ControlSafe Platform provides 15 years product life and 25 years of service
ControlSafe Platform front view
ControlSafe Platform rear view
ControlSafe Platform fan tray
ControlSafe Platform with a fan tray cooling subsystem
ControlSafe Platform system rack mounting example
ControlSafe Platform dimensions
ControlSafe Platform SIL4 COTS Fail-Safe System for Train Control and Rail Signaling
The SMART Embedded Computing ControlSafe Platform consists of two redundant ControlSafe Computers (CSCs), each of which delivers fail-safe operation. They are linked by a Safety Relay Box (SRB) that monitors the health of the two CSCs, designates one of them as "active" and the other as "standby", and controls fail-over between the two CSCs to deliver a fail-safe computing system. The "active" CSC drives the I/O on behalf of the customer application, while the "standby" CSC runs the same application but has no ability to drive any output.
With all safety-related software certified to EN50128 SIL4 and all reliability, availability, maintainability and safety (RAMS) processes certified to EN50126, and hardware certified to EN50129 SIL4, the ControlSafe Platform (CSP) can be deployed in safety application environments to protect investment in rail infrastructure.
At the core of each CSC are two identical CPU boards that run in data lock-step mode and implement a two-out-of-two (2oo2) voting mechanism. The field-proven VxWorks 653 operating system from Wind River provides safe partitions for customer applications.
Any discrepancy between the two CPUs causes the active CSC to declare itself unhealthy and signal that state to the SRB, which in turn makes the standby CSC active. The unhealthy CSC is taken out of operation and, once it has been repaired, can be brought back into service. This health-and-safety architecture is designed so that an output that has failed the 2oo2 vote is never driven to external equipment. Note that 2oo2 lock-step voting detects disagreement between the two CPUs, such as a random hardware fault on one board; it does not by itself detect a common-mode error such as a defect in the application software that both CPUs execute identically, which is why the software is certified separately to EN50128 SIL4.
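The following is an added example, not code from SMART Embedded Computing or the ControlSafe Platform, that models the 2oo2 vote inside one CSC and the SRB fail-over between two CSCs as described above. The class and function names (`CSC`, `SRB`, `make_cpu`, the `demo_*` functions) and the toy "application" are this example's own assumptions; the real platform implements the vote in hardware and exposes it through the APIs mentioned later on this page. The third scenario illustrates the caveat above: a bug common to every CPU is accepted by the vote.

```python
"""Added example (not ControlSafe Platform code): a minimal model of 2oo2
lock-step voting inside a ControlSafe Computer (CSC) and Safety Relay Box
(SRB) fail-over between two CSCs. All names here are hypothetical."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# A "CPU board" is modelled as a function from input to output. In the real
# CSC the two boards are identical hardware running the same image in lock-step.
Cpu = Callable[[int], int]


def make_cpu(fault: Optional[Dict[int, int]] = None) -> Cpu:
    """Reference application: a trivial computation standing in for the
    customer application. `fault` maps inputs to corrupted outputs, simulating
    a fault on that board (constructed test data, not a real failure mode)."""
    fault = fault or {}

    def cpu(inp: int) -> int:
        good = (inp * 3) % 7
        return fault.get(inp, good)

    return cpu


@dataclass
class CSC:
    name: str
    cpu_a: Cpu
    cpu_b: Cpu
    healthy: bool = True

    def step(self, inp: int) -> Optional[int]:
        """2oo2 vote: both CPUs must agree, otherwise the CSC declares itself
        unhealthy and produces no output. It stays out of service until
        repair() is called."""
        if not self.healthy:
            return None
        out_a, out_b = self.cpu_a(inp), self.cpu_b(inp)
        if out_a != out_b:
            self.healthy = False
            return None
        return out_a

    def repair(self) -> None:
        self.healthy = True


@dataclass
class SRB:
    """Safety Relay Box: designates one CSC active and one standby. Both run
    every step, but only the active CSC's output is driven to the field."""
    csc1: CSC
    csc2: CSC
    active: Optional[CSC] = None
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.csc1

    def standby(self) -> CSC:
        return self.csc2 if self.active is self.csc1 else self.csc1

    def step(self, inp: int) -> Optional[int]:
        """Returns the output driven to external equipment, or None when the
        system is in its fail-safe (no output) state."""
        active_out = self.active.step(inp)
        standby_out = self.standby().step(inp)  # computed, never driven
        if self.active.healthy:
            return active_out
        # Active CSC failed its 2oo2 vote: fail over if the standby is healthy.
        self.log.append(f"{self.active.name} unhealthy")
        if self.standby().healthy:
            self.active = self.standby()
            self.log.append(f"fail-over to {self.active.name}")
            return standby_out
        self.log.append("both CSCs unhealthy: fail-safe, no output")
        return None


def demo_single_fault():
    """CSC1's second board corrupts input 4; the vote catches it and the SRB
    fails over to CSC2, so the corrupted value 99 never reaches the field."""
    srb = SRB(CSC("CSC1", make_cpu(), make_cpu({4: 99})),
              CSC("CSC2", make_cpu(), make_cpu()))
    return [srb.step(i) for i in range(1, 7)], srb.log


def demo_double_fault():
    """A second fault on the new active CSC leaves no healthy CSC: fail-safe."""
    srb = SRB(CSC("CSC1", make_cpu(), make_cpu({2: 0})),
              CSC("CSC2", make_cpu({5: 0}), make_cpu()))
    return [srb.step(i) for i in range(1, 7)]


def demo_common_mode():
    """Caveat: 2oo2 only detects disagreement. The same defect in every board
    yields a consistent wrong answer (99) that the vote accepts."""
    bug = {4: 99}
    srb = SRB(CSC("CSC1", make_cpu(bug), make_cpu(bug)),
              CSC("CSC2", make_cpu(bug), make_cpu(bug)))
    return [srb.step(i) for i in (3, 4, 5)]


if __name__ == "__main__":
    print(demo_single_fault())   # ([3, 6, 2, 5, 1, 4], ['CSC1 unhealthy', 'fail-over to CSC2'])
    print(demo_double_fault())   # [3, 6, 2, 5, None, None]
    print(demo_common_mode())    # [2, 99, 1]
```

The model keeps the page's separation of concerns: the vote lives in the CSC, the active/standby decision lives in the SRB, and a CSC that has failed its vote cannot drive output again until it is explicitly repaired and the SRB fails back to it.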
The ControlSafe Platform is designed to deliver best-in-class system availability as high as 99.9999%, which limits system downtime to roughly 30 seconds a year.
Application processing is carried out on a modern Freescale QorIQ processor, delivering high performance, energy-efficient processing and supporting the extended life required by rail equipment.
The ControlSafe Platform's data lock-step architecture, which supports high performance modern processors, makes it possible to upgrade processors over time while retaining the same I/O.
Implementing the 2oo2 voting facilities in hardware allows application developers to migrate existing application software with minimal modification. An extensive set of well-documented application programming interfaces (APIs) that provide access to system parameters and management facilities makes it easy for application developers and system integrators to monitor and control the system.
The ControlSafe Platform includes I/O modules that provide interfaces to a range of communication protocols such as CAN, Ethernet, Ethernet Ring, MVB, GPS/Wireless, UART, digital and analog. All I/O modules share a common architecture based on the same Freescale CPU core and the same Wind River VxWorks 653 operating system, which simplifies the software development environment. All I/O modules are accessed over Ethernet, allowing a seamless distributed architecture in which additional expansion can be housed in a remote chassis. All modules support remote online software and firmware upgrade without risk of rendering a system inoperable.
- SIL4 COTS Fail-Safe System
- Processor module with Freescale P2010 1 GHz, 1 GB (opt. 4 GB) DDR3-800 ECC SDRAM, two 128 MB Flash, two 2 MB MRAM
- Switch module and I/O module with Freescale P1011 800 MHz, 512 MB (opt. 2 GB) DDR3-667 ECC SDRAM, two 64 MB Flash, 2 MB MRAM
- Certified to SIL 4 safety standards
- Slot and voltage management and temperature sensors
- 1 GbE fabric
- 6 front I/O slots
- 6 rear I/O slots
- Standard eight 10/100/1000BASE-T ports, opt. 2 per Ethernet I/O module
- Opt. 2 Ethernet Ring ports per Ethernet Ring I/O module
- Opt. 2 CANbus ports per CAN IO module
- Vibration compliant with EN61373 (12.2.11)
- Shock compliant with IEC 60068-2-27
- AC power supply
- Compliant with EN50121, EN50124, EN50155, EN50126, EN50128, EN50129, EN55024, EN60529, EN60571, IEC61508
- -40°C .. +70°C operating temperature range, convection-cooled
- VxWorks 653
- 2 years warranty
SIL4 ControlSafe Computer System with two CPUs, AC PSUs, Switch module and VxWorks 653
Safety Relay Box
Replaceable module for Safety Relay Box
CAN I/O module
High Speed rear transition module for CAN I/O module
Ethernet Ring module
Rear transition module for Ethernet Ring module
Ethernet I/O module
Rear transition module for Ethernet I/O module
Maintenance cable kit
Power cord for Germany/Italy/France
2 cables to connect ControlSafe Computer to Safety Relay Box
2 cables to directly connect two ControlSafe Computers
Front filler panel
Rear filler panel