Safety Critical Systems

This paper presents a holistic methodology for the design of medical device software, which encompasses a new way of eliciting requirements, system design process, security design guideline, cloud architecture design, combinatorial testing process and agile project management. The paper uses point of care diagnostics as a case study where the software and hardware must be robust, reliable to provide accurate diagnosis of diseases. As software and software intensive systems are becoming increasingly complex, the impact of failures can lead to significant property damage, or damage to the environment. Within the medical diagnostic device software domain such failures can result in misdiagnosis leading to clinical complications and in some cases death. Software faults can arise due to the interaction among the software, the hardware, third party software and the operating environment. Unanticipated environmental changes and latent coding errors lead to operation faults despite the fact that usually a significant effort has been expended in the design, verification and validation of the software system. It is becoming increasingly more apparent that one needs to adopt different approaches, which will guarantee that a complex software system meets all safety, security, and reliability requirements, in addition to complying with standards such as IEC 62304. There are many initiatives taken to develop safety and security critical systems, at different development phases and in different contexts, ranging from infrastructure design to device design. Different approaches are implemented to design error free software for safety critical systems. By adopting the strategies and processes presented in this paper one can overcome the challenges in developing error free software for medical devices (or safety critical systems).

This paper presents an overview and discusses the role of certification in safety-critical computer systems focusing on software, and partially hardware, used in the civil aviation domain. It discusses certification activities according to RTCA DO-178B "Software Considerations in Airborne Systems and Equipment Certification" and touches on tool qualification according to RTCA DO-254 "Design Assurance Guidance for Airborne Electronic Hardware." Specifically, certification issues as related to real-time operating systems and programming languages are reviewed, as well as software development tools and complex electronic hardware tool qualification processes are discussed. Results of an independent industry survey done by the authors are also presented.

The Cognitive Function Analysis is a methodology supported by a mediating tool for the human-centered automation of safety-critical systems . It is based on a socio-cognitive model linking the artifact being designed, the user's activity, the task to be performed, and the organizational environment. Cognitive functions can be allocated to humans or machines. They are characterized by their role, context definition and associated resources. The methodology is supported by active design documents as mediating representations of the amfact, the interaction description and cognitive function descriptors being designed, redesigned and used as usability criteria to evahrate the distribution of cognitive functions among humans and machines. This methodolo,y enhances usercentered and participatory design, and traceability of design decisions. It was successfully tested on three main applications in the aeronautics domain. One of them is presented.

Increasingly, licensing and safety regulatory bodies require the suppliers of software-intensive, safety-critical systems to provide an explicit software safety case -a structured set of arguments based on objective evidence to demonstrate that the software elements of a system are acceptably safe. Existing research on safety cases has mainly focused on how to build the arguments in a safety case based on available evidence; but little has been done to precisely characterize what this evidence should be. As a result, system suppliers are left with practically no guidance on what evidence to collect during software development. This has led to the suppliers having to recover the relevant evidence after the fact -an extremely costly and sometimes impractical task. Although standards such as the IEC 61508 -which is widely viewed as the best available generic standard for managing functional safety in software -provide some guidance for the collection of relevant safety and certification information, this guidance is mostly textual, not expressed in a precise and structured form, and is not easy to specialize to context-specific needs. To address these issues, we present a conceptual model to characterize the evidence for arguing about software safety. Our model captures both the information requirements for demonstrating compliance with IEC 61508 and the traceability links necessary to create a seamless chain of evidence. We further describe how our generic model can be specialized according to the needs of a particular context, and discuss some important ways in which our model can facilitate software certification.

This report describes a formal approach to verification and validation of safety requirements for embedded software, by application to a simple control-logic case study. The logic is formally specified in Z. System safety properties are formalised by defining an abstract model of the system’s physical behaviour in Z, including its hazardous states and dominant sensor failures. The Possum specification-animation tool is then used to check that the logic meets its safety requirements. Finally, the logic is implemented in SPARK Ada and SPARK Examiner is used to formally verify the implementation meets its specification. Design safety validation and source code verification are completely automated, removing the need for

The adoption of systems-focused risk assessment techniques has not led to measurable improvement in the rate of patient harm. Why? In part, because these tools focus solely on understanding problems, and provide no direct support for designing and managing solutions (i.e., risk control). This second installment of a 2-part series on rebalancing risk management describes a structured approach to bridging this gap: The Active Risk Control (ARC) Toolkit. A pilot study is presented to show how ARC Toolkit can improve the quality of risk management practice.

Integrating modern aircraft stores, particularly weapons, creates a complex system of systems challenge. The traditional approach to such integrations was for each to be a stand-alone program. For each program a unique interface would usually be implemented, usually also with a set of unique problems, such as the missile ‘ghosting’ problems experienced during the F-16 to AMRAAM integration (Ward 1993). In response to the problems of such an approach MIL-STD-1760 an Interface Standard for Aircraft to Store Electrical Interconnection System was released by the US DoD to standardise aircraft/store interfaces. This paper discusses the advantages and limitations of the architectural techniques of MIL-STD-1760. A hierarchical method for integrating the use of the standard into a safety case is also described.

Keywords: Safety, architecture, software, MIL-STD-1760.

This paper discusses issues related to the RTCA document DO-254 Design Assurance Guidance for Airborne Electronic Hardware and its consequences for hardware certification. In particular, problems related to circuits’ compliance with DO-254 in avionics and other industries are considered. Extensive literature review of the subject is given, including current views on and experiences of chip manufacturers and EDA industry with qualification of hardware design tools, including formal approaches to hardware verification. Some results of the authors’ own study on tool qualification are presented.

Caches have become increasingly important with the widening gap between main memory and processor speeds. However, they are a source of unpredictability due to their characteristics, resulting in programs behaving in a different way than expected.Cache locking mechanisms adapt caches to the needs of real-time systems. Locking the cache is a solution that trades performance for predictability: at a cost of generally lower performance, the time of accessing the memory becomes predictable.This paper combines compile-time cache analysis with data cache locking to estimate the worst-case memory performance (WCMP) in a safe, tight and fast way. In order to get predictable cache behavior, we first lock the cache for those parts of the code where the static analysis fails. To minimize the performance degradation, our method loads the cache, if necessary, with data likely to be accessed.Experimental results show that this scheme is fully predictable, without compromising the performance of t...

Current practice in healthcare risk management is supported by many tools for risk assessment (understanding problems), but none for risk control (solving problems).  The results: a failure to improve safety, and a waste of the investment made in risk assessment.  The Active Risk Control (ARC) Toolkit, available for free, fills this void with a systematic, structured approach to risk control.

Context: Critical systems in domains such as aviation, railway, and automotive are often subject to a formal process of safety certification. The goal of this process is to ensure that these systems will operate safely without posing undue risks to the user, the public, or the environment. Safety is typically ensured via complying with safety standards. Demonstrating compliance to these standards involves providing evidence to show that the safety criteria of the standards are met.

This paper presents an overview and discusses the role of certification in safety-critical computer systems focusing on software, and partially hardware, used in the civil aviation domain. It discusses certification activities according to RTCA DO-178B “Software Considerations in Airborne Systems and Equipment Certification” and touches on tool qualification according to RTCA DO-254 “Design Assurance Guidance for Airborne Electronic Hardware.” Specifically, certification issues as related to real-time operating systems and programming languages are reviewed, as well as software development tools and complex electronic hardware tool qualification processes are discussed. Results of an independent industry survey done by the authors are also presented.

In this article we call for a new approach to patient safety improvement, one based on the emerging field of evidence-based healthcare risk management (EBHRM). We explore EBHRM in the broader context of the evidence-based healthcare movement, assess the benefits and challenges that might arise in adopting an evidence-based approach, and make recommendations for meeting those challenges and realizing the benefits of a more scientific approach.

Pressure oxidation is increasingly being used for processing refractory sulphide ores and concentrates because it offers highly effective base metal and precious metal extraction while minimizing elemental sulphur, arsenic & mercury emissions. Yet pressure oxidation processes introduce new safety concerns and process risks as demonstrated by a number of safety incidents over the last 20 years, including overfilling, oxygen-metal fires, nozzle/sparger failures, and uncontrolled pressure relief events. Chemical Process Safety regulations in the United States and Canada mandate that companies constructing or operating chemical process facilities perform a rigorous hazard and risk analysis based on either ANSI/ISA-84.00.01 or IEC 61511 safety standards to determine the level of protection required for each hazard in the plant. This paper describes the application and implementation of three (3) unique safety instrumented systems developed by Hatch for ensuring the safe operation of three different pressure oxidation processes.

"Based on analysis of Operating Cycle of airplane the model to evaluate level of safety was introduced. Steps of modernization existed system of safety was introduced and requirements to hardware and software presented. On-board hardware functions and reliability requirements have been analyzed and the structure of hardware was presented and realized. The structure of full size system to provide the Concept of Dynamic Safety was developed and presented. Economics of the Concept realisation was presented, it was proved that substantial profit and higher level of safety may be achieved provided the Concept of Dynamic Safety."

on 12th of April 2021 accordingly requests from Russian native speakers this paper  was translated with minimal corrections. The file is included. Unfortunately, is spite that Boeing was sorry to say "educated " by me personally in 1999 regarding 737 reliability and maintenance of reliability issues for 3 (three) months and in spite of EC DG Research grant 2004-2009  to follow and develop proposed concept up to industrial implementation Neither Boeing nor Airbus nor Russian Commercial aviation did not get any serious step to save lives of us passengers. They knew and ignore...

Systems whose failure can lead to the damage of property or the environment, or loss of human life are regarded as safety-critical systems. It is no longer adequate to build safety-critical systems based on the control of errors and failures alone. Safetycritical systems must also deal with securing the data that is used in their operation. While safety and security engineering have evolved separately, there are a number of similarities. These similarities and efforts to integrate safety and security are identified. A project looking at securing safety-critical communications for the Australian rail network is also discussed.

Model-Driven Engineering (MDE) promises to enhance system development by reducing development time, and increasing productivity and quality. MDE is gaining popularity in several industry sectors, and is attractive also for critical systems where they can reduce efforts and costs for verification and validation (V&V), and can ease certification. Incorporating model-driven techniques into a legacy well-proven development cycle is not simply a matter of placing models and transformations in the design and implementation phases. We present the experience in the model-driven design and V&V of a safety-critical system in the railway domain, namely the Prolan Block, a railway interlocking system manufactured by the Hungarian company Prolan Co., required to be CENELEC SIL-4 compliant. The experience has been carried out in an industrial-academic partnership within the EU project CECRIS. We discuss the challenges and the lessons learnt in this pilot project of introducing MD design and testi...

Abstract. Roboethics is a recently developed field of applied ethics which deals with the ethical aspects of technologies such as robots, ambient intelligence, direct neural interfaces and invasive nano-devices and intelligent soft bots. In this article we look specifically at the issue of (moral) responsibility in artificial intelligent systems. We argue for a pragmatic approach, where responsibility is seen as a social regulatory mechanism. We claim that having a system which takes care of certain tasks intelligently, learning from experience ...

A fundamental problem in the design and development of embedded control systems is the verification of safety requirements. Formal methods, offering a mathematical way to specify and analyze the behavior of a system, together with the related support tools can successfully be applied in the formal proof that a system is safe. However, the complexity of real systems is such that automated tools often fail to formally validate such systems.

In this paper, we analyse twelve cases of deviations from prescribed procedures during scheduled/unscheduled maintenance checks, carried out by an aircraft maintenance organization in Greece. The detailed analysis of these cases let us identify specific factors that guided maintenance technicians towards alternative courses of action. Our focus is not on the material aetiology of deviations but on the underlying factors that determined the actual decision action path by the air maintenance technicians. A generalization of factors is then being made, out of the specific factors identified for each case.

A fundamental problem in the design and development of embedded control systems is the verification of safety requirements. Formal methods, offering a mathematical way to specify and analyze the behavior of a system, together with the related support tools can successfully be applied in the formal proof that a system is safe. However, the complexity of real systems is such that automated tools often fail to formally validate such systems.

Designing Safety-critical interfaces entails proving the safety and operational usability of each component. Largely taken for granted in everyday interface design, the typographical component, through its legibility and aesthetics, weighs heavily on the ubiquitous reading task at the heart of most visualizations and interactions. In this paper, we present a research project whose goal is the creation of a new typeface to display textual information on future aircraft interfaces. After an initial task analysis leading to the definition of specific needs, requirements and design principles, the design constantly evolves from an iterative cycle of design and experimentation. We present three experiments (laboratory and cockpit) used mainly to validate initial choices and fine-tune font properties. Results confirm the importance of rigorously testing the typographical component as a part of text output evaluation in interactive systems.

Systems whose failure can lead to the damage of property or the environment, or loss of human life are regarded as safety-critical systems. It is no longer adequate to build safety-critical systems based on the control of errors and failures alone. Safetycritical systems must also deal ...

This report discusses architectures for safety-critical systems. The report summarises the existing literature in the area as well as the guidance provided by existing safety-critical system development standards. We discuss the three constituent functions of fault tolerant architectures: error detection, damage assessment and confinement and error recovery. We also consider methods for fault prevention.

It is becoming widely accepted that along with the formal specification of functional properties it is necessary, in some systems, to provide a specification of timeliness properties. Unfortunately, the main methods which would seem to provide this form of requirement appear to be targeted at specifying communication protocols. While it is possible to adapt these methods for simple timeliness properties, their use for describing constraints on distributed systems would be impractical This paper introduces a set of definitions for the Z specification language which enables timeliness properties to be represented formally. The toolkit provides a method of framing the temporal specifications, which enables these specifications to be looked at from multiple viewpoints, a feature which facilitates the specification of distributed systems. A formal basis for the toolkit is given, together with justification for the features of the model of time that has been adopted.

We present the modelling of a monitoring system which provides nighttime care by detecting situations of concern and therapeutic interventions as the core technological component within an Ambient Assisted Living project. The modelling of processes and interactions allows early detection of problems in the strategy to be implemented through simulation and verification.

The overall safety integrity of a safety critical system, comprising both software and hardware, is typically specified quantitatively, e.g., in terms of failure rates. However, for software, it is widely accepted that there is a limit on what can be quantitatively demonstrated, e.g., by means of statistical testing and operational experience. To address this limitation, many software standards appeal instead to the quality of the process to assure the sufficient implementation of the software. In this paper, we contend that there is a large inductive gap between the quantitative software integrity required for a safety function and the assurance of the software development process for that function. We propose that this large inductive gap between software integrity and software process assurance could be narrowed down by an explicit definition of a product-based software argument. The role of this argument is to justify the transition from arguing about software integrity to arguing about software assurance by showing how the evidence, in the context of the software product-based argument, provides assurance which is commensurate with the required integrity.

A Trace Matrix (TM) represents the relationship between software engineering artifacts and is foundational for many software assurance techniques such as criticality analysis. In a large project, a TM might represent the relationships between thousands of elements of dozens of artifacts (for example, between design elements and code elements, between requirements and test cases). In mission-and safety-critical systems, a third party agent may be given the job to assess a TM prepared by the developer. Due to the size and complexity of the task, automated techniques are needed. We have developed a technique for analyzing a TM, called Trace Matrix Analyzer (TMA), so that third party agents can perform their work faster and more effectively. To validate, we applied TMA to two TMs with known problems and golden answersets: MoonLander and MODIS. We also asked an experienced software engineer to manually review the TM. We found that TMA properly identified TM issues and was much faster than manual review, but also falsely identified issues for one dataset. This work addresses the Trusted Grand Challenge, research projects 3, 5, and 6.

Reliability of medical devices such as the CARA Infusion Pump Control System is of extreme importance given that these devices are being used on patients in critical condition. The Infusion Pump Control System includes embedded processors and accompanying embedded software for monitoring as well as controlling sensors and actuators that allow the embedded systems to interact with their environments. This nature of the Infusion Pump Control System adds to the complexity of assuring the reliability of the total system. The traditional methods of developing embedded systems are inadequate for such safety-critical devices. In this paper, we study the application of formal methods to the requirements capture and analysis of the Infusion Pump Control System. Our approach consists of two phases. The first phase is to convert the informal design requirements into a set of reference specifications using a formal system, in this case EFSMs (Extended Finite State Machines). The second phase is to translate the reference specifications to the tools supporting formal analysis, such as SCR and Hermes. This allows us to conclude properties of the reference specifications. Our research goal is to develop a framework and methodology for the integrated use of formal methods in the development of embedded medical systems that require high assurance and confidence.

Saarland Univ., 5: Uppsala Univ., 6: TU Dortmund, 7: Univ. of Toulouse, 8: CAU Kiel A large class of embedded systems is distinguished from general-purpose computing systems by the need to satisfy strict requirements on timing, often under constraints on available resources. Predictable system design is concerned with the challenge of building systems for which timing requirements can be guaranteed a priori. Perhaps paradoxically, this problem has become more difficult by the introduction of performanceenhancing architectural elements, such as caches, pipelines, and multithreading, which introduce a large degree of uncertainty and make guarantees harder to provide. The intention of this paper is to summarize the current state of the art in research concerning how to build predictable yet performant systems. We suggest precise definitions for the concept of "predictability", and present predictability concerns at different abstraction levels in embedded system design. First, we consider timing predictability of processor instruction sets. Thereafter, we consider how programming languages can be equipped with predictable timing semantics, covering both a language-based approach using the synchronous programming paradigm, as well as an environment that provides timing semantics for a mainstream programming language (in this case C). We present techniques for achieving timing predictability on multicores. Finally, we discuss how to handle predictability at the level of networked embedded systems where randomly occurring errors must be considered.

Paper discusses principles of the redundancy classification for the design of fault tolerant computer systems. The basic functions of classification: definitive, characteristic and predictive are presented. Shown that proposed classification of redundancy posses a substantial predictive power. Proposed classification suits for the analysis of roles of hardware and software to achieve fault tolerance of the system.

The European ARTEMIS ACROSS project aims to overcome the limitations of existing Multi-Processor Systemson-a-Chip (MPSoC) architectures with respect to safety-critical applications. MPSoCs have a tremendous potential in the domain of embedded systems considering their enormous computational capacity and energy efficiency. However, the currently existing MPSoC architectures have significant limitations with respect to safety-critical applications. These limitations include difficulties in the certification process due to the high complexity of MPSoCs, the lacking temporal determinism and problems related to error propagation between subsystems. These limitations become even more severe, when subsystems of different criticality levels have to be integrated on the same computational platform. Examples of such mixed-criticality integration are found in the avionics and automotive industry with their desire to integrate safety-critical, mission critical and non-critical subsystems on the same platform in order to minimize size, weight, power and cost. The main objective of ACROSS is to develop a new generation of multicore processors designed specially for safety-critical embedded systems; the ACROSS MPSoC. In this paper we will show how the ACROSS MPSoC overcomes the limitations of existing MPSoC architectures in order to make the multi-core technology available to the safety-critical domain.

The cost of finding and correcting defects represents one of the most expensive software development activities. And that too, if the errors get carried away till the final acceptance testing stage of the project life cycle, then the project is at a greater risk in terms of its Time and Cost factors. A small amount of effort spent on quality assurance will see good amount of cost savings in terms of detecting and eliminating the defects. The purpose of defect prevention is to identify those defects in the beginning of the life cycle and prevent them from recurring so that the defect may not surface again. Software for safety-critical systems must deal with the hazards identified by safety analysis in order to make the system safe, risk-free and fail-safe. Certain faults in critical systems can result in catastrophic consequences such as death, injury or environmental harm. The focus of this paper is an approach to software safety analysis based on a combination of two existing fault...

This paper presents a holistic methodology for the design of medical device software, which encompasses a new way of eliciting requirements, system design process, security design guideline, cloud architecture design, combinatorial testing process and agile project management. The paper uses point of care diagnostics as a case study where the software and hardware must be robust, reliable to provide accurate diagnosis of diseases. As software and software intensive systems are becoming increasingly complex, the impact of failures can lead to significant property damage, or damage to the environment. Within the medical diagnostic device software domain such failures can result in misdiagnosis leading to clinical complications and in some cases death. Software faults can arise due to the interaction among the software, the hardware, third party software and the operating environment. Unanticipated environmental changes and latent coding errors lead to operation faults despite the fact that usually a significant effort has been expended in the design, verification and validation of the software system. It is becoming increasingly more apparent that one needs to adopt different approaches, which will guarantee that a complex software system meets all safety, security, and reliability requirements, in addition to complying with standards such as IEC 62304. There are many initiatives taken to develop safety and security critical systems, at different development phases and in different contexts, ranging from infrastructure design to device design. Different approaches are implemented to design error free software for safety critical systems. By adopting the strategies and processes presented in this paper one can overcome the challenges in developing error free software for medical devices (or safety critical systems).

This paper gives an overview of a holistic project dealing with the consistent design of embedded control systems falling into the first level of safety integrity requirements (SIL l) . It shows how existing methods can be adapted and reasonably employed, whenever possible, without having to resort to new innovations. Firstly, the hardware issues are dealt with and extensively elaborated, particularly the peripheral interfaces with integrated processing capabilities. Secondly, the proven correct real-time operating system executing on its own dedicated processor is briefly addressed, and finally, programming issues including descriptions of the specific programming language, time bounded handling of exceptions, and how to deal with temporal overload.

Failure Modes and Effects Analysis (FMEA) is a classical system safety analysis technique which is currently widely used in the automotive, aerospace and other safety critical industries. In the process of an FMEA, analysts compile lists of component failure modes and try to infer the effects of those failure modes on the system. System models, typically simple engineering diagrams, assist analysts in understanding how the local effects of component failures propagate through complex architectures and ultimately cause hazardous effects at system level.

As VLSI geometry continues to shrink and the level of integration increases, it is expected that the probability of faults, particularly transient faults, will increase in future microprocessors. So far, fault tolerance has chiefly been considered for special purpose or safety critical systems, but future technology will likely require integrating fault tolerance techniques into commercial systems. Such systems require low cost solutions that are transparent to the system operation and do not degrade overall performance. This paper introduces a new superscalar architecture, termed as 03RS that aims to incorporate such simple fault tolerance mechanisms as part of the basic architecture.

Human safety in the Middle East is a crucial aspect especially when working on critical mission systems. Any trivial error may result in inevitable dangerous causalities that lead to loss of innocent souls. The main objective of this paper is to introduce a complete study of a system that automates the currently adopted manual process of having dedicated men to control the barriers at the railway crossings when trains pass, the main objective is to reduce the possible human errors resulting from manual control. This study aims to provide a robust solution that adheres to a formal, systematic and new procedure to enhance the overall quality of requirements gathered for critical systems. In addition, it reflects how effective is the usage of goal oriented modelling in requirements elicitation stage for critical systems to define a clear scope and validate requirements against any missing, inconsistent or vague requirements at early stage.

Applications of intelligent software systems are proliferating. As these systems proliferate, understanding and measuring their complexity becomes vital, especially in safety-critical environments. This paper proposes a model assessing the impacts of complexity for a particular type of intelligent software system, embedded intelligent real-time systems (EIRTS), and answers two research questions. (1) How should the complexity of embedded intelligent real-time systems be measured?, and (2) What are the impacts of differing levels of EIRTS complexity on software, operator and system performance when EIRTS are deployed in a safety-critical large-scale system? The model is tested and operationalized using an operational EIRTS in a safety-critical environment. The results suggest that users significantly prefer simple decision support and user interfaces, even when sophisticated user interfaces and complex decision support capabilities have been embedded in the system. These results have interesting implications for operators using complex EIRTS in safety-critical settings.

Technology has improved to the point that system designers have the ability to trade-off implementing complex functions in either hardware or software. However, clear distinctions exist in the design tools. This paper examines what is unique to hardware design, areas where formal methods can be applied to advantage in hardware design and how errors can exist in the hardware even if formal methods are used to prove the design is correct.

This paper discusses issues related to the RTCA document DO-254 Design Assurance Guidance for Airborne Electronic Hardware and its consequences for hardware certification. In particular, problems related to circuits’ compliance with DO-254 in avionics and other industries are considered. Extensive literature review of the subject is given, including current views on and experiences of chip manufacturers and EDA industry with

Power grids are prone to failure. Time series of reliability measures such as total power loss or energy not supplied can give significant account of the underlying dynamical behavior of these systems, specially when the resulting probability distributions present remarkable features such as an algebraic tail, for example. In this paper, seven years (from 2002 to 2008) of Europe's transport of electricity network failure events have been analyzed and the best fit for this empirical data probability distribution is presented. With the actual span of available data and although there exists a moderate support for the power law model, the relatively small amount of events contained in the function's tail suggests that other causal factors might be significantly ruling the system's dynamics.

Designing and developing a point automation system is a challenging task since railway transportation systems are required to be highly secure and safe systems. Nowadays point automation systems are usually designed manually, this results in a waste of personnel, time and resources. So in this study, we developed and established a software tool in order to automatically generate formal models for point automation systems. The novelty of our study is that our models are created automatically by a software. Here designing time and human errors are reduced to a minimum thus safe, reliable and secure system models are generated. The developed software has a built in graphical interface which is used to model the basic station topology and using this model, software generates a point automation system's Timed-Arc Petri Net (TAPN) models, which is a strongly recommended formal method by CENELEC EN50128 standard, automatically. Generated TAPN models are also verified automatically for specified safety requirements by using Computational Tree Logic (CTL), which is also a formal proof method strongly recommended by CENELEC EN50128 standard. The TAPN models were automatically generated and verified with 100% success by taking the point automation systems of stations on M1 Aksaray-Airport line, operated by Istanbul Transportation Co., as the reference.