Cyber-Physical Systems are networked, component-based, real-time systems that control and monitor the physical world. We need software architectures that limit fault-propagation across unreliable components. This paper introduces our Simplex reference model which is distinguished by: a Plant being controlled in an external context, a Machine performing the control, a Domain Model that estimates the Plant state, and the Safety Requirements that must be met. The Simplex reference model assists with constructing CPS architectures which limit fault-propagation. We present a representative case study to highlight the ideas behind the model and our particular decomposition.