ControlSafe Platform: SIL4 COTS Fail-Safe System for Train Control and Rail Signaling



ControlSafe Platform provides 15 years of product life and 25 years of service


Figures: ControlSafe Platform Front View
Figures: ControlSafe Platform Rear View
Figures: ControlSafe Platform Fan Cooling Subsystem
Figures: ControlSafe Platform System Rack Mounting Example
Figures: ControlSafe Platform Dimensions

Modular, scalable solution with best-in-class availability of 99.9999%
The SMART Embedded Computing ControlSafe Platform consists of two redundant ControlSafe Computers (CSCs), each of which delivers fail-safe operation. They are linked by a Safety Relay Box (SRB) that monitors the health of the two CSCs, designates one of them as "active" and the other as "standby", and controls fail-over between the two CSCs to deliver a fail-safe computing system. The "active" CSC controls the I/O via a customer application, while the "standby" CSC runs the same application but has no ability to drive any output.

With all safety-related software certified to EN50128 SIL4 and all reliability, availability, maintainability and safety (RAMS) processes certified to EN50126, and hardware certified to EN50129 SIL4, the ControlSafe Platform (CSP) can be deployed in safety application environments to protect investment in rail infrastructure.

At the core of each CSC are two identical CPU boards that run in data lock-step mode and implement a two-out-of-two (2oo2) voting mechanism. The field-proven VxWorks 653 operating system from Wind River provides safe partitions for customer applications.

Any discrepancy between these two CPUs causes the active CSC to declare itself unhealthy and signal its state to the SRB, which in turn causes the standby CSC to become active. The unhealthy CSC is taken out of operation and, once it has been repaired, can be brought back into service. This health-and-safety architecture guarantees that there is no possibility of an incorrect output being driven to external equipment.
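The following model of the 2oo2 vote and SRB fail-over described above is an added example, not SMART Embedded Computing code; the class names, the per-lane application step and the injected lane fault are assumptions for illustration. It shows the fail-safe property the text describes: a lane discrepancy produces no output at all rather than a wrong one, and output resumes only from a healthy CSC.

```python
"""Model of a 2oo2 lock-step CSC pair arbitrated by a Safety Relay Box (assumed design)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

Step = Callable[[int], int]  # one lane's application step: sensor input -> commanded output

@dataclass
class CSC:
    """One ControlSafe Computer: two lanes that must agree (2oo2) before output is valid."""
    name: str
    lane_a: Step
    lane_b: Step
    healthy: bool = True

    def vote(self, sensor: int) -> Optional[int]:
        """Return the agreed output, or None (and declare unhealthy) on any lane discrepancy."""
        if not self.healthy:
            return None
        a, b = self.lane_a(sensor), self.lane_b(sensor)
        if a != b:
            self.healthy = False  # discrepancy: unit declares itself unhealthy to the SRB
            return None
        return a

@dataclass
class SafetyRelayBox:
    """Tracks which CSC is active; only the active CSC may drive outputs."""
    active: CSC
    standby: CSC
    log: list = field(default_factory=list)

    def cycle(self, sensor: int) -> Optional[int]:
        """One control cycle. On active-CSC failure, fail over to a healthy standby;
        if neither CSC is healthy, drive nothing (fail-safe: no output beats a wrong one)."""
        out = self.active.vote(sensor)
        self.standby.vote(sensor)  # standby runs the same application but never drives output
        if out is None and self.standby.healthy:
            self.log.append(f"failover {self.active.name}->{self.standby.name}")
            self.active, self.standby = self.standby, self.active
            out = self.active.vote(sensor)
        return out

def repair(csc: CSC) -> None:
    """A repaired unit re-enters service; it becomes the standby, not the active CSC."""
    csc.healthy = True

# Constructed scenario: one lane of CSC1 mis-computes at sensor value 3 (assumed fault).
good = lambda s: s * 2
faulty = lambda s: s * 2 if s != 3 else 99

def demo():
    srb = SafetyRelayBox(CSC("CSC1", good, faulty), CSC("CSC2", good, good))
    return [srb.cycle(s) for s in (1, 2, 3, 4)], srb.active.name, srb.log
```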

The ControlSafe Platform is designed to deliver best-in-class system availability as high as 99.9999%, which means that system downtime is limited to a few seconds a year.

Application processing is carried out on a modern Freescale QorIQ processor, delivering high performance, energy-efficient processing and supporting the extended life required by rail equipment.

The ControlSafe Platform's data lock-step architecture, which supports high performance modern processors, makes it possible to upgrade processors over time while retaining the same I/O.

Implementing the 2oo2 voting facilities in hardware allows application developers to migrate existing application software with minimal modifications. An extensive set of well-documented application programming interfaces (APIs) that provide access to system parameters and management facilities makes it easy for application developers and system integrators to monitor and control the system.

The ControlSafe Platform includes I/O modules that provide interfaces to a range of communication protocols such as CAN, Ethernet, Ethernet Ring, MVB, GPS/Wireless, UART, digital and analog. All I/O modules have a common architecture based on the same Freescale CPU core and the same Wind River VxWorks 653 operating system, thus simplifying the software development environment. All I/O modules are accessed over Ethernet, allowing a seamless distributed architecture in which additional expansion can be contained in a remote chassis. All modules support remote online software and firmware upgrade without risk of rendering a system inoperable.

Product Specification

SIL4 COTS Fail-Safe System

Processor module
Freescale P2010 1 GHz
1 GB (opt. 4 GB) DDR3-800 ECC SDRAM
Two 128 MB Flash

Switch module and I/O module
Freescale P1011 800 MHz
512 MB (opt. 2 GB) DDR3-667 ECC SDRAM
Two 64 MB Flash



Certified to SIL 4 safety standards

Slot and voltage management and temperature sensors

1 GbE fabric

6 front I/O slots

6 rear I/O slots

Standard eight 10/100/1000BASE-T ports, opt. 2 per Ethernet I/O module

Opt. 2 Ethernet Ring ports per Ethernet Ring I/O module

Opt. 2 CANbus ports per CAN I/O module

Vibration compliant with EN61373 (12.2.11)

Shock compliant with IEC 60068-2-27

AC power supply

Compliant with EN50121, EN50124, EN50155, EN50126, EN50128, EN50129, EN55024, EN60529, EN60571, IEC61508

-40°C to +70°C operating temperature range, convection-cooled

VxWorks 653

2 years warranty



Ordering Information


SIL4 ControlSafe Computer System with two CPUs, AC PSUs, Switch module and VxWorks 653
Safety Relay Box
Replaceable module for Safety Relay Box
CAN I/O module
High Speed rear transition module for CAN I/O module
Ethernet Ring module
Rear transition module for Ethernet Ring module
Ethernet I/O module
Rear transition module for Ethernet I/O module
Maintenance cable kit
Power cord for Germany/Italy/France
2 cables to connect ControlSafe Computer to Safety Relay Box
2 cables to directly connect two ControlSafe Computers
Front filler panel
Rear filler panel