ControlSafe Platform: SIL4 COTS Fail-Safe System for Train Control and Rail Signaling

ControlSafe Platform provides 15 years product life and 25 years of service

[Figure: ControlSafe Platform Front View]

[Figure: ControlSafe Platform Rear View]

[Figure: ControlSafe Platform Fan Cooling Subsystem]

[Figure: ControlSafe Platform System Rack Mounting Example]

[Figure: ControlSafe Platform Dimensions]

Modular, scalable solution with best-in-class availability of 99.9999%

The ARTESYN Embedded Technologies ControlSafe Platform consists of two redundant ControlSafe Computers (CSCs), each of which delivers fail-safe operation. They are linked by a Safety Relay Box (SRB) that monitors the health of the two CSCs, designates one of them as "active" and the other as "standby", and controls fail-over between the two CSCs to deliver a fail-safe computing system. The "active" CSC controls the I/O via the customer application, while the "standby" CSC runs the same application but has no ability to drive any output.

With all safety-related software certified to EN50128 SIL4 and all reliability, availability, maintainability and safety (RAMS) processes certified to EN50126, and hardware certified to EN50129 SIL4, the ControlSafe Platform (CSP) can be deployed in safety application environments to protect investment in rail infrastructure.

At the core of each CSC are two identical CPU boards that run in data lock-step mode and implement a two-out-of-two (2oo2) voting mechanism. The field-proven VxWorks 653 operating system from Wind River provides safe partitions for customer applications.

Any discrepancy between these two CPUs causes the active CSC to declare itself unhealthy and signal its state to the SRB, which in turn causes the standby CSC to become active. The unhealthy CSC is taken out of operation and, once it has been repaired, can be brought back into service. This health-and-safety architecture guarantees that there is no possibility of an incorrect output being driven to external equipment.
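The 2oo2 voting and SRB fail-over behaviour described above, as an added Python model that is not Artesyn's code: each CSC compares the outputs of its two lock-stepped CPUs, a mismatch makes it declare itself unhealthy and withhold its output, and the SRB promotes the healthy standby or holds all outputs when no healthy CSC remains. The `Csc` and `SafetyRelayBox` names and the one-bit fault injection are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence

Application = Callable[[Sequence[int]], int]


@dataclass
class Csc:
    """A ControlSafe Computer: two lock-stepped CPUs that vote two-out-of-two."""
    name: str
    healthy: bool = True

    def vote(self, app: Application, inputs: Sequence[int],
             cpu_fault: Optional[str] = None) -> Optional[int]:
        """Run the application on both CPUs and compare; any discrepancy
        makes the CSC declare itself unhealthy and withhold its output."""
        if not self.healthy:          # an unhealthy CSC is out of operation
            return None
        out_a, out_b = app(inputs), app(inputs)
        if cpu_fault == "A":          # constructed fault injection on one CPU
            out_a ^= 1
        elif cpu_fault == "B":
            out_b ^= 1
        if out_a != out_b:
            self.healthy = False
            return None
        return out_a


class SafetyRelayBox:
    """Monitors both CSCs, designates active/standby and gates the I/O drive."""

    def __init__(self, first: Csc, second: Csc) -> None:
        self.cscs = (first, second)
        self.active: Optional[Csc] = first

    def cycle(self, app: Application, inputs: Sequence[int],
              faults: Optional[Dict[str, str]] = None) -> Optional[int]:
        """One processing cycle. Both CSCs run the application, but only the
        active one's result is driven; None means the outputs are held safe."""
        faults = faults or {}
        results = {c.name: c.vote(app, inputs, faults.get(c.name)) for c in self.cscs}
        if self.active is None or not self.active.healthy:
            # Fail over to a healthy CSC, or to none (fail-safe) if neither is.
            self.active = next((c for c in self.cscs if c.healthy), None)
        return None if self.active is None else results[self.active.name]

    def repair(self, csc: Csc) -> None:
        """A repaired CSC returns to service as standby."""
        csc.healthy = True
```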

The ControlSafe Platform is designed to deliver best-in-class system availability as high as 99.9999%, which means that system downtime is limited to a few seconds a year.

Application processing is carried out on a modern Freescale QorIQ processor, delivering high performance, energy-efficient processing and supporting the extended life required by rail equipment.

The ControlSafe Platform's data lock-step architecture, which supports high performance modern processors, makes it possible to upgrade processors over time while retaining the same I/O.

Implementing the 2oo2 voting facilities in hardware allows application developers to migrate existing application software with minimal modifications. An extensive set of well-documented application programming interfaces (APIs) that provide access to system parameters and management facilities makes it easy for application developers and system integrators to monitor and control the system.

The ControlSafe Platform includes I/O modules that provide interfaces to a range of communication protocols such as CAN, Ethernet, Ethernet Ring, MVB, GPS/Wireless, UART, digital and analog. All I/O modules have a common architecture based on the same Freescale CPU core and the same Wind River VxWorks 653 operating system, thus simplifying the software development environment. All I/O modules are accessed over Ethernet, allowing a seamless distributed architecture in which additional expansion can be contained in a remote chassis. All modules support remote online software and firmware upgrade without risk of rendering a system inoperable.

Product Specification

SIL4 COTS Fail-Safe System

Processor module
- Freescale P2010 1 GHz
- 1 GB (opt. 4 GB) DDR3-800 ECC SDRAM
- Two 128 MB Flash
- Two 2 MB MRAM

Switch module and I/O module
- Freescale P1011 800 MHz
- 512 MB (opt. 2 GB) DDR3-667 ECC SDRAM
- Two 64 MB Flash
- 2 MB MRAM

Certified to SIL 4 safety standards

Slot and voltage management and temperature sensors

1 GbE fabric

6 front I/O slots

6 rear I/O slots

Standard eight 10/100/1000BASE-T ports, opt. 2 per Ethernet I/O module

Opt. 2 Ethernet Ring ports per Ethernet Ring I/O module

Opt. 2 CANbus ports per CAN IO module

Vibration compliant with EN61373 (12.2.11)

Shock compliant with IEC 60068-2-27

AC power supply

Compliant with EN50121, EN50124, EN50155, EN50126, EN50128, EN50129, EN55024, EN60529, EN60571, IEC61508

-40 C to +70 C operating temperature range, convection-cooled

VxWorks 653

2 years warranty

Ordering Information

CSP-CSC-CORE-AC-01    SIL4 ControlSafe Computer System with two CPUs, AC PSUs, Switch module and VxWorks 653
CSP-CSC-SRB-01        Safety Relay Box
CSP-CSC-SRB-FRU-01    Replaceable module for Safety Relay Box
CSP-CSC-CAN-01        CAN I/O module
CSP-CSC-CAN-RTM-01    High-speed rear transition module for CAN I/O module
CSP-CSC-RING-01       Ethernet Ring module
CSP-CSC-RING-RTM-01   Rear transition module for Ethernet Ring module
CSP-CSC-ETH-01        Ethernet I/O module
CSP-CSC-ETH-RTM-01    Rear transition module for Ethernet I/O module
CSP-CBL-MAIN-01       Maintenance cable kit
CSP-CBL-PWR-EU-01     Power cord for Germany/Italy/France
CSP-CBL-SRB-01        Two cables to connect a ControlSafe Computer to the Safety Relay Box
CSP-CBL-DIRECT-01     Two cables to directly connect two ControlSafe Computers
CSP-CSC-FILL-01       Front filler panel
CSP-CSC-FILL-RTM-01   Rear filler panel