Download:
doc |
pdf
49 CFR
Part
236—Rules, Standards, and Instructions Governing the
Installation, Inspection, Maintenance, and Repair of Signal and Train
Control Systems, Devices, and Appliances
General
§236.18
Software management control plan.
(a)
Within 6 months of June 6, 2005, each railroad shall develop and
adopt a software management control plan for its signal and train
control systems. A railroad commencing operations after June 6, 2005,
shall adopt a software management control plan for its signal and
train control systems prior to commencing operations.
(b)
Within 30 months of the completion of the software management control
plan, each railroad shall have fully implemented such plan.
(c)
For purposes of this section, "software management control plan"
means a plan designed to ensure that the proper and intended software
version for each specific site and location is documented (mapped)
and maintained through the life-cycle of the system. The plan must
further describe how the proper software configuration is to be
identified and confirmed in the event of replacement, modification,
or disarrangement of any part of the system.
[70
FR 11052, March 07, 2005]
§236.110
Results of tests.
(a)
Results of tests made in compliance with § 236.102 to
236.109, inclusive; 236.376 to 236.387, inclusive; 236.576; 236.577;
236.586 to 236.589, inclusive; and 236.917(a) must be recorded on
preprinted forms provided by the railroad or by electronic means,
subject to approval by the FRA Associate Administrator for Safety.
These records must show the name of the railroad, place and date,
equipment tested, results of tests, repairs, replacements,
adjustments made, and condition in which the apparatus was left. Each
record must be:
(1)
Signed by the employee making the test, or electronically coded or
identified by number of the automated test equipment (where
applicable);
(2)
Unless otherwise noted, filed in the office of a supervisory official
having jurisdiction; and
(3)
Available for inspection and replication by FRA and FRA-certified
State inspectors.
(b)
Results of tests made in compliance with § 236.587 must be
retained for 92 days.
(c)
Results of tests made in compliance with § 236.917(a) must
be retained as follows:
(1)
Results of tests that pertain to installation or modification must be
retained for the life-cycle of the equipment tested and may be kept
in any office designated by the railroad; and
(2)
Results of periodic tests required for maintenance or repair of the
equipment tested must be retained until the next record is filed but
in no case less than one year.
(d)
Results of all other tests listed in this section must be retained
until the next record is filed but in no case less than one year.
(e)
Electronic or automated tracking systems used to meet the
requirements contained in paragraph (a) of this section must be
capable of being reviewed and monitored by FRA at any time to ensure
the integrity of the system. FRA's Associate Administrator for Safety
may prohibit or revoke a railroad's authority to utilize an
electronic or automated tracking system in lieu of preprinted forms
if FRA finds that the electronic or automated tracking system is not
properly secured, is inaccessible to FRA, FRA-certified State
inspectors, or railroad employees requiring access to discharge their
assigned duties, or fails to adequately track and monitor the
equipment. The Associate Administrator for Safety will provide the
affected railroad with a written statement of the basis for his or
her decision prohibiting or revoking the railroad from utilizing an
electronic or automated tracking system.
Amended:
[53 FR 37313, Sept. 26, 1988; 70 FR 11052, March 07, 2005]
Part
236 Subpart H
Subpart
H—Standards for Processor-Based Signal and Train Control
Systems
§236.901 Purpose
and scope.
§236.903 Definitions.
§236.905 Railroad
Safety Program Plan (RSPP).
§236.907 Product
Safety Plan (PSP).
§236.909 Minimum
performance standard.
§236.911 Exclusions.
§236.913 Filing
and approval of PSPs.
§236.915 Implementation
and operation.
§236.917 Retention
of records.
§236.919 Operations
and Maintenance Manual.
§236.921 Training
and qualification program, general.
§236.923 Task
analysis and basic requirements.
§236.925 Training
specific to control office personnel.
§236.927 Training
specific to locomotive engineers and other operating personnel.
§236.929 Training
specific to roadway workers.
Source:
70 FR 11052, March 07, 2005
§236.901
Purpose and scope.
(a)
What is the purpose of this subpart? The purpose of this subpart is
to promote the safe operation of processor-based signal and train
control systems, subsystems, and components that are safety-critical
products, as defined in § 236.903, and to facilitate the
development of those products.
(b)
What topics does it cover? This subpart prescribes minimum,
performance-based safety standards for safety-critical products,
including requirements to ensure that the development, installation,
implementation, inspection, testing, operation, maintenance, repair,
and modification of those products will achieve and maintain an
acceptable level of safety. This subpart also prescribes standards to
ensure that personnel working with safety-critical products receive
appropriate training. Each railroad may prescribe additional or more
stringent rules, and other special instructions, that are not
inconsistent with this subpart.
(c)
What other rules apply?
(1)
This subpart does not exempt a railroad from compliance with the
requirements of subparts A through G of this part, except to the
extent a PSP explains to FRA Associate Administrator for Safety's
satisfaction the following:
(i)
How the objectives of any such requirements are met by the product;
(ii)
Why the objectives of any such requirements are not relevant to the
product; or
(iii)
How the requirement is satisfied using alternative means. (See
§ 236.907(a)(14)).
(2)
Products subject to this subpart are also subject to applicable
requirements of parts 233, 234 and 235 of this chapter. See § 234.275
of this chapter with respect to use of this subpart to qualify
certain products for use within highway-rail grade crossing warning
systems.
(3)
Information required to be submitted by this subpart that a submitter
deems to be trade secrets, or commercial or financial information
that is privileged or confidential under Exemption 4 of the Freedom
of Information Act, 5 U.S.C. 552(b)(4), shall be so labeled in
accordance with the provisions of § 209.11 of this chapter.
FRA handles information so labeled in accordance with the provisions
of § 209.11 of this chapter.
§236.903
Definitions.
As
used in this subpart-
Associate
Administrator for Safety means the Associate Administrator for
Safety, FRA, or that person's delegate as designated in writing.
Component
means an element, device, or appliance (including those whose nature
is electrical, mechanical, hardware, or software) that is part of a
system or subsystem.
Configuration
management control plan means a plan designed to ensure that the
proper and intended product configuration, including the hardware
components and software version, is documented and maintained through
the life-cycle of the products in use.
Employer
means a railroad, or contractor to a railroad, that directly engages
or compensates individuals to perform the duties specified in
§ 236.921(a).
Executive
software means software common to all installations of a given
product. It generally is used to schedule the execution of the
site-specific application programs, run timers, read inputs, drive
outputs, perform self-diagnostics, access and check memory, and
monitor the execution of the application software to detect
unsolicited changes in outputs.
FRA
means the Federal Railroad Administration.
Full
automatic operation means that mode of an automatic train control
system capable of operating without external human influence, in
which the locomotive engineer/operator may act as a passive system
monitor, in addition to an active system controller.
Hazard
means an existing or potential condition that can result in an
accident.
High
degree of confidence, as applied to the highest level of aggregation,
means there exists credible safety analysis supporting the conclusion
that the likelihood of the proposed condition associated with the new
product being less safe than the previous condition is very small.
Human
factors refers to a body of knowledge about human limitations, human
abilities, and other human characteristics, such as behavior and
motivation, that must be considered in product design.
Human-machine
interface (HMI) means the interrelated set of controls and displays
that allows humans to interact with the machine.
Initialization
refers to the startup process when it is determined that a product
has all required data input and the product is prepared to function
as intended.
Mandatory
directive has the meaning set forth in § 220.5 of this
chapter.
Materials
handling refers to explicit instructions for handling safety-critical
components established to comply with procedures specified in the
PSP.
Mean
Time To Hazardous Event (MTTHE) means the average or expected time
that a subsystem or component will operate prior to the occurrence of
an unsafe failure.
New
or next-generation train control system means a train control system
using technologies not in use in revenue service at the time of PSP
submission or without established histories of safe practice.
Petition
for approval means a petition to FRA for approval to use a product on
a railroad as described in its PSP. The petition for approval is to
contain information that is relevant to determining the safety of the
resulting system; relevant to determining compliance with this part;
and relevant to determining the safety of the product, including a
complete copy of the product's PSP and supporting safety analysis.
Predefined
change means any post-implementation modification to the use of a
product that is provided for in the PSP (see § 236.907(b)).
Previous
Condition refers to the estimated risk inherent in the portion of the
existing method of operation that is relevant to the change under
analysis (including the elements of any existing signal or train
control system relevant to the review of the product).
Processor-based,
as used in this subpart, means dependent on a digital processor for
its proper functioning.
Product
means a processor-based signal or train control system, subsystem, or
component.
Product
Safety Plan (or PSP) refers to a formal document which describes in
detail all of the safety aspects of the product, including but not
limited to procedures for its development, installation,
implementation, operation, maintenance, repair, inspection, testing
and modification, as well as analyses supporting its safety claims,
as described in § 236.907.
Railroad
Safety Program Plan (or RSPP) refers to a formal document which
describes a railroad's strategy for addressing safety hazards
associated with operation of products under this subpart and its
program for execution of such strategy though the use of PSP
requirements, as described in § 236.905.
Revision
control means a chain of custody regimen designed to positively
identify safety-critical components and spare equipment availability,
including repair/replacement tracking in accordance with procedures
outlined in the PSP.
Risk
means the expected probability of occurrence for an individual
accident event (probability) multiplied by the severity of the
expected consequences associated with the accident (severity).
Risk
assessment means the process of determining, either quantitatively or
qualitatively, the measure of risk associated with use of the product
under all intended operating conditions or the previous condition.
Safety-critical,
as applied to a function, a system, or any portion thereof, means the
correct performance of which is essential to safety of personnel or
equipment, or both; or the incorrect performance of which could cause
a hazardous condition, or allow a hazardous condition which was
intended to be prevented by the function or system to exist.
Subsystem
means a defined portion of a system.
System
refers to a signal or train control system and includes all
subsystems and components thereof, as the context requires.
System
Safety Precedence means the order of precedence in which methods used
to eliminate or control identified hazards within a system are
implemented.
Validation
means the process of determining whether a product's design
requirements fulfill its intended design objectives during its
development and life-cycle. The goal of the validation process is to
determine "whether the correct product was built."
Verification
means the process of determining whether the results of a given phase
of the development cycle fulfill the validated requirements
established at the start of that phase. The goal of the verification
process is to determine "whether the product was built
correctly."
§236.905
Railroad Safety Program Plan (RSPP).
(a)
What is the purpose of an RSPP?
A
railroad subject to this subpart shall develop an RSPP, subject to
FRA approval, that serves as its principal safety document for all
safety-critical products. The RSPP must establish the minimum PSP
requirements that will govern the development and implementation of
all products subject to this subpart, consistent with the provisions
contained in § 236.907.
(b)
What subject areas must the RSPP address?
The
railroad's RSPP must address, at a minimum, the following subject
areas:
(1)
Requirements and concepts. The RSPP must require a description of the
preliminary safety analysis, including:
(i)
A complete description of methods used to evaluate a system's
behavioral characteristics;
(ii)
A complete description of risk assessment procedures;
(iii)
The system safety precedence followed; and
(iv)
The identification of the safety assessment process.
(2)
Design for verification and validation. The RSPP must require
the identification of verification and validation methods for the
preliminary safety analysis, initial development process, and future
incremental changes, including standards to be used in the
verification and validation process, consistent with Appendix C to
this part. The RSPP must require that references to any non-published
standards be included in the PSP.
(3)
Design for human factors. The RSPP must require a description
of the process used during product development to identify human
factors issues and develop design requirements which address those
issues.
(4)
Configuration management control plan. The RSPP must specify
requirements for configuration management for all products to which
this subpart applies.
(c)
How are RSPP's approved?
(1)
Each railroad shall submit a petition for approval of an RSPP in
triplicate to the Associate Administrator for Safety, FRA, 1120
Vermont Avenue, NW., Mail Stop 25, Washington, DC 20590. The petition
must contain a copy of the proposed RSPP, and the name, title,
address, and telephone number of the railroad's primary contact
person for review of the petition.
(2)
Normally within 180 days of receipt of a petition for approval of an
RSPP, FRA:
(i)
Grants the petition, if FRA finds that the petition complies with
applicable requirements of this subpart, attaching any special
conditions to the approval of the petition as necessary to carry out
the requirements of this subpart;
(ii)
Denies the petition, setting forth reasons for denial; or
(iii)
Requests additional information.
(3)
If no action is taken on the petition within 180 days, the petition
remains pending for decision. The petitioner is encouraged to contact
FRA for information concerning its status.
(4)
FRA may reopen consideration of any previously-approved petition for
cause, providing reasons for such action.
(d)
How are RSPP's modified?
(1)
Railroads shall obtain FRA approval for any modification to their
RSPP which affects a safety-critical requirement of a PSP. Other
modifications do not require FRA approval.
(2)
Petitions for FRA approval of RSPP modifications are subject to the
same procedures as petitions for initial RSPP approval, as specified
in paragraph (c) of this section. In addition, such petitions must
identify the proposed modification(s) to be made, the reason for the
modification(s), and the effect of the modification(s) on safety.
§236.907
Product Safety Plan (PSP).
(a)
What must a PSP contain?
The
PSP must include the following:
(1)
A complete description of the product, including a list of all
product components and their physical relationship in the subsystem
or system;
(2)
A description of the railroad operation or categories of operations
on which the product is designed to be used, including train movement
density, gross tonnage, passenger train movement density, hazardous
materials volume, railroad operating rules, and operating speeds;
(3)
An operational concepts document, including a complete description of
the product functionality and information flows;
(4)
A safety requirements document, including a list with complete
descriptions of all functions which the product performs to enhance
or preserve safety;
(5)
A document describing the manner in which product architecture
satisfies safety requirements;
(6)
A hazard log consisting of a comprehensive description of all
safety-relevant hazards to be addressed during the life cycle of the
product, including maximum threshold limits for each hazard (for
unidentified hazards, the threshold shall be exceeded at one
occurrence);
(7)
A risk assessment, as prescribed in § 236.909 and Appendix
B to this part;
(8)
A hazard mitigation analysis, including a complete and comprehensive
description of all hazards to be addressed in the system design and
development, mitigation techniques used, and system safety precedence
followed, as prescribed by the applicable RSPP;
(9)
A complete description of the safety assessment and verification and
validation processes applied to the product and the results of these
processes, describing how subject areas covered in Appendix C to this
part are either: addressed directly, addressed using other safety
criteria, or not applicable;
(10)
A complete description of the safety assurance concepts used in the
product design, including an explanation of the design principles and
assumptions;
(11)
A human factors analysis, including a complete description of all
human-machine interfaces, a complete description of all functions
performed by humans in connection with the product to enhance or
preserve safety, and an analysis in accordance with Appendix E to
this part or in accordance with other criteria if demonstrated to the
satisfaction of the Associate Administrator for Safety to be equally
suitable;
(12)
A complete description of the specific training of railroad and
contractor employees and supervisors necessary to ensure the safe and
proper installation, implementation, operation, maintenance, repair,
inspection, testing, and modification of the product;
(13)
A complete description of the specific procedures and test equipment
necessary to ensure the safe and proper installation, implementation,
operation, maintenance, repair, inspection, testing, and modification
of the product. These procedures, including calibration requirements,
shall be consistent with or explain deviations from the equipment
manufacturer's recommendations;
(14)
An analysis of the applicability of the requirements of subparts A
through G of this part to the product that may no longer apply or are
satisfied by the product using an alternative method, and a complete
explanation of the manner in which those requirements are otherwise
fulfilled (see § 234.275 of this chapter and § 236.901(c));
(15)
A complete description of the necessary security measures for the
product over its life-cycle;
(16)
A complete description of each warning to be placed in the
Operations and Maintenance Manual identified in § 236.919,
and of all warning labels required to be placed on equipment as
necessary to ensure safety;
(17)
A complete description of all initial implementation testing
procedures necessary to establish that safety-functional requirements
are met and safety-critical hazards are appropriately mitigated;
(18)
A complete description of:
(i)
All post-implementation testing (validation) and monitoring
procedures, including the intervals necessary to establish that
safety-functional requirements, safety-critical hazard mitigation
processes, and safety-critical tolerances are not compromised over
time, through use, or after maintenance (repair, replacement,
adjustment) is performed; and
(ii)
Each record necessary to ensure the safety of the system that is
associated with periodic maintenance, inspections, tests, repairs,
replacements, adjustments, and the system's resulting conditions,
including records of component failures resulting in safety-relevant
hazards (see § 236.917(e)(3));
(19)
A complete description of any safety-critical assumptions regarding
availability of the product, and a complete description of all backup
methods of operation; and
(20)
A complete description of all incremental and predefined changes
(see paragraphs (b) and (c) of this section).
(b)
What requirements apply to predefined changes?
(1)
Predefined changes are not considered design modifications requiring
an entirely new safety verification process, a revised PSP, and an
informational filing or petition for approval in accordance with
§ 236.915. However, the risk assessment for the product
must demonstrate that operation of the product, as modified by any
predefined change, satisfies the minimum performance standard.
(2)
The PSP must identify configuration/revision control measures
designed to ensure that safety-functional requirements and
safety-critical hazard mitigation processes are not compromised as a
result of any such change. (Software changes involving safety
functional requirements or safety critical hazard mitigation
processes for components in use are also addressed in paragraph (c)
of this section.)
(c)
What requirements apply to other product changes?
(1)
Incremental changes are planned product version changes described in
the initial PSP where slightly different specifications are used to
allow the gradual enhancement of the product's capabilities.
Incremental changes shall require verification and validation to the
extent the changes involve safety-critical functions.
(2)
Changes classified as maintenance require validation.
(d)
What are the responsibilities of the railroad and product supplier
regarding communication of hazards?
(1)
The PSP shall specify all contractual arrangements with hardware and
software suppliers for immediate notification of any and all safety
critical software upgrades, patches, or revisions for their
processor-based system, sub-system, or component, and the reasons for
such changes from the suppliers, whether or not the railroad has
experienced a failure of that safety-critical system, sub-system, or
component.
(2)
The PSP shall specify the railroad's procedures for action upon
notification of a safety-critical upgrade, patch, or revision for
this processor-based system, sub-system, or component, and until the
upgrade, patch, or revision has been installed; and such action shall
be consistent with the criterion set forth in § 236.915(d)
as if the failure had occurred on that railroad.
(3)
The PSP must identify configuration/revision control measures
designed to ensure that safety-functional requirements and
safety-critical hazard mitigation processes are not compromised as a
result of any such change, and that any such change can be audited.
(4)
Product suppliers entering into contractual arrangements for product
support described in a PSP must promptly report any safety-relevant
failures and previously unidentified hazards to each railroad using
the product.
§236.909
Minimum performance standard.
(a)
What is the minimum performance standard for products covered by this
subpart?
The
safety analysis included in the railroad's PSP must establish with a
high degree of confidence that introduction of the product will not
result in risk that exceeds the previous condition. The railroad
shall determine, prior to filing its petition for approval or
informational filing, that this standard has been met and shall make
available the necessary analyses and documentation as provided in
this subpart.
(b)
How does FRA determine whether the PSP requirements for products
covered by subpart H have been met?
With
respect to any FRA review of a PSP, the Associate Administrator for
Safety independently determines whether the railroad's safety case
establishes with a high degree of confidence that introduction of the
product will not result in risk that exceeds the previous condition.
In evaluating the sufficiency of the railroad's case for the product,
the Associate Administrator for Safety considers, as applicable, the
factors pertinent to evaluation of risk assessments, listed in
§ 236.913(g)(2).
(c)
What is the scope of a full risk assessment required by this section?
A
full risk assessment performed under this subpart must address the
safety risks affected by the introduction, modification, replacement,
or enhancement of a product. This includes risks associated with the
previous condition which are no longer present as a result of the
change, new risks not present in the previous condition, and risks
neither newly created nor eliminated whose nature (probability of
occurrence or severity) is nonetheless affected by the change.
(d)
What is an abbreviated risk assessment, and when may it be used?
(1)
An abbreviated risk assessment may be used in lieu of a full risk
assessment to show compliance with the performance standard if:
(i)
No new hazards are introduced as a result of the change;
(ii)
Severity of each hazard associated with the previous condition does
not increase from the previous condition; and
(iii)
Exposure to such hazards does not change from the previous
condition.
(2)
An abbreviated risk assessment supports the finding required by
paragraph (a) of this section if it establishes that the resulting
MTTHE for the proposed product is greater than or equal to the MTTHE
for the system, component or method performing the same function in
the previous condition. This determination must be supported by
credible safety analysis sufficient to persuade the Associate
Administrator for Safety that the likelihood of the new product's
MTTHE being less than the MTTHE for the system, component, or method
performing the same function in the previous condition is very small.
(3)
Alternatively, an abbreviated risk assessment supports the finding
required by paragraph (a) of this section if:
(i)
The probability of failure for each hazard of the product is equal to
or less the corresponding recommended Specific Quantitative Hazard
Probability Ratings classified as more favorable than "undesirable"
by AREMA Manual Part 17.3.5 (Recommended Procedure for Hazard
Identification and Management of Vital Electronic/Software-Based
Equipment Used in Signal and Train Control Applications), or-in the
case of a hazard classified as undesirable-the Associate
Administrator for Safety concurs that mitigation of the hazard within
the framework of the electronic system is not practical and the
railroad proposes reasonable steps to undertake other mitigation. The
Director of the Federal Register approves the incorporation by
reference of the entire AREMA Communications and Signal Manual,
Volume 4, Section 17-Quality Principles (2005) in this section in
accordance with 5 U.S.C. 552(a) and 1 CFR part 51. You may obtain a
copy of the incorporated standard from American Railway Engineering
and Maintenance of Way Association, 8201 Corporation Drive, Suite
1125, Landover, MD 20785-2230. You may inspect a copy of the
incorporated standard at the Federal Railroad Administration, Docket
Clerk, 1120 Vermont Ave., NW., Suite 7000, or at the National
Archives and Records Administration (NARA). For information on the
availability of this material at NARA, call 202-741-6030, or go to
http://www.archives.gov/federal-register/code-of-federal-regulations/ibr-locations.html;
(ii)
The product is developed in accordance with:
(A)
AREMA Manual Part 17.3.1 (Communications and Signal Manual of
Recommended Practices, Recommended Safety Assurance Program for
Electronic/Software Based Products Used in Vital Signal
Applications);
(B)
AREMA Manual Part 17.3.3 (Communications and Signal Manual of
Recommended Practices, Recommended Practice for Hardware Analysis for
Vital Electronic/Software-Based Equipment Used in Signal and Train
Control Applications);
(C)
AREMA Manual Part 17.3.5 (Communications and Signal Manual of
Recommended Practices, Recommended Practice for Hazard Identification
and Management of Vital Electronic/Software-Based Equipment Used in
Signal and Train Control Applications);
(D)
Appendix C
(iii)
Analysis supporting the PSP suggests no credible reason for
believing that the product will be less safe than the previous
condition.
(e)
How are safety and risk measured for the full risk assessment?
Risk
assessment techniques, including both qualitative and quantitative
methods, are recognized as providing credible and useful results for
purposes of this section if they apply the following principles:
(1)
Safety levels must be measured using competent risk assessment
methods and must be expressed as the total residual risk in the
system over its expected life-cycle after implementation of all
mitigating measures described in the PSP. Appendix B to this part
provides criteria for acceptable risk assessment methods. Other
methods may be acceptable if demonstrated to the satisfaction of the
Associate Administrator for Safety to be equally suitable.
(2)
For the previous condition and for the life-cycle of the product,
risk levels must be expressed in units of consequences per unit of
exposure.
(i)
In all cases exposure must be expressed as total train miles traveled
per year. Consequences must identify the total cost, including
fatalities, injuries, property damage, and other incidental costs,
such as potential consequences of hazardous materials involvement,
resulting from preventable accidents associated with the function(s)
performed by the system. A railroad may, as an alternative, use a
risk metric in which consequences are measured strictly in terms of
fatalities.
(ii)
In those cases where there is passenger traffic, a second risk
metric must be calculated, using passenger-miles traveled per year as
the exposure, and total societal costs of passenger injuries and
fatalities, resulting from preventable accidents associated with the
function(s) performed by the system, as the consequences.
(3)
If the description of railroad operations for the product required by
§ 236.907(a)(2) involves changes to the physical or
operating conditions on the railroad prior to or within the expected
life cycle of the product subject to review under this subpart, the
previous condition shall be adjusted to reflect the lower risk
associated with systems needed to maintain safety and performance at
higher speeds or traffic volumes. In particular, the previous
condition must be adjusted for assumed implementation of systems
necessary to support higher train speeds as specified in § 236.0,
as well as other changes required to support projected increases in
train operations. The following specific requirements apply:
(i)
If the current method of operation would not be adequate under
§ 236.0 for the proposed operations, then the adjusted
previous condition must include a system as required under § 236.0,
applied as follows:
(A)
The minimum system where a passenger train is operated at a speed of
60 or more miles per hour, or a freight train is operated at a speed
of 50 or more miles per hour, shall be a traffic control system;
(B)
The minimum system where a train is operated at a speed of 80 or more
miles per hour, but not more than 110 miles per hour, shall be an
automatic cab signal system with automatic train control; and
(C)
The minimum system where a train is operated at a speed of more than
110 miles per hour shall be a system determined by the Associate
Administrator for Safety to provide an equivalent level of safety to
systems required or authorized by FRA for comparable operations.
(ii)
If the current method of operation would be adequate under § 236.0
for the proposed operations, but the current system is not at least
as safe as a traffic control system, then the adjusted previous
condition must include a traffic control system in the event of any
change that results in:
(A)
An annual average daily train density of more than twelve trains per
day; or
(B)
An increase in the annual average daily density of passenger trains
of more than four trains per day.
(iii)
Paragraph (e)(3)(ii)(A) of this section shall apply in all
situations where train volume will exceed more than 20 trains per day
but shall not apply to situations where train volume will exceed 12
trains per day but not exceed 20 trains per day, if in its PSP the
railroad makes a showing sufficient to establish, in the judgment of
the Associate Administrator for Safety, that the current method of
operation is adequate for a specified volume of traffic in excess of
12 trains per day, but not more than 20 trains per day, without
material delay in the movement of trains over the territory and
without unreasonable expenditures to expedite those movements when
compared with the expense of installing and maintaining a traffic
control system.
(4)
In the case review of a PSP that has been consolidated with a
proceeding pursuant to part 235 of this subchapter (see
§ 236.911(b)), the base case shall be determined as
follows:
(i)
If FRA determines that discontinuance or modification of the system
should be granted without regard to whether the product is installed
on the territory, then the base case shall be the conditions that
would obtain on the territory following the discontinuance or
modification. Note: This is an instance in which the base case is
posited as greater risk than the actual (unadjusted) previous
condition because the railroad would have obtained relief from the
requirement to maintain the existing signal or train control system
even if no new product had been proffered.
(ii)
If FRA determines that discontinuance or modification of the system
should be denied without regard to whether the product is installed
on the territory, then the base case shall remain the previous
condition (unadjusted).
(iii)
If, after consideration of the application and review of the PSP,
FRA determines that neither paragraph (e)(4)(i) nor paragraph
(e)(4)(ii) of this section should apply, FRA will establish a base
case that is consistent with safety and in the public interest.
§236.911
Exclusions.
(a)
Does this subpart apply to existing systems? The requirements of this
subpart do not apply to products in service as of June 6, 2005.
Railroads may continue to implement and use these products and
components from these existing products.
(b)
How will transition cases be handled?
Products
designed in accordance with subparts A through G of this part which
are not in service but are developed or are in the developmental
stage prior to March 7, 2005, may be excluded upon notification to
FRA by June 6, 2005, if placed in service by March 7, 2008. Railroads
may continue to implement and use these products and components from
these existing products. A railroad may at any time elect to have
products that are excluded made subject to this subpart by submitting
a PSP as prescribed in § 236.913 and otherwise complying
with this subpart.
(c)
How are office systems handled?
The
requirements of this subpart do not apply to existing office systems
and future deployments of existing office system technology. However,
a subsystem or component of an office system must comply with the
requirements of this subpart if it performs safety-critical functions
within, or affects the safety performance of, a new or
next-generation train control system. For purposes of this section,
"office system" means a centralized computer-aided
train-dispatching system or centralized traffic control board.
(d)
How are modifications to excluded products handled?
Changes
or modifications to products otherwise excluded from the requirements
of this subpart by this section are not excluded from the
requirements of this subpart if they result in a degradation of
safety or a material increase in safety-critical functionality.
(e)
What other rules apply to excluded products?
Products
excluded by this section from the requirements of this subpart remain
subject to subparts A through G of this part as applicable.
§236.913
Filing and approval of PSPs.
(a)
Under what circumstances must a PSP be prepared?
A
PSP must be prepared for each product covered by this subpart. A
joint PSP must be prepared when:
(1)
The territory on which a product covered by this subpart is normally
subject to joint operations, or is operated upon by more than one
railroad; and
(2)
The PSP involves a change in method of operation.
(b)
Under what circumstances must a railroad submit a petition for
approval for a PSP or PSP amendment, and when may a railroad submit
an informational filing?
Depending
on the nature of the proposed product or change, the railroad shall
submit either an informational filing or a petition for approval.
Submission of a petition for approval is required for PSPs or PSP
amendments concerning installation of new or next-generation train
control systems. All other actions that result in the creation of a
PSP or PSP amendment require an informational filing and are handled
according to the procedures outlined in paragraph (c) of this
section. Applications for discontinuance and material modification of
signal and train control systems remain governed by parts 235 and 211
of this chapter; and petitions subject to this section may be
consolidated with any relevant application for administrative
handling.
(c)
What are the procedures for informational filings?
The
following procedures apply to PSPs and PSP amendments which do not
require submission of a petition for approval, but rather require an
informational filing:
(1)
Not less than 180 days prior to planned use of the product in revenue
service as described in the PSP or PSP amendment, the railroad shall
submit an informational filing to the Associate Administrator for
Safety, FRA, 1200 New Jersey Avenue, SE., Mail Stop 25, Washington,
DC 20590. The informational filing must provide a summary description
of the PSP or PSP amendment, including the intended use of the
product, and specify the location where the documentation as
described in § 236.917(a)(1) is maintained.
(2)
Within 60 days of receipt of the informational filing, FRA:
(i)
Acknowledges receipt of the filing;
(ii)
Acknowledges receipt of the informational filing and requests
further information; or
(iii)
Acknowledges receipt of the filing and notifies the railroad, for
good cause, that the filing will be considered as a petition for
approval as set forth in paragraph (d) of this section, and requests
such further information as may be required to initiate action on the
petition for approval. Examples of good cause, any one of which is
sufficient, include: the PSP describes a product with unique
architectural concepts; the PSP describes a product that uses design
or safety assurance concepts considered outside existing accepted
practices (see Appendix C); and the PSP describes a locomotive-borne
product that commingles safety-critical train control processing
functions with locomotive operational functions. In addition, good
cause includes any instance where the PSP or PSP amendment does not
appear to support its safety claim of satisfaction of the performance
standard, after FRA has requested further information as provided in
paragraph (c)(2)(ii) of this section.
(d)
What procedures apply to petitions for approval?
The
following procedures apply to PSPs and PSP amendments which require
submission of a petition for approval:
(1)
Petitions for approval involving prior FRA consultation.
(i)
The railroad may file a Notice of Product Development with the
Associate Administrator for Safety not less than 30 days prior to the
end of the system design review phase of product development and 180
days prior to planned implementation, inviting FRA to participate in
the design review process and receive periodic briefings and updates
as needed to follow the course of product development. At a minimum,
the Notice of Product Development must contain a summary description
of the product to be developed and a brief description of goals for
improved safety.
(ii)
Within 15 days of receipt of the Notice of Product Development, the
Associate Administrator for Safety either acknowledges receipt or
acknowledges receipt and requests more information.
(iii)
If FRA concludes that the Notice of Product Development contains
sufficient information, the Associate Administrator for Safety
determines the extent and nature of the assessment and review
necessary for final product approval. FRA may convene a technical
consultation as necessary to discuss issues related to the design and
planned development of the product.
(iv)
Within 60 days of receiving the Notice of Product Development, the
Associate Administrator for Safety provides a letter of preliminary
review with detailed findings, including whether the design concepts
of the proposed product comply with the requirements of this subpart,
whether design modifications are necessary to meet the requirements
of this subpart, and the extent and nature of the safety analysis
necessary to comply with this subpart.
(v)
Not less than 60 days prior to use of the product in revenue service,
the railroad shall file with the Associate Administrator for Safety a
petition for final approval.
(vi)
Within 30 days of receipt of the petition for final approval, the
Associate Administrator for Safety either acknowledges receipt or
acknowledges receipt and requests more information. Whenever
possible, FRA acts on the petition for final approval within 60 days
of its filing by either granting it or denying it. If FRA neither
grants nor denies the petition for approval within 60 days, FRA
advises the petitioner of the projected time for decision and
conducts any further consultations or inquiries necessary to decide
the matter.
(2)
Other petitions for approval. The following procedures apply to
petitions for approval of PSPs which do not involve prior FRA
consultation as described in paragraph (d)(1) of this section.
(i)
Not less than 180 days prior to use of a product in revenue service,
the railroad shall file with the Associate Administrator for Safety a
petition for approval.
(ii)
Within 60 days of receipt of the petition for approval, FRA either
acknowledges receipt, or acknowledges receipt and requests more
information.
(iii)
Whenever possible, considering the scope, complexity, and novelty of
the product or change, FRA acts on the petition for approval within
180 days of its filing by either granting it or denying it. If FRA
neither grants nor denies the petition for approval within 180 days,
it remains pending, and FRA provides the petitioner with a statement
of reasons why the petition has not yet been approved.
(e)
What role do product users play in the process of safety review?
(1)
FRA will publish in the Federal Register periodically a topic list
including docket numbers for informational filings and a petition
summary including docket numbers for petitions for approval.
(2)
Interested parties may submit to FRA information and views pertinent
to FRA's consideration of an informational filing or petition for
approval. FRA considers comments to the extent practicable within the
periods set forth in this section. In a proceeding consolidated with
a proceeding under part 235 of this chapter, FRA considers all
comments received.
(f)
Is it necessary to complete field testing prior to filing the
petition for approval?
A
railroad may file a petition for approval prior to completion of
field testing of the product. The petition for approval should
additionally include informationsufficient for FRA to arrange
monitoring of the tests. The Associate Administrator for Safety may
approve a petition for approval contingent upon successful completion
of the test program contained in the PSP or hold the petition for
approval pending completion of the tests.
(g)
How are PSPs approved?
(1)
The Associate Administrator for Safety grants approval of a PSP when:
(i)
The petition for approval has been properly filed and contains the
information required in § 236.907;
(ii)
FRA has determined that the PSP complies with the railroad's
approved RSPP and applicable requirements of this subpart; and
(iii)
The risk assessment supporting the PSP demonstrates that the
proposed product satisfies the minimum performance standard stated in
§ 236.909.
(2)
The Associate Administrator for Safety considers the following
applicable factors when evaluating the risk assessment:
(i)
The extent to which recognized standards have been utilized in
product design and in the relevant safety analysis;
(ii)
The availability of quantitative data, including calculations of
statistical confidence levels using accepted methods, associated with
risk estimates;
(iii)
The complexity of the product and the extent to which it will
incorporate or deviate from design practices associated with
previously established histories of safe operation;
(iv)
The degree of rigor and precision associated with the safety
analyses, including the comprehensiveness of the qualitative
analyses, and the extent to which any quantitative results
realistically reflect appropriate sensitivity cases;
(v)
The extent to which validation of the product has included
experiments and tests to identify uncovered faults in the operation
of the product;
(vi)
The extent to which identified faults are effectively addressed;
(vii)
Whether the risk assessment for the previous condition was conducted
using the same methodology as that for operation under the proposed
condition; and
(viii)
If an independent third-party assessment is required or is performed
at the election of the supplier or railroad, the extent to which the
results of the assessment are favorable.
(3)
The Associate Administrator for Safety also considers when assessing
PSPs the safety requirements for the product within the context of
the proposed method of operations, including:
(i)
The degree to which the product is relied upon as the primary safety
system for train operations; and
(ii)
The degree to which the product is overlaid upon and its operation
is demonstrated to be independent of safety-relevant rules, practices
and systems that will remain in place following the change under
review.
(4)
As necessary to ensure compliance with this subpart and with the
RSPP, FRA may attach special conditions to the approval of the
petition.
(5)
Following the approval of a petition, FRA may reopen consideration of
the petition for cause. Cause for reopening a petition includes such
circumstances as a credible allegation of error or fraud, assumptions
determined to be invalid as a result of in-service experience, or one
or more unsafe events calling into question the safety analysis
underlying the approval.
(h)
Under what circumstances may a third-party assessment be required,
and by whom may it be conducted?
(1)
The PSP must be supported by an independent third party assessment of
the product when FRA concludes it is necessary based upon
consideration of the following factors:
(i)
Those factors listed in paragraphs (g)(2)(i) through (g)(2)(vii) of
this section;
(ii)
The sufficiency of the assessment or audit previously conducted at
the election of a supplier or railroad; and
(iii)
Whether applicable requirements of subparts A through G of this part
are satisfied.
(2)
As used in this section, “independent third party” means
a technically competent entity responsible to and compensated by the
railroad (or an association on behalf of one or more railroads) that
is independent of the supplier of the product. An entity that is
owned or controlled by the supplier, that is under common ownership
or control with the supplier, or that is otherwise involved in the
development of the product is not considered “independent”
within the meaning of this section. FRA may maintain a roster of
recognized technically competent entities as a service to railroads
selecting reviewers under this section; however, a railroad is not
limited to entities currently listed on any such roster.
(3)
The third-party assessment must, at a minimum, consist of the
activities and result in production of documentation meeting the
requirements of Appendix D to this part. However, when requiring an
assessment pursuant to this section, FRA specifies any requirements
in Appendix D to this part which the agency has determined are not
relevant to its concerns and, therefore, need notbe included in the
assessment. The railroad shall make the final assessment report
available to FRA upon request.
(i)
How may a PSP be amended?
A
railroad may submit an amendment to a PSP at any time in the same
manner as the initial PSP. Notwithstanding the otherwise applicable
requirements found in this section and § 236.915, changes
affecting the safety-critical functionality of a product may be made
prior to the submission and approval of the PSP amendment as
necessary in order to mitigate risk.
(j)
How may field testing be conducted prior to PSP approval?
(1)
Field testing of a product may be conducted prior to the approval of
a PSP by the submission of an informational filing by a railroad. The
FRA will arrange to monitor the tests based on the information
provided in the filing, which must include:
(i)
A complete description of the product;
(ii)
An operational concepts document;
(iii)
A complete description of the specific test procedures, including
the measures that will be taken to protect trains and on-track
equipment;
(iv)
An analysis of the applicability of the requirements of subparts A
through G of this part to the product that will not apply during
testing;
(v)
The date testing will begin;
(vi)
The location of the testing; and
(vii)
A description of any effect the testing will have on the current
method of operation.
(2)
FRA may impose such additional conditions on this testing as may be
necessary for the safety of train operations. Exemptions from
regulations other than those contained in this part must be requested
through waiver procedures in part 211 of this chapter.
Amended:
[70 FR 72385, Dec. 5, 2005; 74 FR 25174, May 27, 2009]
§236.915
Implementation and operation.
(a)
When may a product be placed or retained in service?
(1)
Except as stated in paragraphs (a)(2) and (a)(3) of this section, a
railroad may operate in revenue service any product 180 days after
filing with FRA the informational filing for that product. The FRA
filing date can be found in FRA's acknowledgment letter referred to
in § 236.913(c)(2).
(2)
Except as stated in paragraph (a)(3) of this section, if FRA approval
is required for a product, the railroad shall not operate the product
in revenue service until after the Associate Administrator for Safety
has approved the petition for approval for that product pursuant to
§ 236.913.
(3)
If after product implementation FRA elects, for cause, to treat the
informational filing for the product as a petition for approval, the
product may remain in use if otherwise consistent with the applicable
law and regulations. FRA may impose special conditions for use of the
product during the period of review for cause.
(b)
How does the PSP relate to operation of the product? Each railroad
shall comply with all provisions in the PSP for each product it uses
and shall operate within the scope of initial operational assumptions
and predefined changes identified by the PSP. Railroads may at any
time submit an amended PSP according to the procedures outlined in
§ 236.913.
(c)
What precautions must be taken prior to interference with the normal
functioning of a product? The normal functioning of any
safety-critical product must not be interfered with in testing or
otherwise without first taking measures to provide for safe movement
of trains, locomotives, roadway workers and on-track equipment that
depend on normal functioning of such product.
(d)
What actions must be taken immediately upon failure of a
safety-critical component? When any safety-critical product component
fails to perform its intended function, the cause must be determined
and the faulty component adjusted, repaired, or replaced without
undue delay. Until repair of such essential components are completed,
a railroad shall take appropriate action as specified in the PSP. See
also § § 236.907(d), 236.917(b).
§
236.917 Retention of records.
(a)
What life-cycle and maintenance records must be maintained?
(1)
The railroad shall maintain at a designated office on the railroad:
(i)
For the life-cycle of the product, adequate documentation to
demonstrate that the PSP meets the safety requirements of the
railroad's RSPP and applicable standards in this subpart, including
the risk assessment; and
(ii)
An Operations and Maintenance Manual, pursuant to § 236.919;
and
(iii)
Training records pursuant to § 236.923(b).
(2)
Results of inspections and tests specified in the PSP must be
recorded as prescribed in § 236.110.
(3)
Contractors of the railroad shall maintain at a designated office
training records pursuant to § 236.923(b).
(b)
What actions must the railroad take in the event of occurrence of a
safety-relevant hazard?
After
the product is placed in service, the railroad shall maintain a
database of all safety-relevant hazards as set forth in the PSP and
those that had not been previously identified in the PSP. If the
frequency of the safety-relevant hazards exceeds the threshold set
forth in the PSP (see § 236.907(a)(6)), then the railroad
shall:
(1)
Report the inconsistency in writing (by mail, facsimile, e-mail, or
hand delivery to the Director, Office of Safety Assurance and
Compliance, FRA, 1120 Vermont Ave., NW., Mail Stop 25, Washington, DC
20590, within 15 days of discovery. Documents that are hand delivered
must not be enclosed in an envelope;
(2)
Take prompt countermeasures to reduce the frequency of the
safety-relevant hazard(s) below the threshold set forth in the PSP;
and
(3)
Provide a final report to the FRA Director, Office of Safety
Assurance and Compliance, on the results of the analysis and
countermeasures taken to reduce the frequency of the safety-relevant
hazard(s) below the threshold set forth in the PSP when the problem
is resolved.
§236.919
Operations and Maintenance Manual.
(a)
The railroad shall catalog and maintain all documents as specified in
the PSP for the installation, maintenance, repair, modification,
inspection, and testing of the product and have them in one
Operations and Maintenance Manual, readily available to persons
required to perform such tasks and for inspection by FRA and
FRA-certified State inspectors.
(b)
Plans required for proper maintenance, repair, inspection, and
testing of safety-critical products must be adequate in detail and
must be made available for inspection by FRA and FRA-certified State
inspectors where such products are deployed or maintained. They must
identify all software versions, revisions, and revision dates. Plans
must be legible and correct.
(c)
Hardware, software, and firmware revisions must be documented in the
Operations and Maintenance Manual according to the railroad's
configuration management control plan and any additional
configuration/revision control measures specified in the PSP.
(d)
Safety-critical components, including spare equipment, must be
positively identified, handled, replaced, and repaired in accordance
with the procedures specified in the PSP.
§236.921
Training and qualification program, general.
(a)
When is training necessary and who must be trained?
Employers
shall establish and implement training and qualification programs for
products subject to this subpart. These programs must meet the
minimum requirements set forth in the PSP and in § § 236.923
through 236.929 as appropriate, for the following personnel:
(1)
Persons whose duties include installing, maintaining, repairing,
modifying, inspecting, and testing safety-critical elements of the
railroad's products, including central office, wayside, or onboard
subsystems;
(2)
Persons who dispatch train operations (issue or communicate any
mandatory directive that is executed or enforced, or is intended to
be executed or enforced, by a train control system subject to this
subpart);
(3)
Persons who operate trains or serve as a train or engine crew member
subject to instruction and testing under part 217 of this chapter, on
a train operating in territory where a train control system subject
to this subpart is in use;
(4)
Roadway workers whose duties require them to know and understand how
a train control system affects their safety and how to avoid
interfering with its proper functioning; and
(5)
The direct supervisors of persons listed in paragraphs (a)(1) through
(a)(4) of this section.
(b)
What competencies are required?
The
employer's program must provide training for persons who perform the
functions described in paragraph (a) of this section to ensure that
they have the necessary knowledge and skills to effectively complete
their duties related to processor-based signal and train control
equipment.
§236.923
Task analysis and basic requirements.
(a)
How must training be structured and delivered?
As
part of the program required by § 236.921, the employer
shall, at a minimum:
(1)
Identify the specific goals of the training program with regard to
the target population (craft, experience level, scope of work, etc.),
task(s), and desired success rate;
(2)
Based on a formal task analysis, identify the installation,
maintenance, repair, modification, inspection, testing, and operating
tasks that must be performed on a railroad's products. This includes
the development of failure scenarios and the actions expected under
such scenarios;
(3)
Develop written procedures for the performance of the tasks
identified;
(4)
Identify the additional knowledge, skills, and abilities above those
required for basic job performance necessary to perform each task;
(5)
Develop a training curriculum that includes classroom, simulator,
computer-based, hands-on, or other formally structured training
designed to impart the knowledge, skills, and abilitiesidentified as
necessary to perform each task;
(6)
Prior to assignment of related tasks, require all persons mentioned
in § 236.921(a) to successfully complete a training
curriculum and pass an examination that covers the product and
appropriate rules and tasks for which they are responsible (however,
such persons may perform such tasks under the direct onsite
supervision of a qualified person prior to completing such training
and passing the examination);
(7)
Require periodic refresher training at intervals specified in the PSP
that includes classroom, simulator, computer-based, hands-on, or
other formally structured training and testing, except with respect
to basic skills for which proficiency is known to remain high as a
result of frequent repetition of the task; and
(8)
Conduct regular and periodic evaluations of the effectiveness of the
training program specified in § 236.923(a)(1) verifying the
adequacy of the training material and its validity with respect to
current railroads products and operations.
(b)
What training records are required?
Employers
shall retain records which designate persons who are qualified under
this section until new designations are recorded or for at least one
year after such persons leave applicable service. These records shall
be kept in a designated location and be available for inspection and
replication by FRA and FRA-certified State inspectors.
§236.925
Training specific to control office personnel.
Any
person responsible for issuing or communicating mandatory directives
in territory where products are or will be in use must be trained in
the following areas, as applicable:
(a)
Instructions concerning the interface between the computer-aided
dispatching system and the train control system, with respect to the
safe movement of trains and other on-track equipment;
(b)
Railroad operating rules applicable to the train control system,
including provision for movement and protection of roadway workers,
unequipped trains, trains with failed or cut-out train control
onboard systems, and other on-track equipment; and
(c)
Instructions concerning control of trains and other on-track
equipment in case the train control system fails, including periodic
practical exercises or simulations, and operational testing under
part 217 of this chapter to ensure the continued capability of the
personnel to provide for safe operations under the alternative method
of operation.
§236.927
Training specific to locomotive engineers and other operating
personnel.
(a)
What elements apply to operating personnel?
Training
provided under this subpart for any locomotive engineer or other
person who participates in the operation of a train in train control
territory must be defined in the PSP and the following elements must
be addressed:
(1)
Familiarization with train control equipment onboard the locomotive
and the functioning of that equipment as part of the system and in
relation to other onboard systems under that person's control;
(2)
Any actions required of the onboard personnel to enable, or enter
data to, the system, such as consist data, and the role of that
function in the safe operation of the train;
(3)
Sequencing of interventions by the system, including pre-enforcement
notification, enforcement notification, penalty application
initiation and post-penalty application procedures;
(4)
Railroad operating rules applicable to the train control system,
including provisions for movement and protection of any unequipped
trains, or trains with failed or cut-out train control onboard
systems and other on-track equipment;
(5)
Means to detect deviations from proper functioning of onboard train
control equipment and instructions regarding the actions to be taken
with respect to control of the train and notification of designated
railroad personnel; and
(6)
Information needed to prevent unintentional interference with the
proper functioning of onboard train control equipment.
(b)
How must locomotive engineer training be conducted?
Training
required under this subpart for a locomotive engineer, together with
required records, must be integrated into the program of training
required by part 240 of this chapter.
(c)
What requirements apply to full automatic operation?
The
following special requirements apply in the event a train control
system is used to effect full automatic operation of the train:
(1)
The PSP must identify all safety hazards to be mitigated by the
locomotive engineer.
(2)
The PSP must address and describe the training required with
provisions for the maintenance of skills proficiency. As a minimum,
the training program must:
(i)
As described in § 236.923(a)(2), develop failure scenarios
which incorporate the safety hazards identified in the PSP, including
the return of train operations to a fully manual mode;
(ii)
Provide training, consistent with § 236.923(a), for safe
train operations under all failure scenarios and identified safety
hazards that affect train operations;
(iii)
Provide training, consistent with § 236.923(a), for safe
train operations under manual control; and
(iv)
Consistent with § 236.923(a), ensure maintenance of manual
train operating skills by requiring manual starting and stopping of
the train for an appropriate number of trips and by one or more of
the following methods:
(A)
Manual operation of a train for a 4-hour work period;
(B)
Simulated manual operation of a train for a minimum of 4 hours in a
Type I simulator as required; or
(C)
Other means as determined following consultation between the railroad
and designated representatives of the affected employees and approved
by the FRA. The PSP must designate the appropriate frequency when
manual operation, starting, and stopping must be conducted, and the
appropriate frequency of simulated manual operation.
§236.929
Training specific to roadway workers.
(a)
How is training for roadway workers to be coordinated with part 214?
Training
required under this subpart for a roadway worker must be integrated
into the program of instruction required under part 214, subpart C of
this chapter ("Roadway Worker Protection"), consistent with
task analysis requirements of § 236.923. This training must
provide instruction for roadway workers who provide protection for
themselves or roadway work groups.
(b)
What subject areas must roadway worker training include?
(1)
Instruction for roadway workers must ensure an understanding of the
role of processor-based signal and train control equipment in
establishing protection for roadway workers and their equipment.
(2)
Instruction for roadway workers must ensure recognition of
processor-based signal and train control equipment on the wayside and
an understanding of how to avoid interference with its proper
functioning.
(3)
Instructions concerning the recognition of system failures and the
provision of alternative methods of on-track safety in case the train
control system fails, including periodic practical exercises or
simulations and operational testing under part 217 of this chapter to
ensure the continued capability of roadway workers to be free from
the danger of being struck by a moving train or other on-track
equipment.
Appendix
B to Part 236—Risk Assessment Criteria
The
safety-critical performance of each product for which risk assessment
is required under this part must be assessed in accordance with the
following criteria or other criteria if demonstrated to the Associate
Administrator for Safety to be equally suitable:
(a)
How are risk metrics to be expressed? The risk metric for the
proposed product must describe with a high degree of confidence the
accumulated risk of a train system that operates over a life-cycle of
25 years or greater. Each risk metric for the proposed product must
be expressed with an upper bound, as estimated with a sensitivity
analysis, and the risk value selected must be demonstrated to have a
high degree of confidence.
(b)
How does the risk assessment handle interaction risks for
interconnected subsystems/components? The safety-critical assessment
of each product must include all of its interconnected subsystems and
components and, where applicable, the interaction between such
subsystems.
(c)
How is the previous condition computed? Each subsystem or component
of the previous condition must be analyzed with a Mean Time To
Hazardous Event (MTTHE) as specified subject to a high degree of
confidence.
(d)
What major risk characteristics must be included when relevant to
assessment? Each risk calculation must consider the total signaling
and train control system and method of operation, as subjected to a
list of hazards to be mitigated by the signaling and train control
system. The methodology requirements must include the following major
characteristics, when they are relevant to the product being
considered:
(1)
Track plan infrastructure;
(2)
Total number of trains and movement density;
(3)
Train movement operational rules, as enforced by the dispatcher and
train crew behaviors;
(4)
Wayside subsystems and components; and
(5)
Onboard subsystems and components.
(e)
What other relevant parameters must be determined for the subsystems
and components? The failure modes of each subsystem or component, or
both, must be determined for the integrated hardware/software (where
applicable) as a function of the Mean Time To Failure (MTTF) failure
restoration rates, and the integrated hardware/software coverage of
all processor-based subsystems or components, or both. Train
operating and movement rules, along with components that are layered
in order to enhance safety-critical behavior, must also be
considered.
(f)
How are processor-based subsystems/components assessed?
(1)
An MTTHE value must be calculated for each processor-based subsystem
or component, or both, indicating the safety-critical behavior of the
integrated hardware/software subsystem or component, or both. The
human factor impact must be included in the assessment, whenever
applicable, to provide an integrated MTTHE value. The MTTHE
calculation must consider the rates of failures caused by permanent,
transient, and intermittent faults accounting for the fault coverage
of the integrated hardware/software subsystem or component,
phased-interval maintenance, and restoration of the detected
failures.
(2)
MTTHE compliance verification and validation must be based on the
assessment of the design for verification and validation process,
historical performance data, analytical methods and experimental
safety-critical performance testing performed on the subsystem or
component. The compliance process must be demonstrated to be
compliant and consistent with the MTTHE metric and demonstrated to
have a high degree of confidence.
(g)
How are non-processor-based subsystems/components assessed?
(1)
The safety-critical behavior of all non-processor-based components,
which are part of a processor-based system or subsystem, must be
quantified with an MTTHE metric. The MTTHE assessment methodology
must consider failures caused by permanent, transient, and
intermittent faults, phase-interval maintenance and restoration of
failures and the effect of fault coverage of each non-processor-based
subsystem or component.
(2)
MTTHE compliance verification and validation must be based on the
assessment of the design for verification and validation process,
historical performance data, analytical methods and experimental
safety-critical performance testing performed on the subsystem or
component. The non-processor-based quantification compliance must be
demonstrated to have a high degree of confidence.
(h)
What assumptions must be documented?
(1)
The railroad shall document any assumptions regarding the reliability
or availability of mechanical, electric, or electronic components.
Such assumptions must include MTTF projections, as well as Mean Time
To Repair (MTTR) projections, unless the risk assessment specifically
explains why these assumptions are not relevant to the risk
assessment. The railroad shall document these assumptions in such a
form as to permit later automated comparisons with in-service
experience (e.g., a spreadsheet).
(2)
The railroad shall document any assumptions regarding human
performance. The documentation shall be in such a form as to
facilitate later comparisons with in-service experience.
(3)
The railroad shall document any assumptions regarding software
defects. These assumptions shall be in a form which permits the
railroad to project the likelihood of detecting an in-service
software defect. These assumptions shall be documented in such a form
as to permit later automated comparisons with in-service experience.
(4)
The railroad shall document all of the identified safety-critical
fault paths. The documentation shall be in such a form as to
facilitate later comparisons with in-service faults.
[70 FR 11052, March 07, 2005]
Appendix
C to Part 236—Safety Assurance Criteria and Processes
(a)
What is the purpose of this appendix?
This
appendix seeks to promote full disclosure of safety risk to
facilitate minimizing or eliminating elements of risk where
practicable by providing minimum criteria and processes for safety
analyses conducted in support of PSPs. The analysis required by this
appendix is intended to minimize the probability of failure to an
acceptable level, helping to optimize the safety of the product
within the limitations of the available engineering science, cost,
and other constraints. FRA uses the criteria and processes set forth
in this appendix to evaluate analyses, assumptions, and conclusions
provided in RSPP and PSP documents. An analysis performed under this
appendix must:
(1)
Address each area of paragraph (b) of this appendix, explaining how
such objectives are addressed or why they are not relevant, and
(2)
Employ a validation and verification process pursuant to paragraph
(c) of this appendix.
(b)
What categories of safety elements must be addressed?
The
designer shall address each of the following safety considerations
when designing and demonstrating the safety of products covered by
subpart H of this part. In the event that any of these principles are
not followed, the PSP shall state both the reason(s) for departure
and the alternative(s) utilized to mitigate or eliminate the hazards
associated with the design principle not followed.
(1)
Normal operation. The system (including all hardware and software)
must demonstrate safe operation with no hardware failures under
normal anticipated operating conditions with proper inputs and within
the expected range of environmental conditions. All safety-critical
functions must be performed properly under these normal conditions.
Absence of specific operator actions or procedures will not prevent
the system from operating safely. There must be no hazards that are
categorized as unacceptable or undesirable. Hazards categorized as
unacceptable must be eliminated by design.
(2)
Systematic failure. It must be shown how the product is designed to
mitigate or eliminate unsafe systematic failures-those conditions
which can be attributed to human error that could occur at various
stages throughout product development. This includes unsafe errors in
the software due to human error in the software specification, design
or coding phases, or both; human errors that could impact hardware
design; unsafe conditions that could occur because of an improperly
designed human-machine interface; installation and maintenance
errors; and errors associated with making modifications.
(3)
Random failure.
(i)
The product must be shown to operate safely under conditions of
random hardware failure. This includes single as well as multiple
hardware failures, particularly in instances where one or more
failures could occur, remain undetected (latent) and react in
combination with a subsequent failure at a later time to cause an
unsafe operating situation. In instances involving a latent failure,
a subsequent failure is similar to there being a single failure. In
the event of a transient failure, and if so designed, the system
should restart itself if it is safe to do so. Frequency of attempted
restarts must be considered in the hazard analysis required by
§ 236.907(a)(8).
(ii)
There shall be no single point failures in the product that can
result in hazards categorized as unacceptable or undesirable.
Occurrence of credible single point failures that can result in
hazards must be detected and the product must achieve a known safe
state before falsely activating any physical appliance.
(iii)
If one non-self-revealing failure combined with a second failure can
cause a hazard that is categorized as unacceptable or undesirable,
then the second failure must be detected and the product must achieve
a known safe state before falsely activating any physical appliance.
(4)
Common Mode failure. Another concern of multiple failure involves
common mode failures in which two or more subsystems or components
intended to compensate one another to perform the same function all
fail by the same mode and result in unsafe conditions. This is of
particular concern in instances in which two or more elements
(hardware or software, or both) are used in combination to ensure
safety. If a common mode failure exists, then any analysis performed
under this appendix cannot rely on the assumption that failures are
independent. Examples include: the use of redundancy in which two or
more elements perform a given function in parallel and when one
(hardware or software) element checks/monitors another element (of
hardware or software) to help ensure its safe operation. Common mode
failure relates to independence, which must be ensured in these
instances. When dealing with the effects of hardware failure, the
designer shall address the effects of the failure not only on other
hardware, but also on the execution of the software, since hardware
failures can greatly affect how the software operates.
(5)
External influences. The product must be shown to operate safely when
subjected to different external influences, including:
(i)
Electrical influences such as power supply anomalies/transients,
abnormal/improper input conditions (e.g., outside of normal range
inputs relative to amplitude and frequency, unusual combinations of
inputs) including those related to a human operator, and others such
as electromagnetic interference or electrostatic discharges, or both;
(ii)
Mechanical influences such as vibration and shock; and
(iii)
Climatic conditions such as temperature and humidity.
(6)
Modifications. Safety must be ensured following modifications to the
hardware or software, or both. All or some of the concerns identified
in this paragraph may be applicable depending upon the nature and
extent of the modifications.
(7)
Software. Software faults must not cause hazards categorized as
unacceptable or undesirable.
(8)
Closed Loop Principle. The product design must require positive
action to be taken in a prescribed manner to either begin product
operation or continue product operation.
(9)
Human Factors Engineering: The product design must sufficiently
incorporate human factors engineering that is appropriate to the
complexity of the product; the educational, mental, and physical
capabilities of the intended operators and maintainers; the degree of
required human interaction with the component; and the environment in
which the product will be used.
(c)
What standards are acceptable for verification and validation?
(1)
The standards employed for verification or validation, or both, of
products subject to this subpart must be sufficient to support
achievement of the applicable requirements of subpart H of this part.
(2)
U.S. Department of Defense Military Standard (MIL-STD) 882C, "System
Safety Program Requirements" (January 19, 1993), is recognized
as providing appropriate risk analysis processes for incorporation
into verification and validation standards.
(3)
The following standards designed for application to processor-based
signal and train control systems are recognized as acceptable with
respect to applicable elements of safety analysis required by subpart
H of this part. The latest versions of the standards listed below
should be used unless otherwise provided.
(i)
IEEE 1483-2000, Standard for the Verification of Vital Functions in
Processor-Based Systems Used in Rail Transit Control.
(ii)
CENELEC Standards as follows:
(A)
EN50126: 1999, Railway Applications: Specification and Demonstration
of Reliability, Availability, Maintainability and Safety (RAMS);
(B)
EN50128 (May 2001), Railway Applications: Software for Railway
Control and Protection Systems;
(C)
EN50129: 2003, Railway Applications: Communications, Signaling, and
Processing Systems-Safety Related Electronic Systems for Signaling;
and
(D)
EN50155:2001/A1:2002, Railway Applications: Electronic Equipment Used
in Rolling Stock.
(iii)
ATCS Specification 140, Recommended Practices for Safety and Systems
Assurance.
(iv)
ATCS Specification 130, Software Quality Assurance.
(v)
AAR-AREMA 2005 Communications and Signal Manual of Recommended
Practices, Part 17.
(vi)
Safety of High Speed Ground Transportation Systems. Analytical
Methodology for Safety Validation of Computer Controlled Subsystems.
Volume II: Development of a Safety Validation Methodology. Final
Report September 1995. Author: Jonathan F. Luedeke, Battelle.
DOT/FRA/ORD-95/10.2.
(vii)
IEC 61508 (International Electrotechnical Commission), Functional
Safety of Electrical/Electronic/Programmable/Electronic Safety
(E/E/P/ES) Related Systems, Parts 1-7 as follows:
(A)
IEC 61508-1 (1998-12) Part 1: General requirements and IEC 61508-1
Corr. (1999-05) Corrigendum 1-Part 1:General Requirements.
(B)
IEC 61508-2 (2000-05) Part 2: Requirements for
electrical/electronic/programmable electronic safety-related systems.
(C)
IEC 61508-3 (1998-12) Part 3: Software requirements and IEC 61508-3
Corr.1(1999-04) Corrigendum 1-Part3: Software requirements.
(D)
IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations and IEC
61508-4 Corr.1(1999-04) Corrigendum 1-Part 4: Definitions and
abbreviations.
(E)
IEC 61508-5 (1998-12) Part 5: Examples of methods for the
determination of safety integrity levels and IEC 61508-5 Corr.1
(1999-04) Corrigendum 1 Part 5: Examples of methods for determination
of safety integrity levels.
(F)
IEC 61508-6 (2000-04) Part 6: Guidelines on the applications of IEC
61508-2 and -3.
(G)
IEC 61508-7 (2000-03) Part 7: Overview of techniques and measures.
(4)
Use of unpublished standards, including proprietary standards, is
authorized to the extent that such standards are shown to achieve the
requirements of this part. However, any such standards shall be
available for inspection and replication by FRA and for public
examination in any public proceeding before the FRA to which they are
relevant.
[70 FR 11052, March 07, 2005]
Appendix
D to Part 236—Independent Review of Verification and
Validation
(a)
What is the purpose of this appendix?
This
appendix provides minimum requirements for independent third-party
assessment of product safety verification and validation pursuant to
subpart H of this part. The goal of this assessment is to provide an
independent evaluation of the product manufacturer's utilization of
safety design practices during the product's development and testing
phases, as required by the applicable railroad's RSPP, the product
PSP, the requirements of subpart H of this part, and any other
previously agreed-upon controlling documents or standards.
(b)
What general requirements apply to the conduct of third party
assessments?
(1)
The supplier may request advice and assistance of the reviewer
concerning the actions identified in paragraphs (c) through (g) of
this appendix. However, the reviewer should not engage in design
efforts, in order to preserve the reviewer's independence and
maintain the supplier's proprietary right to the product.
(2)
The supplier shall provide the reviewer access to any and all
documentation that the reviewer requests and attendance at any design
review or walkthrough that the reviewer determines as necessary to
complete and accomplish the third party assessment. The reviewer may
be accompanied by representatives of FRA as necessary, in FRA's
judgment, for FRA to monitor the assessment.
(c)
What must be done at the preliminary level?
The
reviewer shall evaluate with respect to safety and comment on the
adequacy of the processes which the supplier applies to the design
and development of the product. At a minimum, the reviewer shall
compare the supplier processes with acceptable methodology and employ
any other such tests or comparisons if they have been agreed to
previously with FRA. Based on these analyses, the reviewer shall
identify and document any significant safety vulnerabilities which
are not adequately mitigated by the supplier's (or user's) processes.
Finally, the reviewer shall evaluate the adequacy of the railroad's
RSPP, the PSP, and any other documents pertinent to the product being
assessed.
(d)
What must be done at the functional level?
(1)
The reviewer shall analyze the Preliminary Hazard Analysis (PHA) for
comprehensiveness and compliance with the railroad's RSPP.
(2)
The reviewer shall analyze all Fault Tree Analyses (FTA), Failure
Mode and Effects Criticality Analysis (FMECA), and other hazard
analyses for completeness, correctness, and compliance with the
railroad's RSPP.
(e)
What must be done at the implementation level?
The
reviewer shall randomly select various safety-critical software
modules for audit to verify whether the requirements of the RSPP were
followed. The number of modules audited must be determined as a
representative number sufficient to provide confidence that all
unaudited modules were developed in compliance with the RSPP.
(f)
What must be done at closure?
(1)
The reviewer shall evaluate and comment on the plan for installation
and test procedures of the product for revenue service.
(2)
The reviewer shall prepare a final report of the assessment. The
report shall be submitted to the railroad prior to the commencement
of installation testing and contain at least the following
information:
(i)
Reviewer's evaluation of the adequacy of the PSP, including the
supplier's MTTHE and risk estimates for the product, and the
supplier's confidence interval in these estimates;
(ii)
Product vulnerabilities which the reviewer felt were not adequately
mitigated, including the method by which the railroad would assure
product safety in the event of a hardware or software failure (i.e.,
how does the railroad assure that all potentially hazardous failure
modes are identified?) and the method by which the railroad addresses
comprehensiveness of the product design for the requirements of the
operations it will govern (i.e., how does the railroad assure that
all potentially hazardous operating circumstances are identified? Who
records any deficiencies identified in the design process? Who tracks
the correction of these deficiencies and confirms that they are
corrected?);
(iii)
A clear statement of position for all parties involved for each
product vulnerability cited by the reviewer;
(iv)
Identification of any documentation or information sought by the
reviewer that was denied, incomplete, or inadequate;
(v)
A listing of each RSPP procedure or process which was not properly
followed;
(vi)
Identification of the software verification and validation
procedures for the product's safety-critical applications, and the
reviewer's evaluation of the adequacy of these procedures;
(vii)
Methods employed by the product manufacturer to develop
safety-critical software, such as use of structured language, code
checks, modularity, or other similar generally acceptable techniques;
and
(viii)
Method by which the supplier or railroad addresses comprehensiveness
of the product design which considers the safety elements listed in
paragraph (b) of appendix C to this part.
[70
FR 11052, March 07, 2005]
§236.1001 Purpose and scope.
(a) This subpart prescribes minimum, performance-based safety
standards for PTC systems required by 49 U.S.C. 20157, this subpart,
or an FRA order, including requirements to ensure that the
development, functionality, architecture, installation,
implementation, inspection, testing, operation, maintenance, repair,
and modification of those PTC systems will achieve and maintain an
acceptable level of safety. This subpart also prescribes standards to
ensure that personnel working with, and affected by, safety-critical
PTC system related products receive appropriate training and testing.
(b) Each railroad may prescribe additional or more stringent rules,
and other special instructions, that are not inconsistent with this
subpart.
(c) This subpart does not exempt a railroad from compliance with any
requirement of subparts A through H of this part or parts 233, 234,
and 235 of this chapter, unless:
(1) It is otherwise explicitly excepted by this subpart; or
(2)
The applicable PTCSP, as defined under §236.1003 and approved by
FRA under §236.1015, provides for such an exception per
§236.1013.
§236.1005 Requirements
for Positive Train Control systems.
(a) PTC
system requirements. Each PTC system required to be
installed under this subpart shall:
(1)
Reliably and functionally prevent:
(i)
Train-to-train collisions—including collisions between
trains operating over rail-to-rail at-grade crossings in
accordance with the following risk-based table or alternative
arrangements providing an equivalent level of safety as
specified in an FRA approved PTCSP:
Crossing type
|
Max speed*
|
Protection required
|
(A) Interlocking—one or more PTC routes intersecting
with one or more non-PTC routes
|
≤40 miles per hour
|
Interlocking signal arrangement in accordance with the
requirements of subparts A-G of this part and PTC enforced
stop on PTC routes.
|
(B) Interlocking—one or more PTC routes intersecting
with one or more non-PTC routes
|
>40 miles per hour
|
Interlocking signal arrangement in accordance with the
requirements of subparts A-G of this part, PTC enforced
stop on all PTC routes, and either the use of other than
full PTC technology that provides positive stop
enforcement or a split-point derail incorporated into the
signal system accompanied by 20 miles per hour maximum
allowable speed on the approach of any intersecting
non-PTC route.
|
(C) Interlocking—all PTC routes intersecting
|
Any speed
|
Interlocking signal arrangements in accordance with the
requirements of subparts A-G of this part, and PTC
enforced stop on all routes.
|
(ii) Overspeed derailments, including derailments related to
railroad civil engineering speed restrictions, slow orders,
and excessive speeds over switches and through turnouts;
(iii) Incursions into established work zone limits without
first receiving appropriate authority and verification from
the dispatcher or roadway worker in charge, as applicable and
in accordance with part 214 of this chapter; and
(iv) The movement of a train through a main line switch in the
improper position as further described in paragraph (e) of
this section.
(2) Include safety-critical integration of all authorities and
indications of a wayside or cab signal system, or other
similar appliance, method, device, or system of equivalent
safety, in a manner by which the PTC system shall provide
associated warning and enforcement to the extent, and except
as, described and justified in the FRA approved PTCDP or
PTCSP, as applicable;
(3) As applicable, perform the additional functions specified
in this subpart;
(4) Provide an appropriate warning or enforcement when:
(i) A derail or switch protecting access to the main line
required by §236.1007, or otherwise provided for in the
applicable PTCSP, is not in its derailing or protecting
position, respectively;
(ii) A mandatory directive is issued associated with a
highway-rail grade crossing warning system malfunction as
required by §§234.105, 234.106, or 234.107;
(iii) An after-arrival mandatory directive has been issued and
the train or trains to be waited on has not yet passed the
location of the receiving train;
(iv) Any movable bridge within the route ahead is not in a
position to allow permissive indication for a train movement
pursuant to §236.312; and
(v) A hazard detector integrated into the PTC system that is
required by paragraph (c) of this section, or otherwise
provided for in the applicable PTCSP, detects an unsafe
condition or transmits an alarm; and
(5) Limit the speed of passenger and freight trains to 59
miles per hour and 49 miles per hour, respectively, in areas
without broken rail detection or equivalent safeguards.
(b) PTC system installation. (1) Lines required to
be equipped. Except as otherwise provided in this subpart,
each Class I railroad and each railroad providing or hosting
intercity or commuter passenger service shall progressively
equip its lines as provided in its approved PTCIP such that,
on and after December 31, 2015, a PTC system certified under
§236.1015 is installed and operated by the host railroad
on each:
(i) Main line over which is transported any quantity of
material poisonous by inhalation (PIH), including anhydrous
ammonia, as defined in §§171.8, 173.115 and 173.132
of this title;
(ii) Main line used for regularly provided intercity or
commuter passenger service, except as provided in §236.1019;
and
(iii) Additional line of railroad as required by the
applicable FRA approved PTCIP, this subpart, or an FRA order
requiring installation of a PTC system by that date.
(2) Initial baseline identification of lines. For the
purposes of paragraph (b)(1)(i) of this section, the baseline
information necessary to determine whether a Class I
railroad's track segment shall be equipped with a PTC system
shall be determined and reported as follows:
(i) The traffic density threshold of 5 million gross tons
shall be based upon calendar year 2008 gross tonnage, except
to the extent that traffic may fall below 5 million gross tons
for two consecutive calendar years and a PTCIP or an RFA
reflecting this change is filed and approved under paragraph
(b)(4) of this section and, if applicable, §236.1021.
(ii) The presence or absence of any quantity of PIH hazardous
materials shall be determined by whether one or more cars
containing such product(s) was transported over the track
segment in calendar year 2008 or prior to the filing of the
PTCIP, except to the extent that the PTCIP or RFA justifies,
under paragraph (b)(4) of this section, removal of the subject
track segment from the PTCIP listing of lines to be equipped.
(3) Addition of track segments. To the extent increases
in freight rail traffic occur subsequent to calendar year 2008
that might affect the requirement to install a PTC system on
any line not yet equipped, the railroad shall seek to amend
its PTCIP by promptly filing an RFA in accordance with
§236.1021. The following criteria apply:
(i) If rail traffic exceeds 5 million gross tons in any year
after 2008, the tonnage shall be calculated for the preceding
two calendar years and if the total tonnage for those two
calendar years exceeds 10 million gross tons, a PTCIP or its
amendment is required.
(ii) If PIH traffic is carried on a track segment as a result
of a request for rail service or rerouting warranted under
part 172 of this title, and if the line carries in excess of 5
million gross tons of rail traffic as determined under this
paragraph, a PTCIP or its amendment is required. This does not
apply when temporary rerouting is authorized in accordance
with paragraph (g) of this section.
(iii) Once a railroad is notified by FRA that its RFA filed in
accordance with this paragraph has been approved, the railroad
shall equip the line with the applicable PTC system by
December 31, 2015, or within 24 months, whichever is later.
(4) Exclusion or removal of track segments from PTC
baseline—(i) Routing changes. In a PTCIP or
an RFA, a railroad may request review of the requirement to
install PTC on a track segment where a PTC system is otherwise
required by this section, but has not yet been installed,
based upon changes in rail traffic such as reductions in total
traffic volume to a level below 5 million gross tons annually,
cessation of passenger service or the approval of an MTEA, or
the cessation of PIH materials traffic. Any such request shall
be accompanied by estimated traffic projections for the next 5
years (e.g., as a result of planned rerouting, coordinations,
or location of new business on the line).
(i) FRA will approve the exclusion requested pursuant to
paragraph (b)(4)(i) of this section if the railroad
establishes that, as of December 31, 2015:
(A) No passenger service will be present on the involved track
segment or the passenger service will be subject to an MTEA
approved in accordance with 49 CFR 236.1019; and
(B) No PIH traffic will be present on the involved track
segment or the gross tonnage on the involved track segment
will decline to below 5 million gross tons annually as
computed over a 2-year period.
(iii) Lines with de minimis PIH risk. (A) In a PTCIP or
RFA, a railroad may request review of the requirement to
install PTC on a low density track segment where a PTC system
is otherwise required by this section, but has not yet been
installed, based upon the presence of a minimal quantity of
PIH hazardous materials (less than 100 cars per year, loaded
and residue). Any such request shall be accompanied by
estimated traffic projections for the next 5 years (e.g., as a
result of planned rerouting, coordinations, or location of new
business on the line). Where the request involves prior or
planned rerouting of PIH traffic, the railroad must provide
the information and analysis identified in paragraph (b)(4)(i)
of this section. The submission shall also include a full
description of potential safety hazards on the segment of
track and fully describe train operations over the line. This
provision is not applicable to lines segments used by
intercity or commuter passenger service.
(B) Absent special circumstances related to specific hazards
presented by operations on the line segment, FRA will approve
a request for relief under this paragraph for a rail line
segment:
(1) Consisting exclusively of Class 1 or 2 track as
described in part 213 of this title;
(2) That carries less than 15 million gross tons
annually;
(3) Has a ruling grade of less than 1 percent; and
(4) On which any train transporting a car containing
PIH materials (including a residue car) is operated under
conditions of temporal separation from other trains using the
line segment as documented by a temporal separation plan
accompanying the request. As used in this paragraph, “temporal
separation” has the same meaning given by §236.1019(e),
except that the separation addressed is the separation of a
train carrying any number of cars containing PIH materials
from other freight trains.
(C) FRA will also consider, and may approve, requests for
relief under this paragraph for additional line segments where
each such segment carries less than 15 million gross tons
annually and where it is established to the satisfaction of
the Associate Administrator that risk mitigations will be
applied that will ensure that risk of a release of PIH
materials is negligible.
(D) Failure to submit sufficient information will result in
the denial of any request under this paragraph (b)(4)(ii). If
the request is granted, on and after the date the line would
have otherwise been required to be equipped under the schedule
contained in the PTCIP and approved by FRA, operations on the
line shall be conducted in accordance with any conditions
attached to the grant, including implementation of proposed
mitigations as applicable.
(5) Line sales. FRA does not approve removal of a line
from the PTCIP exclusively based upon a representation that a
track segment will be abandoned or sold to another railroad.
In the event a track segment is approved for abandonment or
transfer by the Surface Transportation Board, FRA will review
at the request of the transferring and acquiring railroads
whether the requirement to install PTC on the line should be
removed given all of the circumstances, including expected
traffic and hazardous materials levels, reservation of
trackage or haulage rights by the transferring railroad,
routing analysis under part 172 of this chapter, commercial
and real property arrangements affecting the transferring and
acquiring railroads post-transfer, and such other factors as
may be relevant to continue safe operations on the line. If
FRA denies the request, the acquiring railroad shall install
the PTC system on the schedule provided in the transferring
railroad's PTCIP, without regard to whether it is a Class I
railroad.
(6) New rail passenger service. No new intercity or
commuter rail passenger service shall commence after December
31, 2015, until a PTC system certified under this subpart has
been installed and made operative.
(c) Hazard detectors. (1) All hazard detectors
integrated into a signal or train control system on or after
October 16, 2008, shall be integrated into PTC systems
required by this subpart; and their warnings shall be
appropriately and timely enforced as described in the
applicable PTCSP.
(2) The applicable PTCSP must provide for receipt and
presentation to the locomotive engineer and other train crew
members of warnings from any additional hazard detectors using
the PTC data network, onboard displays, and audible alerts. If
the PTCSP so provides, the action to be taken by the system
and by the crew members shall be specified.
(3) The PTCDP (as applicable) and PTCSP for any new service
described in §236.1007 to be conducted above 90 miles per
hour shall include a hazard analysis describing the hazards
relevant to the specific route(s) in question (e.g., potential
for track obstruction due to events such as falling rock or
undermining of the track structure due to high water or
displacement of a bridge over navigable waters), the basis for
decisions concerning hazard detectors provided, and the manner
in which such additional hazard detectors will be interfaced
with the PTC system.
(d) Event recorders. (1) Each lead locomotive, as
defined in part 229, of a train equipped and operating with a
PTC system required by this subpart must be equipped with an
operative event recorder, which shall:
(i) Record safety-critical train control data routed to the
locomotive engineer's display that the engineer is required to
comply with;
(ii) Specifically include text messages conveying mandatory
directives, maximum authorized speeds, PTC system brake
warnings, PTC system brake enforcements, and the state of the
PTC system (e.g., cut in, cut out, active, or failed); and
(iii) Include examples of how the captured data will be
displayed during playback along with the format, content, and
data retention duration requirements specified in the PTCSP
submitted and approved pursuant to this paragraph. If such
train control data can be calibrated against other data
required by this part, it may, at the election of the
railroad, be retained in a separate memory module.
(2) Each lead locomotive, as defined in part 229, manufactured
and in service after October 1, 2009, that is equipped and
operating with a PTC system required by this subpart, shall be
equipped with an event recorder memory module meeting the
crash hardening requirements of §229.135 of this chapter.
(3) Nothing in this subpart excepts compliance with any of the
event recorder requirements contained in §229.135 of this
chapter.
(e) Switch position. The following requirements apply
with respect to determining proper switch position under this
section. When a main line switch position is unknown or
improperly aligned for a train's route in advance of the
train's movement, the PTC system will provide warning of the
condition associated with the following enforcement:
(1) A PTC system shall enforce restricted speed over any
switch:
(i) Where train movements are made with the benefit of the
indications of a wayside or cab signal system or other similar
appliance, method, device, or system of equivalent safety
proposed to FRA and approved by the Associate Administrator in
accordance with this part; and
(ii) Where wayside or cab signal system or other similar
appliance, method, device, or system of equivalent safety,
requires the train to be operated at restricted speed.
(2) A PTC system shall enforce a positive stop short of any
main line switch, and any switch on a siding where the
allowable speed is in excess of 20 miles per hour, if movement
of the train over the switch:
(i) Is made without the benefit of the indications of a
wayside or cab signal system or other similar appliance,
method, device, or system of equivalent safety proposed to FRA
and approved by the Associate Administrator in accordance with
this part; or
(ii) Would create an unacceptable risk. Unacceptable risk
includes conditions when traversing the switch, even at low
speeds, could result in direct conflict with the movement of
another train (including a hand-operated crossover between
main tracks, a hand-operated crossover between a main track
and an adjoining siding or auxiliary track, or a hand-operated
switch providing access to another subdivision or branch line,
etc.).
(3) A PTC system required by this subpart shall be designed,
installed, and maintained to perform the switch position
detection and enforcement described in paragraphs (e)(1) and
(e)(2) of this section, except as provided for and justified
in the applicable, FRA approved PTCDP or PTCSP.
(4) The control circuit or electronic equivalent for all
movement authorities over any switches, movable-point frogs,
or derails shall be selected through circuit controller or
functionally equivalent device operated directly by the switch
points, derail, or by switch locking mechanism, or through
relay or electronic device controlled by such circuit
controller or functionally equivalent device, for each switch,
movable-point frog, or derail in the route governed. Circuits
or electronic equivalent shall be arranged so that any
movement authorities less restrictive than those prescribed in
paragraphs (e)(1) and (e)(2) of this section can only be
provided when each switch, movable-point frog, or derail in
the route governed is in proper position, and shall be in
accordance with subparts A through G of this part, unless it
is otherwise provided in a PTCSP approved under this subpart.
(f) Train-to-train collision. A PTC system shall be
considered to be configured to prevent train-to-train
collisions within the meaning of paragraph (a) of this section
if trains are required to be operated at restricted speed and
if the onboard PTC equipment enforces the upper limits of the
railroad's restricted speed rule (15 or 20 miles per hour).
This application applies to:
(1) Operating conditions under which trains are required by
signal indication or operating rule to:
(i) Stop before continuing; or
(ii) Reduce speed to restricted speed and continue at
restricted speed until encountering a more favorable
indication or as provided by operating rule.
(2) Operation of trains within the limits of a joint mandatory
directive.
(g) Temporary rerouting. A train equipped with a PTC
system as required by this subpart may be temporarily rerouted
onto a track not equipped with a PTC system and a train not
equipped with a PTC system may be temporarily rerouted onto a
track equipped with a PTC system as required by this subpart
in the following circumstances:
(1) Emergencies. In the event of an emergency—including
conditions such as derailment, flood, fire, tornado,
hurricane, earthquake, or other similar circumstance outside
of the railroad's control—that would prevent usage of
the regularly used track if:
(i) The rerouting is applicable only until the emergency
condition ceases to exist and for no more than 14 consecutive
calendar days, unless otherwise extended by approval of the
Associate Administrator;
(ii) The railroad provides written or telephonic notification
to the applicable Regional Administrator of the information
listed in paragraph (i) of this section within one business
day of the beginning of the rerouting made in accordance with
this paragraph; and
(iii) The conditions contained in paragraph (j) of this
section are followed.
(2) Planned maintenance. In the event of planned
maintenance that would prevent usage of the regularly used
track if:
(i) The maintenance period does not exceed 30 days;
(ii) A request is filed with the applicable Regional
Administrator in accordance with paragraph (i) of this section
no less than 10 business days prior to the planned rerouting;
and
(iii) The conditions contained in paragraph (j) of this
section are followed.
(h) Rerouting requests. (1) For the purposes of
paragraph (g)(2) of this section, the rerouting request shall
be self-executing unless the applicable Regional Administrator
responds with a notice disapproving of the rerouting or
providing instructions to allow rerouting. Such instructions
may include providing additional information to the Regional
Administrator or Associate Administrator prior to the
commencement of rerouting. Once the Regional Administrator
responds with a notice under this paragraph, no rerouting may
occur until the Regional Administrator or Associate
Administrator provides his or her approval.
(2) In the event the temporary rerouting described in
paragraph (g)(2) of this section is to exceed 30 consecutive
calendar days:
(i) The railroad shall provide a request in accordance with
paragraphs (i) and (j) of this section with the Associate
Administrator no less than 10 business days prior to the
planned rerouting; and
(ii) The rerouting shall not commence until receipt of
approval from the Associate Administrator.
(i) Content of rerouting request. Each notice or
request referenced in paragraph (g) and (h) of this section
must indicate:
(1) The dates that such temporary rerouting will occur;
(2) The number and types of trains that will be rerouted;
(3) The location of the affected tracks; and
(4) A description of the necessity for the temporary
rerouting.
(j) Rerouting conditions. Rerouting of operations under
paragraph (g) of this section may occur under the following
conditions:
(1) Where a train not equipped with a PTC system is rerouted
onto a track equipped with a PTC system, or a train not
equipped with a PTC system that is compatible and functionally
responsive to the PTC system utilized on the line to which the
train is being rerouted, the train shall be operated in
accordance with §236.1029; or
(2) Where any train is rerouted onto a track not equipped with
a PTC system, the train shall be operated in accordance with
the operating rules applicable to the line on which the train
is rerouted.
(k) Rerouting cessation. The applicable Regional
Administrator may order a railroad to cease any rerouting
provided under paragraph (g) or (h) of this section.
[75 FR 2699, Jan. 15,
2010, as amended at 75 FR 59117, Sept. 27, 2010; 77 FR 28305,
May 14, 2012]
236.1006 Equipping
locomotives operating in PTC territory.
(a) Except as provided in paragraph (b) of this section, each
train operating on any track segment equipped with a PTC
system shall be controlled by a locomotive equipped with an
onboard PTC apparatus that is fully operative and functioning
in accordance with the applicable PTCSP approved under this
subpart.
(b) Exceptions. (1) Prior to December 31, 2015, each
railroad required to install PTC shall include in its PTCIP
specific goals for progressive implementation ofonboard
systems and deployment of PTC-equipped locomotives such that
the safety benefits of PTC are achieved through incremental
growth in the percentage of controlling locomotives operating
on PTC lines that are equipped with operative PTC onboard
equipment. The PTCIP shall include a brief but sufficient
explanation of how those goals will be achieved, including
assignment of responsibilities within the organization. The
goals shall be expressed as the percentage of trains operating
on PTC-equipped lines that are equipped with operative onboard
PTC apparatus responsive to the wayside, expressed as an
annualized (calendar year) percentage for the railroad as a
whole.
(2) Each railroad shall adhere to its PTCIP and shall report,
on April 16, of 2011, 2012,2013, and 2014, its progress toward
achieving the goals set under paragraph (b)(1) of this
section. In the event any annual goal is not achieved, the
railroad shall further report the actions it is taking to
ensure achievement of subsequent annual goals.
(3) On and after December 31, 2015, a train controlled by a
locomotive with an onboard PTC apparatus that has failed en
route is permitted to operate in accordance with §236.1029.
(4) A train operated by a Class II or Class III railroad,
including a tourist or excursion railroad, and controlled by a
locomotive not equipped with an onboard PTC apparatus is
permitted to operate on a PTC-operated track segment:
(i) That either:
(A) Has no regularly scheduled intercity or commuter passenger
rail traffic; or
(B) Has regularly scheduled intercity or commuter passenger
rail traffic and the applicable PTCIP permits the operation of
a train operated by a Class II or III railroad and controlled
by a locomotive not equipped with an onboard PTC apparatus;
(ii) Where operations are restricted to four or less such
unequipped trains per day, whereas a train conducting a “turn”
operation (e.g., moving to a point of interchange to drop off
or pick up cars and returning to the track owned by a Class II
or III railroad) is considered two trains for this purpose;
and
(iii) Where each movement shall either:
(A) Not exceed 20 miles in length; or
(B) To the extent any movement exceeds 20 miles in length,
such movement is not permitted without the controlling
locomotive being equipped with an onboard PTC system after
December 31, 2020, and each applicable Class II or III
railroad shall report to FRA its progress in equipping each
necessary locomotive with an onboard PTC apparatus to
facilitate continuation of the movement. The progress reports
shall be filed not later than December 31, 2017 and, if all
necessary locomotives are not yet equipped, on December 31,
2019.
(c) When a train movement is conducted under the exceptions
described in paragraph (b)(4) of this section, that movement
shall be made in accordance with §236.1029.
§236.1007 Additional
requirements for high-speed service.
(a) A PTC railroad that conducts a passenger operation at or
greater than 60 miles per hour or a freight operation at or
greater than 50 miles per hour shall have installed a PTC
system including or working in concert with technology that
includes all of the safety-critical functional attributes of a
block signal system meeting the requirements of this part,
including appropriate fouling circuits and broken rail
detection (or equivalent safeguards).
(b) In addition to the requirements of paragraph (a) of this
section, a host railroad that conducts a freight or passenger
operation at more than 90 miles per hour shall:
(1) Have an approved PTCSP establishing that the system was
designed and will be operated to meet the fail-safe operation
criteria described in Appendix C to this part; and
(2) Prevent unauthorized or unintended entry onto the main
line from any track not equipped with a PTC system compliant
with this subpart by placement of split-point derails or
equivalent means integrated into the PTC system; and
(3) Comply with §236.1029(c).
(c) In addition to the requirements of paragraphs (a) and (b)
of this section, a host railroad that conducts a freight or
passenger operation at more than 125 miles per hour shall have
an approved PTCSP accompanied by a document (“HSR-125”)
establishing that the system:
(1) Will be operated at a level of safety comparable to that
achieved over the 5 year period prior to the submission of the
PTCSP by other train control systems that perform PTC
functions required by this subpart, and which have been
utilized on high-speed rail systems with similar technical and
operational characteristics in the United States or in foreign
service, provided that the use of foreign service data must be
approved by the Associate Administrator before submittal of
the PTCSP; and
(2) Has been designed to detect incursions into the
right-of-way, including incidents involving motor vehicles
diverting from adjacent roads and bridges, where conditions
warrant.
(d) In addition to the requirements of paragraphs (a) through
(c) of this section, a host railroad that conducts a freight
or passenger operation at more than 150 miles per hour, which
is governed by a Rule of Particular Applicability, shall have
an approved PTCSP accompanied by a HSR-125 developed as part
of an overall system safety plan approved by the Associate
Administrator.
(e) A railroad providing existing high-speed passenger service
may request in its PTCSP that the Associate Administrator
excuse compliance with one or more requirements of this
section upon a showing that the subject service has been
conducted with a high level of safety.
§236.1009 Procedural
requirements.
(a) PTC Implementation Plan (PTCIP). (1) By April 16,
2010, each host railroad that is required to implement and
operate a PTC system in accordance with §236.1005(b)
shall develop and submit in accordance with §236.1011(a)
a PTCIP for implementing a PTC system required under
§236.1005. Filing of the PTCIP shall not exempt the
required filings of an NPI, PTCSP, PTCDP, or Type Approval.
(2) After April 16, 2010, a host railroad shall file:
(i) A PTCIP if it becomes a host railroad of a main line track
segment for which it is required to implement and operate a
PTC system in accordance with §236.1005(b); or
(ii) A request for amendment (“RFA”) of its
current and approved PTCIP in accordance with §236.1021
if it intends to:
(A) Initiate a new category of service (i.e., passenger or
freight); or
(B) Add, subtract, or otherwise materially modify one or more
lines of railroad for which installation of a PTC system is
required.
(3) The host and tenant railroad(s) shall jointly file a PTCIP
that addresses shared track:
(i) If the host railroad is required to install and operate a
PTC system on a segment of its track; and
(ii) If the tenant railroad that shares the same track segment
would have been required to install a PTC system if the host
railroad had not otherwise been required to do so.
(4) If railroads required to file a joint PTCIP are unable to
jointly file a PTCIP in accordance with paragraphs (a)(1) and
(a)(3) of this section, then each railroad shall:
(i) Separately file a PTCIP in accordance with paragraph
(a)(1);
(ii) Notify the Associate Administrator that the subject
railroads were unable to agree on a PTCIP to be jointly filed;
(iii) Provide the Associate Administrator with a comprehensive
list of all issues not in agreement between the railroads that
would prevent the subject railroads from jointly filing the
PTCIP; and
(iv) Confer with the Associate Administrator to develop and
submit a PTCIP mutually acceptable to all subject railroads.
(b) Type Approval. Each host railroad, individually or
jointly with others such as a tenant railroad or system
supplier, shall file prior to or simultaneously with the
filing made in accordance with paragraph (a) of this section:
(1) An unmodified Type Approval previously issued by the
Associate Administrator in accordance with §236.1013 or
§236.1031(b) with its associated docket number;
(2) A PTCDP requesting a Type Approval for:
(i) A PTC system that does not have a Type Approval; or
(ii) A PTC system with a previously issued Type Approval that
requires one or more variances;
(3) A PTCSP subject to the conditions set forth in paragraph
(c) of this section, with or without a Type Approval; or
(4) A document attesting that a Type Approval is not necessary
since the host railroad has no territory for which a PTC
system is required under this subpart.
(c) Notice of Product Intent (NPI). A railroad may, in
lieu of submitting a PTCDP, or referencing an already issued
Type Approval, submit an NPI describing the functions of the
proposed PTC system. If a railroad elects to file an NPI in
lieu of a PTCDP or referencing an existing Type Approval with
the PTCIP, and the PTCIP is otherwise acceptable to the
Associate Administrator, the Associate Administrator may grant
provisional approval of the PTCIP.
(1) A provisional approval of a PTCIP, unless otherwise
extended by the Associate Administrator, is valid for a period
of 270 days from the date of approval by the Associate
Administrator.
(2) The railroad must submit an updated PTCIP with either a
complete PTCDP as defined in §236.1013(a), an updated
PTCIP referencing an already approved Type Approval, or a full
PTCSP within 270 days after the “Provisional Approval.”
(i) Within 90 days of receipt of an updated PTCIP that was
submitted with an NPI, the Associate Administrator will
approve or disapprove of the updated PTCIP and notify in
writing the affected railroad. If the updated PTCIP is not
approved, the notification will include the plan's
deficiencies. Within 30 days of receipt of that notification,
the railroad or other entity that submitted the plan shall
correct all deficiencies and resubmit the plan in accordance
with this section and §236.1011, as applicable.
(ii) If an update to a “Provisionally Approved”
PTCIP is not received by the Associate Administrator by the
end of the period indicated in this paragraph, the
“Provisional Approval” given to the PTCIP is
automatically revoked. The revocation is retroactive to the
date the original PTCIP and NPI were first submitted to the
Associate Administrator.
(d) PTCSP and PTC System Certification. The following
apply to each PTCSP and PTC System Certification.
(1) A PTC System Certification for a PTC system may be
obtained by submitting an acceptable PTCSP. If the PTC system
is the subject of a Type Approval, the safety case elements
contained in the PTCDP may be incorporated by reference into
the PTCSP, subject to finalization of the human factors
analysis contained in the PTCDP.
(2) Each PTCSP requirement under §236.1015 shall be
supported by information and analysis sufficient to establish
that the requirements of this subpart have been satisfied.
(3) If the Associate Administrator finds that the PTCSP and
supporting documentation support a finding that the system
complies with this part, the Associate Administrator may
approve the PTCSP. If the Associate Administrator approves the
PTCSP, the railroad shall receive PTC System Certification for
the subject PTC system and shall implement the PTC system
according to the PTCSP.
(4) A required PTC system shall not:
(i) Be used in service until it receives from FRA a PTC System
Certification; and
(ii) Receive a PTC System Certification unless FRA receives
and approves an applicable:
(A) PTCSP; or
(B) Request for Expedited Certification (REC) as defined by
§236.1031(a).
(e) Plan contents. (1) No PTCIP shall receive approval
unless it complies with §236.1011. No railroad shall
receive a Type Approval or PTC System Certification unless the
applicable PTCDP or PTCSP, respectively, comply with
§§236.1013 and 236.1015, respectively.
(2) All materials filed in accordance with this subpart must
be in the English language, or have been translated into
English and attested as true and correct.
(3) Each filing referenced in this section may include a
request for full or partial confidentiality in accordance with
§209.11 of this chapter. If confidentiality is requested
as to a portion of any applicable document, then in addition
to the filing requirements under §209.11 of this chapter,
the person filing the document shall also file a copy of the
original unredacted document, marked to indicate which
portions are redacted in the document's confidential version
without obscuring the original document's contents.
(f) Supporting documentation and information. (1)
Issuance of a Type Approval or PTC System Certification is
contingent upon FRA's confidence in the implementation and
operation of the subject PTC system. This confidence may be
based on FRA-monitored field testing or an independent
assessment performed in accordance with §236.1035 or
§236.1017, respectively.
(2) Upon request by FRA, the railroad requesting a Type
Approval or PTC System Certification must engage in field
testing or independent assessment performed in accordance with
§236.1035 or §236.1017, respectively, to support the
assertions made in any of the plans submitted under this
subpart. These assertions include any of the plans' content
requirements under this subpart.
(g) FRA conditions, reconsiderations, and modifications.
(1) As necessary to ensure safety, FRA may attach special
conditions to approving a PTCIP or issuing a Type Approval or
PTC System Certification.
(2) After granting a Type Approval or PTC System
Certification, FRA may reconsider the Type Approval or PTC
System Certification upon revelation of any of the following
factors concerning the contents of the PTCDP or PTCSP:
(i) Potential error or fraud;
(ii) Potentially invalidated assumptions determined as a
result of in-service experience or one or more unsafe events
calling into question the safety analysis supporting the
approval.
(3) During FRA's reconsideration in accordance with this
paragraph, the PTC system may remain in use if otherwise
consistent with the applicable law and regulations and FRA may
impose special conditions for use of the PTC system.
(4) After FRA's reconsideration in accordance with this
paragraph, FRA may:
(i) Dismiss its reconsideration and continue to recognize the
existing FRA approved Type Approval or PTC System
Certification;
(ii) Allow continued operations under such conditions the
Associate Administrator deems necessary to ensure safety; or
(iii) Revoke the Type Approval or PTC System Certification and
direct the railroad to cease operations where PTC systems are
required under this subpart.
(h) FRA access. The Associate Administrator, or that
person's designated representatives, shall be afforded
reasonable access to monitor, test, and inspect processes,
procedures, facilities, documents, records, design and testing
materials, artifacts, training materials and programs, and any
other information used in the design, development,
manufacture, test, implementation, and operation of the
system, as well as interview any personnel:
(1) Associated with a PTC system for which a Type Approval or
PTC System Certification has been requested or provided; or
(2) To determine whether a railroad has been in compliance
with this subpart.
(i) Foreign regulatory entity verification. Information
that has been certified under the auspices of a foreign
regulatory entity recognized by the Associate Administrator
may, at the Associate Administrator's sole discretion, be
accepted as independently Verified and Validated and used to
support each railroad's development of the PTCSP.
(j) Processing times for PTCDP and PTCSP.
(1) Within 30 days of receipt of a PTCDP or PTCSP, the
Associate Administrator will either acknowledge receipt or
acknowledge receipt and request more information.
(2) To the extent practicable, considering the scope,
complexity, and novelty of the product or change:
(i) FRA will approve, approve with conditions, or deny the
PTCDP within 60 days of the date on which the PTCDP was filed;
(ii) FRA will approve, approve with conditions, or deny the
PTCSP within 180 days of the date on which the PTCSP was
filed;
(iii) If FRA has not approved, approved with conditions, or
denied the PTCDP or PTCSP within the 60-day or 180-day window,
as applicable, FRA will provide the submitting party with a
statement of reasons as to why the submission has not yet been
acted upon and a projected deadline by which an approval or
denial will be issued and any further consultations or
inquiries will be resolved.
§236.1011 PTC
Implementation Plan content requirements.
(a) Contents. A PTCIP filed pursuant to this subpart
shall, at a minimum, describe:
(1) The functional requirements that the proposed system must
meet;
(2) How the PTC railroad intends to comply with §§236.1009(c)
and (d);
(3) How the PTC system will provide for interoperability of
the system between the host and all tenant railroads on the
track segments required to be equipped with PTC systems under
this subpart and:
(i) Include relevant provisions of agreements, executed by all
applicable railroads, in place to achieve interoperability;
(ii) List all methods used to obtain interoperability; and
(iii) Identify any railroads with respect to which
interoperability agreements have not been achieved as of the
time the plan is filed, the practical obstacles that were
encountered that prevented resolution, and the further steps
planned to overcome those obstacles;
(4) How, to the extent practical, the PTC system will be
implemented to address areas of greater risk to the public and
railroad employees before areas of lesser risk;
(5) The sequence and schedule in which track segments will be
equipped and the basis for those decisions, and shall at a
minimum address the following risk factors by track segment:
(i) Segment traffic characteristics such as typical annual
passenger and freight train volume and volume of poison- or
toxic-by-inhalation (PIH or TIH) shipments (loads, residue);
(ii) Segment operational characteristics such as current
method of operation (including presence or absence of a block
signal system), number of tracks, and maximum allowable train
speeds, including planned modifications; and
(iii) Route attributes bearing on risk, including ruling
grades and extreme curvature;
(6) The following information relating to rolling stock:
(i) What rolling stock will be equipped with PTC technology;
(ii) The schedule to equip that rolling stock by December 31,
2015;
(iii) All documents and information required by §236.1006;
and
(iv) Unless the tenant railroad is filing its own PTCIP, the
host railroad's PTCIP shall:
(A) Attest that the host railroad has made a formal written
request to each tenant railroad requesting identification of
each item of rolling stock to be PTC system equipped and the
date each will be equipped; and
(B) Include each tenant railroad's response to the host
railroad's written request made in accordance with paragraph
(a)(6)(iv)(A) of this section;
(7) The number of wayside devices required for each track
segment and the installation schedule to complete wayside
equipment installation by December 31, 2015;
(8) Identification of each track segment on the railroad as
mainline or non-mainline track. If the PTCIP includes an MTEA,
as defined by §236.1019, the PTCIP should identify the
tracks included in the MTEA as main line track with a
reference to the MTEA;
(9) To the extent the railroad determines that risk-based
prioritization required by paragraph (a)(4) of this section is
not practical, the basis for this determination; and
(10) The dates the associated PTCDP and PTCSP, as applicable,
will be submitted to FRA in accordance with §236.1009.
(b) Additional Class I railroad PTCIP requirements.
Each Class I railroad shall include:
(1) In its PTCIP a strategy for full deployment of its PTC
system, describing the criteria that it will apply in
identifying additional rail lines on its own network, and rail
lines of entities that it controls or engages in joint
operations with, for which full or partial deployment of PTC
technologies is appropriate, beyond those required to be
equipped under this subpart. Such criteria shall include
consideration of the policies established by 49 U.S.C. 20156
(railroad safety risk reduction program), and regulations
issued thereunder, as well as non-safety business benefits
that may accrue.
(2) In the Technology Implementation Plan of its Risk
Reduction Program, when first required to be filed in
accordance with 49 U.S.C. 20156 and any regulation promulgated
thereunder, a specification of rail lines selected for full or
partial deployment of PTC under the criteria identified in its
PTCIP.
(3) Nothing in this paragraph shall be construed to create an
expectation or requirement that additional rail lines beyond
those required to be equipped by this subpart must be equipped
or that such lines will be equipped during the period of
primary implementation ending December 31, 2015.
(4) As used in this paragraph, “partial implementation”
of a PTC system refers to use, pursuant to subpart H of this
part, of technology embedded in PTC systems that does not
employ all of the functionalities required by this subpart.
(c) FRA review. Within 90 days of receipt of a PTCIP,
the Associate Administrator will approve or disapprove of the
plan and notify in writing the affected railroad or other
entity. If the PTCIP is not approved, the notification will
include the plan's deficiencies. Within 30 days of receipt of
that notification, the railroad or other entity that submitted
the plan shall correct all deficiencies and resubmit the plan
in accordance with §236.1009 and paragraph (a) of this
section, as applicable.
(d) Subpart H. A railroad that elects to install a PTC
system when not required to do so may elect to proceed under
this subpart or under subpart H of this part.
(e) Upon receipt of a PTCIP, NPI, PTCDP, or PTCSP, FRA posts
on its public web site notice of receipt and reference to the
public docket in which a copy of the filing has been placed.
FRA may consider any public comment on each document to the
extent practicable within the time allowed by law and without
delaying implementation of PTC systems.
(f) The PTCIP shall be maintained to reflect the railroad's
most recent PTC deployment plans until all PTC system
deployments required under this subpart are complete.
[75 FR 2699, Jan. 15, 2010, as amended at 75 FR 59117, Sept.
27, 2010]
§236.1013 PTC
Development Plan and Notice of Product Intent content
requirements and Type Approval.
(a) For a PTC system to obtain a Type Approval from FRA, the
PTCDP shall be filed in accordance with §236.1009 and
shall include:
(1) A complete description of the PTC system, including a list
of all PTC system components and their physical relationships
in the subsystem or system;
(2) A description of the railroad operation or categories of
operations on which the PTC system is designed to be used,
including train movement density (passenger, freight),
operating speeds (including a thorough explanation of intended
compliance with §236.1007), track characteristics, and
railroad operating rules;
(3) An operational concepts document, including a list with
complete descriptions of all functions which the PTC system
will perform to enhance or preserve safety;
(4) A document describing the manner in which the PTC system
architecture satisfies safety requirements;
(5) A preliminary human factors analysis, including a complete
description of all human-machine interfaces and the impact of
interoperability requirements on the same;
(6) An analysis of the applicability to the PTC system of the
requirements of subparts A through G of this part that may no
longer apply or are satisfied by the PTC system using an
alternative method, and a complete explanation of the manner
in which those requirements are otherwise fulfilled;
(7) A prioritized service restoration and mitigation plan and
a description of the necessary security measures for the
system;
(8) A description of target safety levels (e.g., MTTHE for
major subsystems as defined in subpart H of this part),
including requirements for system availability and a
description of all backup methods of operation and any
critical assumptions associated with the target levels;
(9) A complete description of how the PTC system will enforce
authorities and signal indications;
(10) A description of the deviation which may be proposed
under §236.1029(c), if applicable; and
(11) A complete description of how the PTC system will
appropriately and timely enforce all integrated hazard
detectors in accordance with §236.1005(c)(3), if
applicable.
(b) If the Associate Administrator finds that the system
described in the PTCDP would satisfy the requirements for PTC
systems under this subpart and that the applicant has made a
reasonable showing that a system built to the stated
requirements would achieve the level of safety mandated for
such a system under §236.1015, the Associate
Administrator may grant a numbered Type Approval for the
system.
(c) Each Type Approval shall be valid for a period of 5 years,
subject to automatic and indefinite extension provided that at
least one PTC System Certification using the subject PTC
system has been issued within that period and not revoked.
(d) The Associate Administrator may prescribe special
conditions, amendments, and restrictions to any Type Approval
as necessary for safety.
(e) If submitted, an NPI must contain the following
information:
(1) A description of the railroad operation or categories of
operations on which the proposed PTC system is designed to be
used, including train movement density (passenger, freight),
operating speeds (including a thorough explanation of intended
compliance with §236.1007), track characteristics, and
railroad operating rules;
(2) An operational concepts document, including a list with
complete descriptions of all functions that the proposed PTC
system will perform to enhance or preserve safety;
(3) A description of target safety levels (e.g., MTTHE for
major subsystems as defined in subpart H of this part),
including requirements for system availability and a
description of all backup methods of operation and any
critical assumptions associated with the target levels;
(4) A complete description of how the proposed PTC system will
enforce authorities and signal indications; and
(5) A complete description of how the proposed PTC system will
appropriately and timely enforce all integrated hazard
detectors in accordance with §236.1005(c)(3), if
applicable.
§236.1015 PTC
Safety Plan content requirements and PTC System Certification.
(a) Before placing a PTC system required under this part in
service, the host railroad must submit to FRA a PTCSP and
receive a PTC System Certification. If the Associate
Administrator finds that the PTCSP and supporting
documentation support a finding that the system complies with
this part, the Associate Administrator approves the PTCSP and
issues a PTC System Certification. Receipt of a PTC System
Certification affirms that the PTC system has been reviewed
and approved by FRA in accordance with, and meets the
requirements of, this part.
(b) A PTCSP submitted under this subpart may reference and
utilize in accordance with this subpart any Type Approval
previously issued by the Associate Administrator to any
railroad, provided that the railroad:
(1) Maintains a continually updated PTCPVL pursuant to
§236.1023;
(2) Shows that the supplier from which they are procuring the
PTC system has established and can maintain a quality control
system for PTC system design and manufacturing acceptable to
the Associate Administrator. The quality control system must
include the process for the product supplier or vendor to
promptly and thoroughly report any safety-relevant failure and
previously unidentified hazards to each railroad using the
product; and
(3) Provides the applicable licensing information.
(c) A PTCSP submitted in accordance with this subpart shall:
(1) Include the FRA approved PTCDP or, if applicable, the FRA
issued Type Approval;
(2)(i) Specifically and rigorously document each variance,
including the significance of each variance between the PTC
system and its applicable operating conditions as described in
the applicable PTCDP from that as described in the PTCSP, and
attest that there are no other such variances; or
(ii) Attest that there are no variances between the PTC system
and its applicable operating conditions as described in the
applicable PTCDP from that as described in the PTCSP; and
(3) Attest that the system was otherwise built in accordance
with the applicable PTCDP and PTCSP and achieves the level of
safety represented therein.
(d) A PTCSP shall include the same information required for a
PTCDP under §236.1013(a). If a PTCDP has been filed and
approved prior to filing of the PTCSP, the PTCSP may
incorporate the PTCDP by reference, with the exception that a
final human factors analysis shall be provided. The PTCSP
shall contain the following additional elements:
(1) A hazard log consisting of a comprehensive description of
all safety-relevant hazards not previously addressed by the
vendor or supplier to be addressed during the life-cycle of
the PTC system, including maximum threshold limits for each
hazard (for unidentified hazards, the threshold shall be
exceeded at one occurrence);
(2) A description of the safety assurance concepts that are to
be used for system development, including an explanation of
the design principles and assumptions;
(3) A risk assessment of the as-built PTC system described;
(4) A hazard mitigation analysis, including a complete and
comprehensive description of each hazard and the mitigation
techniques used;
(5) A complete description of the safety assessment and
Verification and Validation processes applied to the PTC
system, their results, and whether these processes address the
safety principles described in Appendix C to this part
directly, using other safety criteria, or not at all;
(6) A complete description of the railroad's training plan for
railroad and contractor employees and supervisors necessary to
ensure safe and proper installation, implementation,
operation, maintenance, repair, inspection, testing, and
modification of the PTC system;
(7) A complete description of the specific procedures and test
equipment necessary to ensure the safe and proper
installation, implementation, operation, maintenance, repair,
inspection, testing, and modification of the PTC system on the
railroad and establish safety-critical hazards are
appropriately mitigated. These procedures, including
calibration requirements, shall be consistent with or explain
deviations from the equipment manufacturer's recommendations;
(8) A complete description of any additional warning to be
placed in the Operations and Maintenance Manual in the same
manner specified in §236.919 and all warning labels to be
placed on equipment as necessary to ensure safety;
(9) A complete description of the configuration or revision
control measures designed to ensure that the railroad or its
contractor does not adversely affect the safety-functional
requirements and that safety-critical hazard mitigation
processes are not compromised as a result of any such change;
(10) A complete description of all initial implementation
testing procedures necessary to establish that
safety-functional requirements are met and safety-critical
hazards are appropriately mitigated;
(11) A complete description of all post-implementation testing
(validation) and monitoring procedures, including the
intervals necessary to establish that safety-functional
requirements, safety-critical hazard mitigation processes, and
safety-critical tolerances are not compromised over time,
through use, or after maintenance (adjustment, repair, or
replacement) is performed;
(12) A complete description of each record necessary to ensure
the safety of the system that is associated with periodic
maintenance, inspections, tests, adjustments, repairs, or
replacements, and the system's resulting conditions, including
records of component failures resulting in safety-relevant
hazards (see §236.1037);
(13) A safety analysis to determine whether, when the system
is in operation, any risk remains of an unintended incursion
into a roadway work zone due to human error. If the analysis
reveals any such risk, the PTCDP and PTCSP shall describe how
that risk will be mitigated;
(14) A more detailed description of any alternative
arrangements as already provided under §236.1005(a)(1)(i).
(15) A complete description of how the PTC system will enforce
authorities and signal indications, unless already completely
provided for in the PTCDP;
(16) A description of how the PTCSP complies with
§236.1019(f), if applicable;
(17) A description of any deviation in operational
requirements for en route failures as specified under
§236.1029(c), if applicable and unless already completely
provided for in the PTCDP;
(18) A complete description of how the PTC system will
appropriately and timely enforce all integrated hazard
detectors in accordance with §236.1005;
(19) An emergency and planned maintenance temporary rerouting
plan indicating how operations on the subject PTC system will
take advantage of the benefits provided under §236.1005(g)
through (k); and
(20) The documents and information required under §§236.1007
and 236.1033.
(e) The following additional requirements apply to:
(1) Non-vital overlay. A PTC system proposed as an
overlay on the existing method of operation and not built in
accordance with the safety assurance principles set forth in
appendix C of this part must, to the satisfaction of the
Associate Administrator, be shown to:
(i) Reliably execute the functions set forth in §236.1005;
(ii) Obtain at least 80 percent reduction of the risk
associated with accidents preventable by the functions set
forth in §236.1005, when all effects of the change
associated with the PTC system are taken into account. The
supporting risk assessment shall evaluate all intended changes
in railroad operations coincident with the introduction of the
new system; and
(iii) Maintain a level of safety for each subsequent system
modification that is equal to or greater than the level of
safety for the previous PTC systems.
(2) Vital overlay. A PTC system proposed on a newly
constructed track or as an overlay on the existing method of
operation and built in accordance with the safety assurance
principles set forth in appendix C of this part must, to the
satisfaction of the Associate Administrator, be shown to:
(i) Reliably execute the functions set forth in §236.1005;
and
(ii) Have sufficient documentation to demonstrate that the PTC
system, as built, fulfills the safety assurance principles set
forth in appendix C of this part. The supporting risk
assessment may be abbreviated as that term is used in subpart
H of this part.
(3) Stand-alone. A PTC system proposed on a newly
constructed track, an existing track for which no signal
system exists, as a replacement for an existing signal or
train control system, or otherwise to replace or materially
modify the existing method of operation, shall:
(i) Reliably execute the functions required by §236.1005
and be demonstrated to do so to FRA's satisfaction; and
(ii) Have a PTCSP establishing, with a high degree of
confidence, that the system will not introduce new hazards
that have not been mitigated. The supporting risk assessment
shall evaluate all intended changes in railroad operations in
relation to the introduction of the new system and shall
examine in detail the direct and indirect effects of all
changes in the method of operations.
(4) Mixed systems. If a PTC system combining overlay,
stand-alone, vital, or non-vital characteristics is proposed,
the railroad shall confer with the Associate Administrator
regarding appropriate structuring of the safety case and
analysis.
(f) When determining whether the PTCSP fulfills the
requirements under paragraph (d) of this section, the
Associate Administrator may consider all available evidence
concerning the reliability and availability of the proposed
system and any and all safety consequences of the proposed
changes. In any case where the PTCSP lacks adequate data
regarding safety impacts of the proposed changes, the
Associate Administrator may request the necessary data from
the applicant. If the requested data is not provided, the
Associate Administrator may find that potential hazards could
or will arise.
(g) If a PTCSP applies to a system designed to replace an
existing certified PTC system, the PTCSP will be approved
provided that the PTCSP establishes with a high degree of
confidence that the new system will provide a level of safety
not less than the level of safety provided by the system to be
replaced.
(h) When reviewing the issue of the potential data errors (for
example, errors arising from data supplied from other business
systems needed to execute the braking algorithm, survey data
needed for location determination, or mandatory directives
issued through the computer-aided dispatching system), the
PTCSP must include a careful identification of each of the
risks and a discussion of each applicable mitigation. In an
appropriate case, such as a case in which the residual risk
after mitigation is substantial or the underlying method of
operation will be significantly altered, the Associate
Administrator may require submission of a quantitative risk
assessment addressing these potential errors.
§236.1017 Independent
third party Verification and Validation.
(a) The PTCSP must be supported by an independent third-party
assessment when the Associate Administrator concludes that it
is necessary based upon the criteria set forth in §236.913,
with the exception that consideration of the methodology used
in the risk assessment (§236.913(g)(2)(vii)) shall apply
only to the extent that a comparative risk assessment was
required. To the extent practicable, FRA makes this
determination not later than review of the PTCIP and the
accompanying PTCDP or PTCSP. If an independent assessment is
required, the assessment may apply to the entire system or a
designated portion of the system.
(b) If a PTC system is to undergo an independent assessment in
accordance with this section, the host railroad may submit to
the Associate Administrator a written request that FRA confirm
whether a particular entity would be considered an independent
third party pursuant to this section. The request should
include supporting information identified in paragraph (c) of
this section. FRA may request further information to make a
determination or provide its determination in writing.
(c) As used in this section, “independent third party”
means a technically competent entity responsible to and
compensated by the railroad (or an association on behalf of
one or more railroads) that is independent of the PTC system
supplier and vendor. An entity that is owned or controlled by
the supplier or vendor, that is under common ownership or
control with the supplier or vendor, or that is otherwise
involved in the development of the PTC system is not
considered “independent” within the meaning of
this section.
(d) The independent third-party assessment shall, at a
minimum, consist of the activities and result in the
production of documentation meeting the requirements of
Appendix F to this part, unless excepted by this part or by
FRA order or waiver.
(e) Information provided that has been certified under the
auspices of a foreign railroad regulatory entity recognized by
the Associate Administrator may, at the Associate
Administrator's discretion, be accepted as having been
independently verified.
§236.1019 Main
line track exceptions.
(a) Scope and procedure. This section pertains
exclusively to exceptions from the rule that trackage over
which scheduled intercity and commuter passenger service is
provided is considered main line track requiring installation
of a PTC system. One or more intercity or commuter passenger
railroads, or freight railroads conducting joint passenger and
freight operation over the same segment of track may file a
main line track exclusion addendum (“MTEA”) to its
PTCIP requesting to designate track as not main line subject
to the conditions set forth in paragraphs (b) or (c) of this
section. No track shall be designated as yard or terminal
unless it is identified in an MTEA that is part of an FRA
approved PTCIP.
(b) Passenger terminal exception. FRA will consider an
exception in the case of trackage used exclusively as yard or
terminal tracks by or in support of regularly scheduled
intercity or commuter passenger service where the MTEA
describes in detail the physical boundaries of the trackage in
question, its use and characteristics (including track and
signal charts) and all of the following apply:
(1) The maximum authorized speed for all movements is not
greater than 20 miles per hour, and that maximum is enforced
by any available onboard PTC equipment within the confines of
the yard or terminal;
(2) Interlocking rules are in effect prohibiting reverse
movements other than on signal indications without dispatcher
permission; and
(3) Either of the following conditions exists:
(i) No freight operations are permitted; or
(ii) Freight operations are permitted but no passengers will
be aboard passenger trains within the defined limits.
(c) Limited operations exception. FRA will consider an
exception in the case of a track segment used for limited
operations (operating in accordance with §236.0 of this
part) under one of the following sets of conditions:
(1) The trackage is used for limited operations by at least
one passenger railroad subject to at least one of the
following conditions:
(i) All trains are limited to restricted speed;
(ii) Temporal separation of passenger and other trains is
maintained as provided in paragraph (e) of this section; or
(iii) Passenger service is operated under a risk mitigation
plan submitted by all railroads involved in the joint
operation and approved by FRA. The risk mitigation plan must
be supported by a risk assessment establishing that the
proposed mitigations will achieve a level of safety not less
than the level of safety that would obtain if the operations
were conducted under paragraph (c)(1) or (c)(2) of this
section.
(2) Passenger service is operated on a segment of track of a
freight railroad that is not a Class I railroad on which less
than 15 million gross tons of freight traffic is transported
annually and on which one of the following conditions applies:
(i) If the segment is unsignaled and no more than four
regularly scheduled passenger trains are operated during a
calendar day, or
(ii) If the segment is signaled (e.g., equipped with a traffic
control system, automatic block signal system, or cab signal
system) and no more than 12 regularly scheduled passenger
trains are operated during a calendar day.
(3) Not more than four passenger trains per day are operated
on a segment of track of a Class I freight railroad on which
less than 15 million gross tons of freight traffic is
transported annually.
(d) A limited operations exception under paragraph (c) is
subject to FRA review and approval. FRA may require a
collision hazard analysis to identify hazards and may require
that specific mitigations be undertaken. Operations under any
such exception shall be conducted subject to the terms and
conditions of the approval. Any main line track exclusion is
subject to periodic review.
(e) Temporal separation. As used in this section,
temporal separation means that limited passenger and freight
operations do not operate on any segment of shared track
during the same period and also refers to the processes or
physical arrangements, or both, in place to ensure that
temporal separation is established and maintained at all
times. The use of exclusive authorities under mandatory
directives is not, by itself, sufficient to establish that
temporal separation is achieved. Procedures to ensure temporal
separation shall include verification checks between passenger
and freight operations and effective physical means to
positively ensure segregation of passenger and freight
operations in accordance with this paragraph.
(f) PTCSP requirement. No PTCSP—filed after the
approval of a PTCIP with an MTEA—shall be approved by
FRA unless it attests that no changes, except for those
included in an FRA approved RFA, have been made to the
information in the PTCIP and MTEA required by paragraph (b) or
(c) of this section.
(g) Designation modifications. If subsequent to
approval of its PTCIP or PTCSP the railroad seeks to modify
which track or tracks should be designated as main line or not
main line, it shall request modification of its PTCIP or
PTCSP, as applicable, in accordance with §236.1021.
[75 FR 2699, Jan. 15,
2010, as amended at 75 FR 59117, Sept. 27, 2010]
§236.1021 Discontinuances,
material modifications, and amendments.
(a)
No changes, as defined by this section, to a PTC system,
PTCIP, PTCDP, or PTCSP, shall be made unless:
(1)
The railroad files a request for amendment (“RFA”)
to the applicable PTCIP, PTCDP, or PTCSP with the
Associate Administrator; and
(2)
The Associate Administrator approves the RFA.
(b)
After approval of an RFA in accordance with paragraph (a)
of this section, the railroad shall immediately adopt and
comply with the amendment.
(c)
In lieu of a separate filing under part 235 of this
chapter, a railroad may request approval of a
discontinuance or material modification of a signal or
train control system by filing an RFA to its PTCIP, PTCDP,
or PTCSP with the Associate Administrator.
(d)
An RFA made in accordance with this section will not be
approved by FRA unless the request includes:
(1)
The information listed in §235.10 of this chapter and
the railroad provides FRA upon request any additional
information necessary to evaluate the RFA (see §235.12),
including:
(2)
The proposed modifications;
(3)
The reasons for each modification;
(4)
The changes to the PTCIP, PTCDP, or PTCSP, as applicable;
(5)
Each modification's effect on PTC system safety;
(6)
An approximate timetable for filing of the PTCDP, PTCSP,
or both, if the amendment pertains to a PTCIP; and
(7)
An explanation of whether each change to the PTCSP is
planned or unplanned.
(i)
Unplanned changes that affect the Type Approval's PTCDP
require submission and approval in accordance with
§236.1013 of a new PTCDP, followed by submission and
approval in accordance with §236.1015 of a new PTCSP
for the PTC system.
(ii)
Unplanned changes that do not affect the Type Approval's
PTCDP require submission and approval of a new PTCSP.
(iii)
Unplanned changes are changes affecting system safety that
have not been documented in the PTCSP. The impact of
unplanned changes on PTC system safety has not yet been
determined.
(iv)
Planned changes may be implemented after they have
undergone suitable regression testing to demonstrate, to
the satisfaction of the Associate Administrator, they have
been correctly implemented and their implementation does
not degrade safety.
(v)
Planned changes are changes affecting system safety in the
PTCSP and have been included in all required analysis
under §236.1015. The impact of these changes on the
PTC system's safety has been incorporated as an integral
part of the approved PTCSP safety analysis.
(e)
If the RFA includes a request for approval of a
discontinuance or material modification of a signal or
train control system, FRA will publish a notice in the
Federal Register
of the application and will invite public comment in
accordance with part 211 of this chapter.
(f)
When considering the RFA, FRA will review the issue of the
discontinuance or material modification and determine
whether granting the request is in the public interest and
consistent with railroad safety, taking into consideration
all changes in the method of operation and system
functionalities, both within normal PTC system
availability and in the case of a system failed state
(unavailable), contemplated in conjunction with
installation of the PTC system. The railroad submitting
the RFA must, at FRA's request, perform field testing in
accordance with §236.1035 or engage in Verification
and Validation in accordance with §236.1017.
(g)
FRA may issue at its discretion a new Type Approval number
for a PTC system modified under this section.
(h)
Changes requiring filing of an RFA. Except as
provided by paragraph (i), an RFA shall be filed to
request the following:
(1)
Discontinuance of a PTC system, or other similar appliance
or device;
(2)
Decrease of the PTC system's limits (e.g., exclusion or
removal of a PTC system on a track segment);
(3)
Modification of a safety critical element of a PTC system;
or
(4)
Modification of a PTC system that affects the safety
critical functionality of any other PTC system with which
it interoperates.
(i)
Discontinuances not requiring the filing of an RFA.
It is not necessary to file an RFA for the following
discontinuances:
(1)
Removal of a PTC system from track approved for
abandonment by formal proceeding;
(2)
Removal of PTC devices used to provide protection against
unusual contingencies such as landslide, burned bridge,
high water, high and wide load, or tunnel protection when
the unusual contingency no longer exists;
(3)
Removal of the PTC devices that are used on a movable
bridge that has been permanently closed by the formal
approval of another government agency and is mechanically
secured in the closed position for rail traffic; or
(4)
Removal of the PTC system from service for a period not to
exceed 6 months that is necessitated by catastrophic
occurrence such as derailment, flood, fire, or hurricane,
or earthquake.
(j)
Changes not requiring the filing of an RFA. When
the resultant change to the PTC system will comply with an
approved PTCSP of this part, it is not necessary to file
for approval to decrease the limits of a system when it
involves the:
(1)
Decrease of the limits of a PTC system when interlocked
switches, derails, or movable-point frogs are not
involved;
(2)
Removal of an electric or mechanical lock, or signal used
in lieu thereof, from hand-operated switch in a PTC system
where train speed over such switch does not exceed 20
miles per hour, and use of those devices has not been part
of the considerations for approval of a PTCSP; or
(3)
Removal of an electric or mechanical lock, or signal used
in lieu thereof, from a hand-operated switch in a PTC
system where trains are not permitted to clear the main
track at such switch and use of those devices has not been
a part of the considerations for approval of a PTCSP.
(k)
Modifications not requiring the filing of an RFA.
When the resultant arrangement will comply with an
approved PTCSP of this part, it is not necessary to file
an application for approval of the following
modifications:
(1) A
modification that is required to comply with an order of
the Federal Railroad Administration or any section of part
236 of this title;
(2)
Installation of devices used to provide protection against
unusual contingencies such as landslide, burned bridges,
high water, high and wide loads, or dragging equipment;
(3)
Elimination of existing track other than a second main
track;
(4)
Extension or shortening of a passing siding; or
(5)
The temporary or permanent arrangement of existing systems
necessitated by highway-rail grade separation
construction. Temporary arrangements shall be removed
within six months following completion of construction.
§236.1023 Errors
and malfunctions.
(a)
Each railroad implementing a PTC system on its property
shall establish and continually update a PTC Product
Vendor List (PTCPVL) that includes all vendors and
suppliers of each PTC system, subsystem, component, and
associated product, and process in use system-wide. The
PTCPVL shall be made available to FRA upon request.
(b)(1)
The railroad shall specify within its PTCSP all
contractual arrangements with hardware and software
suppliers or vendors for immediate notification between
the parties of any and all safety-critical software
failures, upgrades, patches, or revisions, as well as any
hardware repairs, replacements, or modifications for their
PTC system, subsystems, or components.
(2) A
vendor or supplier, on receipt of a report of any
safety-critical failure to their product, shall promptly
notify all other railroads that are using that product,
whether or not the other railroads have experienced the
reported failure of that safety-critical system,
subsystem, or component.
(3)
The notification from a supplier to any railroad shall
include explanation from the supplier of the reasons for
such notification, the circumstances associated with the
failure, and any recommended mitigation actions to be
taken pending determination of the root cause and final
corrective actions.
(c)
The railroad shall:
(1)
Specify the railroad's process and procedures in its PTCSP
for action upon their receipt of notification of
safety-critical failure, as well as receipt of a
safety-critical upgrade, patch, revision, repair,
replacement, or modification.
(2)
Identify configuration/revision control measures in its
PTCSP that are designed to ensure the safety-functional
requirements and the safety-critical hazard mitigation
processes are not compromised as a result of any change
and that such a change can be audited.
(d)
The railroad shall provide to the applicable vendor or
supplier the railroad's procedures for action upon
notification of a safety-critical failure, upgrade, patch,
or revision for the PTC system, subsystem, component,
product, or process, and actions to be taken until the
faulty system, subsystem, or component has been adjusted,
repaired or replaced.
(e)
After the product is placed in service, the railroad shall
maintain a database of all safety-relevant hazards as set
forth in the PTCSP and those that had not previously been
identified in the PTCSP. If the frequency of the
safety-relevant hazard exceeds the thresholds set forth in
the PTCSP, or has not been previously identified in the
appropriate risk analysis, the railroad shall:
(1)
Notify the applicable vendor or supplier and FRA of the
failure, malfunction, or defective condition that
decreased or eliminated the safety functionality;
(2)
Keep the applicable vendor or supplier and FRA apprised on
a continual basis of the status of any and all subsequent
failures; and
(3)
Take prompt counter measures to reduce or eliminate the
frequency of the safety-relevant hazards below the
threshold identified in the PTCSP.
(f)
Each notification to FRA required by this section shall:
(1)
Be made within 15 days after the vendor, supplier, or
railroad discovers the failure, malfunction, or defective
condition. However, a report that is due on a Saturday or
a Sunday may be delivered on the following Monday and one
that is due on a holiday may be delivered on the next
business day;
(2)
Be transmitted in a manner and form acceptable to the
Associate Administrator and by the most expeditious method
available; and
(3)
Include as much available and applicable information as
possible, including:
(i)
PTC system name and model;
(ii)
Identification of the part, component, or system involved,
including the part number as applicable;
(iii)
Nature of the failure, malfunctions, or defective
condition;
(iv)
Mitigation taken to ensure the safety of train operation,
railroad employees, and the public; and
(v)
The estimated time to correct the failure.
(4)
In the event that all information required by paragraph
(f)(3) of this section is not immediately available, the
non-available information shall be forwarded to the
Associate Administrator as soon as practicable in
supplemental reports.
(g)
Whenever any investigation of an accident or service
difficulty report shows that a PTC system or product is
unsafe because of a manufacturing or design defect, the
railroad and its vendor or supplier shall, upon request of
the Associate Administrator, report to the Associate
Administrator the results of its investigation and any
action taken or proposed to correct that defect.
(h)
PTC system and product suppliers and vendors shall:
(1)
Promptly report any safety-relevant failures or defective
conditions, previously unidentified hazards, and
recommended mitigation actions in their PTC system,
subsystem, or component to each railroad using the
product; and
(2)
Notify FRA of any safety-relevant failure, defective
condition, or previously unidentified hazard discovered by
the vendor or supplier and the identity of each affected
and notified railroad.
(i)
The requirements of this section do not apply to failures,
malfunctions, or defective conditions that:
(1)
Are caused by improper maintenance or improper usage; or
(2)
Have been previously identified to the FRA, vendor or
supplier, and applicable user railroads.
(j)
When any safety-critical PTC system, subsystem, or
component fails to perform its intended function, the
cause shall be determined and the faulty product adjusted,
repaired, or replaced without undue delay. Until
corrective action is completed, a railroad shall take
appropriate action to ensure safety and reliability as
specified within its PTCSP.
(k)
Any railroad experiencing a failure of a system resulting
in a more favorable aspect than intended or other
condition hazardous to the movement of a train shall
comply with the reporting requirements, including the
making of a telephonic report of an accident or incident
involving such failure, under part 233 of this chapter.
Filing of one or more reports under part 233 of this
chapter does not exempt a railroad, vendor, or supplier
from the reporting requirements contained in this section.
§236.1027 PTC
system exclusions.
(a)
The requirements of this subpart apply to each office
automation system that performs safety-critical functions
within, or affects the safety performance of, the PTC
system. For purposes of this section, “office
automation system” means any centralized or
distributed computer-based system that directly or
indirectly controls the active movement of trains in a
rail network.
(b)
Changes or modifications to PTC systems otherwise excluded
from the requirements of this subpart by this section do
not exclude those PTC systems from the requirements of
this subpart if the changes or modifications result in a
degradation of safety or a material decrease in
safety-critical functionality.
(c)
Primary train control systems cannot be integrated with
locomotive electronic systems unless the complete
integrated systems:
(1)
Have been shown to be designed on fail-safe principles;
(2)
Have demonstrated to operate in a fail-safe mode;
(3)
Have a manual fail-safe fallback and override to allow the
locomotive to be brought to a safe stop in the event of
any loss of electronic control; and
(4)
Are included in the approved and applicable PTCDP and
PTCSP.
(d)
PTC systems excluded by this section from the requirements
of this subpart.
§236.1029 PTC
system use and en route failures.
(a)
When any safety-critical PTC system component fails to
perform its intended function, the cause must be
determined and the faulty component adjusted, repaired, or
replaced without undue delay. Until repair of such
essential components are completed, a railroad shall take
appropriate action as specified in its PTCSP.
(b)
Where a PTC onboard apparatus on a controlling locomotive
that is operating in or is to be operated within a PTC
system fails or is otherwise cut-out while en route (i.e,
after the train has departed its initial terminal), the
train may only continue in accordance with the following:
(1)
The train may proceed at restricted speed, or if a block
signal system is in operation according to signal
indication at medium speed, to the next available point
where communication of a report can be made to a
designated railroad officer of the host railroad;
(2)
Upon completion and communication of the report required
in paragraph (b)(1) of this section, or where immediate
electronic report of said condition is appropriately
provided by the PTC system itself, a train may continue to
a point where an absolute block can be established in
advance of the train in accordance with the following:
(i)
Where no block signal system is in use, the train may
proceed at restricted speed, or
(ii)
Where a block signal system is in operation according to
signal indication, the train may proceed at a speed not to
exceed medium speed.
(3)
Upon reaching the location where an absolute block has
been established in advance of the train, as referenced in
paragraph (b)(2) of this section, the train may proceed in
accordance with the following:
(i)
Where no block signal system is in use, the train may
proceed at medium speed; however, if the involved train is
a passenger train or a train hauling any amount of PIH
material, it may only proceed at a speed not to exceed 30
miles per hour.
(ii)
Where a block signal system is in use, a passenger train
may proceed at a speed not to exceed 59 miles per hour and
a freight train may proceed at a speed not to exceed 49
miles per hour.
(iii)
Except as provided in paragraph (c), where a cab signal
system with an automatic train control system is in
operation, the train may proceed at a speed not to exceed
79 miles per hour.
(c)
In order for a train equipped with PTC traversing a track
segment equipped with PTC to deviate from the operating
limitations contained in paragraph (b) of this section,
the deviation must be described and justified in the FRA
approved PTCDP or PTCSP, or the Order of Particular
Applicability, as applicable.
(d)
Each railroad shall comply with all provisions in the
applicable PTCDP and PTCSP for each PTC system it uses and
shall operate within the scope of initial operational
assumptions and predefined changes identified.
(e)
The normal functioning of any safety-critical PTC system
must not be interfered with in testing or otherwise
without first taking measures to provide for the safe
movement of trains, locomotives, roadway workers, and
on-track equipment that depend on the normal functioning
of the system.
(f)
The PTC system's onboard apparatus shall be so arranged
that each member of the crew assigned to perform duties in
the locomotive can receive the same PTC information
displayed in the same manner and execute any functions
necessary to that crew member's duties. The locomotive
engineer shall not be required to perform functions
related to the PTC system while the train is moving that
have the potential to distract the locomotive engineer
from performance of other safety-critical duties.
§236.1031 Previously
approved PTC systems.
(a)
Any PTC system fully implemented and operational prior to
March 16, 2010, may receive PTC System Certification if
the applicable PTC railroad, or one or more system
suppliers and one or more PTC railroads, submits a Request
for Expedited Certification (REC) letter to the Associate
Administrator. The REC letter must do one of the
following:
(1)
Reference a product safety plan (PSP) approved by FRA
under subpart H of this part and include a document
fulfilling the requirements under §§236.1011 and
236.1013 not already included in the PSP;
(2)
Attest that the PTC system has been approved by FRA and in
operation for at least 5 years and has already received an
assessment of Verification and Validation from an
independent third party under part 236 or a waiver
supporting such operation; or
(3)
Attest that the PTC system is recognized under an Order
issued prior to March 16, 2010.
(b)
If an REC letter conforms to paragraph (a)(1) of this
section, the Associate Administrator, at his or her sole
discretion, may also issue a new Type Approval for the PTC
system.
(c)
In order to receive a Type Approval or PTC System
Certification under paragraph (a) or (b) of this section,
the PTC system must be shown to reliably execute the
functionalities required by §§236.1005 and
236.1007 and otherwise conform to this subpart.
(d)
Previous approval or recognition of a train control
system, together with an established service history, may,
at the request of the PTC railroad, and consistent with
available safety data, be credited toward satisfaction of
the safety case requirements set forth in this part for
the PTCSP with respect to all functionalities and
implementations contemplated by the approval or
recognition.
(e)
To the extent that the PTC system proposed for
implementation under this subpart is different in
significant detail from the system previously approved or
recognized, the changes shall be fully analyzed in the
PTCDP or PTCSP as would be the case absent prior approval
or recognition.
(f)
As used in this section—
(1)
Approved refers to approval of a Product Safety
Plan under subpart H of this part.
(2)
Recognized refers to official action permitting a
system to be implemented for control of train operations
under an FRA order or waiver, after review of safety case
documentation for the implementation.
(g)
Upon receipt of an REC, FRA will consider all safety case
information to the extent feasible and appropriate, given
the specific facts before the agency. Nothing in this
section limits re-use of any applicable safety case
information by a party other than the party receiving:
(1) A
prior approval or recognition referred to in this section;
or (2) A Type Approval or PTC System Certification under
this subpart
§236.1033 Communications
and security requirements.
(a)
All wireless communications between the office, wayside,
and onboard components in a PTC system shall provide
cryptographic message integrity and authentication.
(b)
Cryptographic keys required under paragraph (a) of this
section shall:
(1)
Use an algorithm approved by the National Institute of
Standards (NIST) or a similarly recognized and FRA
approved standards body;
(2)
Be distributed using manual or automated methods, or a
combination of both; and
(3)
Be revoked:
(i)
If compromised by unauthorized disclosure of the cleartext
key; or
(ii)
When the key algorithm reaches its lifespan as defined by
the standards body responsible for approval of the
algorithm.
(c)
The cleartext form of the cryptographic keys shall be
protected from unauthorized disclosure, modification, or
substitution, except during key entry when the cleartext
keys and key components may be temporarily displayed to
allow visual verification. When encrypted keys or key
components are entered, the cryptographically protected
cleartext key or key components shall not be displayed.
(d)
Access to cleartext keys shall be protected by a tamper
resistant mechanism.
(e) Each railroad electing to also provide cryptographic
message confidentiality shall:
(1)
Comply with the same requirements for message integrity
and authentication under this section; and
(2)
Only use keys meeting or exceeding the security strength
required to protect the data as defined in the railroad's
PTCSP and required under §236.1013(a)(7).
(f)
Each railroad, or its vendor or supplier, shall have a
prioritized service restoration and mitigation plan for
scheduled and unscheduled interruptions of service. This
plan shall be included in the PTCDP or PTCSP as required
by §§236.1013 or 236.1015, as applicable, and
made available to FRA upon request, without undue delay,
for restoration of communication services that support PTC
system services.
(g)
Each railroad may elect to impose more restrictive
requirements than those in this section, consistent with
interoperability requirements specified in the PTCSP for
the system.
§236.1035 Field
testing requirements.
(a)
Before any field testing of an uncertified PTC system, or
a product of an uncertified PTC system, or any regression
testing of a certified PTC system is conducted on the
general rail system, the railroad requesting the testing
must provide:
(1) A
complete description of the PTC system;
(2)
An operational concepts document;
(3) A
complete description of the specific test procedures,
including the measures that will be taken to protect
trains and on-track equipment;
(4)
An analysis of the applicability of the requirements of
subparts A through G of this part to the PTC system that
will not apply during testing;
(5)
The date the proposed testing shall begin;
(6)
The test locations; and
(7)
The effect on the current method of operation the PTC
system will or may have under test.
(b)
FRA may impose additional testing conditions that it
believes may be necessary for the safety of train
operations.
(c)
Relief from regulations other than from subparts A through
G of this part that the railroad believes are necessary to
support the field testing, must be requested in accordance
with part 211 of this title.
§236.1037 Records
retention.
(a)
Each railroad with a PTC system required to be installed
under this subpart shall maintain at a designated office
on the railroad:
(1) A
current copy of each FRA approved Type Approval, if any,
PTCDP, and PTCSP that it holds;
(2)
Adequate documentation to demonstrate that the PTCSP and
PTCDP meet the safety requirements of this subpart,
including the risk assessment;
(3)
An Operations and Maintenance Manual, pursuant to
§236.1039; and
(4)
Training and testing records pursuant to §236.1043(b).
(b)
Results of inspections and tests specified in the PTCSP
and PTCDP must be recorded pursuant to §236.110.
(c)
Each contractor providing services relating to the
testing, maintenance, or operation of a PTC system
required to be installed under this subpart shall maintain
at a designated office training records required under
§236.1039(b).
(d)
After the PTC system is placed in service, the railroad
shall maintain a database of all safety-relevant hazards
as set forth in the PTCSP and PTCDP and those that had not
been previously identified in either document. If the
frequency of the safety-relevant hazards exceeds the
threshold set forth in either of these documents, then the
railroad shall:
(1)
Report the inconsistency in writing by mail, facsimile,
e-mail, or hand delivery to the Director, Office of Safety
Assurance and Compliance, FRA, 1200 New Jersey Ave, SE,
Mail Stop 25, Washington, DC 20590, within 15 days of
discovery. Documents that are hand delivered must not be
enclosed in an envelope;
(2)
Take prompt countermeasures to reduce the frequency of
each safety-relevant hazard to below the threshold set
forth in the PTCSP and PTCDP; and
(3)
Provide a final report when the inconsistency is resolved
to the FRA Director, Office of Safety Assurance and
Compliance, on the results of the analysis and
countermeasures taken to reduce the frequency of the
safety-relevant hazard(s) below the threshold set forth in
the PTCSP and PTCDP.
§236.1039 Operations
and Maintenance Manual.
(a)
The railroad shall catalog and maintain all documents as
specified in the PTCDP and PTCSP for the installation,
maintenance, repair, modification, inspection, and testing
of the PTC system and have them in one Operations and
Maintenance Manual, readily available to persons required
to perform such tasks and for inspection by FRA and
FRA-certified state inspectors.
(b)
Plans required for proper maintenance, repair, inspection,
and testing of safety-critical PTC systems must be
adequate in detail and must be made available for
inspection by FRA and FRA-certified state inspectors where
such PTC systems are deployed or maintained. They must
identify all software versions, revisions, and revision
dates. Plans must be legible and correct.
(c)
Hardware, software, and firmware revisions must be
documented in the Operations and Maintenance Manual
according to the railroad's configuration management
control plan and any additional configuration/revision
control measures specified in the PTCDP and PTCSP.
(d)
Safety-critical components, including spare equipment,
must be positively identified, handled, replaced, and
repaired in accordance with the procedures specified in
the PTCDP and PTCSP.
(e)
Each railroad shall designate in its Operations and
Maintenance Manual an appropriate railroad officer
responsible for issues relating to scheduled interruptions
of service contemplated by §236.1029.
§236.1041 Training
and qualification program, general.
(a)
Training program for PTC personnel. Employers shall
establish and implement training and qualification
programs for PTC systems subject to this subpart. These
programs must meet the minimum requirements set forth in
the PTCDP and PTCSP in §§236.1039 through
236.1045, as appropriate, for the following personnel:
(1)
Persons whose duties include installing, maintaining,
repairing, modifying, inspecting, and testing
safety-critical elements of the railroad's PTC systems,
including central office, wayside, or onboard subsystems;
(2)
Persons who dispatch train operations (issue or
communicate any mandatory directive that is executed or
enforced, or is intended to be executed or enforced, by a
train control system subject to this subpart);
(3)
Persons who operate trains or serve as a train or engine
crew member subject to instruction and testing under part
217 of this chapter, on a train operating in territory
where a train control system subject to this subpart is in
use;
(4)
Roadway workers whose duties require them to know and
understand how a train control system affects their safety
and how to avoid interfering with its proper functioning;
and
(5)
The direct supervisors of persons listed in paragraphs
(a)(1) through (a)(4) of this section.
(b)
Competencies. The employer's program must provide
training for persons who perform the functions described
in paragraph (a) of this section to ensure that they have
the necessary knowledge and skills to effectively complete
their duties related to operation and maintenance of the
PTC system.
§236.1043 Task
analysis and basic requirements.
(a)
Training structure and delivery. As part of the
program required by §236.1041, the employer shall, at
a minimum:
(1)
Identify the specific goals of the training program with
regard to the target population (craft, experience level,
scope of work, etc.), task(s), and desired success rate;
(2)
Based on a formal task analysis, identify the
installation, maintenance, repair, modification,
inspection, testing, and operating tasks that must be
performed on a railroad's PTC systems. This includes the
development of failure scenarios and the actions expected
under such scenarios;
(3)
Develop written procedures for the performance of the
tasks identified;
(4)
Identify the additional knowledge, skills, and abilities
above those required for basic job performance necessary
to perform each task;
(5)
Develop a training and evaluation curriculum that includes
classroom, simulator, computer-based, hands-on, or other
formally structured training designed to impart the
knowledge, skills, and abilities identified as necessary
to perform each task;
(6)
Prior to assignment of related tasks, require all persons
mentioned in §236.1041(a) to successfully complete a
training curriculum and pass an examination that covers
the PTC system and appropriate rules and tasks for which
they are responsible (however, such persons may perform
such tasks under the direct onsite supervision of a
qualified person prior to completing such training and
passing the examination);
(7)
Require periodic refresher training and evaluation at
intervals specified in the PTCDP and PTCSP that includes
classroom, simulator, computer-based, hands-on, or other
formally structured training and testing, except with
respect to basic skills for which proficiency is known to
remain high as a result of frequent repetition of the
task; and
(8)
Conduct regular and periodic evaluations of the
effectiveness of the training program specified in
§236.1041(a)(1) verifying the adequacy of the
training material and its validity with respect to current
railroads PTC systems and operations.
(b)
Training records. Employers shall retain records
which designate persons who are qualified under this
section until new designations are recorded or for at
least one year after such persons leave applicable
service. These records shall be kept in a designated
location and be available for inspection and replication
by FRA and FRA-certified State inspectors.
§236.1045 Training
specific to office control personnel.
(a)
Any person responsible for issuing or communicating
mandatory directives in territory where PTC systems are or
will be in use shall be trained in the following areas, as
applicable:
(1)
Instructions concerning the interface between the
computer-aided dispatching system and the train control
system, with respect to the safe movement of trains and
other on-track equipment;
(2)
Railroad operating rules applicable to the train control
system, including provision for movement and protection of
roadway workers, unequipped trains, trains with failed or
cut-out train control onboard systems, and other on-track
equipment; and
(3)
Instructions concerning control of trains and other
on-track equipment in case the train control system fails,
including periodic practical exercises or simulations, and
operational testing under part 217 of this chapter to
ensure the continued capability of the personnel to
provide for safe operations under the alternative method
of operation.
(b)
[Reserved]
§236.1047 Training
specific to locomotive engineers and other operating
personnel.
(a)
Operating personnel. Training provided under this
subpart for any locomotive engineer or other person who
participates in the operation of a train in train control
territory shall be defined in the PTCDP as well as the
PTCSP. The following elements shall be addressed:
(1)
Familiarization with train control equipment onboard the
locomotive and the functioning of that equipment as part
of the system and in relation to other onboard systems
under that person's control;
(2)
Any actions required of the onboard personnel to enable,
or enter data to, the system, such as consist data, and
the role of that function in the safe operation of the
train;
(3)
Sequencing of interventions by the system, including
pre-enforcement notification, enforcement notification,
penalty application initiation and post-penalty
application procedures;
(4)
Railroad operating rules and testing (part 217) applicable
to the train control system, including provisions for
movement and protection of any unequipped trains, or
trains with failed or cut-out train control onboard
systems and other on-track equipment;
(5)
Means to detect deviations from proper functioning of
onboard train control equipment and instructions regarding
the actions to be taken with respect to control of the
train and notification of designated railroad personnel;
and
(6)
Information needed to prevent unintentional interference
with the proper functioning of onboard train control
equipment.
(b)
Locomotive engineer training. Training required
under this subpart for a locomotive engineer, together
with required records, shall be integrated into the
program of training required by part 240 of this chapter.
(c)
Full automatic operation. The following special
requirements apply in the event a train control system is
used to effect full automatic operation of the train:
(1)
The PTCDP and PTCSP shall identify all safety hazards to
be mitigated by the locomotive engineer.
(2)
The PTCDP and PTCSP shall address and describe the
training required with provisions for the maintenance of
skills proficiency. As a minimum, the training program
must:
(i)
As described in §236.1043(a)(2), develop failure
scenarios which incorporate the safety hazards identified
in the PTCDP and PTCSP including the return of train
operations to a fully manual mode;
(ii)
Provide training, consistent with §236.1047(a), for
safe train operations under all failure scenarios and
identified safety hazards that affect train operations;
(iii)
Provide training, consistent with §236.1047(a), for
safe train operations under manual control; and
(iv)
Consistent with §236.1047(a), ensure maintenance of
manual train operating skills by requiring manual starting
and stopping of the train for an appropriate number of
trips and by one or more of the following methods:
(A)
Manual operation of a train for a 4-hour work period;
(B)
Simulated manual operation of a train for a minimum of 4
hours in a Type I simulator as required; or
(C)
Other means as determined following consultation between
the railroad and designated representatives of the
affected employees and approved by FRA. The PTCDP and
PTCSP shall designate the appropriate frequency when
manual operation, starting, and stopping must be
conducted, and the appropriate frequency of simulated
manual operation.
(d)
Conductor training. Training required under this
subpart for a conductor, together with required records,
shall be integrated into the program of training required
under this chapter.
§236.1049 Training
specific to roadway workers.
(a)
Roadway worker training. Training required under
this subpart for a roadway worker shall be integrated into
the program of instruction required under part 214,
subpart C of this chapter (“Roadway Worker
Protection”), consistent with task analysis
requirements of §236.1043. This training shall
provide instruction for roadway workers who provide
protection for themselves or roadway work groups.
(b)
Training subject areas. (1) Instruction for roadway
workers shall ensure an understanding of the role of
processor-based signal and train control equipment in
establishing protection for roadway workers and their
equipment.
(2)
Instruction for all roadway workers working in territories
where PTC is required under this subpart shall ensure
recognition of processor-based signal and train control
equipment on the wayside and an understanding of how to
avoid interference with its proper functioning.
(3)
Instructions concerning the recognition of system failures
and the provision of alternative methods of on-track
safety in case the train control system fails, including
periodic practical exercises or simulations and
operational testing under part 217 of this chapter to
ensure the continued capability of roadway workers to be
free from the danger of being struck by a moving train or
other on-track equipment.
|
|
|
|
| File Type | application/msword |
| File Title | 49 CFR |
| Author | frauser1 |
| Last Modified By | USDOT User |
| File Modified | 2014-08-07 |
| File Created | 2008-04-28 |