An Assessment Of Hazard Probability Due To Pentium Processor Errata In Automatic Train Control Applications
Free (open access)
The Alcatel automatic train control products make use of a single-board computer that has been designed specifically for the railway environment. The computer is based on the Pentium processor and is extensively used for automatic train operation and automatic train protection functions. It is also used as a security authentication gateway interfacing to the radio-based data communications system. The development of an automatic train control system must be accompanied by a detailed and extensive safety case in order to demonstrate that the required safety integrity level can be obtained. For the Pentium-based processor, the safety case must include the occurrence of errata: faults in the design and implementation of the processor that are not discovered at the time of manufacture. It may be argued that, since errata are design and manufacturing errors, they are systematic. However, because of the way these faults manifest themselves, it could be argued that they are random. In fact, for any one processor, there is a random errata discovery process, based on the fact that all the processors in use are operating simultaneously with different applications and/or different data, and there is a particular probability that one of them will discover a fault, or erratum. A statistical model is developed based on an in-depth analysis of Pentium errata and on assumptions about the number of processors in use over the time period of the analysis. A probability is calculated that previously undiscovered errata will be found in one of the processors in an ATC system, and it is demonstrated to become lower than the required hazard probability well before any such ATC system containing these processors is put into revenue service.
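The following is an added illustration of the kind of reasoning the abstract describes; it is not the paper's model and uses constructed, placeholder figures. It assumes a fleet-wide errata history, a fleet size, a decaying discovery rate r(t) = a·exp(-b·t), equal likelihood of any fleet processor being the discoverer, and a tolerable hazard rate of 1e-9 per hour, all of which are assumptions for the example only.

```python
import math
from typing import List, Optional, Tuple

# Constructed fleet-wide errata history (placeholder figures, not the paper's):
# (months since first shipment, cumulative errata published by then).
ERRATA_HISTORY: List[Tuple[int, int]] = [
    (0, 0), (6, 30), (12, 48), (18, 58), (24, 64), (36, 70), (48, 73),
]
FLEET_SIZE = 5_000_000          # assumed processors running concurrently worldwide
HOURS_PER_MONTH = 730.0
TARGET_HAZARD_PER_HOUR = 1e-9   # assumed tolerable hazard rate for the ATC system


def fit_discovery_rate(history: List[Tuple[int, int]]) -> Tuple[float, float]:
    """Fit a decaying discovery rate r(t) = a * exp(-b * t) (errata per fleet-month)
    by least squares on the log of the per-interval discovery rates."""
    ts, ys = [], []
    for (t0, d0), (t1, d1) in zip(history, history[1:]):
        rate = (d1 - d0) / (t1 - t0)
        if rate > 0:
            ts.append((t0 + t1) / 2)
            ys.append(math.log(rate))
    n = len(ts)
    t_mean, y_mean = sum(ts) / n, sum(ys) / n
    sxx = sum((t - t_mean) ** 2 for t in ts)
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in zip(ts, ys))
    b = -sxy / sxx
    a = math.exp(y_mean + b * t_mean)
    return a, b


def system_hazard_per_hour(month: float, a: float, b: float,
                           processors_in_system: int, fleet: int = FLEET_SIZE) -> float:
    """Probability per operating hour that one of the ATC system's own processors is the
    one that hits a still-unknown erratum. Assumes every fleet processor is equally
    likely to be the discoverer (different applications and data, as the abstract argues)."""
    fleet_rate_per_hour = a * math.exp(-b * month) / HOURS_PER_MONTH
    return processors_in_system * fleet_rate_per_hour / fleet


def months_until_acceptable(a: float, b: float, processors_in_system: int,
                            target: float = TARGET_HAZARD_PER_HOUR,
                            horizon: int = 600) -> Optional[int]:
    """First whole month at which the modelled hazard falls below the target, or None."""
    for month in range(horizon):
        if system_hazard_per_hour(month, a, b, processors_in_system) < target:
            return month
    return None


if __name__ == "__main__":
    a, b = fit_discovery_rate(ERRATA_HISTORY)
    m = months_until_acceptable(a, b, processors_in_system=2)
    print(f"r(t) = {a:.2f} * exp(-{b:.4f} t) errata/month; acceptable from month {m}")
```

The crossing month is what a safety case would compare against the planned entry into revenue service; with real errata data and fleet figures the same steps give the comparison the abstract describes.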