A vital digital control system with a calculable probability of an unsafe failure

The numerically integrated safety assurance logic concept, which allows the closed-form calculation of an upper bound on the probability of an unsafe (i.e., potentially hazardous or wrongside) failure for circumscribed portions of a control system, including CPU, most ancillary digital components and software, is reviewed by describing its implementation in a railroad interlocking controller. The interlocking controller is a Boolean expression evaluation device in which the primordial logic of the interlocking has been stated as a set of expressions. The fail-safe evaluation of the expression set and the subsequent control of the switches and signals by the processor-based controller are discussed. The discussion covers system design objectives, a system description, the vital input and output circuits, vital erasure of buffer data, vital verification of output states, the requirements of the vital power source, data structure generation, verification of data structure integrity, and implications of the system design.<>