In: 15th International Conference on Computer Safety, Reliability and Security (SAFECOMP'96), Vienna (Austria), pages 219-229. October 1996.
Abstract: The French Air Traffic Control is based on an automated system referred to as CAUTRA (Coordinateur AUtomatisé du Trafic Aérien). The CAUTRA is implemented on a distributed fault-tolerant computing system installed on five en-route traffic control centers and one centralized operating center, which are connected through an aeronautical telecommunication network. The CAUTRA mission is to provide computerized means for the safe and efficient movement of aircraft. The main services provided are flight plan processing, radar data processing and air traffic flow management. However, computing system failures could temporarily prevent the system from performing some or all of its required functions. The impact of failures on traffic safety depends on the criticality of the affected functions and the duration of the service interruption. In order to analyse and evaluate these impacts, we have defined a global approach that can be decomposed into two parts. The first part is aimed at a preliminary Failure Modes, Effects and Criticality Analysis of the global CAUTRA: this study led us to identify the main subsystems that have a significant impact on traffic safety. The second part of the approach focuses on the dependability modeling and evaluation of each subsystem and on the combination of the dependability measures evaluated for each subsystem to obtain global measures characterizing the impact of CAUTRA failures on traffic safety. This approach is presented in . In this paper, we focus on one subsystem of the CAUTRA centralized operating center, referred to as "STIP", which performs the centralized acquisition, processing and distribution of flight plan information to the en-route traffic control centers. This paper is decomposed into seven sections. Section 2 presents the STIP architecture. Section 3 outlines the failure and repair assumptions considered. Section 4 discusses the classification of STIP failures according to their impact on traffic safety. Section 5 summarizes the modeling approach used to describe the STIP behaviour and evaluate dependability measures. Section 6 comments on some quantitative results. Finally, Section 7 concludes and outlines some directions for future work.
Keywords: Air Traffic Control; Safety; Dependability analysis; Stochastic Petri nets; Markov modeling.