A Security Risk Assessment Method Based on Improved FTA-IAHP for Train Position System

Abstract

The positioning system based on satellite navigation can meet the requirements of CTCS-4 train control, improve the transportation efficiency, reduce the operation and maintenance costs, which is the trend of train positioning system in the future, and the security risk assessment is of great significance to the future application of this system. In this paper, combined with the self-developed train positioning system based on satellite navigation, and an improved fault tree-interval analytic hierarchy process (FTA-IAHP) method for evaluating the safety risk of train positioning system is proposed. Firstly, a security risk assessment model based on FTA-IAHP is established by combining FTA and IAHP. Secondly, two judgment matrices are constructed by using the basic events and structural importance based on FTA, and the IAHP model based on expert scoring, the difference between FTA and IAHP is adjusted by combining the weighting factor. The new method of trial of weighting can determine the degree of each factor in the system fault. This method has great significance to the safety design and protection of the new train positioning system based on satellite navigation.

1. Introduction

As the core subsystem of the train operation control system, the train positioning system plays an important role in the safe operation of trains. At present, with the rapid development of China’s railway industry, the traditional train positioning methods such as odometers, track circuits, and transponders have gradually exposed various disadvantages, which are difficult to meet the needs of the new train control system. At the same time, with the rapid development of railway modernization and intelligence, it will become a trend to reduce trackside equipment and vehicle-mounted trackside equipment [1]. Therefore, a new generation of low-cost vehicle-mounted train positioning systems is urgently needed. In June 2020, china successfully launched the last global networking satellite of beidou-3, marking the arrival of the Beidou global networking era. The train positioning system based on satellite navigation will become the development direction of the next generation of train positioning [2]. Different from the traditional vehicle integrated positioning system based on satellite navigation, the train positioning system has higher requirements for reliability and safety. Therefore, the safety risk analysis is particularly important, and it has important guiding significance for the later system safety design and system safety protection.

At present, a large number of studies on security risk analysis based on fault tree analysis (FTA) and analytic hierarchy process (AHP) have been conducted in China and abroad. The FTA method can trace the source of the causes and influence of the target risk events by establishing a model, in which the failure probability of the basic events is accurately expressed, but in fact, due to the lack of sufficient statistical calculation of events, such accuracy is not accurate. In view of this problem, An et al. [3] proposed a security risk analysis method based on FTA and fuzzy system combined with fuzzy logic. Mamdikar et al. [4] proposed a framework for the dynamic reliability assessment using the Fault Tree and the Dynamic Bayesian Network. Aiming at the problem of FTA cannot judge the overall security risk level of the target risk event, Liu et al. [5] introduced AHP into the security risk assessment, and took the basic cause event information calculated by FTA as the input data for establishing the AHP model, thereby improved the accuracy of risk assessment. In view of the problems of uncertainty and inaccuracy caused by observation and statistics of relevant data in AHP modeling, Bakır et al. [6] proposed an integrated Fuzzy Analytical Hierarchy Process (F-AHP) and Fuzzy Measurement Alternatives and Ranking according to Compromise Solution (F-MARCOS) approach. In order to effectively solve the problem of consistency of risk judgment matrix in AHP, su et al. [7] improved AHP and proposed to use neural network technology to build a neural network model corresponding to risk judgment matrix for objective risk assessment. Ma et al. [8] combined analytic hierarchy process (AHP) and CRITIC to assign weights, and entered the cloud model on this basis, providing a reference for evaluating the train operation control system based communication.

According to the above research contents and the particularity of research objects, this paper introduces the idea of interval number and improves the AHP method, combines FTA and IAHP to propose a safety risk assessment method for a train positioning system based on FTA-IAHP on the basis of the above literature research. It is used to solve the problems when applying one of the above methods for safety risk analysis, so that the analysis results can not only reflect the information of subjective evaluators, but also reasonably reflect the objective facts. This method is applicable to the risk analysis of system insecurity caused by internal fault factors of parts and external uncontrollable environmental factors.

In this paper, combined with the self-developed train positioning system based on satellite navigation and the safety evaluation system of train positioning system can be set up. Section 2 focuses on presenting the overall structure of train positioning system based on satellite navigation. Section 3 introduces the improved safety risk analysis method in detail. The safety evaluation system and safety risk analysis are established for the research object in Section 4, and the effectiveness and availability of the method are verifified through the analyses on actual examples. Finally, Section 5 concludes this paper with a summary.

2. Train Positioning System Based on Satellite Navigation

Carry out safety risk analysis on the train positioning system of satellite navigation, and the system diagram is shown in Figure 1.

Figure 1. Block diagram of train positioning system based on satellite navigation.

The whole hardware system is divided into four parts: multi-channel security power subsystem, sensor information acquisition subsystem, data fusion processing subsystem, and 3G wireless communication subsystem. The multi-channel safety power supply subsystem mainly realizes the power supply function for the whole system, and at the same time meets the functions of power short circuit, reverse connection, and overvoltage protection. The sensor information acquisition system mainly realizes the information acquisition and synchronous processing of inertial measurement unit (IMU), satellite navigation system (Beidou, GPS, GALNASS), and the vehicle odometer (ODO). The data fusion processing subsystem mainly completes the combined positioning algorithm processing and two out of two functions of two or three sets of sensor data collected from the bus. Considering the inertial navigation solution and algorithm processing, high-speed DSP is used here. The communication board mainly completing the final analysis of data and to complete the wireless communication function. The whole system adopts the double two out of two security design, which can achieve high-precision and fast positioning and velocity measurement while meeting reliability and security.

Figure 2 and Figure 3 are the front view of chassis and physical drawing for the independently developed train positioning system, respectively. According to the system risk assessment method proposed in this paper, the security risk of the system will be evaluated.

Figure 2. System front view based on 3U chassis design.

Figure 3. The physical map of the self-developed train positioning system.

3. Safety Risk Assessment Method Based on FTA-IAHP

Any reasonable and comprehensive analysis of complex systems is based on information and data of relevant factor, and the judgment matrix is an important form of information. To judge the importance of each factor, we can represent each factor as a numerical result and present the results in matrix form. This paper uses two different methods to construct the judgment matrix: one is FTA basic events based on ${\mathrm{I}}_{\varnothing }$($\mathrm{i}$), and the other one is expert scoring based on IAHP. The analysis results of the two judgment matrices are synthesized, a new risk analysis method is proposed.

Figure 4 is the flow chart of the risk evaluation method proposed in this paper. The whole method can be divided into two parts: FTA analysis and the improved IAHP method. Firstly, the target risk events of the system are determined, and the FTA model is established to determine the basic cause events. Secondly, the FTA judgment matrix is established by comparing the structural importance of basic cause events; IAHP method is used to further analyze the expert score and establish the interval judgment matrix; at the same time, this paper improves the weight of the traditional IAHP, and proposes new combined weight coefficient solution method by integrating the weight of FTA and IAHP judgment matrix. The comprehensive evaluation of the train positioning system’s target risk events is completed by comparing with the safety risk assessment standards of railway.

Figure 4. Flow chart of system security risk assessment method.

The detailed steps are as follows:

3.1. FTA Analysis Method

In order to estimate the security of the militia launch control system(MLCA), Watson first proposed the FTA analysis method in 1961. Later, the FTA method was improved quantitatively by using computers. At present, this method is widely used, such as aviation, nuclear engineering, and safety management. To adopt FTA method, we first need to analyze the system to determine the target risk events, etc. The specific steps are shown in Table 1.

Table 1. Specific FTA steps.

Step	Detailed Contents
1	Analysis System: understand system function, fault state and the fault mode.
2	Determine the Top Event: according to different requirements of the system, there can be different top events. The fault tree established from this is also different.
3	Construct a Fault Tree: find all the factors that cause the top event step by step, associate them with logical symbols and analyze them with logical operations.
4	Qualitative Inorganic Analysis: find the minimum cut set of fault tree (Descending Method).
5	Quantitative Analysis: calculate the failure probability of the system and the importance degree of the underlying events leading to the top event.

3.1.1. Building Fault Tree and Calculating Structural Importance

After establishing FTA model according to the specific steps in Table 1, qualitative or quantitative analysis can be carried out. Structural importance of basic cause events is the most direct indicator of the impact on target risk events [9]. The structure function of fault tree can be defined as

$$\varphi \left(x_1,x_2,\cdots ,x_n\right)=\left\{\begin{array}{l}1,occur\\ 0,nonoccur\end{array}\right.$$

(1)

where, $x_1,x_2,L,x_n$ stands for boolean variable for the state of the base-cause events; n represents the quantity of all basic cause events obtained from FTA analysis; 0 indicates that the target event did not occur; 1 represents the occurrence of the target risk event. The structural importance of the ith basic cause event can be expressed as:

$$I_{\varphi }\left(i\right)=\frac{1}{2^{n-1}}\cdot n_i$$

(2)

Among them, $I_{\varnothing }$($i$) represents the structural importance of the ith basic cause event; $n_i$ indicates that after adding ith basic cause event to $2^{n-1}$ combination based on cause event, the combination changes from a non-cut set to a cut set, which can be expressed as:

$$\begin{array}{l}{n}_i={\displaystyle \sum _{x_1,\cdots ,x_{i-1},x_{i+1},\cdots ,x_n}\left[\varphi \left(x_1,\cdots ,x_{i-1},1,x_{i+1},\cdots ,x_n\right)\right.}\\ \left.-\left(x_1,\cdots ,x_{i-1},0,x_{i+1},\cdots ,x_n\right)\right]\end{array}$$

(3)

From the above formula, we can get the quantitative influence degree of basic cause events on target risk events.

3.1.2. Establish the Safety Risk Hierarchy Model

The top event of the fault tree is taken as the target layer T (the highest layer) of the hierarchical structure model, and the basic cause event at the bottom of the fault tree is taken as the indicator layer E (the lowest layer) of the hierarchical structure. It is classified and summarized according to certain logic rules to form the criterion layer B (the middle layer).

3.1.3. Judgment Matrix Based on FTA

Formula (2) can provide the $I_{\varnothing }$($i$) of each basic event, and it is easy to obtain the least common multiple (LCM) of denominator (common characteristic) [10]. The judgment factor of basic events is calculated as follows:

$$\chi (i)=I_{\Phi }(I)·\mathit{LCM}$$

(4)

The judgment factors of basic events reflect the effectiveness of top-level events. Judgment matrix can be constructed by the ratio of two factors. Because each criterion layer contains some index factors, this paper summarizes the index factors of each criterion layer, not the judgment factors. Since each element of the judgment matrix must be an integer, the numbers in each matrix are rounded to the nearest integer. The formula of the criterion layer used to create the judgment matrix E is as follows:

$$\{\begin{array}{cc}{A}_{ij}=\frac{{\displaystyle \sum _{i=1}^m}\chi (i)}{{\displaystyle \sum _{i=1}^n}\chi (j)}& {\displaystyle \sum _{i=1}^m}\chi (i)\ge {\displaystyle \sum _{i=1}^n}\chi (j)\\ A_{ij}=\frac{{\displaystyle \sum _{i=1}^n}\chi (j)}{{\displaystyle \sum _{i=1}^m}\chi (i)}& {\displaystyle \sum _{i=1}^m}\chi (i)<{\displaystyle \sum _{i=1}^n}\chi (j)\end{array}$$

(5)

Among them, m and n is the number of indicator factors for each criterion, $i$ and j are the subscripts of the elements of the matrix, which respectively represents i Line and section j Column. Similarly, the method for creating the judgment matrix B of the index layer for each standard layer in the article is given in Formula (6).

$$\{\begin{array}{cc}{B}_{ij}=\frac{\chi (i)}{\chi (j)}& \chi (i)\ge \chi (j)\\ B_{ji}=\frac{\chi (j)}{\chi (i)}& \chi (i)<\chi (j)\end{array}$$

(6)

According to the $I_{\varnothing }$(i) of each basic event, it is easy to get the lowest common multiple and the judgment factors of criterion layer and index layer.

3.1.4. Consistency Test and Vector Calculation of Judgment Matrix

The judgment matrix is the basis for solving the weight. A chaotic and untenable matrix can lead to wrong results. Therefore, in order to improve the reliability of the judgment matrix, it is required that the judgment matrix be generally consistent. In consideration of the above, the consistency check of the judgment matrix shall be carried out by the following methods.

$$CI=\frac{{\lambda }_{\max }-n}{n-1}$$

(7)

Then the consistency test formula is:

$$CR=CI/RI$$

(8)

If CR < 0.1 is satisfied, the judgment matrix is considered to have good consistency; otherwise, the matrix needs to be readjusted until the consistency reaches the standard. Where n is the order of the judgment matrix, ${\lambda }_{max}$ is the maximum eigenvalue of each layer of the matrix, and RI can be queried from Table 2. For example, if the judgment matrix is a third-order matrix, the corresponding RI value is 0.58.

Table 2. RI Coefficient table.

n	1	2	3	4	5	6	7	8	9	10
$RI$	0	0	0.58	0.9	1.12	1.24	1.32	1.41	1.45	1.49

The maximum eigenvalue of the judgment matrix and the corresponding eigenvector can be calculated by MATLAB software (version: R2021b, creator: Jack little and clever moler, USA), the steps are as follows:

$$\begin{array}{c}{M}_i={\displaystyle \prod _{j=1}^n{a}_{ij}}\\ {\overline{W}}_i=\sqrt[n]{M_i}\\ {\lambda }_{\max }={\displaystyle \sum _{i=1}^n\frac{{\left(AW\right)}_i}{n{W}_i}}\end{array}$$

3.2. Interval Analytic Hierarchy Process (IAHP)

Analytic hierarchy process (AHP) is a multiple criteria decision-making method. In this method, the measurement theory is introduced into the quantification of subjective judgment of experts, and the combination of qualitative analysis and quantitative analysis is realized. However, due to the incompleteness and uncertainty of information, uncertain subjective judgment often appears in pairwise comparison in practice. Therefore, it is not reasonable to use the point value of traditional AHP method to describe the subjective judgment value. At this time, interval mathematics is most suitable for accurate description of subjective judgment value [11]. Therefore, IAHP (interval analytic hierarchy process) is proposed.

The IAHP method is based on the traditional AHP method and integrated with interval mathematics. The steps are as follows: the interval number is used to replace the point value to describe the experts’ assessment of the relative importance of various safety factors, and to construct the judgment matrix by pairwise comparison; after checking the consistency of interval, the weight vector of interval number is calculated; the interval comprehensive weight is obtained by calculating the judgment matrix and interval weight vector. Finally, it is sorted, and the specific implementation block diagram is shown in Figure 5. This method can well describe the uncertainty of judgment, so it can reflect the fuzziness of experts’ subjective judgment on the importance of events, and reduce the subjective influence of evaluation to a certain extent. Therefore, IAHP is used to describe the experts’ assessment of the relative importance of various safety factors. The following is a detailed introduction to the important steps:

Figure 5. Calculation flow of IAHP method.

3.2.1. Composition of Interval Judgment Matrix

If a real number satisfies $a=\left[a^{-},a^{+}\right]$, we call $a$ an interval number. If interval number is used to express the relative importance of each factor in pairwise comparison, the judgment matrix of interval sequence is formed [12].

Assuming that there are n safety factors in a certain level of the index system, experts use 1~9 scale method to evaluate the relative importance of safety factors.

According to the reciprocal 1–9 scale table [13], the qualitative description of expert pairwise comparison is scalar, as shown in Table 3, in which the language description degree of level 2, 4, 6, and 8 is the intermediate value of adjacent judgments in the table.

Table 3. Scale of reciprocity.

Grade	Degree Description Language
1	equal
3	slightly
5	obvious
7	strong
9	extreme

If the index judgment matrix $A={\left(a_{ij}\right)}_{n\times n}$ and $a_{ij}$ = [$a_{ij}^{-}$,$a_{ij}^{+}$] is satisfied, it indicates the importance of evaluation index i relative to evaluation index j. So, the comparison result of $a_{ji}$ is the reciprocal of to $a_{ij}, a_{ij}=\left[\frac{1}{a_{ij}^{+}},\frac{1}{a_{ij}^{-}}\right]. a_{ii}$ represents the result of comparing evaluation index i with itself, we can see that it is the same as that of itself [1,1].

Then, the expert opinions are synthesized, and the interval number judgment matrix is obtained.

$$\begin{array}{l}A={\left(A_{ij}\right)}_{n\times n}=\left[a_{ij},b_{ij}\right]=\\ \left[\begin{array}{cccc}\left[1,1\right]& \left[a_{12},b_{12}\right]& \cdots & \left[a_{1n},b_{1n}\right]\\ \left[\frac{1}{b_{12}},\frac{1}{a_{12}}\right]& \left[1,1\right]& \cdots & \left[a_{2n},b_{2n}\right]\\ ⋮& ⋮& ⋮& ⋮\\ \left[\frac{1}{b_{1n}},\frac{1}{a_{1n}}\right]& \left[\frac{1}{b_{2n}},\frac{1}{a_{2n}}\right]& \cdots & \left[1,1\right]\end{array}\right]\end{array}$$

(9)

3.2.2. Consistency Test of the Judgment Matrix

If there are more than two comparisons in the process of the expert pairwise comparison and judgment, there will be inconsistent judgments. When the amount of the pairwise comparison is large, this kind of inconsistency is more likely to occur, and sometimes totally inconsistent judgment results may be obtained. At this time, the reliability of the judgment information will be reduced. If the result is further calculated, it may lead to wrong results. In view of the above situation, it is necessary to check the consistency of the judgment matrix [14].

Set up $A={\left(a_{ij}\right)}_{n\times n}$, in which $a_{ij}=\left[a_{ij}^{-},a_{ij}^{+}\right]$, and take:

$$k=\sqrt{{\displaystyle \sum _{j=1}^n\frac{1}{{\displaystyle \sum _{i=1}^n{a}_{ij}^{-}}}}},\beta =\sqrt{{\displaystyle \sum _{j=1}^n\frac{1}{{\displaystyle \sum _{i=1}^n{a}_{ij}^{-}}}}}$$

(10)

If $k\le 1$ and $\beta \ge 1$ are satisfied, in this case, we consider that the judgment matrix has good consistency; on the contrary, if $k>$1 or $\beta <$1 is satisfied, it is considered that the consistency of judgment matrix is poor. At this time, we need to feed back to the experts to rejudge until the satisfactory consistency is obtained.

3.2.3. Solving the Weight o Judgment Matrix

Since the 1990s, the research on the weight calculation algorithm of interval number judgment matrix has been carried out successively, including iterative method, random simulation method, interval eigenvalue method [15], etc. In this paper, the eigenvalue method is used to solve the weight, and the specific steps are as follows:

Step 1: Assuming $A={\left(a_{ij}\right)}_{n\times n}$ represents the interval 1–9 scale reciprocal judgment matrix, where $a_{ij}$ = [$a_{ij}^{-}$,$a_{ij}^{+}$], and assuming that $A^{-}$ = ${\left(a_{ij}^{-}\right)}_{n\times n}$ and $A^{+}={\left(a_{ij}^{+}\right)}_{n\times n}$, A = [$A^{-}$,$A^{+}$] is available.

Step 2: Using the eigenvalue method to calculate the point value matrix $A^{-}$ and $A^{+}$, the weight vectors is obtained as follows:

$$\left\{\begin{array}{l}{x}^{-}=\left(x_1^{-},x_2^{-},\cdots ,x_n^{-}\right)\\ x^{+}=\left(x_1^{+},x_2^{+},\cdots ,x_n^{+}\right)\end{array}\right.$$

(11)

At this time, the weight vector of interval number is:

$$\omega =\left[k{x}^{-},\beta x^{+}\right]=\left({\omega }_1,{\omega }_2,\cdots ,{\omega }_n\right)$$

(12)

where, $w_i$ = [$k{x}_i^{-}$, $\beta x_i^{+}$], i = 1, 2, L, n.

3.3. IAHP-FTA Portfolio Evaluation

3.3.1. Solution of Combination Weight Coefficient

This paper studies the weight of FTA $\left(W\prime \right)$ and IAHP $\left(W\prime \prime \right)$. The former reflects the influence degree of basic factors on top-level events, while the latter describes experts’ assessment of relative importance of various safety factors. Therefore, it is feasible to combine the two risk assessment methods by using the following formula. Through this solution method of the combined weight coefficient, it can not only integrate the quantitative reflection of the impact of the event importance on the target event in the FTA method, but also weaken the subjectivity of the system evaluation. It is a new reasonable and accurate method of weight calculation.

$$W=\frac{\alpha W^{\prime }+\beta W^{″}}{\alpha +\beta }$$

(13)

Among them, α and $\beta$ are weighting coefficients, $\alpha$ is the sum of scale factor and consistency factor of FTA judgment matrix, and $\beta$ is the sum of scale factor and consistency factor of interval consistency approximation matrix.

Their calculation method is as follows:

3.3.2. Weighted Coefficient Solution

The consistency factor can be solved according to Formula (14), wherein the solution can be obtained by Formulas (7) and (8):

$$\epsilon =1-10CR$$

(14)

Supposing there are two sets of number $a_1,\cdots , a_n$ and $b_1,\cdots , b_n$, the square root of two groups of average square error is expressed by RMS (risk matrix proportion) as follows:

$$RMS=\sqrt{\frac{1}{n}{\displaystyle \sum _{i=1}^n{\left(a_i-b_i\right)}^2}}$$

(15)

Then, the following formula can be used to calculate the scale factor.

$$\phi =1-\frac{RMS-R_{\min }}{R_{\max }-R_{\min }}$$

(16)

where $R_{\max }$ and $R_{\min }$ are the maximum RMS value and the minimum RMS value corresponding to the scale, and are the values corresponding to the 1–90 scale and the 1–9 scale respectively.

Calculate the RMS value under different scales, and the scale factor under different scales can be obtained according to Equation (16). The different scale factors are shown in Table 4. The scaling factor of the intermediate scale can be obtained by interpolation.

Table 4. Scale factor at different scales.

Scale	3	5	7	9	11	13	15	17	18	20
$\phi$	0.461	0.760	0.929	1.000	0.851	0.747	0.695	0.623	0.584	0.409
Scale	30	34	36	44	52	60	68	75	85	90
$\phi$	0.383	0.318	0.292	0.208	0.169	0.143	0.091	0.078	0.033	0

3.3.3. Final Overall Assessment

Referring to EN50126 standard and the current research results, when formulating the scoring rules, the safety risk assessment standard of the train positioning system is divided into four levels due to the involvement of the train signal safety system, and the four grade indexes are quantified [16]. The scoring range is as shown in the Table 5.

Table 5. Safety risk assessment standard of train positioning system.

Grade	Quantized Value	Describe
1	0~3	The safety level is not acceptable
2	3~6	The safety level is acceptable
3	6~8	The safety level is good
4	8~10	High level of safety

Combined with the fault of the train positioning system and the experience of relevant experts, relevant experts are organized to evaluate and score the safety risk of each factor of the index layer. The evaluation standard is scored according to the score value in Table 5. Then the safety assessment score of the criterion layer is calculated according to Equation (17).

$$y={\displaystyle \sum _{i=1}^n{w}_i}$$

(17)

Among them, $w_i$ refers to the final weight vector of the ith factor in the index layer obtained according to the combined weight method. Through this formula, the safety risk of the factors on the upper layer can be calculated. According to this law, it can be calculated to the target level. Finally, the comprehensive safety risk assessment results of the target layer factors of the train positioning system can be obtained.

4. Safety Risk Assessment of the Train Positioning System Based on Satellite Navigation (Example Verification)

4.1. Establishment and Analysis of the System FTA Model

According to the self-developed train positioning system based on satellite navigation as the research object, the FTA model is established and analyzed by using the above method. Taking the fault of the train positioning system as the target risk event [17], the FTA model (taking the two-out-of-two system as an example) is established as shown in Figure 6.

Figure 6. FTA model of the train positioning system.

Wherein the structural importance of each basic cause event is obtained according to Equation (2). As shown in Table 6.

Table 6. List of basic cause events.

Event Number	Basic Event Meaning	Structural Importance (× 10−8)	Event Number	Basic Event Meaning	Structural Importance (× 10−8)
E1	Power board discrete device fault	1.850	E14	Peripheral IMU fault	1.790
E2	Power board A fault	0.596	E15	IMU B chip fault	1.193
E3	Power board B fault	0.596	E16	ODO B peripheral fault	1.193
E4	GNSS module A fault	1.790	E17	ODO B chip fault	1.790
E5	Peripheral device fault of acquisition board chip A	1.790	E18	DSP A1 peripheral device fault	1.631
E6	fault of microprocessor chip A of acquisition board	1.193	E19	DSP A1 fault	1.255
E7	IMU A peripheral fault	1.790	E20	DSP A2 peripheral device fault	1.631
E8	IMU A chip fault	1.193	E21	DSP A2 fault	1.255
E9	ODO A peripheral fault	1.193	E22	Communication processing CPU A fault	1.583
E10	ODO A chip fault	1.790	E23	Communication processing CPU B fault	1.583
E11	GNSS module B fault	1.790	E24	3G module processor fault	1.256
E12	Peripheral device fault of acquisition board B chip	1.790	E25	External 3G device fault	1.256
E13	Acquisition board microprocessor chip B fault	1.193

4.2. Establishment of Hierarchical Model for Safety Risk Analysis of Train Positioning System

Taking the train positioning system based on satellite navigation as the target level factor, combined with the analysis results of FTA model, the safety evaluation hierarchy system of train positioning system based on satellite navigation is constructed, which is composed of target layer, criterion layer and index layer. The basic cause events in FTA model are divided into four categories, corresponding to the factors $B_1,B_2,B_3,B_4$ in the criteria layer of the positioning system model respectively. The correspondence of each factor is shown in Table 7.

Table 7. Safety evaluation system of train positioning system.

Target Layer	Criterion Level Factors	Index Layer Factors
Positioning system fault T	Safety power supply system $B_1$	E1, E2, E3
	Sensor acquisition system $B_2$	E4, E5, E6, E7, E8, E9, E10, E11, E12, E13, E14, E15, E16, E17
	Data fusion system $B_3$	E18, E19, E20, E21
	communication system $B_4$	E22, E23, E24, E25

4.3. Establishment of Judgment Matrix and Weight Solution

4.3.1. The Judgment Matrix Based on FTA and Weight Solution

Taking the fault of positioning unit as the target layer factor, combining with the basic cause events obtained by fault tree analysis, it is divided into four categories, corresponding to quasi lateral layer factors respectively. The basic cause events are taken as the index layer factors. According to Table 6, the $I_{\varnothing }\left(i\right)$ of each basic event can be provided, and the least common multiple (LCM) of denominator (common characteristic) is easily obtained is 32. The judgment factor of each basic cause event is calculated by Formula (4).

Then according to Formulas (5) and (6), the judgment matrix of each layer and the judgment matrix of target layer and the weight vector of each layer factor are constructed respectively. As shown in Table 8. This paper uses MATLAB software to carry out consistency test according to Formulas (7) and (8), and the judgment matrix has good consistency, $CR=2.8651\times {10}^{-16}<0.1$. According to the above method, the weights of the indexes of each layer can be obtained in sequence.

Table 8. Judgment Matrix and Weight Vector of Criterion Layer.

	B1	B2	B3	B4	Weight
B1	1	1/3	1/2	6	0.1522
B2	3	1	5	4	0.3812
B3	2	1/5	1	1/5	0.1848
B4	1/6	1/4	5	1	0.0896

The judgment matrix of each index layer under the criterion layer can be obtained according to Equation (6). The calculation process is described by the index of criterion layer B₁, as shown in Table 9.

Table 9. B₁ Index Layer Judgment Matrix.

B1	E1	E2	E3	W
E1	1	1	1/3	0.1964
E2	1/3	1/3	1	0.0503
E3	1/3	1	1/3	0.0502

The consistency inspection index CR = $1.53\times {10}^{-16}$ meets the requirements of CR < 0.1, that is to say, it meets the consistency test. B₂, B₃ and B₄ weight vectors are obtained by the same method, and the final results are listed in Table 10.

Table 10. Calculation results of combined weight method.

Criterion Level Factors	Influence Factor	W′	Sort	W″	Sort	W	Sort
Safety power supply system $B_1$	Power board discrete device fault E1	0.1964	1	0.2802	3	0.288711	1
	Power board A fault E2	0.0503	24	0.1453	20	0.12999	24
	Power board B fault E3	0.0502	25	0.1426	21	0.127126	25
Sensor acquisition system $B_2$	GNSS module A fault E4	0.1843	3	0.2246	4	0.24212	4
	Peripheral device fault E5 of acquisition board chip A	0.1823	4	0.2236	5	0.240572	5
	Acquisition board microprocessor chip A fault E6	0.1087	14	0.2228	6	0.210672	12
	IMU A peripheral fault E7	0.1553	12	0.1889	16	0.203752	14
	IMU A chip fault E8	0.0993	18	0.1756	17	0.171466	17
	ODO A peripheral fault E9	0.1576	11	0.2045	9	0.216389	11
	ODO A chip fault E10	0.1076	15	0.1998	14	0.192953	16
	GNSS module B fault E11	0.1857	2	0.2009	12	0.22487	7
	Peripheral device fault E12 of acquisition board B chip	0.1519	13	0.1976	15	0.208935	13
	E13 microprocessor fault acquisition board	0.1034	16	0.2032	11	0.193836	15
	IMU B peripheral fault E14	0.1634	9	0.2034	10	0.217871	10
	IMU B chip fault E15	0.0925	19	0.1474	19	0.147571	19
	ODO B peripheral fault E16	0.1634	10	0.2067	8	0.22035	8
	ODO B chip fault E17	0.0997	17	0.1543	18	0.155622	18
Data fusion system $B_3$	DSP A1 peripheral device fault E18	0.1753	5	0.2172	7	0.232977	6
	DSP A1 fault E19	0.0689	22	0.1413	25	0.133593	23
	DSP A2 peripheral device fault E20	0.1693	6	0.2005	13	0.17296	9
	DSP A2 fault E21	0.0689	23	0.1423	22	0.134345	22
communication system $B_4$	Communication processing CPU A fault E22	0.1676	7	0.2833	2	0.279575	3
	Communication processing CPU B fault E23	0.1663	8	0.2882	1	0.28274	2
	3G module processor fault E24	0.0869	20	0.1423	23	0.14151	20
	External device fault of 3G module E25	0.0826	21	0.1423	24	0.139798	21

4.3.2. The Judgment Matrix Based on IAHP Expert Rating

Firstly, 10 experienced experts are invited to compare the safety status of 25 underlying index factors of the evaluation system. Interval judgment matrix is established by layers one by one to check whether the matrix meets the consistency, and the weight vector of interval number is calculated according to Formulas (11) and (12). The calculation process is illustrated by the criterion layer index B₃. Through expert discussion on the index factors E18, E19, E20 and E21 of B₃ criterion layer, the expert score judgment matrix is obtained according to Formula (9):

$$B_3=\left[\begin{array}{cccc}\left[1,1\right]& \left[5,7\right]& \left[3,5\right]& \left[3,5\right]\\ \left[\frac{1}{7},\frac{1}{5}\right]& \left[1,1\right]& \left[\frac{1}{3},1\right]& \left[\frac{1}{3},1\right]\\ \left[\frac{1}{5},\frac{1}{3}\right]& \left[1,3\right]& \left[1,1\right]& \left[5,7\right]\\ \left[\frac{1}{5},\frac{1}{3}\right]& \left[1,3\right]& \left[\frac{1}{7},\frac{1}{5}\right]& \left[1,1\right]\end{array}\right]$$

The judgment matrix of other criterion layers can be obtained in turn.

Finally, the weight of expert on the evaluation of the underlying influencing factors is obtained. It is shown in the table below. The calculation is as follows: the interval number judgment matrix shown in B₃ is divided into two matrices, which are

$${B_3}^{-}=\left[\begin{array}{cccc}1& 5& 3& 3\\ \frac{1}{7}& 1& \frac{1}{3}& \frac{1}{3}\\ \frac{1}{5}& 1& 1& 5\\ \frac{1}{5}& 1& \frac{1}{7}& 1\end{array}\right],{B_3}^{+}=\left[\begin{array}{cccc}1& 7& 5& 5\\ \frac{1}{5}& 1& 1& 1\\ \frac{1}{3}& 3& 1& 7\\ \frac{1}{3}& 3& \frac{1}{5}& 1\end{array}\right].$$

According to Equation (11), the eigenvector is

$$\left\{\begin{array}{l}{x}_5^{-}={\left[0.673,0.112,0.524,0.241\right]}^T\\ x_5^{+}={\left[0.565,0.087,0.653,0.245\right]}^T\end{array}\right..$$

According to Formula (10): $k$ = 0.928, $\beta =1.069$, the interval weight vector calculated by substituting into Equation (12) is: $W_{B3}=\left(k{x}^{-}, \beta x^{+}\right)={\left(0.217, 0.141, 0.200, 0.142\right)}^T$. The consistency test index CR = $8.7\times {10}^{-17}$ meets the requirements of CR < 0.1, that is to say, it meets the consistency test. According to the same method, B1, B2, B4 weight vectors are obtained, and the final results are listed in Table 10.

4.4. Overall Safety Risk Assessment of Positioning System

According to the weight of the judgment matrix based on FTA and IAHP experts evaluation, combined with the combination weight method proposed in this paper, according to Formulas (14) and (16), matlab is used to get the result $\alpha =0.1332$ and $\beta =0.2514$. Finally, the final weight factor calculated according to Formula (13) is shown in Table 10.

According to Formula (17), the comprehensive safety evaluation score of the whole positioning system is 4.95, which meets the second level of the safety risk evaluation standard of the train positioning system. According to reference [18], most scholars at home and abroad believe that the security goal of GNSS based positioning subsystem is SIL2. However, others say that higher levels of security, such as achieving the target SIL3 or SIL4, may limit the implementation of high precision. Therefore, it can be concluded that the system can meet the requirements of the current train positioning system SIL2 level safety requirements.

5. Conclusions

This paper applies the proposed security risk analysis method based on FTA-IAHP to conduct comprehensive security risk analysis on the independently developed positioning system hardware. It is of great significance to discover the potential risks of the system, optimize the system structure, and ensure the high security of the system. By constructing a hierarchical security risk security model, two judgment matrixes are constructed based on the structural importance of FTA basic events and expert evaluation based on IAHP model, and the difference between the two judgment matrixes is adjusted by weighting factor. The method combines the weights of the two judgment matrices to determine the priorities of the risks that lead to the system failure, and reflect the security risk status of the entire system. The results show that the hardware random safety integrity level of the train positioning system based on GNSS designed in this paper is SIL2, which meets the integrity risk objective required by EN56102. Through the safety risk assessment, we can know the basic causes of the hazard sources that cause the failure of the positioning system, and make it clear that the components that have a great impact on the safety risk status of the positioning system are the power supply board and the communication processing CPU. The weak links of the system structure are found, which provides a basis for the structural optimization of the system. The authors believes that the hazard identification methods in the actual application of the positioning system can also be analyzed in the future research through the methods proposed in this paper, to further provide scientific basis for the follow-up safety risk control. The limitation of this study is that the impact of safety related application requirements on risk assessment parameters in the train control system was not fully considered. In the future, in combination with this study, further consider the impact of the location-based service application requirements on the positioning unit in the train control system, study the safety integrity monitoring algorithm, etc., to further reduce the system safety risk, and better meet the safety requirements of the high-speed railway for the positioning system.