ControlSafe Compact Carborne Platform: Compact SIL4 COTS Fail-Safe and Fault-Tolerant System for Train Control and Rail Signaling



ControlSafe Compact Carborne Platform provides a 15-year product life and 25 years of service


[Figures: ControlSafe Compact Carborne Platform front view, rear view, fan tray, fan tray installation bay, and dimensions]

Modular, scalable solution with best-in-class availability of 99.9999%
The SMART Embedded Computing ControlSafe Compact Carborne Platform is certified to the highest safety integrity level, SIL4, by TÜV SÜD, one of the most trusted certification bodies worldwide. It leverages the same safety architecture and technologies as the ControlSafe Platform, the cornerstone platform of the portfolio. With its compact 4U chassis, front-access I/O and DC power supply, the ControlSafe Compact Carborne Platform is a highly integrated and cost-effective solution aimed mainly at onboard applications such as Automatic Train Protection (ATP), Automatic Train Operation (ATO) and Positive Train Control (PTC). It provides an application-ready safety platform for SIL4 application environments and is fully certified to EN 50126 for reliability, availability, maintainability and safety (RAMS) processes, EN 50128 for safety-related software and EN 50129 for safety-related electronic systems.

The ControlSafe Compact Carborne Platform consists of two redundant ControlSafe Compact Carborne Computers (C-CCCs), each of which operates fail-safe and which together provide a highly available platform. They are linked by a Direct Connect Algorithm (DCA) that monitors the health of the two C-CCCs, designates one of them as "active" and the other as "standby", and controls fail-over between the two to deliver a highly available, fail-safe computing system. The "active" C-CCC controls up to 12 I/O modules via the customer application, while the "standby" C-CCC runs the same application but has no ability to drive any safety-relevant output.

The two identical CPU boards in each C-CCC run in data lock-step and implement a two-out-of-two (2oo2) voting mechanism. The field-proven VxWorks 653 operating system from Wind River provides safe partitions for customer applications.

Any discrepancy between these two CPUs causes the active C-CCC to declare itself unhealthy, and the standby C-CCC becomes active. The unhealthy C-CCC is taken out of operation and, once it has been repaired, can be brought back into service. This health-and-safety architecture is designed so that an incorrect output is never driven to external equipment: a disagreement removes the computer from service instead of letting either CPU's result reach the field.
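To make the fail-safe and fault-tolerant arrangement above concrete, here is an added, deliberately simplified Python model. It is not SMART Embedded Computing's code and does not claim to reflect how the DCA is actually implemented: each computer has two lock-step channels voted 2oo2, any disagreement drives the restrictive safe state and latches that computer unhealthy, and a direct-connect arbiter fails over to the standby, whose output is otherwise discarded. The toy ATP-style application (`atp_supervision`), the fault-injecting channel wrapper, the `repair` step and the cycle trace are all constructed for this example. One modelling choice is worth stating: the cycle in which the discrepancy is detected drives the safe state rather than the standby's result, and the standby only takes over from the next cycle.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

SAFE_STATE = "SAFE"  # restrictive state: outputs de-energized, nothing is driven

Inputs = Dict[str, float]
AppFn = Callable[[Inputs], str]


def atp_supervision(inputs: Inputs) -> str:
    """Constructed toy ATP-style application: demand braking above the speed limit."""
    return "BRAKE" if inputs["speed"] > inputs["limit"] else "RELEASE"


def vote_2oo2(a: str, b: str) -> Tuple[str, bool]:
    """Two-out-of-two voter: drive an output only when both channels agree."""
    if a == b:
        return a, True
    return SAFE_STATE, False  # discrepancy: safe state plus fault indication


@dataclass
class Computer:
    """One C-CCC: two identical CPUs running the same application in lock-step."""
    name: str
    cpu_a: AppFn
    cpu_b: AppFn
    healthy: bool = True

    def cycle(self, inputs: Inputs) -> str:
        if not self.healthy:
            return SAFE_STATE              # out of service: never drives anything
        out, agree = vote_2oo2(self.cpu_a(inputs), self.cpu_b(inputs))
        if not agree:
            self.healthy = False           # latched unhealthy until repaired
        return out

    def repair(self, replacement_cpu_b: AppFn) -> None:
        """Hypothetical maintenance action: swap the faulty board, clear the latch."""
        self.cpu_b = replacement_cpu_b
        self.healthy = True


@dataclass
class DirectConnect:
    """Stand-in for the DCA: watches both computers, assigns active/standby and
    controls fail-over. Only the active computer's output ever reaches the field."""
    active: Computer
    standby: Computer
    events: List[str] = field(default_factory=list)

    def cycle(self, inputs: Inputs) -> Tuple[str, str]:
        """Run one application cycle; return (computer that was active, output driven)."""
        who = self.active.name
        driven = self.active.cycle(inputs)
        standby_was_healthy = self.standby.healthy
        self.standby.cycle(inputs)         # same application, result deliberately discarded
        if standby_was_healthy and not self.standby.healthy:
            self.events.append(f"{self.standby.name} (standby) unhealthy; redundancy lost")
        if not self.active.healthy:
            driven = SAFE_STATE            # fault cycle: the safe state is driven
            if self.standby.healthy:
                self.events.append(f"{who} unhealthy; {self.standby.name} becomes active")
                self.active, self.standby = self.standby, self.active
            else:
                self.events.append("both computers unhealthy; system held in safe state")
        return who, driven


def faulty_from(fn: AppFn, fail_cycle: int) -> AppFn:
    """Constructed fault injector: from fail_cycle onward the channel returns the
    opposite command, standing in for a hardware fault that breaks lock-step."""
    calls = {"n": 0}

    def wrapped(inputs: Inputs) -> str:
        calls["n"] += 1
        out = fn(inputs)
        if calls["n"] >= fail_cycle:
            return "RELEASE" if out == "BRAKE" else "BRAKE"
        return out

    return wrapped


def run_scenario() -> Tuple[List[Tuple[int, str, str]], List[str], DirectConnect]:
    """Constructed trace: C-CCC-1 develops a channel fault on cycle 3, the system
    fails over to C-CCC-2, and C-CCC-1 is repaired and returns as standby."""
    ccc1 = Computer("C-CCC-1", atp_supervision, faulty_from(atp_supervision, 3))
    ccc2 = Computer("C-CCC-2", atp_supervision, atp_supervision)
    dca = DirectConnect(active=ccc1, standby=ccc2)
    traffic = [
        {"speed": 60, "limit": 80}, {"speed": 90, "limit": 80},
        {"speed": 90, "limit": 80},   # cycle 3: channel B of C-CCC-1 disagrees
        {"speed": 70, "limit": 80},
    ]
    trace = []
    for n, inputs in enumerate(traffic, start=1):
        trace.append((n, *dca.cycle(inputs)))
    ccc1.repair(atp_supervision)          # board replaced; back in service as standby
    trace.append((5, *dca.cycle({"speed": 70, "limit": 80})))
    return trace, dca.events, dca
```

Running `run_scenario()` gives a trace in which cycles 1 and 2 are driven by C-CCC-1, cycle 3 drives the safe state because its two channels disagree, and cycles 4 and 5 are driven by C-CCC-2 with the repaired C-CCC-1 back as standby. The point the model makes is that a single faulty channel never drives an unsafe output: the 2oo2 vote blocks it and the computer takes itself out of service, while the redundant computer preserves availability.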

The ControlSafe Compact Carborne Platform is designed to deliver best-in-class system availability as high as 99.9999% (six nines), which corresponds to roughly 30 seconds of downtime per year.

Application processing is carried out on a Freescale QorIQ processor, which delivers high-performance, energy-efficient processing and supports the extended product life required by rail equipment.

Because the C-CCC's data lock-step architecture supports modern high-performance processors, the processor can be upgraded over time while the same I/O is retained.

Because the 2oo2 voting is implemented in hardware, application developers can migrate existing application software with minimal modification. An extensive set of well-documented application programming interfaces (APIs) provides access to system parameters and management facilities, making it easy for application developers and system integrators to monitor and control the system.

The ControlSafe Compact Carborne Platform includes I/O modules that interface to a range of communication protocols, including CAN, Ethernet, Ethernet ring, MVB, GPS/wireless, UART, and digital and analog I/O, to cover a wide spectrum of developments with ease. All intelligent I/O modules are accessed over Ethernet and support remote on-line software and firmware upgrade without the risk of rendering a system inoperable. Every I/O port is user-programmable as safety-relevant or non-safety-relevant. In addition, the Switch Module provides four 10/100/1000BASE-T ports with rugged M12 connectors on its rear transition module (RTM) for direct Ethernet/IP access to other processing nodes in the application's network or to the peer C-CCC.

Product Specification

Compact SIL4 COTS Fail-Safe System

Processor module


Freescale P2020 1 GHz


1 GB (opt. 4 GB) DDR3-800 ECC SDRAM


Two 128 MB Flash



Switch module and CAN IOU module


Freescale P1010 800 MHz


512 MB (opt. 2 GB) DDR3-667 ECC SDRAM


Two 64 MB Flash



UART and Digital IOU module


Altera Cyclone V SoC and FPGAs




Two 64 MB Flash



Certified to SIL4 (EN50126, EN50128, EN50129) and SIL3 (IEC61508) safety standards, issued by TÜV SÜD

Voltage and temperature sensors

4 GbE fabric links

1 front I/O slot

One 10/100/1000BASE-T and RS-232 maintenance port per CPU module and one 10/100/1000BASE-T and RS-232 maintenance port per switch module and CAN IOU module

Standard four 10/100/1000BASE-T ports

Opt. 4 CANbus ports per CAN IOU

Opt. 8 serial ports per UART IOU

Opt. 16 digital inputs per digital input IOU

Opt. 8 digital outputs per digital IOU

Vibration compliant with EN61373 cat. 1, class B (EN 50155 12.2.11)

Shock compliant with EN61373 cat. 1, class B (IEC 60068-2-27)

Compliant with EN50121, EN50124, EN50155, EN50126, EN50128, EN50129, EN55024, EN60529, EN60571, IEC61508


-40°C to +70°C operating temperature range in a closed rack installation with the required airflow, or -40°C to +50°C in an open rack environment

VxWorks 653

2 years warranty



Ordering Information


SIL4 ControlSafe Compact Carborne Computer 4U System with one DC PSU, two CPUs, one Switch module


SIL4 ControlSafe Compact Carborne Computer 4U System with one DC PSU, two CPUs, one Switch module, one 1U budget fan cooling system


SIL4 ControlSafe Compact Carborne Computer 4U System with one DC PSU, two CPUs, one Switch module, one 1U premium fan cooling system



4 Port CAN I/O Module



8 Port UART I/O Module



16 Channel Digital Input Module



8 Channel Digital Output Module



Budget Replacement Fan Tray FRU



Premium Replacement Fan Tray FRU



1U Bay Installation Kit for Fan Tray



4HP Filler Panel



Filler Panel for bay installation kit



Safety Relay Box



Replacement Module for Safety Relay Box



2 cables for direct connect (DCA) operation



Serial cable - micro D-Sub connector to standard DE9