of major infrastructure and public service projects
Eugène Freyssinet - A revolution in the art of construction
23rd World Road Congress - Paris 2007 - September 17th - 21th
ENPC’s International Seminars 2014, 2013, 2012, 2011, 2010, 2009, 2008, 2007, 2006, 2005, 2004, 2003 & 2002/2
Fear and the American Psyche : Advice to U.S. Allies in a Unipolar World
2016 - ENPC’s International Seminars