As air traffic over France is growing rapidly, the existing air traffic
control (ATC) system has to evolve to satisfy the increasing demand. The
selection of the new automated computing system (denoted CAUTRA) is based,
among other things, on dependability evaluation. This paper is devoted to the
dependability evaluation of the CAUTRA; however, emphasis is put on a subset:
the regional control center (RCC). Starting from the analysis of the impact
of CAUTRA failures on air traffic safety, five levels of service degradation
are defined for the global system, grading the effects of these failures on
the service delivered to the controllers to ensure traffic safety. The RCC
failure modes leading to these degradation levels are then defined and
evaluated using stochastic Petri nets. The modeling approach consists in
modeling the system as a set of modules interconnected via coupling
mechanisms. The system model is constructed in several steps according to an
incremental approach. Each step integrates the failure and recovery
assumptions of an additional component and updates the model of the previous
step by accounting for the impact of the new component on the behavior of
those already included in the model. The application of this approach to the
CAUTRA allowed us to analyze several configurations of the CAUTRA
architecture and to identify improvement areas to minimize the impact of
CAUTRA failures on air traffic safety. (C) 1999 Elsevier Science B.V. All
rights reserved.