ControlSafe™ CCC/CCP EOL

ControlSafe Carborne Platform Compact SIL4 COTS Fail-Safe and Fault-Tolerant System for Train Control and Rail Signaling

The SMART Embedded Computing ControlSafe Carborne Platform is a modular, scalable solution with best-in-class availability of 99.9999% and was certified to the highest safety level, SIL4, by TÜV SÜD, one of the most trusted certification bodies worldwide. By leveraging the same safety architecture and technologies as the ControlSafe Platform, the cornerstone platform in the portfolio, and the ControlSafe Expansion Box Platform, the ControlSafe Carborne Platform is a highly integrated and cost-effective solution mainly targeting onboard applications such as Automatic Train Protection (ATP), Automatic Train Operation (ATO), and Positive Train Control (PTC), with its compact 4U chassis, front-access I/O and DC power supply. The ControlSafe Carborne Platform provides a cost-effective and application-ready safety platform for a SIL4 application environment and is fully certified to EN 50126 for reliability, availability, maintainability and safety (RAMS) processes, EN 50128 for safety-related software and EN 50129 for safety-related electronic systems.

The ControlSafe Carborne Platform consists of two redundant ControlSafe Carborne Computers (CCCs), each of which delivers fail-safe operation; together they provide a highly available platform. They are linked by a Direct Connect Algorithm (DCA) that monitors the health of the two CCCs, designates one of them as "active" and the other as "standby", and controls fail-over between the two CCCs to deliver a highly available fail-safe computing system. The "active" CCC controls up to 12 I/O modules via the customer application, while the "standby" CCC runs the same application but has no ability to drive any safety-relevant output.

The two identical CPU boards of each CCC run in data lock-step mode and implement a two-out-of-two (2oo2) voting mechanism. The field-proven VxWorks 653 operating system from Wind River provides safe partitions for customer applications.

Any discrepancy between these two CPUs causes the active CCC to declare itself unhealthy and the standby CCC to become active. The unhealthy CCC is taken out of operation and, once it has been repaired, can be brought back into service. This health-and-safety architecture guarantees that there is no possibility of an incorrect output being driven to external equipment.
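The behaviour described in the preceding paragraphs (two lock-stepped CPUs that must agree before an output is driven, an active/standby pair with DCA fail-over, and the safe state when no healthy CCC remains) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from SMART Embedded Computing or the ControlSafe product; the class and function names, the single-integer input/output interface and the "de-energised equals safe" convention are assumptions made for the example.

```python
"""Model of 2oo2 voting with active/standby fail-over.

Added illustration, not code from SMART Embedded Computing or the ControlSafe
product. Names, the bit layout of the inputs and the choice of 0 as the safe
output are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

SAFE_OUTPUT = 0  # assumption: de-energised (0) is the safe state, as for a relay output


@dataclass
class CCC:
    """One ControlSafe Carborne Computer: two CPUs run the same application in lock-step."""
    name: str
    cpu_a: Callable[[int], int]
    cpu_b: Callable[[int], int]
    healthy: bool = True

    def vote_2oo2(self, inputs: int) -> Optional[int]:
        """Both CPUs compute the output; any discrepancy declares this CCC unhealthy."""
        if not self.healthy:
            return None
        a, b = self.cpu_a(inputs), self.cpu_b(inputs)
        if a != b:
            self.healthy = False  # taken out of operation until repaired
            return None
        return a

    def repair(self, cpu_a: Callable[[int], int], cpu_b: Callable[[int], int]) -> None:
        """Replace the CPUs and return the CCC to service (it comes back as standby)."""
        self.cpu_a, self.cpu_b, self.healthy = cpu_a, cpu_b, True


@dataclass
class DCA:
    """Direct Connect Algorithm: monitors both CCCs, picks the active one, drives the output."""
    ccc1: CCC
    ccc2: CCC
    active: str = ""
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.ccc1.name

    def cycle(self, inputs: int) -> int:
        # Both CCCs run the application; only the active one's result may reach the field.
        results = {c.name: c.vote_2oo2(inputs) for c in (self.ccc1, self.ccc2)}
        if self.active == self.ccc1.name:
            active, standby = self.ccc1, self.ccc2
        else:
            active, standby = self.ccc2, self.ccc1
        if results[active.name] is None and standby.healthy:
            self.log.append(f"failover {active.name}->{standby.name}")
            self.active = standby.name
            active = standby
        out = results[active.name]
        if out is None:
            # Neither CCC produced an agreed result: never drive a possibly wrong output.
            self.log.append("no healthy CCC: outputs forced to safe state")
            return SAFE_OUTPUT
        return out


def app_logic(inputs: int) -> int:
    """Constructed application: permit movement (1) only when track clear (bit 0) and doors closed (bit 1)."""
    return 1 if (inputs & 0b11) == 0b11 else 0


def faulty_cpu(inputs: int) -> int:
    """Same application with an injected fault: it ignores the door bit."""
    return 1 if inputs & 0b01 else 0


def run_scenario():
    """Constructed sequence: latent fault exposed, fail-over, repair, second fail-over, safe state."""
    ccc1 = CCC("CCC1", app_logic, faulty_cpu)  # latent fault in CPU B of CCC1
    ccc2 = CCC("CCC2", app_logic, app_logic)
    dca = DCA(ccc1, ccc2)
    outputs = [dca.cycle(i) for i in (0b11, 0b01, 0b11)]  # the fault is exposed on 0b01
    ccc1.repair(app_logic, app_logic)                      # CCC1 returns to service as standby
    ccc2.cpu_b = faulty_cpu                                # now CCC2 develops the same fault
    outputs.append(dca.cycle(0b01))                        # second fail-over, back to CCC1
    ccc1.cpu_a = faulty_cpu                                # CCC1 fails as well
    outputs.append(dca.cycle(0b01))                        # no healthy CCC: safe state
    return outputs, dca.active, dca.log


if __name__ == "__main__":
    print(run_scenario())
```

The point to observe is that the faulty CPU's wrong "permit movement" value on input `0b01` never reaches the output: the 2oo2 comparison turns it into an unhealthy declaration, the DCA fails over to the standby, and when the second CCC also fails the output is forced to the safe state rather than to either CPU's opinion.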

The ControlSafe Carborne Platform is designed to deliver best-in-class system availability as high as 99.9999%, which means that system downtime is limited to a few seconds a year.

Application processing is carried out on a modern Freescale QorIQ processor, delivering high performance, energy-efficient processing and supporting the extended life required by rail equipment.

The CCC's data lock-step architecture, which supports high performance modern processors, makes it possible to upgrade processors over time while retaining the same I/O.

Implementing the 2oo2 voting facilities in hardware allows application developers to migrate existing application software with minimal modifications. An extensive set of well-documented application programming interfaces (APIs) that provide access to system parameters and management facilities makes it easy for application developers and system integrators to monitor and control the system.

The ControlSafe Carborne Platform includes I/O modules that interface to a range of communication protocols such as CAN, Ethernet, Ethernet Ring, MVB, GPS/Wireless, UART, digital and analog, to easily handle a wide spectrum of developments. All intelligent I/O modules are accessed over Ethernet and support remote on-line software and firmware upgrade without risk of rendering a system inoperable. All I/O ports are user-programmable as safety-relevant or non-safety-relevant. In addition, the Switch Module provides four 10/100/1000BASE-T ports with rugged M12 connectors via its rear transition module (RTM) for direct Ethernet/IP access to other processing nodes in the application's network or to the peer CCC.

This product has reached end of life. If you have any questions, please contact us.


Technical Description

  • SIL4 COTS Fail-Safe System
  • Processor module with Freescale P2020 1 GHz, 1 GB (opt. 4 GB) DDR3-800 ECC SDRAM, two 128 MB Flash, two 2 MB MRAM
  • Switch module and CAN IOU module with Freescale P10110 800 MHz, 512 MB (opt. 2 GB) DDR3-667 ECC SDRAM, two 64 MB Flash, 2 MB MRAM
  • UART and Digital IOU module with Altera Cyclone V SoC and FPGAs, 512 MB DDR3-800 ECC SDRAM, two 64 MB Flash, 512 KB MRAM
  • Certified to SIL4 (EN50126, EN50128, EN50129) and SIL3 (IEC61508) safety standards, issued by TÜV SÜD
  • Voltage and temperature sensors
  • 13 GbE fabric links
  • 12 front I/O slots
  • One 10/100/1000BASE-T and RS-232 maintenance port per CPU module and one 10/100/1000BASE-T and RS-232 maintenance port per switch module and CAN IOU module
  • Standard four 10/100/1000BASE-T ports
  • Opt. 4 CANbus ports per CAN IOU
  • Opt. 8 serial ports per UART IOU
  • Opt. 16 digital inputs per digital input IOU
  • Opt. 8 digital outputs per digital IOU
  • Vibration compliant with EN61373 cat. 1, class B (EN 50155 12.2.11)
  • Shock compliant with EN61373 cat. 1, class B (IEC 60068-2-27)
  • Compliant with EN50121, EN50124, EN50155, EN50126, EN50128, EN50129, EN55024, EN60529, EN60571, IEC61508
  • 24V DC PSU
  • -40°C .. +70°C operating temperature range in closed rack installation with required airflow or -40°C .. +50°C in open rack environment
  • VxWorks 653
  • 2 years warranty

Order Information

  • SIL4 ControlSafe Carborne Computer 4U System with one DC PSU, two CPUs, one Switch module
  • SIL4 ControlSafe Carborne Computer 4U System with one DC PSU, two CPUs, one Switch module, one 1U budget fan cooling system
  • SIL4 ControlSafe Carborne Computer 4U System with one DC PSU, two CPUs, one Switch module, one 1U premium fan cooling system
  • 4 port CAN I/O module
  • 8 port UART I/O module
  • 16 channel digital input module
  • 8 channel digital output module
  • Budget replacement fan tray FRU
  • Premium replacement fan tray FRU
  • 1U bay installation kit for fan tray
  • 4HP filler panel
  • Filler panel for bay installation kit
  • Safety relay box
  • Replacement module for safety relay box
  • 2 cables for direct connect (DCA) operation
  • Serial cable - micro D-Sub connector to standard DE9

Technical Documentation

ControlSafe™ CCC/CCP data sheet