ControlSafe™ CSC/CSP

ControlSafe Platform SIL4 COTS Fail-Safe System for Train Control and Rail Signaling

The SMART Embedded Computing ControlSafe Platform consists of two redundant ControlSafe Computers (CSCs), each of which delivers fail-safe operation. They are linked by a Safety Relay Box (SRB) that monitors the health of the two CSCs, designates one of them as "active" and the other as "standby", and controls fail-over between the two CSCs to deliver a fail-safe computing system. The "active" CSC controls the I/O via a customer application, while the "standby" CSC runs the same application but has no ability to drive any output.

With all safety-related software certified to EN50128 SIL4 and all reliability, availability, maintainability and safety (RAMS) processes certified to EN50126, and hardware certified to EN50129 SIL4, the ControlSafe Platform (CSP) can be deployed in safety application environments to protect investment in rail infrastructure.

At the core of each CSC are two identical CPU boards that run in data lock-step mode and implement a two-out-of-two (2oo2) voting mechanism. The field-proven VxWorks 653 operating system from Wind River provides safe partitions for customer applications.

Any discrepancy between these two CPUs causes the active CSC to declare itself unhealthy and signal its state to the SRB, which in turn causes the standby CSC to become active. The unhealthy CSC is taken out of operation and, once it has been repaired, can be brought back into service. This health-and-safety architecture guarantees that there is no possibility of an incorrect output being driven to external equipment.
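The 2oo2 vote and SRB fail-over sequence described above, as an added illustrative model; this is not SMART's or Wind River's code, and the CSC/SafetyRelayBox classes, the stand-in control law and the injected CPU fault are all constructed for the example:

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class CSC:
    """One ControlSafe Computer: two lock-step CPUs voted 2oo2 (a model, not vendor code)."""
    name: str
    healthy: bool = True
    output_enabled: bool = False  # only the SRB-designated active CSC may drive outputs
    def cycle(self, cpu_a: Callable[[int], int], cpu_b: Callable[[int], int], x: int) -> Optional[int]:
        if not self.healthy:
            return None
        a, b = cpu_a(x), cpu_b(x)          # both CPUs process the same input in lock-step
        if a != b:                         # 2oo2 vote: any disagreement -> declare unhealthy
            self.healthy = False
            return None
        return a if self.output_enabled else None  # standby computes but never drives I/O

class SafetyRelayBox:
    """Monitors both CSCs, designates active/standby and performs fail-over."""
    def __init__(self, first: CSC, second: CSC) -> None:
        self.active, self.standby = first, second
        first.output_enabled, second.output_enabled = True, False
    def arbitrate(self) -> None:
        if self.active.healthy:
            return
        self.active.output_enabled = False       # isolate the unhealthy CSC
        if self.standby.healthy:                 # fail over; if neither is healthy, nothing drives I/O
            self.active, self.standby = self.standby, self.active
            self.active.output_enabled = True

def good(x: int) -> int:
    return 2 * x                                 # stand-in for the application control law
def faulty(x: int) -> int:
    return 2 * x + 1                             # constructed fault: one CPU silently diverges

def simulate(inputs: List[int], fault_cycle: int, repair_cycle: int) -> List[Tuple[str, Optional[int]]]:
    # Returns (active CSC, driven output) per cycle; None means no output was driven that cycle.
    a, b = CSC("CSC-A"), CSC("CSC-B")
    srb = SafetyRelayBox(a, b)
    log = []
    for i, x in enumerate(inputs):
        if i == repair_cycle:
            a.healthy = True                     # repaired CSC returns, but only as standby
        out_a = a.cycle(good, faulty if i == fault_cycle else good, x)
        out_b = b.cycle(good, good, x)
        log.append((srb.active.name, out_a if out_a is not None else out_b))
        srb.arbitrate()
    return log
```

In the cycle where CSC-A's two CPUs disagree, no output is driven at all, and from the next cycle CSC-B drives the outputs; the repaired CSC-A rejoins only as standby.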

The ControlSafe Platform is designed to deliver best-in-class system availability as high as 99.9999%, which means that system downtime is limited to a few seconds a year.

Application processing is carried out on a modern Freescale QorIQ processor, delivering high performance, energy-efficient processing and supporting the extended life required by rail equipment.

The ControlSafe Platform's data lock-step architecture, which supports high performance modern processors, makes it possible to upgrade processors over time while retaining the same I/O.

Implementing the 2oo2 voting facilities in hardware allows application developers to migrate existing application software with minimal modification. An extensive set of well-documented application programming interfaces (APIs) that provide access to system parameters and management facilities makes it easy for application developers and system integrators to monitor and control the system.

The ControlSafe Platform includes I/O modules that provide interfaces to a range of communication protocols such as CAN, Ethernet, Ethernet Ring, MVB, GPS/Wireless, UART, digital and analog. All I/O modules share a common architecture based on the same Freescale CPU core and the same Wind River VxWorks 653 operating system, thus simplifying the software development environment. All I/O modules are accessed over Ethernet, allowing a seamless distributed architecture in which additional expansion can be housed in a remote chassis. All modules support remote online software and firmware upgrade without risk of rendering a system inoperable.


Technical Description

  • SIL4 COTS Fail-Safe System
  • Processor module with Freescale P2010 1 GHz, 1 GB (opt. 4 GB) DDR3-800 ECC SDRAM, two 128 MB Flash, two 2 MB MRAM
  • Switch module and I/O module with Freescale P1011 800 MHz, 512 MB (opt. 2 GB) DDR3-667 ECC SDRAM, two 64 MB Flash, 2 MB MRAM
  • Certified to SIL 4 safety standards
  • Slot and voltage management and temperature sensors
  • 1 GbE fabric
  • 6 front I/O slots
  • 6 rear I/O slots
  • Standard eight 10/100/1000BASE-T ports, opt. 2 per Ethernet I/O module
  • Opt. 2 Ethernet Ring ports per Ethernet Ring I/O module
  • Opt. 2 CANbus ports per CAN I/O module
  • Vibration compliant with EN61373 (12.2.11)
  • Shock compliant with IEC 60068-2-27
  • AC power supply
  • Compliant with EN50121, EN50124, EN50155, EN50126, EN50128, EN50129, EN55024, EN60529, EN60571, IEC61508
  • -40°C to +70°C operating temperature range, convection-cooled
  • VxWorks 653
  • 2 years warranty

Order Information

  • SIL4 ControlSafe Computer System with two CPUs, AC PSUs, Switch module and VxWorks 653
  • Safety Relay Box
  • Replaceable module for Safety Relay Box
  • CAN I/O module
  • High Speed rear transition module for CAN I/O module
  • Ethernet Ring module
  • Rear transition module for Ethernet Ring module
  • Ethernet I/O module
  • Rear transition module for Ethernet I/O module
  • Maintenance cable kit
  • Power cord for Germany/Italy/France
  • 2 cables to connect ControlSafe Computer to Safety Relay Box
  • 2 cables to directly connect two ControlSafe Computers
  • Front filler panel
  • Rear filler panel

Technical Documentation

ControlSafe™ CSC/CSP data sheet