ControlSafe™ CSC/CSP

ControlSafe Platform SIL4 COTS Fail-Safe System for Train Control and Rail Signaling

The SMART Embedded Computing ControlSafe Platform consists of two redundant ControlSafe Computers (CSCs), each of which delivers fail-safe operations. They are linked by a Safety Relay Box (SRB) that monitors the health of the two CSCs, designates one of the as "active" and the other as "standby", and controls fail-over operation between the two CSCs to deliver a fail-safe computing system. The "active" CSC controls the I/O via a customer application, while the "standby" CSC runs the same applications but has no ability to drive any output.

With all safety-related software certified to EN50128 SIL4 and all reliability, availability, maintainability and safety (RAMS) processes certified to EN50126, and hardware certified to EN50129 SIL4, the ControlSafe Platform (CSP) can be deployed in safety application environments to protect investment in rail infrastructure.

At the core of each CSC are two identical CPU boards that run in data lock-step mode and implement a two-out-of-two (2oo2) voting mechanism. The field proven VxWorks 653 operating system from Wind River provides safe partitions for customers applications.

Any discrepancy between these two CPUs causes the active CSC to declare itself unhealthy and signal its state to the SRB, which in turn causes the standby CSC to become active. The unhealthy CSC is taken out of operation and, once it has been repaired, can be brought back into service. This health-and-safety architecture guarantees that there is no possibility of an incorrect output being driven to external equipment.

The ControlSafe Platform is designed to deliver best-in-class system availability as high as 99.9999% which means that system downtime is limited to a few seconds a year.

Application processing is carried out on a modern Freescale QorIQ processor, delivering high performance, energy-efficient processing and supporting the extended life required by rail equipment.

The ControlSafe Platform's data lock-step architecture, which supports high performance modern processors, makes it possible to upgrade processors over time while retaining the same I/O.

Having implemented the 2oo2 voting facilities in hardware allows applications developers to migrate existing application software with minimal modifications. An extensive set of well documented application programming interfaces (API)s that provide access to system parameters and management facilities make it easy for application developers and system integrators to monitor and control the system.

The ControlSafe Platform includes I/O modules that provide interface to a range of communication protocols such as CAN, Ethernet, Ethernet Ring, MVB, GPS/Wireless, UART, digital and analog. All I/O modules have a common architecture based on the same Freescale CPU core and the same Wind River VxWorks 653 operating system, thus simplifying the software development environment. All I/O modules are accessed over Ethernet allowing a seamless distributed architecture where additional expansion can be contained in a remote chassis. All modules support remote online software and firmware upgrade without risk of rendering a system inoperable.