Positive Train Control Systems
Notice Of Proposed Rulemaking.
FRA proposes regulations implementing a requirement of the Rail Safety Improvement Act of 2008 that certain passenger and freight railroads install positive train control systems. The proposal includes required functionalities of the technology and the means by which it would be certified. The proposal also describes the contents of the positive train control implementation plans required by the statute and contains the proposed process for submission of those plans for review and approval by FRA. These proposed regulations could also be voluntarily complied with by entities not mandated to install positive train control systems.
6 actions from July 21st, 2009 to November 26th, 2010
July 21st, 2009
August 20th, 2009
- NPRM Comment Period End
January 15th, 2010
- Final Rule; Request for Comments
March 16th, 2010
- Final Rule Effective
September 27th, 2010
- Final Rule
November 26th, 2010
- Final Rule Effective
DATES:
(1) Written comments must be received by August 20, 2009. Comments received after that date will be considered to the extent possible without incurring additional expenses or delays.
(2) FRA will hold an oral public hearing on a date to be announced in a forthcoming notice.
ADDRESSES:
Comments: Comments related to Docket No. FRA-2008-0132 may be submitted by any of the following methods:
- Web Site: Comments should be filed at the Federal eRulemaking Portal, http://www.regulations.gov. Follow the online instructions for submitting comments.
- Fax: 202-493-2251.
- Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue, SE., W12-140, Washington, DC 20590.
- Hand Delivery: Room W12-140 on the Ground level of the West Building, 1200 New Jersey Avenue, SE., Washington, DC between 9 a.m. and 5 p.m. Monday through Friday, except Federal holidays.
Instructions: All submissions must include the agency name and docket number or Regulatory Identification Number (RIN) for this rulemaking. Note that all comments received will be posted without change to http://www.regulations.gov including any personal information. Please see the Privacy Act heading in the SUPPLEMENTARY INFORMATION section of this document for Privacy Act information related to any submitted comments or materials.
Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov at any time or to Room W12-140 on the Ground level of the West Building, 1200 New Jersey Avenue, SE., Washington, DC between 9 a.m. and 5 p.m. Monday through Friday, except Federal Holidays.
FOR FURTHER INFORMATION CONTACT:
Thomas McFarlin, Office of Safety Assurance and Compliance, Staff Director, Signal Train Control Division, Federal Railroad Administration, Mail Stop 25, West Building 3rd Floor West, Room W35-332, 1200 New Jersey Avenue, SE., Washington, DC 20590 (telephone: 202-493-6203); or Jason Schlosberg, Trial Attorney, Office of Chief Counsel, RCC-10, Mail Stop 10, West Building 3rd Floor, Room W31-217, 1200 New Jersey Avenue, SE., Washington, DC 20590 (telephone: 202-493-6032).
SUPPLEMENTARY INFORMATION:
FRA is issuing this proposed rule to provide regulatory guidance and performance standards for the development, testing, implementation, and use of Positive Train Control (PTC) systems for railroads mandated by the Railroad Safety Improvement Act of 2008 section 104, Public Law 110-432, 122 Stat. 4854 (Oct. 16, 2008) (codified at 49 U.S.C. 20157) (hereinafter “RSIA08”) to install PTC systems. These regulations may also be voluntarily complied with by entities not mandated to install PTC in lieu of the requirements contained in subpart H of part 236. The proposed rule establishes requirements for PTC system standard design and functionality, the associated submissions for FRA PTC system approval and certification, requirements for training, and required risk-based criteria. The RSIA08 mandates that widespread implementation of PTC across a major portion of the U.S. rail industry be accomplished by December 31, 2015. This proposed rule is intended to provide the necessary Federal oversight, guidance, and assistance toward successful completion of that congressional requirement. This proposed rule also necessitates or results in some minimal revision or amendment to parts 229, 234 and 235, as well as previously existing subparts A through H of part 236.
Table of Contents for Supplementary Information
I. Introduction
II. Background
A. The Need for Positive Train Control Technology
B. Earlier Efforts To Encourage Voluntary PTC Implementation
C. Technology Advances Under Subpart H
III. The Rail Safety Improvement Act of 2008
IV. RSAC
V. Use of Performance Standards
VI. Section-by-Section Analysis
VII. Regulatory Impact and Notices
A. Executive Order 12866 and DOT Regulatory Policies and Procedures
B. Regulatory Flexibility Act and Executive Order 13272
C. Paperwork Reduction Act
D. Federalism Implications
E. Environmental Impact
F. Unfunded Mandates Reform Act of 1995
G. Energy Impact
H. Privacy Act
VIII. The Rule
I. Introduction
This proposed rule provides new performance standards for the implementation and operation of PTC systems as mandated by RSIA08 and as otherwise voluntarily adopted. The proposed rule also details the process and identifies the documents that railroads and operators of passenger trains are to utilize and incorporate in their PTC implementation plans required by the Railroad Safety Improvement Act of 2008 section 104, Public Law 110-432, 122 Stat. 4854 (Oct. 16, 2008) (codified at 49 U.S.C. 20157) (hereinafter “RSIA08”). The proposal also details the process and procedure for obtaining FRA approval of such plans.
FRA began the process of developing a proposed rule after RSIA08 was signed into law. While developing the proposed rule, FRA applied the performance-based principles embodied in existing subpart H of part 236 to identify and remedy any weaknesses discovered in the subpart H regulatory approach, while exploiting lessons learned from products developed under subpart H. FRA has continued to make performance-based safety decisions while supporting railroads in their development and implementation of PTC system technologies.
Development of the proposed rule was enhanced with the participation of the Railroad Safety Advisory Committee (RSAC), which tasked a PTC Working Group to provide advice regarding development of implementing regulations for PTC systems and their deployment that are required under RSIA08. The PTC Working Group made a number of consensus recommendations, which have been identified and included in this proposed rule. The preamble discusses the statutory background, the regulatory background, the RSAC proceedings, the alternatives considered and the rationale for the option selected, the proceedings to date, as well as the comments and conclusions on general issues. Other comments and resolutions are discussed within the corresponding section-by-section analysis.
II. Background
A. The Need for Positive Train Control Technology
Since the early 1920s, systems have been in use that can intervene in train operations by warning crews or causing trains to stop if they are not being operated safely because of inattention, misinterpretation of wayside signal indications, or incapacitation of the crew. Pursuant to orders of the Interstate Commerce Commission (ICC)—whose safety regulatory activities were later transferred to FRA when it was established in 1967—cab signal systems, automatic train control, and automatic train stop systems were deployed on a significant portion of the national rail system to supplement and enforce the indications of wayside signals and operating speed limitations. However, these systems were expensive to install and maintain, and with the decline of intercity passenger service following the Second World War, the ICC and the industry allowed many of these systems to be discontinued. During this period, railroads were heavily regulated with respect to rates and service responsibilities. The development of the Interstate Highway System and other factors led to reductions in the railroads' revenues without regulatory relief, leading to bankruptcies, railroad mergers, and eventual abandonment of many rail lines. Consequently, railroads focused on fiscal survival, and investments in expensive relay-based train control technology were economically out of reach. The removal of these train control systems, which had never been pervasively installed, permitted train collisions to continue, notwithstanding enforcement of railroad operating rules designed to prevent them.
As early as 1970, following its investigation of the August 20, 1969, head-on collision of two Penn Central Commuter trains near Darien, Connecticut, in which 4 people were killed and 45 people were injured, the National Transportation Safety Board (NTSB) asked FRA to study the feasibility of requiring a form of automatic train control system to protect against operator error and prevent train collisions. Following the Darien accident, the NTSB continued to investigate one railroad accident after another caused by human error. During the next two decades, the NTSB issued a number of safety recommendations asking for train control measures. Following its investigation of the May 7, 1986, rear-end collision involving a Boston and Maine Corporation commuter train and a Consolidated Rail Incorporated (Conrail) freight train in which 153 people were injured, the NTSB recommended that FRA promulgate standards to require the installation and operation of a train control system that would provide for positive train separation. NTSB Recommendation R-87-16 (May 19, 1987), available at http://www.ntsb.gov/Recs/letters/1987/R87_16.pdf. When the NTSB first established its Most Wanted List of Transportation Safety Improvements in 1990, the issue of Positive Train Separation was among the improvements listed, and it remained on the list until just after enactment of RSIA08. Original “Most Wanted” list of Transportation Safety Improvements, as adopted September 1990, available at http://www.ntsb.gov/Recs/mostwanted/original_list.htm. The NTSB continues to follow the progress of the technology's implementation closely and participated through staff in the most recent PTC Working Group deliberations.
Meanwhile, enactment of the Staggers Rail Act of 1980 signaled a shift in public policy that permitted the railroads to shed unprofitable lines, largely replace published “tariffs” with appropriately priced contract rates, and generally respond to marketplace realities, which increasingly demanded flexible service options responsive to customer needs. The advent of microprocessor-based electronic control systems and digital data radio technology during the mid-1980s led the freight railroad industry, through the Association of American Railroads (AAR) and the Railway Association of Canada, to explore the development of Advanced Train Control Systems (ATCS). With broad participation by suppliers, railroads, and FRA, detailed specifications were developed for a multi-level “open” architecture that would permit participation by many suppliers while ensuring that systems deployed on various railroads would work in harmony as trains crossed corporate boundaries. ATCS was intended to serve a variety of business purposes, in addition to enhancing the safety of train operations. Pilot versions of ATCS and a similar system known as Advanced Railroad Electronic Systems (ARES) were tested relatively successfully, but the systems were never deployed on a wide scale primarily due to cost. However, sub-elements of these systems were employed for various purposes, particularly for replacement of pole lines associated with signal systems.
Collisions, derailments, and incursions into work zones used by roadway workers continued as a result of the absence of effective enforcement systems designed to compensate for the effects of fatigue and other human factors. Renewed emphasis on rules compliance and Federal regulatory initiatives, including rules for the control of alcohol and drug use in railroad operations, operational testing and inspection programs designed to verify railroad rules compliance, requirements for qualification and certification of locomotive engineers, and negotiated rules for roadway worker protection led to some reduction in risk. However, the lack of an effective collision avoidance system allowed the continued occurrence of accidents, some involving tragic losses of life and significant property damage.
B. Earlier Efforts To Encourage Voluntary PTC Implementation
As the NTSB continued to highlight the opportunities for accident prevention associated with emerging train control technology through its investigations and findings, Congress showed increasing interest, mandating three separate reports over the period of a decade. In 1994, FRA reported to Congress on this problem, calling for implementation of an action plan to deploy PTC systems (Railroad Communications and Train Control, July 1994 (hereinafter “1994 Report”)). The 1994 Report forecasted substantial benefits of advanced train control technology in supporting a variety of business and safety purposes, but noted that an immediate regulatory mandate for PTC could not be justified based upon normal cost-benefit principles relying on direct safety benefits. The report outlined an aggressive Action Plan implementing a public-private sector partnership to explore technology potential, deploy systems for demonstration, and structure a regulatory framework to support emerging PTC initiatives.
Following through on the 1994 Report, FRA committed approximately $40 million through the Next Generation High Speed Rail Program and the Research and Development Program to support development, testing, and deployment of PTC prototype systems in the Pacific Northwest, Michigan, Illinois, Alaska, and some Eastern railroads. FRA also initiated a comprehensive effort to structure an appropriate regulatory framework for facilitating voluntary implementation of PTC and for evaluating future safety needs and opportunities.
In September of 1997, FRA asked the RSAC to address the issue of PTC. The RSAC accepted three tasks: Standards for New Train Control Systems (Task 1997-06), Positive Train Control Systems—Implementation Issues (Task 1997-05), and Positive Train Control Systems—Technologies, Definitions, and Capabilities (Task 1997-04). The PTC Working Group was established, comprised of representatives of labor organizations, suppliers, passenger and freight railroads, other Federal agencies, and interested state departments of transportation. The PTC Working Group was supported by FRA counsel and staff, analysts from the Volpe National Transportation Systems Center, and advisors from the NTSB staff.
In 1999, the PTC Working Group provided to the Federal Railroad Administrator a consensus report (“1999 Report”) with an indication that it would be continuing its efforts. The report defined the PTC core functions to include: Prevention of train-to-train collisions (positive train separation); enforcement of speed restrictions, including civil engineering restrictions (curves, bridges, etc.) and temporary slow orders; and protection for roadway workers and their equipment operating under specific authorities. The PTC Working Group identified additional safety functions that might be included in some PTC architectures: Provide warning of on-track equipment operating outside the limits of authority; receive and act upon hazard information, when available, in a more timely or more secure manner (e.g., compromised bridge integrity, wayside detector data); and provide for future capability by generating data for transfer to highway users to enhance warning at highway-rail grade crossings. The PTC Working Group stressed that efforts to enhance highway-rail grade crossing safety must recognize the train's necessary right of way at grade crossings and that it is important that warning systems employed at highway-rail grade crossings be highly reliable and “fail-safe” in their design.
As the PTC Working Group's work continued, other collaborative efforts, including development of Passenger Equipment Safety Standards (including private standards through the American Public Transit Association), Passenger Train Emergency Preparedness rules, and proposals for improving locomotive crashworthiness (including improved fuel tank standards) have targeted reduction in collision and derailment consequences.
In 2003, in light of technological advances and potential increased cost and system savings related to prioritized deployment of PTC systems, the Appropriations Committees of Congress requested that FRA update the costs and benefits for the deployment of PTC and related systems. As requested, FRA carried out a detailed analysis that was filed in August of 2004 (“2004 Report”), which indicated that under one set of highly controversial assumptions, substantial public benefits would likely flow from the installation of PTC systems on the railroad system. Further, the total amount of these benefits was subject to considerable controversy. While many of the other findings of the 2004 Report were disputed, there were no data submitted to challenge the 2004 Report finding that reaffirmed earlier conclusions that the safety benefits of PTC systems were relatively small in comparison to the large capital and maintenance costs. Accordingly, FRA continued to believe that an immediate regulatory mandate for widespread PTC implementation could not be justified based upon traditional cost-benefit principles relying on direct railroad safety benefits. Benefits and Costs of Positive Train Control (Report in Response to Committees on Appropriations, August 2004).
Despite the economic infeasibility of PTC based on safety benefits alone, as outlined in the 1994, 1999, and 2004 Reports, FRA continued with regulatory and other efforts to facilitate and encourage the voluntary installation of PTC systems. As part of the High Speed Rail Initiative, and in conjunction with the National Railroad Passenger Corporation (Amtrak), the AAR, the State of Illinois, and the Union Pacific Railroad Company (UP), FRA created the North American Joint Positive Train Control (NAJPTC) Program, which set out to describe a single standardized open source PTC architecture and system. UP's line between Springfield and Mazonia, Illinois was selected for initial installation of a train control system to support Amtrak operations up to 110 mph, and the system was installed and tested on portions of that line. Although the system did not prove viable as then conceived, the project hastened the development of PTC technology that was subsequently employed in other projects. Promised standards for interoperability of PTC systems also proved elusive.
In addition to financially supporting the NAJPTC Program, FRA continued to work with the rail carriers, rail labor, and suppliers on regulatory reforms to facilitate voluntary PTC implementation. The regulatory reform effort culminated when FRA issued a final rule on March 7, 2005, establishing a technology neutral safety-based performance standard for processor-based signal and train control systems. This new regulation, codified as subpart H to part 236, was carefully crafted to encourage the voluntary implementation and operation of processor-based signal and train control systems without impairing technological development. 70 FR 11052 (Mar. 7, 2005).
FRA intended that final rule—developed in close cooperation with rail management, rail labor, and suppliers—to further facilitate individual railroad efforts to voluntarily develop and deploy cost effective PTC technologies that would make system-wide deployment more economically viable. It also appeared very possible that major railroads would elect to make voluntary investments in PTC to enhance safety, improve service quality, and foster efficiency (e.g., better asset utilization, reduced fuel use through train pacing).
C. Technology Advances Under Subpart H
While FRA and RSAC worked to develop consensus on the regulations that would become subpart H, the railroads continued with PTC prototype development. The technology neutral, performance-based regulatory process established by subpart H proved to be very successful in facilitating the development of other PTC implementation approaches. Although the railroads' prototype development efforts were generally technically successful and offered significant improvements in safety, costs of nationwide deployment continued to be untenable. Information gained from prototype efforts did little to reduce the estimated costs for widespread implementation of the core PTC safety functions on the nation's railroads.
Working under subpart H, the BNSF Railway Company (BNSF), CSX Transportation, Inc. (CSXT), the Norfolk Southern Corporation (NS), and UP undertook more aggressive design and implementation work. The new subpart H regulatory approach also made it feasible for smaller railroads such as the Alaska Railroad and the Ohio Central Railroad to begin voluntary design and implementation work on PTC systems that best suited their needs. FRA provided, and continues to provide, technical assistance and guidance regarding regulatory compliance to enable the railroads to more effectively design, install, and test their respective systems.
In December 2006, FRA approved the initial version of the Electronic Train Management System (ETMS) product for deployment on 35 of BNSF's subdivisions (“ETMS I Configuration”) comprising single track territory that was either non-signaled or equipped with traffic control systems. In a separate proceeding, FRA agreed that ETMS could be installed in lieu of restoring a block signal system on a line for which discontinuance had been authorized followed by a significant increase in traffic. During the same period, BNSF successfully demonstrated a Switch Point Monitoring System (SPMS)—a system that contains devices attached to switches that electronically report the position of the switches to the railroad's central dispatching office or the crew of an approaching train—and a Track Integrity Warning System (TIWS)—a system that electronically reports to the railroad's central dispatching office or the crew of an approaching train if there are any breaks in the rail that might lead to derailments. FRA believes both of these technologies help to reduce risk in non-signaled territory and are forward-compatible for use with existing and new PTC systems. To be forward-compatible, not to be confused with the similar concept of extensibility, a system must be able to gracefully provide input intended for use in later system versions. The introduction of a forward-compatible technology implies that older devices can partly understand and provide data generated or used by new devices or systems. The concept can be applied to electrical interfaces, telecommunication signals, data communication protocols, file formats, and computer programming languages. A standard supports forward-compatibility if older product versions can receive, read, view, play, execute, or transmit data to the new standard. In the case of wayside devices, they are said to be forward compatible if they can appropriately communicate and interact with a PTC system when later installed. 
A wayside device might serve the function of providing only information or providing information and accepting commands from a new system.
In addition to scheduling the installation of the ETMS I configuration as capital funding became available, BNSF voluntarily undertook the design and testing of complementary versions of ETMS that would support BNSF operations on more complex track configurations, at higher allowable train speeds, and with additional types of rail traffic. Meanwhile, CSXT was in the process of redesigning and relocating the test bed for its Communications Based Train Management (CBTM) system, which it has tested for several years, and UP and NS were working on similar systems using vital onboard processing.
As congressional consideration of legislation that resulted in the RSIA08 commenced, all four major railroads had settled on the core technology developed for them by Wabtec Railway Electronics (“Wabtec”). As the legislation progressed, the railroads and Wabtec worked toward greater commonality in the basic functioning of the onboard system with a view toward interoperability. Accordingly, ETMS is now a generic architectural description of one type of PTC system. Examples of ETMS include the non-vital PTC systems of BNSF's ETMS I and ETMS II, CSXT's CBTM, UP's Vital Train Management System (VTMS), and NS's Optimized Train Control (OTC). Further work is being undertaken by BNSF to advance the capability of ETMS by integrating Amtrak operations (ETMS III). For a description of system enhancements planned by BNSF as per the Product Safety Plan filed in accordance with subpart H, see FRA Docket No. 2006-23687, Document 0017, at pp. 40-43.
While the freight railroads' efforts for developing and installing PTC systems progressed over a relatively long period of time, starting with demonstrations of ATCS and ARES in the late 1980s and culminating in the initial ETMS Product Safety Plan approval in December of 2006, Amtrak demonstrated its ability to turn on revenue-quality PTC systems on its own railroad in support of high speed rail. Beginning in the early 1990s, Amtrak developed plans for enhanced high speed service on the Northeast Corridor (NEC), which included electrification and other improvements between New Haven and Boston and introduction of the Acela trainsets as the premium service from Washington to New York and New York to Boston. In connection with these improvements, which support train speeds up to 150 mph, Amtrak undertook to install the Advanced Civil Speed Enforcement System (ACSES) as a supplement to existing cab signals and automatic train control (speed control). Together, these systems deliver PTC core functionalities. In support of this effort, FRA issued an order for the installation of the system, which required all passenger and freight operators in the New Haven-Boston segment to equip their locomotives with ACSES. See 63 FR 39343 (July 22, 1998). ACSES was installed between 2000 and 2002, and has functioned successfully between New Haven and Boston, and on selected high speed segments between Washington and New York for a number of years.
Amtrak voluntarily began development of an architecturally different PTC system, the Incremental Train Control System (ITCS), for installation on its Michigan Line. Amtrak developed and installed ITCS under waivers from specific sections of 49 CFR part 236, subparts A through G, granted by FRA. ITCS was applied to tenant NS locomotives as well as Amtrak locomotives traversing the route. Highway-rail grade crossings on the route were fitted with ITCS units to pre-start the warning systems for high-speed trains and to monitor crossing warning system health in real time. The ITCS was tested extensively in the field for safety and reliability, and it was placed in revenue service in 2001. As experience was gained, FRA authorized increases in speed to 95 mph; and FRA is presently awaiting final results of an independent assessment of verification and validation for the system with a view toward authorizing operations at the design speed of 110 mph.
Despite these successes, the widespread deployment of these various train control systems, particularly on the general freight system, remained very much constrained by prohibitive capital costs. While the railroads were committed to installing these new systems to enhance the safety afforded to the public and their employees, the railroads' actual widespread implementation remained forestalled due to an inability to generate sufficient funding for these new projects in excess of the capital expenditures necessary to cover the ongoing operating and maintenance costs. Accordingly, the railroads continued to plan very slow deployments of PTC system technologies.
III. The Rail Safety Improvement Act of 2008
On May 1, 2007, the House of Representatives introduced H.R. 2095, which would, among other things, mandate the implementation and use of PTC systems. The bill passed the House on October 17, 2007. The bill was then amended and passed by the Senate on August 1, 2008. While the bill was awaiting final passage, the FRA Administrator testified before Congress that “FRA is a strong supporter of PTC technology and is an active advocate for its continued development and deployment.” Senate Commerce Committee Briefing on Metrolink Accident, 110th Cong. (Sept. 23, 2008) (written statement of Federal Railroad Administrator Joseph H. Boardman), available at http://www.fra.dot.gov/downloads/PubAffairs/09-23-08FinalStatementFRAAdministratorPTC_Sen_Boxer_Meeting.pdf.
On September 24, 2008, the House concurred with the Senate amendment and added another amendment pursuant to H. Res. 1492. When considering the House's amendment, various Senators made statements referencing certain train accidents that were believed to be PTC-preventable. For instance, Senator Lautenberg (NJ) took notice of the collision at Graniteville, South Carolina in 2005, and Senators Lautenberg, Hutchison (TX), Boxer (CA), Levin (MI), and Carper (DE) took notice of an accident at Chatsworth, California, on September 12, 2008. According to Senator Levin, Federal investigators have said that a collision warning system could have prevented that crash and the subject legislation would require that new technology to prevent crashes be installed in high risk tracks. Senators Carper and Boxer made similar statements, indicating that PTC systems are designed to prevent train derailments and collisions, like the one in Chatsworth. 154 Cong. Rec. S10283-S10290 (2008). Ultimately, on October 1, 2008, the Senate concurred with the House amendment.
The Graniteville accident referenced by Senator Lautenberg was an early morning collision between two NS trains in non-signaled (dark) territory near the Avondale Mills Textile plant. One of the trains—which was transporting chlorine gas, sodium hydroxide, and cresol on the main track—approached an improperly lined hand-operated switch. As the train diverged through the switch, it ran onto the siding track where it collided with a parked train. Various tank cars ruptured, releasing at least 90 tons of chlorine gas. Nine people died due to chlorine inhalation and at least 250 people were treated for chlorine exposure. In addition, 5,400 residents within a mile of the crash site were forced to evacuate for nearly two weeks while hazardous materials (hazmat) teams and cleanup crews decontaminated the area.
The Chatsworth train collision occurred on the afternoon of September 12, 2008, when a Union Pacific freight train and a Metrolink commuter train collided head-on on a single main track equipped with a Traffic Control System (TCS) in the Chatsworth district of Los Angeles, California. Although NTSB has not yet released its final report, evidence summarized at the NTSB's public hearing suggested that the Metrolink passenger train was operated past a signal displaying a stop indication and entered a section of single track where the opposing UP freight train was operating on a signal indication permitting it to proceed over a switch and into a siding (after which the switch would have been lined for the Metrolink train to proceed). As a consequence of the accident, 25 people died and over 130 more were seriously injured.
Prior to the accidents in Graniteville and Chatsworth, the railroads' slow incremental deployment of PTC technologies—while not uniformly agreed upon by the railroads, FRA, and NTSB—was generally deemed acceptable by them in view of the tremendous costs involved. Partially as a consequence of these very public accidents and their severity, coupled with a series of other less publicized accidents, Congress passed the Rail Safety Improvement Act of 2008 into law on October 16, 2008, marking a public policy decision that, despite the implementation costs, railroad employee and general public safety warranted mandatory and accelerated installation and operation of PTC systems.
As immediately relevant to this rulemaking, RSIA08 requires the installation and operation of PTC systems on all main lines, meaning all intercity and commuter lines—with limited exceptions entrusted to FRA—and on freight-only lines when they are part of a Class I railroad system, carrying at least 5 million gross tons of freight annually, and carrying any amount of poison- or toxic-by-inhalation (PIH or TIH) materials. While the statute vests certain responsibilities with the Secretary of the U.S. Department of Transportation, the Secretary has since delegated those responsibilities to the FRA Administrator. See 49 CFR 1.49(oo); 74 FR 26,981 (June 5, 2009); see also 49 U.S.C. 103(g).
In RSIA08, Congress established very aggressive dates for PTC system build-out completion. Each subject railroad is required to submit to FRA by April 16, 2010, an implementation plan indicating where and how it intends to install PTC systems by December 31, 2015. As a result of this accelerated PTC system deployment schedule, railroads must immediately engage in a massive reprogramming of capital funds.
In light of the timetable instituted by Congress, and to better support railroads with their installation while maintaining safety, FRA decided that it is appropriate for mandatory PTC systems to be reviewed by FRA differently than the regulatory approval process provided under subpart H. FRA believes that it is important to develop a process more suited specifically for PTC systems that would better facilitate railroad reuse of safety documentation and simplify the process of showing that the installation of the PTC system did not degrade safety. FRA also believes that subpart H does not clearly address the statutory mandates and that such lack of clarity would complicate railroad efforts to comply with the new statutory requirements. Accordingly, FRA is hereby proposing to amend part 236 by modifying existing subpart H and adding a new subpart I. FRA requests comments on whether this proposed regulation exercises the appropriate level of discretion and flexibility to comply with RSIA08 in the most cost effective and beneficial manner.
IV. RSAC
In March 1996, FRA established the RSAC, which provides a forum for collaborative rulemaking and program development. The RSAC includes representatives from all of the agency's major stakeholder groups, including railroads, labor organizations, suppliers and manufacturers, and other interested parties. When appropriate, FRA assigns a task to RSAC, and after consideration and debate, RSAC may accept or reject the task. If accepted, RSAC establishes a working group that possesses the appropriate expertise and representation of interests to develop recommendations to FRA for action on the task. These recommendations are developed by consensus. The working group may establish one or more task forces or other subgroups to develop facts and options on a particular aspect of a given task. The task force, or other subgroup, reports to the working group. If a working group comes to consensus on recommendations for action, the package is presented to the RSAC for a vote. If the proposal is accepted by a simple majority of the RSAC, the proposal is formally recommended to FRA. FRA then determines what action to take on the recommendation. Because FRA staff has played an active role at the working group and subgroup levels in discussing the issues and options and in drafting the language of the consensus proposal, and because the RSAC recommendation constitutes the consensus of some of the industry's leading experts on a given subject, FRA is generally favorably inclined toward the RSAC recommendation. However, FRA is in no way bound to follow the recommendation and the agency exercises its independent judgment on whether the recommended rule achieves the agency's regulatory goals, is soundly supported, and was developed in accordance with the applicable policy and legal requirements. Often, FRA varies in some respects from the RSAC recommendation in developing the actual regulatory proposal.
In developing this proposal, FRA adopted the RSAC PTC Working Group approach. As part of this effort, FRA is working with the major stakeholders affected by this subpart in as collaborative a manner as possible. FRA believes establishing a collaborative relationship early in the product development and regulatory development cycles can help bridge the divide between the railroad carrier's management, railroad labor organizations, the suppliers, and FRA by ensuring that all stakeholders are working with the same set of data and have a common understanding of product characteristics or their related processes and production methods, including the regulatory provisions, with which compliance is mandatory. However, where the group failed to reach consensus on an issue, FRA used its authority to resolve the issue, attempting to reconcile as many of the divergent positions as possible through traditional rulemaking proceedings.
On December 10, 2008, the RSAC accepted a task (No. 08-04) entitled “Implementation of Positive Train Control Systems.” The purpose of this task was defined as follows: “To provide advice regarding development of implementing regulations for Positive Train Control (PTC) systems and their deployment under the Rail Safety Improvement Act of 2008.” The task called for the RSAC PTC Working Group to perform the following:
- Review the mandates and objectives of the Act related to deployment of PTC systems;
- Help to describe the specific functional attributes of systems meeting the statutory purposes in light of available technology;
- Review impacts on small entities and ascertain how best to address them in harmony with the statutory requirements;
- Help to describe the details that should be included in the implementation plans that railroads must file within 18 months of enactment of the Act;
- Offer recommendations on the specific content of implementing regulations; and
The task also required the PTC Working Group to:
- Report on the functionalities of PTC systems;
- Describe the essential elements bearing on interoperability and the requirements for consultation with other railroads in joint operations; and
- Determine how PTC systems will work with the operation of non-equipped trains.
The PTC Working Group was formed from interested organizations that are members of the RSAC. The following organizations contributed members:
American Association of State Highway Transportation Officials (AASHTO)
American Chemistry Council (ACC)
American Public Transportation Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
Association of American Railroads (AAR)
Association of State Rail Safety Managers (ASRSM)
Brotherhood of Maintenance of Way Employees Division (BMWED)
Brotherhood of Locomotive Engineers and Trainmen Division (BLETD)
Brotherhood of Railroad Signalmen
Federal Transit Administration*
International Brotherhood of Electrical Workers
National Railroad Construction and Maintenance Association
National Railroad Passenger Corporation (Amtrak)
National Transportation Safety Board (NTSB)*
Railway Supply Institute (RSI)
Tourist Railway Association Inc.
United Transportation Union (UTU)
*Indicates associate (non-voting) member.
From January to April 2009, FRA met with the entire PTC Working Group five times over the course of twelve days. During those meetings, in order to efficiently accomplish the tasks assigned to it, the PTC Working Group empowered three task forces to work concurrently. These task forces were the passenger, short line and regional railroad, and the radio and communications task forces. Each discussed issues specific to their particular interests and needs and produced proposed rule language for the PTC Working Group's consideration. The majority of the proposals were adopted into the rule as agreed upon by the working group, with rule language related to a remaining few issues being further discussed and enhanced for inclusion into the rule by the PTC Working Group.
The passenger task force discussed testing issues relating to parts 236 and 238 and the definition of “main line” under the statute, including possible passenger terminal and limited operations exceptions to PTC implementation. Recommendations of the task force were presented to the PTC Working Group, which adopted or refined each suggestion.
The short line and regional railroad task group was formed to address the questions pertaining to Class II and Class III railroads. Specifically, the group discussed issues regarding the trackage rights of Class II and III railroads using trains not equipped with PTC technology over a Class I railroad's PTC territory, passenger service over track owned by a Class II or Class III railroad where PTC would not otherwise be required, and railroad crossings-at-grade involving a Class I railroad's PTC-equipped train and a Class II or III railroad's PTC unequipped train. After much discussion, there were no resolutions reached to any of the main issues raised. However, the discussion yielded insights utilized by FRA in preparing this proposed rule.
The radio and communications task force addressed wireless communications issues, particularly as they relate to communications security, and recommended language for proposed § 236.1033.
FRA staff worked with the PTC Working Group and its task forces in developing many facets of this proposal. FRA gratefully acknowledges the participation and leadership of representatives who served on the PTC Working Group and its task forces. These points are discussed to show the origin of certain issues and the course of discussion on these issues at the task force and working group levels. We believe this helps illuminate the factors FRA weighed in making its regulatory decisions regarding this proposed rule and the logic behind those decisions.
In general, the PTC Working Group agreed on the process for implementing PTC under the statute, including decisional criteria to be applied by FRA in evaluating safety plans, adaptation of subpart H principles to support this mandatory implementation, and refinements to subpart H and the part 236 appendices necessary to dovetail the two regulatory regimes and take lessons from early implementation of subpart H, including most aspects of the training requirements. Notable accords were reached, as well, on major functionalities of PTC and on exceptions applicable to passenger service (terminal areas and main line exceptions). Major areas of disagreement included whether to allow non-equipped trains on PTC lines, extension of PTC to lines not within the statutory mandate, and whether to provide for additional onboard displays when two or more persons are regularly assigned duties in the cab. Some additional areas of concern were discussed but could not be resolved in the time available. It was understood that where discussion did not yield agreement, FRA would make proposals and receive public comment.
V. Use of Performance Standards
Given the statutory mandate for the implementation of PTC systems, FRA intends the proposed rule to accelerate the promotion of, and not hinder, cost effective technological innovation by encouraging an efficient utilization of resources, an increased level of competition, and more innovative user applications and technological developments. FRA believes that, wherever possible, regulation must allow technologies the full freedom to exploit market opportunities, must support the challenges and opportunities resulting from the combination of emerging and varying technologies within an evolving marketplace, and should not discriminate between PTC systems vendors due to the technology or services provided.
Accordingly, FRA has attempted to refrain as much as possible from developing technical or design standards, or even requiring implementation of particular PTC technologies that may prevent technological innovation or the development of alternative means to achieve the statutorily defined PTC functions. If FRA were to implement specific technical standards, emerging technologies may render those standards obsolete. Thus, implementation of systems by the railroads using new technologies that are not addressed by the specific standards would require railroads and FRA to manage the deployment of alternative technologies using a cumbersome and time consuming waiver process. Consequently, for the same reasons FRA expressed in the final rule implementing subpart H (70 FR 11052, 11055-11059 (Mar. 7, 2005)), FRA continues to believe that it is best to pursue a performance-based standard while providing sufficient basic parameters within which the PTC system's architectures and functionalities must be developed, implemented, and maintained.
Like subpart H of part 236, proposed subpart I provides for the same level of product confidence and versatility in determining what PTC technology a railroad may elect to implement and operate, even if the railroad chooses to modify its PTC system over time. Unlike subpart H, however, proposed subpart I requires specific deployment of PTC while simplifying the application process, potentially reducing the size of the regulatory filings through facilitation of safety documentation reuse, and more narrowly defining the required performance targets based on railroad operations and in terms of more specific functional PTC behaviors. The approach under subpart I also reduces the likelihood of continually changing safety targets, which may vary based on each railroad's safety culture, and provides for incremental improvements in safety in coordination with FRA.
To ensure sufficient confidence in each PTC system implemented under subpart I, FRA expects that all safety- and risk-related data be supported by credible evidence or information. Such credible evidence or information may be developed through laboratory or field testing, augmented by appropriate analysis and inspection, which may be monitored or reviewed by FRA. FRA expects that, as a practical matter, lab testing would be performed in the majority of cases. FRA does not believe it is necessary to require any railroad to lab test. However, field testing may be required in certain instances to test certain points of the PTC system in various conditions.
If the railroad or FRA determines that the complexity of the technology or the supporting safety case warrants, credibility of this information may also be evaluated through an assessment of Verification and Validation performed by an acceptable independent third party selected and paid for by the railroad, subject to FRA approval. Ultimately, however, it is FRA's responsibility to determine whether each PTC system's performance results in an acceptable level of safety to railroad employees and the general public and whether any such system shall receive PTC System Certification, as required by statute. In order to provide meaningful flexibility, FRA is prepared to consider use of alternative risk analysis methods and proposals regarding the extent to which a product exhibits fail-safe behavior. FRA still emphasizes that higher speed and higher risk rail service should be supported by more highly competent train control technology and analysis.
FRA recognizes that there may potentially be various PTC system configurations and a variety of operational scopes involved. FRA believes that the information requested under subpart I should be sufficient to permit FRA to predict whether a PTC system is fully adequate from a safety perspective. Subparts H and I require submission of similar technical data. Given the degree of uncertainty associated with the underlying analysis of a complex PTC system and its environs, subpart I—much like subpart H—requires application of FRA's judgment and expertise. Given the complexity of the underlying analysis—and FRA's need to ensure an acceptable level of safety and analytical uniformity between functionally equivalent but architecturally different systems—it is incumbent upon the subject railroad, possibly in concert with the vendor, supplier, or manufacturer of its PTC system, to make a persuasive case in its filings that the applicable performance standards are met. Primarily, the risk assessments required by the proposed rule should provide an objective measure of the safety risk levels involved, which will be reviewed by FRA for comparison purposes. As such, FRA believes that each risk assessment should determine relative risk levels, rather than absolute risk levels, but against a clearly delineated base case acceptable to FRA under the proposed regulation.
Thus, this proposed rule attempts to emphasize the determination of relative risk. FRA believes that the guidelines captured in Appendix B adequately state the objectives and major considerations of any risk assessment it would expect to see submitted under proposed subpart I. FRA also believes that these guidelines allow sufficient flexibility in the conduct of risk assessments, yet provide sufficient uniformity by helping to ensure that final results are presented in familiar units of measurement.
One of the major characteristics of a risk assessment is whether it is performed using qualitative or quantitative methods. FRA continues to believe that both quantitative and qualitative risk assessment methods may be used, as well as combinations of the two. FRA expects that qualitative methods should be used only where appropriate, and only when accompanied by an explanation as to why the particular risk cannot be fairly quantified. FRA also continues to believe that railroads and suppliers should not be limited in the type of risk assessments they should be allowed to perform to demonstrate compliance with the minimum performance standard. The state of the art of risk assessment methods could potentially change more quickly than the regulatory process will allow, and not taking advantage of these innovations could slow the progress of implementation of safer signal and train control systems. Thus, as in subpart H, FRA is allowing risk assessment methods not meeting the guidelines of this rule, so long as it can be demonstrated to the satisfaction of the FRA Associate Administrator for Railroad Safety/Chief Safety Officer (hereinafter Associate Administrator) that the risk assessment method used is suitable in the context of the particular PTC system. FRA believes this determination is best left to the Associate Administrator because the FRA retains authority to ultimately prevent implementation of a system whose plans do not adequately demonstrate compliance with the performance standard under the proposed rule.
FRA is aware that some types of risk are more amenable to measurement by using certain methods rather than others because of the type and amount of data available. If a railroad does elect to use different risk assessment methods, FRA will consider this as a factor for PTC System Certification (see § 236.1015). Also, in such cases, when the margin of uncertainty has been inadequately described, FRA will be more likely to require FRA monitored field or laboratory testing (see § 236.1035) or an independent third-party assessment (see § 236.1017).
When FRA issued the final rule establishing subpart H, FRA considered the criteria of simplicity, relevancy, reliability, cost, and objectivity. FRA believes that these criteria remain applicable. FRA has attempted to make the requirements under subpart I simpler than the requirements of subpart H, so that railroads will be provided with a greater amount of flexibility to more easily demonstrate that their PTC systems are certifiable by FRA. Like subpart H, subpart I focuses on the safety-relevant characteristics of systems and emphasizes all relevant aspects of product performance. FRA also drafted performance standards that can be applied reliably and precisely in a manner which should yield similar results each time they are applied to the same subject. Although RSIA08 appears to make cost a consideration secondary to safety, FRA believes that demonstrating compliance under subpart I should minimize those costs while not degrading the primary objective of public safety. FRA also believes that subpart I includes an objective performance standard where compliance can be determined through sound engineering analysis, testing, or investigation.
VI. Section-by-Section Analysis
Unless otherwise noted, all section references below refer to sections in title 49 of the Code of Federal Regulations (CFR). FRA seeks comments on all proposals made in this NPRM.
Section 229.135 Event Recorders
Advances in electronics and software technology have not only enabled the development of PTC systems, but have also resulted in changes to the implementation of locomotive control systems. These technological changes have provided for the introduction of new functional capabilities and the integration of different functions in ways that advance the building, operation, and maintenance of locomotive control systems. FRA also recognizes that advances in technology may further eliminate the traditional distinctions between locomotive control and train control functionalities. Indeed, technological advances may provide opportunities for increased or improved functionalities in train control systems that run concurrently with locomotive control.
Train control and locomotive control, however, remain two fundamentally different operations with different objectives. FRA does not want to restrict the adoption of new locomotive control functions and technologies by imposing regulations on locomotive control systems intended to address safety issues associated with train control. Accordingly FRA is reviewing and enhancing the Locomotive Safety Standards (49 CFR part 229) to address the use of advanced electronics and software technologies to improve safe, efficient, and economical locomotive operations when a new or proposed locomotive control system function does not interface or commingle with a safety-critical train control system. In the meantime, FRA proposes to amend § 229.135 to ensure its applicability to subpart I.
Section 234.275 Processor-Based Systems
Section 234.275 of title 49 presently requires that each processor-based system, subsystem, or component used for active warning at highway-rail grade crossings that is new or novel technology, or that provides safety-critical data to a railroad signal or train control system which is qualified using the subpart H process, shall also be governed by those requirements, including approval of a Product Safety Plan. Particularly with respect to high speed rail, FRA anticipates that PTC systems will in some cases incorporate new or novel technology to provide for crossing pre-starts (reducing the length of approach circuits for high speed trains), verify crossing system health as between the wayside and approaching trains, or slow trains approaching locations where storage has been detected on a crossing, among other options. Indeed, each of these functions is presently incorporated in at least one train control system, and others may one day be feasible (including in-vehicle warning). There would appear to be no reason why such a functionality intended for inclusion in a PTC system mandated by subpart I could not be qualified with the rest of the PTC system under subpart I. On the other hand, care should be taken to set an appropriate safety standard taking into consideration highway users, occupants of the high speed trains, and others potentially affected.
In fact, with new emphasis on high speed rail, FRA needs to consider the ability of PTC systems to integrate this type of new technology and thereby reduce risk associated with high speed rail service. Risk includes derailment of a high speed train with catastrophic consequences after encountering an obstacle at a highway-rail grade crossing. To avoid such consequences, as many crossings as possible should be eliminated. To that end, 49 CFR 213.347 requires a warning and barrier plan to be approved for Class 7 track (speeds above 110 mph) and prohibits grade crossings on Class 8 and 9 track (above 125 mph). That leaves significant exposure on Class 5 and 6 track that is currently not addressed by regulation. Comment is requested on how best to approach this issue, ensuring that various FRA regulations, including subpart I, address this safety need effectively and in harmony with one another.
Section 235.7 Changes Not Requiring Filing of Application
FRA proposes to amend this section of the regulation, which allows specified changes within existing signal or train control systems to be made without the necessity of filing an application. The amendment consists of adding allowance for a railroad to remove an intermittent automatic train stop system in conjunction with the implementation of a PTC system approved under subpart I of part 236.
The changes allowable under this section, without filing of an application, are those identified on the basis that the resultant condition will be at least no less safe than the previous condition. The required functions of PTC within subpart I provide a considerably higher level of functionality related to both alerting and enforcing necessary operating limitations than an intermittent automatic train stop system does. Additionally, in the event of the loss of PTC functionality (i.e., a failure en route), the operating restrictions required will provide the needed level of safety in lieu of the railroad being expected to keep and maintain an underlying system such as intermittent automatic train stop only for such cases. FRA therefore believes that with the implementation of PTC under the requirements of subpart I, the safety value of any previously existing intermittent automatic train stop system is entirely obviated. There were no objections in the PTC Working Group to this amendment.
Section 236.0 Applicability, Minimum Requirements, and Penalties
FRA proposes to amend this existing section of the regulation to remove manual block from the methods of operation permitting speeds of 50 miles per hour or greater for freight trains and 60 miles per hour or greater for passenger trains. Manual block rules do create a reasonably secure means of preventing train collisions. However, where the attributes of block signal systems are not present, misaligned switches, broken rails, or fouling equipment may cause a train accident. FRA believes that contemporary expectations for safe operations require this adjustment, which also provides a more orderly foundation for the application of PTC to the subject territories. There were no objections in the PTC Working Group to this change.
Section 236.909 Minimum Performance Standard
FRA is proposing to modify existing § 236.909 to make the risk metric sensitivity analysis an integral part of the full risk assessment required to be submitted with a product safety plan in accordance with § 236.907(a)(7). The proposed amendment of this section would also eliminate an alternative option for a railroad to use a risk metric in which consequences of potential accidents are measured strictly in terms of fatalities.
Currently, § 236.909(e)(1) indicates how safety and risk should be measured for the full risk assessment, but does not accentuate the need for running a sensitivity analysis on chosen risk metrics to assure that the worst case scenarios for the proposed system failures or malfunctions are accounted for in the risk assessment. On the other hand, Appendix B to this part mandates that each risk metric for the proposed product must be expressed with an upper bound, as estimated with a sensitivity analysis. FRA's experience gained while reviewing product safety plans submitted to FRA in accordance with subpart H revealed that the railroads did not understand a sensitivity analysis for the chosen risk metrics to be a mandatory requirement. Accordingly, to ensure clarity regarding FRA's expectations, FRA proposes to amend paragraph (e)(1) to explicitly require the performance of a sensitivity analysis for the chosen risk metrics. The language proposed in this rule explains the need for the sensitivity analysis and describes the key input parameters that must be analyzed.
The proposed modification to paragraph (e)(2) is intended to clarify how the exposure and its consequences, as main components of the risk computation formula, must be measured. Under the proposed rule text, the exposure must be measured in train miles per year over the relevant railroad infrastructure where a proposed system is to be implemented. When determining the consequences of potential accidents, the railroad must identify the total costs involved, including those relating to fatalities, injuries, property damage, and other incidentals. FRA proposes to eliminate the option of using an alternative risk metric, which would allow the measurement of consequences strictly in terms of fatalities. It is FRA's experience that measuring consequences of accidents strictly in terms of fatalities did not serve as an adequate alternative to metrics of total cost of accidents for two main reasons. First, the statistical data on railroad accidents shows that accidents involving fatalities also cause injuries and significant damage to railroad property and infrastructure for both freight and especially passenger operations. Even though the cost of human life is often the highest component of monetary estimates of accident consequences, the dollar estimates of injuries, property losses, and damage to the environment associated with accidents involving fatalities cannot and should not be discounted in the risk analysis. Second, allowing fatalities to serve as the only risk metrics of accident consequences confused the industry and the risk assessment analysts attempting to determine the overall risk associated with the use of certain types of train control systems. As a result, some risk analysts inappropriately converted injuries and property damages for observed accidents into relative estimates of fatalities. 
This method cannot be considered acceptable because, while distorting the overall picture of accident consequences, it also raises questions on appropriateness of conversion coefficients. Therefore, FRA considers it appropriate to eliminate from the rule the alternative option for consequences to be measured in fatalities only.
Subpart I—Positive Train Control Systems
Section 236.1001 Purpose and Scope
This section describes both the purpose and the scope of subpart I. Subpart I provides performance-based regulations for the development, test, installation, and maintenance of Positive Train Control (PTC) Systems, and the associated personnel training requirements, that are mandated for installation by FRA. This subpart also details the process and identifies the documents that railroads and operators of passenger trains are to utilize and incorporate in their PTC implementation plans. This subpart also details the process and procedure for obtaining FRA approval of such plans.
Section 236.1003 Definitions
Given that a natural language such as English contains, at any given time, a finite number of words, any comprehensive list of definitions must either be circular or leave some terms undefined. In some cases, it is not possible and indeed not necessary to state a definition. Where possible and practicable, FRA prefers to provide explicit definitions for terms and concepts rather than rely solely on a shared understanding of a term through use.
Paragraph (a) reinforces the applicability of existing definitions of subparts A through H. The definitions of subparts A through H are applicable to subpart I, unless otherwise modified by this part.
Paragraph (b) introduces definitions for a number of terms that have specific meanings within the context of subpart I. In lieu of analyzing each definition here, however, some of the delineated terms will be discussed as appropriate while analyzing other sections below.
As a general matter, however, FRA believes it is important to explain certain organizational changes required pursuant to RSIA08. The statute establishes the position of a Chief Safety Officer. The Chief Safety Officer has been designated as the Associate Administrator for Railroad Safety. Thus, the use of the term Associate Administrator in this subpart refers to the Associate Administrator for Railroad Safety and Chief Safety Officer.
Section 236.1005 Requirements for Positive Train Control Systems
RSIA08 specifically requires that each PTC system be designed to prevent train-to-train collisions, overspeed derailments, incursions into established work zone limits, and the movement of a train through a switch left in the wrong position. Section 236.1005 includes the minimum statutory requirements and provides amplifying information defining the necessary PTC functions and the situations under which PTC systems must be installed. Each PTC system must be reliable and perform the functions specified in RSIA08. FRA requests comments on whether the definitions and amplifying information within § 236.1005 are appropriate interpretations of RSIA08 and whether FRA is exercising the appropriate level of discretion and flexibility to comply with RSIA08 in the most cost effective and efficient manner.
Train-to-train collisions. Paragraph (a)(1)(i) proposes to apply the statutory requirement that a mandatory PTC system must be designed to prevent train-to-train collisions. FRA understands this to mean head-to-head, rear-end, and side and raking collisions between trains on the same, converging, or intersecting tracks. PTC technology now available can meet these needs through guidance to the locomotive engineer that is current and continuous and through enforcement using predictive braking to stop short of known targets. FRA notes that the technology associated with currently available PTC systems may not completely eliminate all collision risks. For instance, a PTC system mandated by this subpart is not required to prevent a collision caused by a train that derails and moves over an area not covered by track and onto a neighboring or adjacent track (known in common parlance as a “secondary collision”).
During discussions regarding available PTC technology, it has been noted that this technology also has inherent limitations with respect to prevention of certain collisions that might occur at restricted speed. In signaled territory, there are circumstances under which trains may pass red signals, other than absolute signals except with verbal authority, either at restricted speed or after stopping and then proceeding at restricted speed. Available PTC technology does not track the rear end of each train as a target that another train must be stopped short of but instead relies on the signal system to indicate the appropriate action. In this example, the PTC system would display “restricted speed” to the locomotive engineer as the action required and would enforce the upper limit of restricted speed (i.e., 15 or 20 miles per hour, depending on the railroad). This means that more serious rear end collisions will be prevented, because the upper limit of restricted speed is enforced, and it also means that fewer low speed rear-end collisions will occur because a continuous reminder of the required action will be displayed to the locomotive engineer (rather than the engineer relying on the aspect displayed by the last signal, which may have been passed some time ago). However, some potential for a low-speed rear-end collision will remain in these cases, and the rule is clear that this limitation has been accepted. Similar exposure may occur in non-signaled territory where trains are conducting switching operations or other activities under joint authorities. The PTC system can enforce the limits of the authority and the upper limit of restricted speed, but it cannot guarantee that the trains sharing the authority will not collide. Again, however, the likelihood and average severity of any potential collisions would be greatly reduced. FRA may address this issue in a later modification to subpart I if necessary as technology becomes available.
The proposed rule text does, however, provide an example of a potential train-to-train collision that a PTC system should be designed to prevent. Rail-to-rail crossings-at-grade—otherwise known as diamond crossings—present a risk of side collisions. FRA recognizes that such intersecting lines may or may not require PTC system implementation and operation. Since a train operating with a PTC system cannot necessarily recognize a train not operating with a PTC system or moving on an intersecting track without a PTC system, the PTC system—no matter how intelligent—may not be able to prevent a train-to-train collision in such circumstances.
Accordingly, paragraph (a)(1)(i) proposes to require certain protections for such rail-to-rail crossings-at-grade. While these locations are specifically referenced in paragraph (a)(1)(i), their inclusion is merely illustrative and does not necessarily preclude any other type of potential train-to-train collision. Moreover, a host railroad may have alternative arrangements to the specific protections referenced in the associated table under paragraph (a)(1)(i), which it must submit in its PTC Safety Plan (PTCSP)—discussed in detail below—and receive a PTC System Certification associated with that PTCSP.
Rail-to-rail crossings-at-grade that have one or more PTC routes intersecting with one or more routes without a PTC system must have an interlocking signal arrangement in place developed in accordance with subparts A through G of part 236 and a PTC enforced stop on all PTC routes. FRA has also determined that the level of risk varies based upon the speeds at which the trains operate through such crossings, as well as the presence, or lack, of PTC equipped lines leading into the crossing. Accordingly, under a compromise accepted by the PTC Working Group, if the maximum speed on at least one of the intersecting tracks is more than 40 miles per hour, then the routes without a PTC system must also have either some type of positive stop enforcement or a split-point derail on each approach to the crossing and incorporated into the signal system, and a permanent maximum speed limit of 20 miles per hour. FRA expects that these protections be instituted as far in advance of the crossing as is necessary to stop the encroaching train from entering the crossing. The 40 miles per hour threshold appears to be appropriate given three factors. First, the frequency of collisions at these rail intersections is low, because typically one of the routes is favored on a regular basis and train crews expect delays until signals clear for their movement. Second, the special track structure used at these intersections, known as crossing diamonds, experiences heavy wear; and railroads tend to limit speeds over these locations to no more than 40 miles per hour. Finally, FRA recognizes that for a train on either intersecting route, elevated speed will translate into higher kinetic energy available to do damage in a collision-induced derailment. Thus, for the relatively small number of rail crossings with one or more routes having an authorized train speed above 40 miles per hour, including higher speed passenger routes, it is particularly important that any collision be prevented. 
FRA appreciates that a more protective approach could be considered and welcomes any data or commentary that might bear on this issue.
FRA believes that these more aggressive measures are required to ensure train safety in the event the engineer does not stop a train before reaching the crossing when the engineer does not have a cleared route displayed by the interlocking signal system and higher speed operations are possible on the route intersected. The split-point derail would prevent a collision in such a case by derailing the offending train onto the ground before it reaches the crossing. Should the train encounter a split-point derail as a result of the crew's failure to observe the signal indication, the slower speed at which the unequipped train is required to travel would minimize the damage to the unequipped train and the potential effect on the surrounding area. As an alternative to split-point derails, the non-PTC line may be outfitted with some other mechanism that ensures a positive stop of the unequipped crossing train. If a PTC system or systems are installed and operated on all crossing lines, there are no speed restrictions other than those that might be enforced as part of a civil or temporary speed restriction. However, the crossing must be interlocked and the PTC system or systems must ensure that each of the crossing trains can be brought safely to a stop before reaching the crossing in the event that another train is already cleared through or occupying the crossing.
Overspeed derailments. Paragraph (a)(1)(ii) proposes that PTC systems mandated under subpart I be designed to prevent overspeed derailments and addresses specialized requirements for doing so. FRA notes that a number of passenger train accidents with significant numbers of injuries have been caused by trains exceeding the maximum allowable speed at turnouts and crossovers and upon entering stations. Accordingly, FRA emphasizes the importance of enforcement of turnout and crossover speed restrictions, as well as civil speed restrictions.
For instance, in the Chicago region, two serious train accidents occurred on the same Metra commuter line when locomotive engineers operated trains at more than 60 miles per hour while traversing between tracks using crossovers, which were designed to be safely traversed at 10 miles per hour. For illustrative purposes, the rule text makes clear that such derailments may be related to railroad civil engineering speed restrictions, slow orders, and excessive speeds over switches and through turnouts and these types of speed restrictions are to be enforced by the system.
Roadway work zones. Paragraph (a)(1)(iii) proposes that PTC systems mandated under subpart I be designed to prevent incursions into established work zone limits. Work zone limits are defined by time and space. The length of time a work zone limit is applicable is determined by human elements. Working limits are obtained by contacting the train dispatcher, who will confirm an authority only after it has been transmitted to the PTC server. Paragraph (a)(1)(iii) emphasizes the importance of the PTC systems to provide positive protection for roadway workers working within the limits of their work zone. Accordingly, once a work zone limit has been established, the PTC system must be notified. The PTC system must continue to obey that limit until it is notified from the dispatcher or roadway worker in charge, with verification from the other, either that the limit is released and the train is authorized to enter or the roadway worker in charge authorizes movement of the train through the work zone.
As a way to achieve this technological functionality, FRA's Office of Railroad Development has funded the development of a Roadway Worker Employee in Charge (EIC) Portable Terminal that allows the EIC to control the entry of trains into the work zone. While no rule includes the commonly used term EIC, FRA recognizes that it is the equivalent to the “Roadway Worker In Charge” as used in part 214. With the portable terminal, the EIC can directly control the entry of trains into the work zone and restrict the speed of the train through the work zone. If the EIC does not grant authority for the train to enter the work zone, the train is forced to a stop prior to violating the work zone authority limits. If the EIC authorizes entry of the train into the work zone, the EIC may establish a maximum operating speed for the train consistent with the safety of the roadway work employees. This speed is then enforced on the train authorized to enter and pass through the work zone. The technology is significantly less complex than the technology associated with dispatching systems and the PTC onboard system. In view of this, FRA strongly encourages deployment of such portable terminals as opposed to current approaches which only require the locomotive engineer to in some manner “acknowledge” his or her authority to operate into or through the limits of the work zone (e.g., by pressing a soft key on the onboard display, even if in error).
Pending the adoption of more secure technology such as the EIC Portable Terminal, FRA will scrutinize PTC Safety Plans to determine whether they leave no opportunity for single point human failure in the enforcement of work zone limits. FRA again notes that some approaches in the past have provided that the locomotive engineer could simply acknowledge a work zone warning, even if inappropriately, after which the train could proceed into the work zone. FRA proposes that more secure procedures be included in safety plans under the new proposed subpart.
Movement over main line switches. Paragraph (a)(1)(iv) proposes to require that PTC systems mandated under subpart I be designed to prevent the movement of a train through a main line switch in the improper position. Given the complicated nature of switches—especially when operating in concert with wayside, cab, or other similar signal systems—the proposed rule provides more specific requirements in paragraph (e) as discussed further below.
In numerous paragraphs, the proposed rules require various operating requirements based primarily on signal indications. Generally, these indications are communicated to the engineer, who would then be expected to operate the train in accordance with the indications and authorities provided. However, a technology that receives the same information does not necessarily have the wherewithal to respond unless it is programmed to do so. Thus, paragraph (a)(2) requires PTC systems implemented under subpart I to obey and enforce all such indications and authorities provided by these safety-critical underlying systems. The integration of the delivery of the indication or authority with the PTC system's response to those communications must be described and justified in the PTC Development Plan (PTCDP)—further described below—and the PTCSP, as applicable, and then must comply with those descriptions and justifications.
The PTC Working Group had extensive discussions concerning the monitoring of main line switches and came to the following general conclusions:
First, signal systems do a good job of monitoring switch position, and enforcement of restrictions imposed in accordance with the signal system is the best approach within signaled territory (main track and controlled sidings). As a general rule, the enforcement required for crossovers, junctions, and entry into and departure from controlled sidings will be a positive stop, and the enforcement provided for other switches (providing access to industry tracks and non-signaled sidings and auxiliary tracks) will be display and enforcement of the upper limit of restricted speed. National Transportation Safety Board representatives were asked to evaluate whether this strategy meets the needs of safety from their perspective. They returned with a list of accidents caused by misaligned switches that the Board had investigated in recent years, none of which was in signaled territory. Based on that data, the NTSB staff decided that it was not necessary to monitor individual switches in signaled territory.
Second, switch monitoring functions of contemporary PTC systems provide an excellent approach to addressing this requirement in dark territory. However, it is important to ensure that switch position is determined with the same degree of integrity that one would expect within a signaling system (e.g., fail safe point detection, proper verification of adjustment). The PTC Working Group puzzled over sidings in dark territory and how to handle the requirement for switch monitoring in connection with those situations. (While these are not “controlled” sidings, as such, they will often be mapped so that train movements into and out of the sidings are appropriately constrained.) At the final PTC Working Group meeting, a proposal was accepted that would treat a siding as part of the main line track structure requiring monitoring of each switch off of the siding if the siding is non-signaled and the authorized train speed within the siding exceeds 20 miles per hour.
This issue is more fully discussed below.
Other functions. While FRA has included the core PTC system requirements in § 236.1005, there is the possibility that other functions may be explicitly or implicitly required elsewhere in subpart I. Accordingly, under paragraph (a)(3), each PTC system required by subpart I must also perform any other functions specified in subpart I. According to 49 U.S.C. 20157(g), FRA must prescribe regulations specifying in appropriate technical detail the essential functionalities of positive train control systems and the means by which those systems will be qualified.
In addition to the general performance standards required under paragraphs (a)(1)-(3), paragraph (a)(4) proposes more prescriptive performance standards relating to the situations paragraphs (a)(1)-(3) intend to prevent. Paragraph (a)(4) defines specific situations where FRA has determined that specific warning and enforcement measures are necessary to provide for the safety of train operations, their crews, and the public and to accomplish the goals of the PTC system's essential core functions. Under paragraph (a)(4)(i), FRA proposes to prevent unintended movements onto PTC main lines and possible collisions at switches by ensuring proper integration and enforcement of the PTC system as it relates to derails and switches protecting access to the main line. Paragraph (a)(4)(ii) intends to account for operating restrictions associated with a highway-rail grade crossing active warning system that is in a reduced or non-operative state and unable to provide the required warning for the motoring public. In this situation, the PTC system must provide positive protection and enforcement related to the operational restrictions of alternative warning that are issued to the crew of any train operating over such crossing in accordance with part 234. Paragraph (a)(4)(iii) concerns the movement of a PTC operated train in conjunction with the issuance of an after arrival mandatory directive. While FRA recognizes that the use of after arrival mandatory directives poses a risk that the train crew will misidentify one or more trains and proceed prematurely, PTC provides a means to intervene should that occur. Further, such directives may sometimes be considered operationally useful. Accordingly, FRA fully expects that the PTC system will prevent collisions between the receiving trains and the approaching train or trains.
FRA recognizes that movable bridges, including draw bridges, present an operational issue for PTC systems. Under subpart C, § 236.312 already governs the interlocking of signal appliances with movable bridge devices and FRA believes that this section should equally apply to PTC systems governing movement over such bridges. While subparts A through H apply to PTC systems—as stated in § 236.1001—paragraph (a)(4)(iv) proposes to make this abundantly clear. Accordingly, in paragraph (a)(4)(iv) and consistent with § 236.312, movable bridges within a PTC route are to be equipped with an interlocked signal arrangement which is also to be integrated into the PTC system. A train shall be forced to stop prior to the bridge in the event that the bridge locking mechanism is not locked, the locking device is out of position, or the bridge rails of the movable span are out of position vertically or horizontally from the rails of the fixed span. Effective locking of the bridge is necessary to assure that the bridge is properly seated and thereby capable of supporting both the weight of the bridge and that of a passing train(s) and of preventing possible derailment or other potential unsafe conditions. Proper track rail alignment is also necessary to prevent derailments, either of which again could result in damage to the bridge or a train derailing off the bridge.
Paragraph (a)(4)(v) proposes that hazard detectors integrated into the PTC system—as required by paragraph (c) of this section or the FRA approved PTCSP—must provide an appropriate warning and associated applicable enforcement through the PTC system. There are many types of hazard detection systems and devices. Each type has varying operational requirements, limitations, and warnings based on the types and levels of hazard indications and severities. FRA expects this enforcement to include a positive stop where necessary to protect the train (e.g., areas with high water, flood, rock slide, or track structure flaws) or to provide an appropriate warning with possible movement restriction to be acknowledged (i.e., hot journal or flat wheel detection). The details of these warnings and associated required enforcements are to be specifically addressed within a PTCDP and PTCSP subject to FRA approval, and the PTC system functions are to be maintained in accordance with the system specifications. FRA does not expect that all hazard detectors be integrated into the PTC systems, but where they are, they must interact properly with the PTC system to protect the train from the hazard that the detector is monitoring.
Paragraph (a)(5) addresses the issue of broken rails, which is the leading cause of train derailments. FRA proposes to strictly limit the speed of passenger and freight operations in those areas where broken rail detection is not provided. Under § 236.0(c), as amended in this rule, 24 months after the effective date of a final rule, freight trains operating at or above 50 miles per hour, and passenger trains operating at or above 60 miles per hour are required to have a block signal system unless a PTC system meeting the requirements of this part is installed. Since current technology for block signal systems relies on track circuits—which also provide for broken rail detection—FRA proposes limiting speeds where broken rail detection is not available to the maximums allowed under § 236.0 when a block signal system is not installed.
Deployment requirements. Paragraph (b) contains proposed requirements for where and when PTC systems must be installed. Under RSIA08, each applicable railroad carrier must implement a PTC system in accordance with its PTC Implementation Plan (PTCIP), as further discussed below. The PTCIP is statutorily required to be submitted by April 16, 2010, and must explain how the railroad or railroads intend to implement an operating PTC system by December 31, 2015. Essentially, a PTC system must be installed on certain tracks. In addition, except as provided under § 236.1006, onboard components required for and responsive to the PTC system must be installed on each lead locomotive that operates over those tracks.
The lead locomotive means the first locomotive proceeding in the direction of movement. In addition to the lead locomotive that controls the train while moving in a forward direction, a PTC system must be installed on any rear end unit control cab locomotive that is capable of controlling the train when it moves in the reverse direction. These proposed requirements assume that locomotives controlling the train may be placed only at each end. At this time, FRA is unaware of any locomotives not placed at either end of the train that may independently control the train. FRA seeks comments and information regarding these assumptions and understandings.
As a threshold matter, RSIA08 requires that a PTC system be installed on certain main lines of each entity required to file a PTCIP. According to the statute, a main line is, with certain exceptions, a Class I railroad track over which 5 million or more gross tons of railroad traffic is transported annually. Pursuant to the statute, FRA may also designate additional tracks as main line and may provide exceptions for intercity rail or commuter passenger transportation over track where limited or no freight railroad operations occur. The statutory language does not indicate whether the phrase “main line” refers to the route used or actual trackage owned by the subject railroad. It is clear, however, that Congress intended to focus implementation and operation of PTC systems on freight lines owned or used by Class I railroads for operations specifically identified in the statute.
For instance, by referencing Class I railroads—and not referencing any other type of freight railroad—FRA believes that Congress did not intend, as a general matter, to have smaller freight railroads incur the tremendous costs involved in PTC system implementation and operation unless they own track over which is provided regularly scheduled intercity or commuter rail passenger transportation. Congress gives the Secretary discretion in 49 U.S.C. 20157(f) to require the installation of PTC systems on railroads other than Class I railroads and intercity or commuter passenger systems.
The Surface Transportation Board (STB) has established a statutory definition for Class I, II, and III railroads based on the reported revenues in 1992. A reference to Class I railroads in this subpart refers to those railroads that have been designated as such by the Surface Transportation Board (STB). According to STB, a Class I railroad has revenues greater than $250 million (adjusted annually for inflation); a Class II railroad has revenues ranging from $20 million to $250 million (adjusted annually for inflation); and a Class III railroad has revenues that are less than $20 million (adjusted annually for inflation). All switching and terminal railroads, regardless of revenue size, are Class III railroads. The STB railroad classification determines the amount of reporting which a carrier must file with the STB. Class I railroads are required to file an annual R-1 Report, a detailed income, expense, and operating data report, quarterly and annual freight carload commodity reports, and reports on types of employees and employee compensation (Wage Form A and B).
From time to time, as some Class II railroads approached the Class I railroad revenue threshold, these carriers petitioned the STB to remain as Class II railroads, so that these carriers would not be burdened with the additional reporting requirements. Generally the STB allowed this exemption. Accordingly, there may be some large railroads—including Montana Rail Link and Florida East Coast—that are Class II railroads “by waiver,” thereby freeing them from having to file Class I railroad reports with the STB.
In drafts of this proposed rule provided to the RSAC PTC Working Group, it was suggested that a Class I railroad's main line be defined as track owned and controlled by the Class I railroad. By also including track “controlled” by the Class I railroad, FRA intended to include tracks not owned by Class I railroads, but used in a manner as if the Class I railroad did own that track. For instance, under the term “controlled,” FRA intended that a track owned by a Class II or III railroad would be considered a main line if a Class I railroad had effective control over the Class II or III railroad or that specific track. Without the “control” requirement, Class I railroads could divest themselves of track ownership while maintaining effective control for the purposes of avoiding PTC system implementation.
The American Short Line and Regional Railroad Association (ASLRRA), however, expressed concern with this provision, instead suggesting that a Class I railroad's main line include only those lines owned and “operated” by the Class I railroad. FRA believes that the underlying ASLRRA concern is that many of its member railroads may go out of business if they are mandated to install PTC systems and incur the associated untenable financial costs. FRA agrees that, from the point of view of the congressional mandate, a narrower concept is appropriate at this time. However, in light of future circumstances relating to railroad revenue, safety opportunities, traffic patterns, and other variables, FRA also recognizes that it may later require PTC system implementation and operation on certain Class II and III railroad tracks.
To avoid confusion, FRA proposes to define main line by standards applicable to a single element. In its effort to define a Class I railroad's main line as track owned and controlled by the Class I railroad, FRA focuses the proposed definition on the status of the track. To also focus on the issue of operations could raise confusion and irreconcilable understandings. Thus, FRA is not comfortable with ASLRRA's suggestion. To accomplish FRA's goal and respond to ASLRRA's concerns, however, FRA has limited a Class I railroad's main lines to tracks and segments documented in the timetables last filed before October 16, 2008, by the Class I railroads with FRA under § 217.7 of this title over which 5 million or more gross tons of railroad traffic is transported annually. For most of its territory, each railroad is already required to track tonnage in order to satisfy the requirements for joint bar and internal rail flaw inspections. See 213.119 (table), 213.237. Thus, FRA does not expect this determination to be difficult for railroads. For railroads that are required to submit a PTCIP by April 16, 2010, the gross tonnage will be based on 2008 year traffic. To the extent rail traffic exceeds 5 million gross tons in any year after 2008, the tonnage shall be calculated for the preceding two calendar years in determining whether a PTCIP or its amendment is required. FRA seeks comments on whether any tracks intended to be covered would be missed under this approach and on whether there is a better approach.
The RSIA08 requires certain tracks to be considered main line where a certain amount of railroad traffic is transported. However, in certain yard or terminal locations, trains are prepared for transportation, but railroad traffic is not “transported.” Moreover, FRA recognizes that in such locations, PTC system operation would be especially cumbersome and onerous, possibly resulting in a reduction of safety due to inappropriate interventions by the PTC system that could lead to “train handling” derailments or hazards to personnel riding the sides of rolling stock. Accordingly, in such locations, FRA may not consider the subject tracks as main line. For such locations that only include freight operations, FRA proposes to consider these tracks other than main line by definition if all trains in the location are limited to restricted speed.
However, for any tracks used by passenger trains, FRA proposes that any designation of track as other than main line should be performed on a case-by-case basis in accordance with § 236.1019. FRA seeks comments on this issue. FRA also seeks comments on whether this explanation comports with the railroads' understanding of the rule text.
Once a Class I railroad's main lines are determined, a PTC system must be installed and operated on those main line tracks over which passenger trains are operated or any PIH materials are transported. As a corollary, PTC systems are not required on a Class I railroad's lines over which no PIH materials are transported and no passenger trains are operated. In addition to an applicable Class I railroad's main lines, a PTC system must be implemented and operated on all railroads' main lines over which regularly scheduled intercity rail passenger transportation or commuter rail passenger transportation, as defined by 49 U.S.C. 24102, is provided. However, FRA does not intend to apply this requirement to tracks operated by tourist railroads, as described in 49 U.S.C. 20103(f), because, inter alia, they are not Class I railroads and they do not provide regularly scheduled intercity or commuter passenger service.
According to 49 U.S.C. 24102, “intercity rail passenger transportation” means rail passenger transportation, except commuter rail passenger transportation. 49 U.S.C. 24102 defines commuter rail passenger transportation as “short-haul rail passenger transportation in metropolitan and suburban areas usually having reduced fare, multiple-ride, and commuter tickets and morning and evening peak period operations.”
49 CFR 238.5 provides further guidance, defining a long-distance intercity passenger train as “a passenger train that provides service between large cities more than 125 miles apart and is not operated exclusively in the National Railroad Passenger Corporation's Northeast Corridor” and a commuter train as “a passenger train providing commuter service within an urban, suburban, or metropolitan area. The term includes a passenger train provided by an instrumentality of a State or a political subdivision of a State.” Section 238.5 also defines passenger service as “a train or passenger equipment that is carrying, or available to carry, passengers. Passengers need not have paid a fare in order for the equipment to be considered in passenger or in revenue service.” According to § 238.5, a passenger train is “a train that transports or is available to transport members of the general public. If a train is composed of a mixture of passenger and freight equipment, that train is a passenger train for purposes of this part.”
While the statute generally limits mandatory PTC system implementation and operation to certain main lines—defined for freight purposes as track over which 5 million or more gross tons of railroad traffic is transported annually—FRA is required to define passenger main line by regulation. See 49 U.S.C. 20157(i)(2)(B). In that regard, FRA has determined that freight density, as such, is not a relevant factor. FRA intends to cover the same intercity and commuter passenger services as 49 CFR part 238 (Passenger Equipment Safety Standards), which excludes tourist railroads (49 CFR 238.3). See also, 49 CFR part 209, Appendix A.
As a corollary, after December 31, 2015, no intercity or commuter passenger operations may operate on any track that does not have a PTC system installed, except as described in the proposed rule. A PTC system must be installed on any track—regardless of its ownership or the weight of annual traffic—before any intercity or commuter rail passenger operation may operate. Thus, any passenger or freight track over which such passenger trains operate must be PTC-equipped.
The RSIA08 requires each intercity and commuter passenger railroad to implement PTC on “its main line over which intercity rail passenger transportation or commuter rail passenger transportation, as defined in section 24102, is regularly provided.” Section 24102 uses the terms “intercity” and “commuter” in essentially the same way FRA has used the terms for safety regulatory purposes. The single question that has been puzzling in considering this mandate has been the meaning of the possessive article, “its,” before “main line.” It appears clear from the course of congressional consideration that the expression was intended to apply to the passenger railroad's entire route system, regardless of ownership. Amtrak's route system includes predominately trackage owned or controlled by others. Many commuter railroads operate partially or even exclusively over lines owned by freight railroads. On the other hand, FRA is persuaded that the same intention does not apply as to Class I freight railroads. A Class I freight railroad might operate a train under trackage rights over a Class II or III railroad, but it does not appear that was intended to burden the smaller railroad with the responsibility to install PTC.
Accordingly, FRA is proposing to consider as passenger train main lines all tracks across the nation over which intercity or commuter passenger trains are transported. For the purposes of passenger trains, a main line is determined regardless of the amount (i.e., 5 million or more gross tons annually), except where temporary rerouting may occur in accordance with §§ 236.1005(g)-(k) as further discussed below. Thus, if an intercity or commuter passenger train is transported over a track, the track requires PTC implementation and operation, regardless of whether the track is owned by a passenger railroad entity, a Class I railroad, or any smaller freight railroads, including Class II and short line railroads.
This approach, permissible under 49 U.S.C. 20157(a)(1)(C), is consistent with both FRA's understanding of congressional intent and FRA's historical safety sensitivity to regulating passenger transportation. For example, in the relatively recent final rule governing continuous welded rail, different schedules were developed for track inspection intervals associated with freight and passenger train operations. See 71 FR 59,677, 59,681 (Oct. 11, 2006). According to FRA, the different schedules for track inspection were developed to consider the potentially greater severity, especially in terms of loss of life, from possible future track-related passenger train accidents.
If FRA were to otherwise restrict PTC systems to passenger train main lines that are only owned by the passenger railroads, then PTC systems would only be required on 11 percent of all track used by the passenger railroads across the nation, which would mostly include the Northeast Corridor (NEC) and some passenger lines in Michigan. Considering Congress' concern with accidents involving multiple passenger fatalities, which appears to be a significant impetus for Congress' final passage of RSIA08, FRA believes that Congress did not intend in 49 U.S.C. 20157 to limit PTC system operation to this narrow passenger territory.
Nevertheless, while all passenger routes, including those over track owned by freight railroads, are automatically deemed main lines under the proposed rule, the proposed rule also provides an exception for those main lines that would not be main lines but for the existence of passenger trains and are not deemed by FRA main lines due to limited or no freight railroad operations. This exception is permissible pursuant to 49 U.S.C. 20157(i)(2)(B). The proposed procedure for such exceptions can be found under §§ 236.1011 and 236.1019, as further discussed below.
In addition to determining which tracks require PTC system implementation and operation, paragraph (b) requires such installation be performed by the “host railroad.” Subpart I makes a distinction between the railroad that has effective operating control over a segment of track, and a railroad that is simply passing its trains across the same segment of track. While the concept of actual ownership of the track segment plays a significant role in determining the host railroad, a PTC system may be required on a track segment that is not owned by a PTC railroad. To avoid confusion, FRA designates the host railroad as the railroad that exercises operational control of the movement of trains on the segment, irrespective of the actual ownership of the segment. This is in contrast to a tenant railroad, which is any railroad that uses a segment of track but does not exercise operational control of the movements of its trains. The terms “host railroad” and “tenant railroad” are defined as such in the definitions listed under § 235.1003.
The requirements for PTC contained in RSIA08 pertaining to freight lines define the intended route structure by reference to the presence or absence of PIH traffic and the annual gross tonnage. The law requires installation and operation of a PTC system where it (1) is part of a Class I railroad system, (2) carries at least 5 million gross tons of rail traffic, and (3) carries at least some PIH traffic. Based upon information available to FRA, and assuming a level of rail operations consistent with normal economic conditions, these requirements describe approximately 45,000 miles of freight-only territory plus almost 18,000 miles where both PIH and passengers are carried. There are another 6,000 miles of track owned by a Class I railroad and used for passenger service that would not otherwise be required to be equipped, for a total build-out of about 69,000 route miles. These lines basically describe the heart or “core” of the Class I freight network, albeit with some gaps.
However, the railroads carry only about 100,000 carloads of PIH products annually (approximately 0.3% of all rail traffic). Facing an extraordinary potential for tort liability associated with this traffic, the railroads have sought through various means to reduce the potential for release of these commodities through safety improvements; but they have also sought to be relieved of their common carrier obligation to carry them. The RSIA08 mandate, which entails an expenditure of billions of dollars, most of it nominally because the lines in question carry PIH, presents an additional enormous incentive for the Class I railroads to shed PIH traffic and, further, to concentrate the remaining PIH traffic on the fewest possible lines of railroad.
FRA is concerned that PIH traffic could be diverted from the rail mode. Although the risks of transporting these commodities can be reduced by product substitution, by coordination of transportation that reduces length of haul, and by other means, and although the U.S. DOT continues to support these means where feasible, for the present there are still realistic and supportable demands for transportation of these PIH commodities that implicate the national interest in a very strong way. Hazardous materials are vital to maintaining the health of the economy of the United States and are essential to the well-being of its people. These materials are used in water purification, farming, manufacturing, and other industrial applications. The need for hazardous materials to support essential services means that transportation of hazardous materials is unavoidable. There are over 20 hazardous materials considered to be PIH that are shipped by rail in tank car quantities. In 2003, over 77,000 tank car loads of PIH materials were shipped by rail.
Examples of PIH materials include anhydrous ammonia and chlorine. Anhydrous ammonia is an important source of nitrogen fertilizer for crops and is used in the continuous cycle cooling units found in various appliances and vehicles and in the production of explosives and manufacturing of nitric acid and certain alkalies, pharmaceuticals, synthetic textile fibers, plastics, and latex stabilizers. Chlorine is used as an elemental disinfectant for over 84 percent of large drinking water systems (those serving more than 10,000 people), according to the American Water Works Association. For pharmaceuticals, chlorine chemistry is essential to manufacturing 85 percent of their products. Chlorine chemistry is also used in 25 percent of all medical plastics, and 70 percent of all disposable medical applications. The single largest use of chlorine is for the production of polyvinyl chloride (PVC), which is used for building and construction materials such as siding, windows, pipes, decks and fences.
The only effective modal alternative for transporting PIH materials is by road, and for the present insufficient capacity exists in the form of suitable packages (tank trucks, intermodal tanks). Further, diversion to highways would entail significantly higher societal costs, including adverse safety trade-offs from more trucks on the highways—even before the potential for accidental release of product or further security vulnerabilities are considered.
FRA is also concerned that PIH traffic could be retained on the railroads but concentrated in such a way as to result in circuitous routings with greater exposure to derailment hazards and security threats. Although security concerns may be addressed to some extent by rerouting during periods of high alert in specified urban areas, these detour routes would inevitably be over lines not equipped with PTC systems. These are the kinds of unfavorable trade-offs that the recent amendments to PHMSA's rail security rule—based on a separate statutory mandate and developed in concert with FRA—were intended to prevent. See, e.g., 73 FR 20752 (April 16, 2008); 73 FR 72182 (Nov. 26, 2008); 49 CFR 172.820.
Finally, FRA believes that, while the presence of PIH traffic on the rail network was viewed by the Congress as a good proxy for risk sufficient to warrant PTC system installation and operation, FRA is not persuaded that it was the intent of Congress that PIH traffic be driven from the railroads or concentrated on a smaller number of lines with more circuitous routings. The final legislation constituting the RSIA08 emerged following the Chatsworth collision of September 12, 2008, which claimed 25 lives (one rail employee and 24 passengers). However, neither H.R. 2095, as initially passed by the House of Representatives on October 17, 2007, nor the Senate version of the bill passed on August 1, 2008, was limited to PIH routes. All versions of the bill, including that finally enacted, preserved FRA's ability to apply the technology to additional routes.
Although FRA recognizes that the congressional trade-offs in September 2008 were driven by the impending end of the 110th Congress, the Chatsworth accident, and the desire on the part of some senators to see a rapid deployment of PTC technology (more rapid, in fact, than provided in either the Senate- or House-enacted versions), FRA does not believe that the Congress intended an implementation that would create substantial incentives to drive PIH traffic off of the railroads or concentrate it in such a way that large urban areas would see an increase in volume above that expected using normal, direct routing of the shipments. Accordingly, FRA proposes to use its discretion in crafting implementing regulations to preserve the presumed congressional intent. FRA does this by proposing in paragraph (b) that implementation plans required to be filed by April 16, 2010, be based on 2008 traffic levels. Although rail traffic, including PIH traffic, declined in the second half of the year, 2008 constitutes a much more “normal” base year than 2009 is expected to be due to the current economic conditions. It was also the year during which the Congress enacted the subject mandate.
In taking this action, FRA departs from the PTC Working Group's consensus that 2009 be used as the base year. Since the RSAC initially took up this subject, rail traffic levels have continued to plummet, and that decision now appears to be inappropriate. FRA did advise the PTC Working Group that it reserved the right to “lock in” the PTC route structure as of passage of RSIA08 to prevent unintended consequences. From a technical standpoint, § 236.1005(b) attempts to do just that, but with ample room for adjustment in light of normal changes in market conditions.
Paragraph (b)(2) would require that the determination of Class I freight railroad main lines required to be equipped be initially established and reported using a 2008 traffic base for gross tonnage, with the presence of PIH traffic determined based on 2008 shipments and routings. If increases in traffic occur that require a line to be equipped and the PTCIP has already been filed, an amendment would be required. As suggested by the RSAC, gross tonnage would be measured over two years to avoid unusual spikes in traffic driving investments inappropriately. However, if the 5 million gross tons threshold was met based on the prior two years of traffic, and PIH was added to the route, the railroad would be required to promptly file a PTCIP amendment and thereafter equip the line by the end of December 31, 2015 or within two years, whichever is later.
Once a PTC system is installed, it cannot be removed or treated as inoperative unless such discontinuance or modification is approved by FRA in accordance with § 236.1021, as discussed below. This is the case even if the track segment ceases to be defined as a main line in accordance with subpart I due to traffic pattern or consist changes, such as annual traffic levels possibly dipping below the 5 million gross ton threshold referenced in the statute and in §§ 236.1003 and 236.1005 or the rerouting of PIH traffic. This result is consistent with longstanding practice under 49 U.S.C. 20502 (see 49 CFR part 235). To the extent traffic levels decline or PIH traffic ceases prior to April 16, 2010, or during the implementation period, a railroad could ask FRA to except a line segment from the requirement that it be equipped. The railroad would need to provide estimated traffic projections for the next 5 years (e.g., as a result of planned rerouting, coordinations, location of new business on the line). Where the request involves prior or planned rerouting of PIH traffic, the railroad would be required to provide a supporting analysis that takes into consideration the rail security provisions of the PHMSA rail routing rule, including any railroad-specific and interline routing impacts. See 49 CFR 172.820. For example, the request should include information where multiple railroad carriers may coordinate traffic, especially where there are parallel lines directing traffic in opposite directions. FRA could approve an exception if FRA finds that it would be consistent with safety and in the public interest.
Once a PTC system is required to be installed, it cannot be removed or treated as inoperative unless such discontinuance or modification is approved by FRA in accordance with § 236.1021, as discussed below. This is the case even if the track segment ceases to be defined as a main line in accordance with subpart I due to traffic pattern or consist changes, such as annual traffic levels possibly dipping below the 5 million gross ton threshold referenced in the statute and in §§ 236.1003 and 236.1005 or the rerouting of PIH traffic.
There was discussion in the PTC Working Group regarding how to handle new passenger service. Amtrak in particular suggested that FRA might consider some leeway for new intercity service that could be instituted within a short period if the sponsor (most likely a state government) requested. FRA considered this contingency but concluded that new passenger service should be adequately planned and deliberately executed with safety as its first priority. The proposal in paragraph (b) states that, after December 31, 2015, no intercity or commuter rail passenger service could continue or commence until a PTC system has been installed and made operative. FRA requests comment on this proposal and on whether a new rail passenger service commenced after April 10, 2010, but before December 31, 2015, should be permitted any leeway for installation of PTC after 2015 and, if so, what special circumstances would warrant that treatment.
Paragraph (c) provides amplifying information regarding the installation and integration of hazard detectors into PTC systems. Paragraph (c)(1) reiterates FRA's position that any hazard detectors that are currently integrated into an existing signal and train control system must be integrated into mandatory PTC systems and that the PTC system will enforce as appropriate on receipt of a warning from the detector. Paragraph (c)(2) proposes to require each PTCSP submitted by a railroad to also identify any additional hazard detector to provide warnings to the crew that a railroad may elect to install. The PTCSP must also clearly define the actions required by the crew upon receipt of the alarm or other warning or alert. FRA does not expect a railroad to install hazard detectors at every location where a hazard might possibly exist.
Paragraph (c)(3) proposes, in the case of high speed service (as described in § 236.1007 as any service operating at speeds greater than 90 mph) that FRA will require the hazard analysis to address any hazards on the route, along with a reason why additional hazard detectors are not required to provide warning and enforcement for hazards not already protected by an existing hazard detector. The hazard analysis must clearly identify the risk associated with the hazard, and the mitigations taken if a hazard detector is not installed and interfacing with a PTC system. For instance, in the past, large motor vehicles have left parallel or overhead structures and have fouled active passenger rail lines. Depending upon the circumstances, such events can cause catastrophic train accidents. Although not every such event can be prevented, detection of obstacles such as this may make it more likely that the accident could be prevented.
Under paragraph (d), FRA proposes that each lead locomotive operating with a PTC system be equipped with an operative event recorder that captures safety-critical data routed to the engineer's display that the engineer must obey, as well as the text of mandatory directives and authorized speeds. FRA intends that this information be available in the event of an accident with a PTC-equipped system to determine root causes and the necessary actions that must be taken to prevent reoccurrence. Although FRA expects implemented PTC systems will prevent PTC-preventable accidents, in the event of system failure FRA believes it is necessary to capture available data relating to the event. Further, FRA sees value in capturing information regarding any accident that may occur outside of the control of a PTC system as it is currently designed—including the prevention of collisions with trains not equipped with PTC systems—and accidents that could otherwise have been prevented by PTC technology, but were unanticipated by the system developers, the employing railroad, or FRA.
The data may be captured in the locomotive event recorder, or a separate memory module. If the locomotive is placed in service on or after October 1, 2009, the event recorder and memory module, if used, shall be crashworthy, otherwise known as crash-hardened, in accordance with § 229.135. For locomotives built prior to that period, the data shall be protected to the maximum extent possible within the limits of the technology being used in the event recorder and memory module.
As required by the RSIA08 and by paragraph (a)(1)(iv), as noted above, a PTC system required by subpart I must be designed to prevent the movement of a train through a main line switch in the wrong position. Paragraph (e) provides amplifying information on switch point monitoring, indication, warning of misalignment, and associated enforcement. According to the statute, each PTC system must be designed to prevent “the movement of a train through a switch left in the wrong position.” FRA understands “wrong position” to mean not in the position for the intended movement of the train. FRA believes that Congress' use of the phrase “left in the wrong position” was primarily directed at switches in non-signaled (dark) territory such as the switch involved in the aforementioned accident at Graniteville, South Carolina. FRA also believes that, in order to prevent potential derailment or divergence to an unintended route, it is critical that all switches be monitored by a PTC system in some manner to detect whether they are in their proper position for train movements. If a switch is misaligned, the PTC system shall provide an acceptable safe state of train operations.
Prior to the statute, PTC provided for positive train separation, speed enforcement, and work zone protection. The addition of switch point monitoring and run through prevention would have eliminated the Graniteville, South Carolina accident where a misaligned switch resulted in the unintended divergence of a train operating on the main track onto a siding track and the collision of that train with another parked train on the siding. The resulting release of chlorine gas caused nine deaths and required the evacuation of the entire town for two weeks while remediation efforts were in progress.
As discussed above, FRA considered requiring PTC systems to be interconnected with each main line switch and to individually monitor each switch's point position in such a manner as to provide for a positive stop short of any misalignment condition. However, after further consideration and discussion with the PTC Working Group, FRA believes that such an approach may be overly aggressive and terribly expensive in signaled territory.
Under paragraph (e), FRA instead proposes to treat switches differently, depending upon whether they are within a wayside or cab signal system—or are provided other similar safeguards (i.e., distant switch indicators and associated locking circuitry) required to meet the applicable switch position standards and requirements of subparts A-G—or are within non-signaled (dark) territory.
While a PTC system in dark territory would be required to enforce a positive stop—as discussed in more detail below—a PTC system in signaled territory would require a train to operate at no more than the upper limit of restricted speed between the associated signal, over any switch in the block governed by the signal, and until reaching the next subsequent signal that is displaying a signal indication more permissive than proceed at restricted speed.
Signaled territory includes various types of switches, including power-operated switches, hand-operated switches, spring switches, electrically-locked switches, electro-pneumatic switches, and hydra switches, to name the majority. Each type of switch poses different issues as it relates to PTC system enforcement. We look at power- and hand-operated switches as examples.
On a territory without a PTC system, if a power-operated switch at an interlocking or control point were in a condition resulting in the signal system displaying a stop indication, an approaching train would have to stop generally only a few feet from the switch, and in the large majority of cases no more than several hundred feet away from it. In contrast, in PTC territory adhering to the aforementioned overly aggressive requirement, a train would have to stop at the signal, which may be in close proximity to its associated switch, and operate at no more than the upper limit of restricted speed to that switch, where it would have to stop again. FRA believes that, since the train would be required to stop at the signal, and must operate at no more than the upper limit of restricted speed until it completely passes the switch (with the crew by rule watching for and prepared to stop short of, among other concerns, an improperly lined switch), another enforced stop at the switch would be unnecessarily redundant.
Operations using hand-operated switches would provide different, and arguably greater, difficulties and potential risks. Generally, in between each successive interlocking and control point, signal spacing along the right of way can be approximately 1 to 3 miles or more apart, determined by the usual length of track circuits and the sufficient number of indications that would provide optimal use for train operations. Each signal governs the movement through the entire associated block up to the next signal. Thus, a train approaching a hand-operated switch may encounter further difficulties since its governing signal may be much further away than one would be for a power-operated switch. If within signaled territory a hand-operated switch outside of an interlocking or control point were in a condition resulting in the signal system displaying a restricted speed signal indication, an approaching train may be required to stop before entering the block governed by the signal and proceed at restricted speed, or to otherwise reduce its speed to restricted speed as it enters the block governed by the signal, and be operated at restricted speed until the train reaches the next signal displaying an indication more permissive than proceed at restricted speed, including while passing over any switch within the block. The governing signal, however, may be anywhere from a few feet to more than a mile from the hand-operated switch. For instance, if a signal governs a 3 mile long block, and there is a switch at 1.8 miles after passing the governing signal (stated in advance of the signal), and that switch is misaligned, the train would have to travel that 1.8 miles at restricted speed. Even if the train crew members were able to normal the misaligned switch, they would need to remain at restricted speed at least until the next signal (absent an upgrade of a cab signal indication).
In signaled territory, to require a PTC system to enforce a positive stop of an approaching train at each individual switch that is misaligned would be an unnecessary burden on the industry, particularly since movement beyond the governing signal would be enforced by the PTC system to a speed no more than the upper limit of restricted speed. Accordingly, in signaled territory, FRA proposes in paragraph (e)(1) to require a PTC system to enforce the upper limit of restricted speed through the block. By definition, at restricted speed, the locomotive engineer must be prepared to stop within one-half the range of vision short of any misaligned switch or broken rail, etc., not to exceed 15 or 20 miles per hour depending on the operating rule of the railroad. Accordingly, if a PTC system is integrated with the signal system, and a train is enforced by the PTC system to move at restricted speed past a signal displaying a restricted speed indication, FRA feels comfortable that the PTC system will meet the statutory mandate of preventing the movement of the train through the switch left in the wrong position by continuously displaying the speed to be maintained (i.e., restricted speed) and by enforcing the upper limit of the railroads' restricted speed rule (but not to exceed 20 mph). While this solution would not completely eliminate human factors associated with movement through a misaligned switch, it would significantly mitigate the risk of a train moving through such a switch and would be much more cost effective.
Moreover, it would be cost prohibitive to require the industry to individually equip each of the many thousands of hand-operated switches with a wayside interface unit (WIU) necessary to interconnect with a PTC system in order to provide a positive stop short of any such switch that may be misaligned. Currently each switch in signaled territory has its position monitored by a switch circuit controller (SCC). When a switch is not in its normal position, the SCC opens a signal control circuit to cause the signal governing movement over the switch location to display its most restrictive aspect (usually red). A train encountering a red signal at the entrance to a block will be required to operate at restricted speed through the entire block, which can be several miles in length depending on signal spacing. The signal system is not capable of informing the train crew which switch, if any, in the block may be in an improper position since none of the switches are equipped with an independent WIU. There could be many switches within the same block in a city or other congested area. Thus, there is a possibility that one or more switches may not be in the proper position and the signal system is unable to transmit which switch or switches are not in normal position. The governing signal could also be displaying a red aspect on account of a broken rail, broken bond wire, broken or wrapped line wire, bad insulated joint, bad insulated switch or gage rods, or other defective condition.
FRA believes that requiring a PTC system to enforce the upper limit of restricted speed in the aforementioned situations is statutorily acceptable. The statute requires each PTC system to prevent “the movement of a train through a switch left in the wrong position.” Under this statutory language, the railroad's intended route must factor into the question of whether a switch is in the “wrong” position. In other words, in order to determine whether a switch is in the “wrong position,” we must know the switch's “right position.” The “right position” is determined by the intended route of the railroad. Thus, when determining whether a switch is in the wrong position, it is necessary to know the railroad's intended route and whether the switch is properly positioned to provide for the train to move through the switch to continue on that route. The intended route is normally determined by the dispatcher.
Under the proposed rules, when a switch is in the wrong position, the PTC system must have knowledge of that information, must communicate that information to the railroad (e.g., the locomotive engineer or dispatcher), and must control the train accordingly. Once the PTC system or railroad has knowledge of the switch's position, FRA expects the position to be corrected in accordance with part 218 before the train operates through the switch. See, e.g., §§ 218.93, 218.103, 218.105, 218.107.
If the PTC system forces the train to move at no more than the upper limit of restricted speed, the railroad has knowledge that a misaligned switch may be within the subject block, and the railroad by rule or dispatcher permission then makes the decision to move through the switch (i.e., the railroad's intent has changed as indicated by rule or dispatcher instructions), the switch is no longer in the “wrong position.” The RSAC PTC Working Group was unanimous in concluding that these arrangements satisfy the safety objectives of RSIA08. Utilization of the signal system to detect misaligned switches and facilitate safe movements also provides an incentive to retain existing signal systems, with substantial additional benefits in the form of broken rail detection and detection of equipment fouling the main line.
Paragraph (e)(2) addresses movements over switches in dark territory and under conditions of excessive risk, even if in block signal territory. In dark territory, by definition, there are no signals available to provide any signal indication or to interconnect with the switches or PTC system. Without the benefit of a wayside or cab signal system, or other similar system of equivalent safety, the PTC system will have no signals to obey. In such a case, the PTC system may be designed to allow for virtual signals, which are waypoints in the track database that would correspond to the physical location of the signals had they existed without a switch point monitoring system. Accordingly, paragraph (e)(2)(i) proposes to require that in dark territory where PTC systems are implemented and governed by this subpart, the PTC system must enforce a positive stop for each misaligned switch, with the lead locomotive stopped short of the switch to preclude any fouling of the switch. Once the train stops, the railroad will have an opportunity to correct the switch's positioning and then continue its route as intended.
Unlike in signaled territory, FRA expects that on lines requiring PTC in dark territory, each switch will be equipped with a WIU to monitor the switch's position. A WIU is a device that aggregates control and status information from one or more trackside devices for transmission to a central office and/or an approaching train's onboard PTC equipment, and that disaggregates received requests for information and promulgates those requests to the appropriate wayside device. Most of the switches in dark territory are hand-operated, with a much smaller number of them being spring and hydra switches. In dark territory, usually none of the switches have their position monitored by an SCC and railroads have relied on the proper handling of these switches by railroad personnel. When it is necessary to throw a main line switch from normal to reverse, an obligation arises under the railroad's rules to restore the switch upon completion of the authorized activity. Switch targets or banners are intended to provide minimal visual indication of the switch's position, but in the typical case trains are not required to operate at a speed permitting them to stop short of open switches. As evidenced by the issuance of Emergency Order No. 24 and the subsequent Railroad Operating Rules Final Rule (73 FR 8442 (Feb. 13, 2008)), proper handling of main line switches cannot be guaranteed in every case. However, now with the implementation and operation of PTC technology, if a switch is not in the normal position, that information will be transmitted to the locomotive. The PTC system will then know which switch is not in the normal position and require a positive stop at that switch location only.
In the event that movement through a misaligned switch would result in an unacceptable risk, whether in dark or signaled territory, paragraph (e)(2)(ii) proposes to require the PTC system to enforce a positive stop on each train before it crosses the switch in the same manner as described above for trains operating in dark, PTC territory. FRA acknowledges that regardless of a switch's position, and regardless of whether the switch is in dark or signaled territory, movement through certain misaligned switches—even at low speeds—may still create an unacceptable risk of collision with another train.
FRA understands the term “unacceptable risk” to mean risk that cannot be tolerated by the managing activity. It is a type of identified risk that must be eliminated or controlled. For instance, such an unacceptable risk may exist with a hand-operated crossover between two main tracks, between a main track and a siding or auxiliary track, or with a hand-operated switch providing access to another subdivision or branch line. The switches mentioned in (e)(2)(ii) are in locations where, if the switch is left lined in the wrong position, a train would be allowed to traverse through the crossover or turnout and potentially into the path of another train operating on an adjoining main track, siding, or other route. Even if such switches were located within a signaled territory, the signal governing movements over the switch locations, for both tracks as may be applicable, would be displaying their most restrictive aspect (usually red). This restrictive signal indication would in turn allow both trains to approach the location at restricted speed where one or both of the crossover switches are lined in the reverse position. Since the PTC system is not capable of actually enforcing restricted speed other than its upper limits, the PTC system would enforce a 15 or 20 mile per hour speed limit dependent upon the operating rules of the railroad. However, there is normally up to as much as a 5 mile per hour tolerance allowed for each speed limit before the PTC system will actually enforce the applicable required speed. Thus, in reality, the PTC system would not enforce the restricted speed condition until each train obtained a speed of up to 25 miles per hour. In this scenario, it is conceivable that two trains both operating at a speed of up to 25 miles per hour could collide with each other at a combined impact speed (closing speed) of up to 50 miles per hour. 
While these examples are provided in the rule text, they are merely illustrative and do not limit the universe of what FRA may consider an unacceptable risk for the purpose of paragraph (e). FRA emphasizes that FRA maintains the final determination as to what constitutes acceptable or unacceptable risk in accordance with paragraph (e)(2)(ii).
The PTC system must also enforce a positive stop short of any misaligned switch on a PTC controlled siding in dark territory where the allowable track speed is in excess of 20 miles per hour. Sidings are used for meeting and passing trains and where those siding movements are governed by the PTC system, safety necessitates the position of the switches located on them to be monitored in order to protect train movements operating on the siding. Conversely, on signaled sidings, train movements are governed and protected by the associated signal indications, track circuits, and monitored switches, none of which are present in dark territory.
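The enforcement cases described above for paragraphs (e)(1) and (e)(2) can be read as one decision function. The Python example below is an added illustration and is not part of the FRA notice or of any PTC product; the class and field names, the switch identifiers, and the assumption that the train runs in the direction of increasing milepost are hypothetical, and alternatives approved in a PTCSP are not modeled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Territory(Enum):
    SIGNALED = "signaled"  # switch circuit controllers drive the governing signal
    DARK = "dark"          # no signals; each switch reports through its own WIU


@dataclass(frozen=True)
class Switch:
    name: str                        # constructed identifier, not from the notice
    milepost: float
    normal: bool                     # True when lined in its normal position
    unacceptable_risk: bool = False  # e.g. hand-operated crossover between main tracks
    on_siding: bool = False          # switch on a PTC-controlled siding
    track_speed_mph: int = 0         # allowable speed on that siding


@dataclass(frozen=True)
class Enforcement:
    speed_limit_mph: Optional[int]   # upper limit of restricted speed, if enforced
    stop_short_of: Optional[str]     # first switch needing a positive stop, if any


def requires_positive_stop(territory: Territory, sw: Switch) -> bool:
    """True when the text above calls for a positive stop short of this switch."""
    if sw.normal:
        return False
    if sw.unacceptable_risk:
        return True                  # (e)(2)(ii): dark or signaled territory
    if territory is Territory.DARK:
        if sw.on_siding:
            # The siding requirement is stated only for speeds above 20 mph.
            return sw.track_speed_mph > 20
        return True                  # (e)(2)(i): every misaligned switch
    return False                     # (e)(1): restricted speed covers the block


def enforce(territory: Territory, switches: Iterable[Switch],
            restricted_limit_mph: int = 20) -> Enforcement:
    """Return what the PTC system enforces for one block.

    Assumes the train meets the switches in order of increasing milepost.
    """
    if restricted_limit_mph not in (15, 20):
        raise ValueError("upper limit of restricted speed is 15 or 20 mph")
    misaligned = [s for s in sorted(switches, key=lambda s: s.milepost)
                  if not s.normal]
    speed = None
    if territory is Territory.SIGNALED and misaligned:
        # The SCC puts the governing signal at its most restrictive aspect; the
        # signal system cannot say which switch is open, so the limit applies
        # to the whole block.
        speed = restricted_limit_mph
    stop = next((s.name for s in misaligned
                 if requires_positive_stop(territory, s)), None)
    return Enforcement(speed_limit_mph=speed, stop_short_of=stop)


def worst_case_closing_speed(restricted_limit_mph: int = 20,
                             tolerance_mph: int = 5) -> int:
    """Closing speed of two trains each at the limit plus enforcement tolerance."""
    return 2 * (restricted_limit_mph + tolerance_mph)


if __name__ == "__main__":
    # Constructed sample block: one ordinary switch and one crossover left open.
    block = [
        Switch("SW-A", 10.2, normal=False),
        Switch("XO-1", 11.0, normal=False, unacceptable_risk=True),
    ]
    print(enforce(Territory.SIGNALED, block))
    print(enforce(Territory.DARK, block))
    print(worst_case_closing_speed())
```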
Paragraph (e)(3) provides that the PTCSP may include a safety analysis for PTC system enforcement associated with switch position, and that any alternate means of protection other than that provided in this section shall be identified and justified. FRA recognizes that in certain circumstances this flexibility may allow the reasonable use of a track circuit in lieu of individually monitored switches.
Paragraph (e)(4) provides amplifying information regarding existing standards of subparts A through G related to switches, movable-point frogs, and derails in the route governed that are equally applicable to PTC systems unless otherwise provided in a PTCSP approved under this subpart. This paragraph explains the FRA-required and accepted railroad industry standard types of components used to monitor switch point position and how those devices are required to function. This paragraph allows for some alternative method to be used to accomplish the same level of protection if it is identified and justified in a PTCSP approved under this subpart.
Paragraph (f) provides amplifying information for determining whether a PTC system is considered to be configured to prevent train-to-train collisions, as required under paragraph (a). FRA will consider the PTC system as providing the required protection if the PTC system enforces the upper limits of restricted speed. These criteria will allow following trains to pass intermediate signals displaying a restricting aspect and will allow for the issuance of joint mandatory directives.
Where a wayside signal displays a “Stop,” “Stop and Proceed,” or “Restricted Proceed” indication, paragraph (f)(1)(i) requires the PTC system to enforce the signal indication accordingly. In the case of a “Stop” or “Stop and Proceed” indication, the train will be brought to a stop prior to passing the signal displaying the indication. The train may then proceed at 15 or 20 miles per hour, as applicable according to the host railroad's operating rule(s) for restricted speed. In the case of a “Restricted Proceed” indication, the train would be allowed to pass the signal at 15 or 20 miles per hour. In either event, the speed restriction would be enforced until the train passes a more favorable signal indication. In dark territory where trains operate by mandatory directive, the PTC system would be expected to enforce the upper limit of restricted speed on a train when the train was allowed into a block already occupied by another preceding train traveling in the same direction. FRA would expect each PTC system to function in this way and that each railroad will test each system to ensure such proper functioning.
Paragraphs (g) through (k) all concern situations where temporary rerouting may be necessary and would affect application of the operational rules under subpart I. While the proposed rule attempts to reduce the opportunity for PTC and non-PTC trains to co-exist on the same track, FRA recognizes that this may not always be possible, especially when a track segment is out of service and a train must be rerouted in order to continue to destination. Accordingly, paragraph (g) allows for temporary rerouting of traffic between PTC equipped lines and lines not equipped with PTC systems. FRA anticipates two situations—emergencies and planned maintenance—that would justify such rerouting.
Paragraph (g) provides the preconditions and procedural rules to allow or otherwise effectuate a temporary rerouting in the event of an emergency or planned maintenance that would prevent usage of the regularly used track. Historically, FRA has dealt with temporary rerouting on an ad hoc basis. For instance, on November 12, 1996, FRA granted UP, under its application RSI-AP-No. 1099, conditional approval for relief from the requirements of § 236.566, which required equipping controlling locomotives with an operative apparatus responsive to all automatic train stop, train control, or cab signal territory equipment. The conditional approval provided for “detour train movements necessitated by catastrophic occurrence such as derailment, flood, fire, or hurricane” on certain listed UP territories configured with automatic cab signals (ACS) or automatic train stop (ATS). Ultimately, the relief would allow trains not equipped with the apparatus required under § 236.566 to enter those ACS and ATS territories. However, the relief was conditional upon establishing an absolute block in advance of each train movement—as prescribed by General Code of Operating Rules (GCOR) 11.1 and 11.2—and notifying the applicable FRA Regional Headquarters. The detour would only be permissible for up to seven days and FRA could modify or rescind the relief for railroad non-compliance.
On February 7, 2006, that relief was temporarily extended to include defined territory where approximately two months of extensive track improvements were necessary. Additional conditions for this relief included a maximum train speed of 65 miles per hour and notification to the FRA Region 8 Headquarters within 24 hours of the beginning of the non-equipped detour train movements and immediately upon any accident or incident. On February 27, 2007, FRA provided similar temporary relief for another three months on the same territory.
While the aforementioned conditional relief was provided on an ad hoc basis, FRA feels that codifying rules regulating temporary rerouting involving PTC system track or locomotive equipment is necessary due to the potential dangers of allowing mixed PTC and non-PTC traffic on the same track and the inevitable increased presence of PTC and PTC-like technologies. Moreover, FRA believes that the subject railroads and FRA would benefit from more regulatory flexibility to work more quickly and efficiently to provide for temporary rerouting to mitigate the problems associated with emergency situations and infrastructure maintenance.
Under the proposed rule, FRA is providing for temporary rerouting of non-PTC trains onto PTC track and PTC trains onto non-PTC track. A train will not be considered rerouted for purposes of the conditions set forth in this section if it operates on a PTC line that is other than its “normal route,” which is equipped and functionally responsive to the PTC system over which it is subsequently operated, or if it is a non-PTC train (not a passenger train or a freight train having any PIH materials) operating on a non-PTC line that is other than its “normal route.”
Paragraph (g) effectively provides temporary civil penalty immunity from various applicable requirements of this subpart, including provisions under subpart I relating to lead locomotives, similar to how waivers from FRA have provided certain railroads immunity from § 236.566. FRA seeks comments on what other requirements under part 236 should also be included.
FRA expects that emergency rerouting will require some flexibility in order to respond to circumstances outside of the railroad's control—most notably changes in the weather, vandalism, and other unexpected occurrences—that would result in potential loss of life or property or prevent the train from continuing on its normal route. While paragraph (g) lists a number of possible emergency circumstances, they are primarily included for illustrative purposes and are not a limiting factor in determining whether an event rises to an emergency. For instance, FRA would also consider allowing rerouting in the event use of the track is prevented by vandalism or terrorism. While these events are not the primary reasons FRA proposes paragraph (g) to allow rerouting, FRA recognizes that they may fall outside of the railroad's control.
In the event of an emergency that would prevent usage of the track, temporary rerouting may occur instantly by the railroad without immediate FRA notice or approval. By contrast, the vast majority of maintenance activities can be predicted by railroad operators. While the proposed rule provides for temporary rerouting for such activities, the lack of exigent circumstances does not require the allowance of instantaneous rerouting without an appropriate request and, in cases where the request is for rerouting to exceed 30 days, FRA approval. Accordingly, under paragraph (g), procedurally speaking, temporary rerouting for emergency circumstances will be treated differently than temporary rerouting for planned maintenance. While FRA continues to have an interest in monitoring all temporary rerouting to ensure that it is occurring as contemplated by FRA and within the confines of the rule, the timing of FRA notification, and the approval procedures, reflect the aforementioned differences.
When an emergency circumstance occurs that would prevent usage of the regularly used track, and would require temporary rerouting, the subject railroad must notify FRA within one business day after the rerouting commences. To provide for communicative flexibility in emergency situations, the proposed rule provides for such notification to be made in writing or by telephone. FRA proposes that written notification may be accomplished via overnight mail, e-mail, or facsimile. In any event, the railroad should take the steps necessary for the method of notification selected to include confirmation that an appropriate person actually on duty with FRA receives the notification and FRA is duly aware of the situation. FRA is considering whether to employ the National Response Center (NRC) for such communications, in which case notification may be made to the NRC clearly describing the actions taken and providing the railroad's point of contact so that FRA may follow up for additional information if necessary. While the NRC provides full time telephonic services, 24 hours a day, 7 days a week, 365 days a year, the light volume of calls FRA expects for rerouting purposes under this section may make the option cost prohibitive. FRA is currently reviewing this option and seeks comments on this issue.
While telephone notification may provide for easy communications by the railroad, a mere phone call would not provide for documentation of information required under paragraph (g). Moreover, if for some reason the phone call is made at a time when the designated telephone operator is not on duty or if the caller is only able to leave a message with the FRA voice mail system, the possibility exists that the applicable FRA personnel would not be timely notified of the communication and its contents. Thus, while not in the proposed rules, FRA is considering requiring any telephonic notification performed in accordance with paragraph (g) to be followed up with written notification within 48 hours. FRA seeks comments on this issue.
FRA is also considering using particular contact mail and e-mail addresses and telephone and facsimile numbers to be used exclusively for the notifications required by paragraph (g) as they relate to emergency rerouting. Otherwise, if a railroad would notify a particular member of the FRA staff in writing, and that staff member is unavailable (e.g., on annual or sick leave, working in the field, or otherwise indisposed), FRA would not be timely notified of the emergency situation and the rerouting actions that are occurring. If there is a singular contact address for each form of written notification, FRA could attempt to provide continuous personnel assignment to monitor incoming notifications. FRA seeks comments on this issue. FRA also seeks comments on the possible need to include requirements relating to confirmation of receipt of notifications required under paragraph (g).
Emergency rerouting can only occur without FRA approval for fourteen (14) consecutive calendar days. If the railroad requires more time, it must make a request to the Associate Administrator. The request must be made directly to the Associate Administrator and separately from the initial notification sometime before the 14-day emergency rerouting period expires. Unless the Associate Administrator notifies the railroad of his or her approval before the end of the allowable emergency rerouting timeframe, the relief provided by paragraph (g) will expire at the end of that timeframe.
While a mere notification is necessary to commence emergency rerouting, a request must be made, with subsequent FRA approval, to perform planned maintenance rerouting. The relative predictability of planned maintenance activities allows railroads to provide FRA with a request for any necessary rerouting much further in advance and allows FRA to review that request. FRA proposes that the request must be made at least 10 calendar days before the planned maintenance rerouting commences.
To ensure a retrievable record, the request must be made in writing. It may be submitted to FRA by fax, e-mail, or courier. Because of security protocols placed in effect after 9/11, regular mail undergoes irradiation to ensure that any pathogens have been destroyed prior to delivery. The irradiation process adds significant delay to FRA's receipt of the document, and the submitted document may be damaged due to the irradiation process. The lack of emergency circumstances makes telephonic communication less necessary and less preferable. Like notifications for emergency rerouting, the request for planned rerouting must include the number of days that the rerouting should occur. If the planned maintenance will require rerouting up to 30 days, then the request must be made with the Regional Administrator. If it will require rerouting for more than 30 days, then the request must be made with the Associate Administrator. These longer time periods reflect FRA's opportunity to review and approve the request. In other words, since FRA expects that the review and approval process will provide more confidence that a higher level of safety will be maintained, the rerouting period for planned maintenance activities may be more than the 14 days allotted for emergency rerouting.
Regardless of whether the temporary rerouting is the result of an emergency situation or planned maintenance, the communication to FRA required under paragraph (g) must include the information listed under paragraph (i). This information is necessary to provide FRA with context and details of the rerouting. To attempt to provide railroads with the flexibility intended under paragraph (g), and to attempt to prevent enforcement of the rules from which the railroad should be receiving relief, FRA must be able to coordinate with its inspectors and other personnel. This information may also eventually be important to FRA in developing statistical analyses and models, reevaluating its rules, and determining the actual level of danger inherent in mixing PTC and non-PTC traffic on the same tracks.
For emergency rerouting purposes, the information is also necessary for FRA to determine whether it should order the railroad or railroads to cease rerouting or provide additional conditions that differ from the standard conditions specified in paragraph (i). FRA recognizes the importance of allowing temporary rerouting to occur automatically in emergency circumstances. However, FRA must also maintain its responsibility of ensuring that such rerouting occurs lawfully and as intended by the rules. Accordingly, the proposed rules provide for the opportunity for FRA to review the information required by paragraph (g) to be submitted in accordance with paragraph (i) and order the railroad or railroads to cease rerouting if FRA finds that such rerouting is not appropriate or permissible in accordance with the requirements of paragraphs (g) through (i), and as may be so directed in accordance with paragraph (k), as discussed further below.
For rerouting due to planned maintenance, the information required under paragraph (i) is equally applicable and will be used to determine whether the railroad should not reroute at all. If the request for planned maintenance is for a period of up to 30 days, then the request and information must be sent in writing to the Regional Administrator of the region in which the temporary rerouting will occur. While such a request is self-executing—meaning that it will automatically be considered permissible if not otherwise responded to—the Regional Administrator may prevent the temporary rerouting from starting by simply notifying the railroad or railroads that its request is not approved. The Regional Administrator may otherwise provide conditional approval, request that further information be supplied to the Regional Administrator or Associate Administrator, or disapprove the request altogether. If the railroad still seeks to reroute due to planned maintenance activities, it must provide the Regional Administrator or Associate Administrator, as applicable, the requested information. If the Regional Administrator requests further information, no planned maintenance rerouting may occur until the information is received and reviewed and the Regional Administrator provides his or her approval. Likewise, no planned maintenance rerouting may occur if the Regional Administrator disapproves of the request. If the Regional Administrator does not provide notice preventing the temporary rerouting, then the planned maintenance rerouting may begin and occur as requested. However, once the planned maintenance rerouting begins, the Regional Administrator may at any time order the railroad or railroads to cease the rerouting in accordance with paragraph (k).
Requests for planned maintenance rerouting exceeding 30 days, however, must be made to the Associate Administrator and are not self-executing. No such rerouting may occur without Associate Administrator approval, even if the date passes on which the planned maintenance was scheduled to commence. Under paragraph (h)(3), like the Regional Administrator, the Associate Administrator may provide conditional approval, request further information, or disapprove of the request to reroute. Once approved rerouting commences, the Associate Administrator may also order the rerouting to cease in accordance with paragraph (k).
Paragraph (j) requires that, once temporary rerouting commences, regardless of whether it is for emergency or planned maintenance purposes, the track segments upon which the train will be rerouted must have an absolute block established in advance of each rerouted train movement and that each rerouted train movement shall not exceed 59 miles per hour for passenger and 49 miles per hour for freight. FRA requests comment on whether these speed restrictions should be limited to trains actually transporting PIH materials or intercity or commuter passengers and whether a higher limit should be provided on cab signal territory where the detoured train is led by a locomotive equipped with operative cab signals. FRA also requests comment on whether the more stringent requirements of § 236.1029 (trains failed en route on PTC lines) should apply. Finally, FRA requests comment on the extent to which the host railroad's PTCSP might provide for alternative safety measures.
Moreover, as referenced in paragraph (g) as it applies to both emergency and planned maintenance circumstances, the track upon which FRA expects the rerouting to occur would require certain mitigating protections listed under paragraph (j) in light of the mixed PTC and non-PTC traffic. While FRA purposefully intends paragraph (j) to apply similarly to § 236.567, FRA recognizes that § 236.567 does not account for the statutory mandates of interoperability and the core PTC safety functions. Accordingly, paragraph (j) must be more restrictive.
Section 236.567, which applies to territories where “an automatic train stop, train control, or cab signal device fails and/or is cut out en route,” requires trains to proceed at either restricted speed or, if an automatic block signal system is in operation according to signal indication, at no more than 40 miles per hour to the next available point of communication where report must be made to a designated officer. Where no automatic block signal system is in use, the train shall be permitted to proceed at restricted speed or where an automatic block signal system is in operation according to signal indication but not to exceed medium speed to a point where absolute block can be established. Where an absolute block is established in advance of the train on which the device is inoperative, the train may proceed at not to exceed 79 miles per hour. Paragraph (j) utilizes that absolute block condition, which more actively engages the train dispatcher in managing movement of the train over the territory (in both signaled and non-signaled territory). Recognizing that re-routes under this section will occur in non-signaled territory, the maximum authorized speeds associated with such territory are used as limitations on the speed of re-routed trains. FRA agrees with the comments of labor representatives in the PTC Working Group who contend that the statutory mandate alters to some extent what would otherwise be considered reasonable for these circumstances. FRA welcomes comments on whether restrictions associated with re-routing should vary depending on whether the actual train in question is a passenger train or includes cars containing PIH materials.
It should be noted that this paragraph (j) was added by FRA after further consideration of this issue and was not part of the PTC Working Group consensus. FRA believes that special precautions may be appropriate given the heightened safety expectations suggested by the statutory mandate. Comment is requested on the appropriateness of these restrictions, including any impact on other rail traffic.
Paragraph (k), as previously noted, provides the Regional Administrator with the ability to order the railroad or railroads to cease rerouting operations that were requested for up to 30 days. The Associate Administrator may order a railroad or railroads to cease rerouting operations regardless of the length of planned maintenance rerouting requested. FRA believes this is an important measure necessary to prevent rerouting performed not in accordance with the rules and FRA's expectations based on the railroad's communications and to ensure the protection of train crews and the public. However, FRA is confident that in the vast majority of cases railroads will utilize the afforded latitude reasonably and only under necessary circumstances.
FRA expects each host railroad to develop a plan to govern operations in the event temporary rerouting is performed in accordance with this section. Thus, as noted further below in § 236.1015, FRA proposes each PTCSP to include a plan accounting for such rerouted operations.
Section 236.1006 Equipping Locomotives Operating in PTC Territory
The PTC Working Group discussed at great length the issues related to operation of PTC-equipped locomotives, and locomotives not equipped with PTC onboard apparatus, over lines equipped with PTC. The PTC Working Group recognized that the typical rule with respect to train control territory is that all controlling locomotives must be equipped and operative (see § 236.566). It was also noted in the discussion that the Interstate Commerce Commission (FRA's predecessor agency in the regulation of this subject matter) and FRA have provided some relief from this requirement in discrete circumstances where safety exposure was considered relatively low and the hardship associated with equipping additional locomotives was considered substantial.
The ASLRRA noted that its member railroads conduct limited operations over Class I railroad lines that will be required to be equipped with PTC systems in a substantial number of locations. These operations are principally related to the receipt and delivery of carload traffic in interchange. The small railroad service extends onto the Class I railroad track in order to hold down costs and permit both the small railroad and the Class I railroad to retain traffic that might be priced off the railroad if the Class I had to dispatch a crew to pick up or place the cars. This, in turn, supports competitive transportation options for small businesses, including marginal small businesses in rural areas.
The ASLRRA advocated an exception that would permit the trains of its members and other small railroads to continue use of existing trackage rights and agreements without the necessity for equipping their locomotives with PTC. They suggested that any incremental risk be mitigated by requiring that such trains proceed subject to the requirement for an absolute block in advance (similar to operating rules consistent with § 236.567 applicable to trains with failed onboard train control systems). This position was consistently opposed both by the rail labor organizations and the Class I railroads. These organizations took the position that all trains should be equipped with PTC in order to gain the benefits sought by the congressional mandate and to provide the host railroad the full benefit of its investment in safety. Informal discussions suggested that Class I railroads might offer technical or financial assistance to certain small railroads in equipping their locomotives, but that this would, of course, be done based on the corporate interest of the Class I railroad.
In the PTC Working Group and in informal discussions around its activities, Class I railroads indicated that they intended to take a strong position against non-equipped trains operating on their PTC lines, and that in order to enforce this restriction fairly they understood that they would need to equip their own locomotives, including older road switchers that might venture onto PTC-equipped lines only occasionally. However, during these discussions, FRA was not able to develop a clear understanding regarding, outside the scope of FRA regulations, the extent to which the Class I railroads under previously executed private agreements enjoy the effective ability to enforce a requirement that all trains be equipped. FRA presumes for purposes of this proposal that there will be circumstances rooted in previously executed private agreements under which the Class I railroad would be entitled to require the small railroad to use a controlling locomotive equipped with PTC as a condition of operating onto the property. FRA wishes to emphasize that, in making this regulatory proposal, FRA does not intend to influence the exercise of private rights or to suggest that public policy would disfavor an otherwise legitimate restriction on the use of unequipped locomotives on PTC lines. Rather, this proposal is intended to explore limited exceptions that might be acceptable from the point of view of safety, and helpful from the point of view of the public interest in rail service, where it might be compatible with prior rights of the railroads involved. FRA also notes that, in the absence of clear guidance on this issue, a substantial number of waiver requests could be expected that would have to be resolved without the benefit of decisional criteria previously examined and refined through the rulemaking process.
Paragraph (a) proposes that, as a general rule, all trains operating over PTC territory must be PTC-equipped. In other words, paragraph (a) would require each lead locomotive to be operated with a PTC onboard apparatus if it is controlling a train operating on a track equipped with a PTC system in accordance with subpart I. The PTC onboard apparatus should operate and function in accordance with the PTCSP governing the particular territory. Accordingly, it must successfully and sufficiently interoperate with the host railroad's PTC system.
Generally, the four parts of each PTC system are office, wayside, communications, and onboard components. FRA recognizes that a PTC onboard apparatus for a lead locomotive owned and operated by one railroad may not be part of the PTC system upon which the locomotive operates. For example, a Class II railroad lead locomotive equipped with a PTC onboard apparatus may operate on a Class I railroad's PTC line. Throughout this rule, the use of the term “PTC system,” depending upon its context, usually refers to the host railroad's PTC system, and not the tenant railroad's lead locomotive. When using the term “PTC onboard apparatus,” however, FRA intends to cover all such mobile equipment, regardless of whether it is on a locomotive owned or controlled by a host or tenant railroad.
Under proposed § 236.1006, FRA may enforce paragraph (a). Proposed paragraphs (b) and (c), however, contain a series of proposed qualifications and exceptions to paragraph (a).
First, it is understood that during the time PTC technology is being deployed to meet the statutory deadline of December 31, 2015, there will be movements over PTC lines by trains with lead locomotives not equipped with a PTC onboard apparatus. In general, Class I railroad locomotives are used throughout the owning railroad's system and, under shared power agreements, on other railroads nationally. FRA anticipates that the gradual equipping of locomotives—which will occur at a relatively small number of specialized facilities and which will require a day or two out of service as well as time in transit—will extend well into the implementation period that ends on December 31, 2015. It will not be feasible to tie locomotives down to PTC lines, and the RSAC stakeholders fully understood that point. Labor organizations did urge that railroads make every effort to use equipped locomotives as controlling units, and FRA believes that in general, railroads will do so in order to obtain the benefits of their investment.
Second, FRA has included a transitional provision, related to PTC apparatus that fails upon attempted initialization, specifically intended to encourage placement of PTC-equipped locomotives on the point during the period when reliability may be an issue. This provision would allow a stated, declining percentage of locomotives equipped with PTC to be dispatched even if the onboard apparatus fails. Although FRA agrees with the objective of rail labor's suggestion for “consist management” that puts equipped locomotives on the point, FRA also recognizes that a number of factors related to the age and condition of locomotives may influence this decision. Further, in the early stages of implementation, requiring that power be switched if initialization fails could result in significant train delays and contribute to congestion in yards and terminals. Some “slack” in the system will be required to implement PTC intelligently and successfully. Of course, if FRA determines during implementation that good faith efforts are not being made to take advantage of PTC-equipped locomotives, FRA could step in with more prescriptive requirements after providing notice and an opportunity for comment.
Recognizing that matching PTC lines with PTC-equipped controlling locomotives will be a key factor in obtaining the benefits of this technology in the period up to December 31, 2015, FRA requests comments on whether PTC Implementation Plans should be required to include power management elements describing how this will be accomplished to the degree feasible.
Third, the section provides a cross-reference to § 236.1029 pertaining to PTC onboard apparatus failing en route.
Fourth, this provision proposes exceptions for trains operated by Class II and III railroads, including tourist or excursion railroads. The exceptions are limited to lines not carrying intercity or commuter passenger service, except where the Class I freight railroad and the passenger railroad have requested an exception in the PTC Implementation Plan's main line track exception addendum (MTEA) in accordance with § 236.1019, as further discussed below, and FRA has approved that element of the plan.
FRA has considered whether to provide an exception to requiring each Class II and III railroad locomotive to be equipped with a PTC onboard apparatus when operating over passenger routes to be equipped with a PTC system, but FRA has not been able to define conditions that would apparently be suitable in every case. FRA is open to consideration of exceptions within the context of a PTC Implementation Plan. To the extent that the host Class I or passenger railroad would need to be supportive of the exception, FRA recognizes that options may be foreclosed prior to FRA consideration. However, railroads have historically exercised substantial control of operations over track that they own or dispatch, and in this case those interests significantly parallel the apparent intent of the Congress to achieve a high level of safety in mixed freight and passenger operations. If FRA were to handle exceptions through PTC Implementation Plans, FRA seeks comments on how that should be accomplished. FRA also seeks comments on whether there should be an assumption that the lead locomotives not equipped with PTC onboard apparatus on four unequipped Class II or III railroad trains will be permitted daily on a segment of PTC-equipped track and that variances from that are permitted in a PTC Implementation Plan. If so, FRA questions whether that should be subject to the agreement of both railroads. If agreement by the Class II or III railroad is not required, FRA seeks comments on what assurance there would be that the Class I railroad would not effectively shut out the Class II or III railroad's operation.
FRA recognizes that most of the justifications stated for these proposed exceptions pertain to short movements for interchange that would constitute a small portion of the movements over the PTC-equipped line. The accident/incident data show that the risk attendant upon these movements is small. A review of the last seven years of accident data covering 3,312 accidents that were potentially preventable by PTC showed that there were only two of those accidents which involved a Class I railroad's train and a Class II or III railroad's train. FRA believes that the low level of risk revealed by these statistics justifies an exception for Class II and III railroad trains traversing a PTC-equipped line for a relatively short distance. FRA notes that the cost of equipping those trains would be high when viewed in the context of the financial strength of the Class II or III railroad and the marginal safety benefits would be relatively low in those cases where a small volume of traffic is moved over the PTC-equipped line.
FRA also believes that it is clearly desirable for each train using a PTC-equipped line eventually to have a lead locomotive equipped with a PTC onboard apparatus. However, FRA seeks comments on the length of time the exception should last and a justification of that length of time. Other considerations aside, FRA seeks comments on whether FRA should not require a Class II or III railroad locomotive used on a PTC-equipped line to be equipped with PTC when it is rebuilt or replaced (i.e., when the cost of equipping a locomotive is lowest). In other cases, the Class II or III railroad has dedicated locomotives serving the line to be equipped with PTC. From the facts presently available to FRA, it appears to be appropriate for those locomotives to be equipped with PTC. Moreover, FRA is aware of other cases where Class II and III railroads have rather more extensive operations over Class I railroad lines; and, in these cases, the risks incurred could be more substantial. Further, in some of these cases the smaller railroads are aligned with the Class I railroads over which they operate or may even be under common ownership and control. For purposes of prompting a more complete public dialogue on this issue, FRA is proposing to limit unequipped movements by any single Class II or III railroad to not more than 4 trains per day over any given track segment on a PTC-equipped line. A train moving from the small railroad to the point of interchange and back within the same calendar day would count as two trains.
To the extent the movements in question do not exceed 20 miles, this exception would be available at least until FRA next considered the issue of PTC deployment. Information available to FRA indicates that this would accommodate a substantial majority of the affected operations. FRA questions and seeks comments as to whether this latitude should be available if one or more locomotives subsequently acquired by the small railroad were equipped for PTC.
To the extent the movements in question exceed 20 miles, the exception would be available only until December 31, 2020. In some cases, small railroads operate over Class I railroad tracks for over one hundred miles, and these operations may be integral to their service plans (e.g., permitting the small railroad to reach lines branching off from the Class I railroad's route structure for which the smaller railroad provides local service). FRA recognizes that in these circumstances the smaller railroads would face overwhelming competition for supplier attention and significant challenges related to pricing that will attend the initial period of implementation. Accordingly, FRA proposes to provide for these railroads to equip the necessary locomotives with additional time beyond the statutory deadline that applies to Class I railroads. In conjunction with this latitude, FRA would ask for progress reports to focus the attention of the railroads' management teams and to ensure that the agency could not be presented with unreasonable demands for further extensions at the end of the extended implementation period.
FRA recognizes that small railroads carry a wide variety of commodities, including PIH traffic. FRA invites comments on whether the small railroad exceptions for freight operations that FRA is proposing should be altered if the small railroad is transporting PIH traffic on PTC equipped track through a densely populated area. Commenters are requested to detail any alternative standards they believe should be adopted to address such a situation.
Section 236.1007 Additional Requirements for High Speed Service
Since the early 1990s, there has been an interest centered around designated high speed corridors for the introduction of high speed rail, and a number of States have made progress in preparing rail corridors through safety improvements at highway-rail grade crossings, investments in track structure, and other areas. FRA has administered limited programs of assistance using appropriated funds. With the passage of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, 123 Stat. 115 (2009), which provides $8 billion in capital assistance for high speed rail corridors and intercity passenger rail service, and the President's announcement in April 2009 of a Vision for High Speed Rail in America, FRA expects those efforts to increase considerably. FRA believes that railroads conducting high speed operations in the United States can provide a world class service as safe as, or better than, any high speed operations conducted elsewhere. In anticipation of such service, and to ensure public safety, FRA proposes three tiers of requirements for PTC systems operating in high speed service. The proposed performance thresholds are intended to increase safety performance targets as the maximum speed limits increase to compensate for increased risks, including the potential frequency and adverse consequences of a collision or derailment.
Section 236.1007 proposes setting the intervals for the high speed safety performance targets for operations with: maximum speeds at or greater than 60 and 50 miles per hour for passenger service and freight operations, respectively, under paragraph (a); maximum speeds greater than 90 miles per hour under paragraph (b); maximum speeds greater than 125 miles per hour under paragraph (c); and maximum speeds greater than 150 mph under paragraph (d). The reader should note that the requirements increase as speed rises. Thus, for instance, operations with trains moving above 125 miles per hour must, in addition to the requirements under paragraph (c), adhere to the requirements under paragraphs (a) and (b).
Paragraph (a) addresses the PTC system requirements for territories where speeds are greater than 59 miles per hour for passenger service and 49 miles per hour for freight service. Under existing regulations (49 CFR 236.0), block signal systems are required at these speeds (unless a manual block system is in place, an option that this proposal would phase out). The proposed rule expects covered operations moving at these speeds to have implemented a PTC system that provides, either directly or with another technology, all of the statutory PTC system functions along with the safety-critical functions of a block signal system as defined in the existing standards of subparts A-F of part 236. The safety-critical functions of a block signal system include track circuits, which assist in broken rail detection and unintended track occupancies (equipment rolling out), and fouling circuits, which can identify equipment that is intruding on the clearance envelope and may prevent raking collisions.
FRA recognizes that advances in technology may render current block signal, fouling, and broken rail detection systems obsolete and FRA does not want to preclude the introduction of suitable and appropriate advanced technologies. Accordingly, FRA believes that alternative mechanisms providing the same functionality are entirely acceptable and FRA encourages their development and use to the extent they do not have an adverse impact on the level of safety.
Paragraph (b) addresses system requirements for territories where operating speeds are greater than 90 miles per hour, which is currently the maximum allowable operating speed for passenger trains on Class 5 track. At these higher speeds, the implemented PTC system must not only comply with paragraph (a), but also be shown to be fail-safe (as defined in Appendix C) and at all times prevent unauthorized intrusion of rail traffic onto the higher speed line operating with a PTC system. FRA intends this concept of fail-safe application to be understood in its commonplace meaning, i.e., that insofar as feasible the system is designed to fail to a safe state, which normally means that trains will be brought to a stop. Further, FRA understands that there are aspects of current system design and operation that may create a remote opportunity for a “wrong-side” or unsafe failure and that these issues would be described in the PTCSP and mitigations would be provided. FRA recognizes that, as applied in the general freight system, this proposal could create a significant challenge related to interoperability of freight equipment operating over the same territory. Accordingly, FRA requests comment on whether, where operations do not exceed 125 miles per hour or some other value, the requirement for compliance with Appendix C safety assurance principles might be limited to the passenger trains involved, with “non-vital” onboard processing permitted for the intermingled freight trains.
As speed increases, it also becomes more important that inadvertent incursions on the PTC-equipped track be prevented at switch locations. FRA proposes that this be done by effective means that might include use of split-point derails properly placed, equipping of tracks providing entry with PTC, or arrangement of tracks and switches in such a way as to divert an approaching movement which is not authorized to enter onto the PTC line. The protection mechanism on the slower speed line must be integrated with the PTC system on the higher speed line in a manner to provide appropriate control of trains operating on the higher speed line if a violation is not prevented for whatever reason.
Paragraph (c) addresses high speed rail operations exceeding 125 miles per hour, which is the maximum speed for Class 7 track under § 213.307. At these higher speeds, the consequences of a derailment or collision are significantly greater than at lower speeds due to the involved vehicle's increased kinetic energy. In such circumstances, in addition to meeting the requirements under paragraphs (a) and (b), including having a fail-safe PTC system, the entity operating above 125 miles per hour must provide an additional safety analysis (the HSR-125) providing suitable evidence to the Associate Administrator that the PTC system can support a level of safety equivalent to, or better than, the best level of safety of comparable rail service in either the United States or a foreign country over the 5-year period preceding the submission of the PTCSP. Additionally, PTC systems on these high speed lines must provide the capability, as appropriate, to detect incursion from outside the right of way and provide warnings to trains. Each subject railroad is free to suggest in its HSR-125 any method to the Associate Administrator that ensures that the subject high speed lines are corridors effectively sealed and protected from such incursions (see § 213.347 of this title), including such hazards as large motor vehicles falling on the track structure from highway bridges.
Paragraph (d) addresses the highest speeds existing or currently contemplated for rail operations exceeding 150 miles per hour. FRA expects these operations to be governed by a Rule of Particular Applicability and the HSR-125 required by paragraph (c) shall be developed as part of an overall system safety plan approved by the Associate Administrator. The quantitative risk showing required for operations above 125 miles per hour is not required to include consideration of acts of deliberate violence. The reason for this exclusion is simply to remove speculative or extraordinary considerations from the analysis. FRA and the Department of Homeland Security will of course expect that security considerations are taken into account in system planning.
Section 236.1009 Procedural Requirements
RSIA08 and the proposed rule require that by April 16, 2010, each Class I railroad carrier and each entity providing regularly scheduled intercity or commuter rail passenger transportation develop and submit to FRA a plan for implementing a PTC system by December 31, 2015, and that FRA shall not permit the installation of any PTC system or component in revenue service unless the Administrator has certified them through the approval process contained in this part. FRA understands implementation to include design, testing, potential Verification and Validation, installation, and operation over the PTC system's life cycle.
Current subpart H of part 236 provides a technically sound procedure for obtaining FRA approval of various processor-based signal and train control systems. However, based on experience gained during BNSF's ETMS 1 project, FRA believes that its process does not support rapid FRA review and decision making and requires redundant submission of information common to multiple railroads. FRA also believes that although the risk analysis required by subpart H fully reflects operational parameters associated with the different types of operations, it is excessively cumbersome and overly time consuming for the purposes of deploying PTC system technologies at the rate required under RSIA08. Moreover, subpart H does not require an implementation plan and does not provide for “certification.” Arguably FRA could simply amend subpart H to include requirements relating to implementation plans and to modify the language to equate “approval” under subpart H with “certification” under the statute. However, FRA believes that such a resultant amended subpart H would remain unsuitable for a PTC system certification process in light of the congressional mandates. Those potential amendments alone would not remedy subpart H's inability to provide quick and efficient FRA review.
Accordingly, for PTC system implementation, certification, and build-out completion to occur within the very aggressive dates set by Congress, FRA is proposing a new subpart I, with some minor modifications to subpart H. Under subpart I, § 236.1007 proposes and explains the process by which each railroad may ultimately receive PTC System Certification for its PTC system. Under § 236.1007, FRA intends to avoid procedural redundancy, provide sufficient procedural flexibility to accommodate the varying needs of those seeking certification, mitigate the financial risk associated with technological investment necessary to comply with the regulatory requirements, and otherwise develop a streamlined process to provide for quick review and resolution of the issues leading to certification.
Generally speaking, there are three major elements of the proposed PTC System Certification process: PTC Implementation Plan (PTCIP) submission and approval, receipt or use of a Type Approval number—which may be provided with approval of a PTC Development Plan (PTCDP)—and PTC Safety Plan (PTCSP) submission to receive PTC System Certification. While § 236.1009 provides for the procedural requirements for this process, the contents for the applicable filings are provided for under §§ 236.1011, 236.1013, and 236.1015. The PTCIP is the written plan that defines the specific details of how and when the railroad will implement the PTC system. The PTCDP provides a detailed discussion of specific elements of the proposed technology and product that will be used to implement PTC as required by RSIA08. Approval of the PTCDP comes in the form of a Type Approval number that applies to the subject PTC system. The PTCSP provides the railroad-specific elements demonstrating that the system, as installed, meets the required safety performance objectives. Approval of the PTCSP comes in the form of a PTC System Certification.
Under paragraph (a), the PTCIP submission deadline of April 16, 2010, applies to all host railroads—as defined in § 236.1003—that exist at that time and are required to install a PTC system on one or more main lines in accordance with § 236.1005(b). Intercity and commuter railroads that are tenants on Class I, II, or III freight lines must also join with their host railroad in filing these plans. FRA believes that the railroad that maintains operational control over a particular track segment is generally in the best position to develop and submit the PTCIP, since that railroad is more knowledgeable of the conditions of and operations over its track. FRA recognizes that in cases where a tenant passenger railroad operates over a Class II or III railroad, the passenger railroad may be required to take a more active role in planning the PTC system deployment by working with the host railroad.
Paragraph (a) proposes to require that a PTCIP will be filed by railroads that are host railroads upon which passenger trains traverse and thus require PTC installation and operation. FRA recognizes that the statute requires timely submission of a PTCIP by each Class I railroad and each entity providing regularly scheduled intercity or commuter rail passenger transportation. Class II and III railroads that host intercity or commuter rail service will need to file implementation plans, whether or not they directly procure or manage installation of the PTC system.
The tenant passenger railroad will need to file jointly with the Class I, II or III railroad. This is consistent with RSIA08, which requires each subject passenger railroad to file an implementation plan. In the case of an intercity or commuter railroad providing service over a Class I railroad, it may be sufficient for the passenger railroad to file a letter associating itself with the Class I's plan to the extent it impacts the passenger service. FRA does not propose any requirement for joint filing in the more common case where another railroad has freight trackage rights over a Class I railroad's PTC line. However, the Class I railroad will, of course, address these joint operations and discuss the issue of interoperability in its plan as required by law.
If a host freight railroad and tenant passenger railroad cannot come to an agreement on a PTCIP to jointly file by April 16, 2010, they must instead each file a PTCIP separately with a notification separate from the PTCIP to the Associate Administrator indicating that a joint filing was not possible and an explanation of why the subject railroads could not agree upon a final PTCIP draft for joint filing. Under such a circumstance, each freight or passenger railroad may still be subject to a civil penalty assessed for each day past the deadline that a PTCIP is not jointly filed. FRA believes that these measures are necessary to ensure timely PTC system implementation and operation under the statute and are in the interest of public safety. FRA believes that when subject railroads have an obligation to submit a joint filing, they also carry the obligation to seek dispute resolution by private means if needed.
If a PTCIP or request for amendment (RFA), as provided in § 236.1021, must be submitted in accordance with the rule after April 16, 2010, paragraph (a) does not propose to provide the subject railroads with an opportunity to file separately. If a railroad intends to use track that would require the installation of a PTC system in accordance with paragraph (a)(3), and the parties have difficulty reaching agreement, then such usage would merely be delayed until the parties come to a mutually acceptable PTCIP for joint filing.
FRA notes that new passenger railroads are likely to begin operations during the period between issuance of the final rule in this proceeding and the end of the implementation period for PTC (December 15, 2015). Railroads beginning operations after April 16, 2010, but before December 31, 2015, that must install PTC would be expected to file a PTCIP that meets the requirements of paragraph (a) as soon as possible after the decision to proceed. It is FRA's position for purposes of this proposal that any railroad commencing operations after December 31, 2015, that require PTC will not be authorized to commence revenue operations until the PTC installation is complete. FRA requests comment on whether there are any legitimate exceptions to this approach, which appears to be the only approach consistent with the RSIA08.
Paragraph (b) contains the proposed process for receiving a Type Approval number for a particular PTC system. Under the proposed rule, each PTC system must receive a Type Approval number. The Type Approval is a number assigned to a particular off-the-shelf PTC system product—described in a PTCDP in accordance with § 236.1013—indicating FRA's belief that the product could fulfill the requirements of subpart I. FRA's issuance of a Type Approval does not mean that the product will meet the requirements of subpart I. The Type Approval applies to the technology designed and developed, but not yet implemented, and does not bestow any ownership or other similar interests or rights to any railroad. Each Type Approval number remains under the control of the FRA, and can be issued or revoked in accordance with this subpart.
FRA expects the proposed Type Approval process to provide a variety of benefits to FRA and the industry. If a railroad submits a PTCDP describing a PTC system, and the PTC system receives a Type Approval, then other railroads intending to use the same PTC system without variances may, in accordance with proposed paragraph (b)(1), simply rely on the Type Approval number without having to file a separate PTCDP. While the railroad filing the PTCDP must expend resources to develop and submit the PTCDP, all other railroads using the same PTC system would not. This would not only provide significant cost and time savings for a number of railroads, but will remove a significant level of redundancy from the approval process that is currently inherent in subpart H.
If, however, a railroad intends to use a modified version of a PTC system that has already received a Type Approval number, and the variances between the two systems are of a safety-critical nature, the railroad must submit a new PTCDP. The new PTCDP can either fully comply with the content requirements under § 236.1013 or supply a Type Approval number for the other PTC system upon which the modified PTC system will rely and a document fulfilling the content requirements under § 236.1013 as it applies to the safety-critical variances.
In any event, to receive a new Type Approval number, the railroad must submit to FRA a PTCDP, drafted in accordance with § 236.1013, no later than when it submits its PTCIP. While the PTCDP may be drafted by the PTC system vendor, FRA believes it is the railroad's regulatory responsibility and duty to submit its PTCIP to FRA. FRA believes that requiring the submission of the PTCDP with the PTCIP will facilitate a reduction in regulatory activities, thus maximizing the time available for the railroads to carry out the necessary activities to complete PTC implementation within the 65 months available between April 2010 and December 2015. During that time, each railroad is expected to carry out all of the required actions necessary to complete design, manufacture, test, and installation of the PTC office, onboard, and wayside subsystems. FRA believes that the process proposed in paragraph (b) provides the railroads considerable flexibility. By requiring that a railroad's PTCDP be submitted no later than its PTCIP, FRA intends to ensure that FRA has the opportunity early in the regulatory approval process to review and determine whether the proposed technical solution in the PTCDP has the potential to satisfy the statutory requirements. If a PTCDP is submitted at a later time, the length of time available to the railroad to perform a complete PTC implementation will be decreased even further.
Many issues relating to FRA's review of the railroad's PTCDP may also cause further delays, thus reducing the time between the receipt of a Type Approval and the statutory deadline of December 15, 2015, upon which the PTC system must be installed and operating. For instance, FRA may find that the PTCDP does not adequately conform to this subpart or otherwise has insufficient information to justify approval. FRA may also determine that there are issues raised by the PTCDP that would adversely affect the ability of FRA to eventually certify the system. If such a situation were to arise, the railroad and its vendor would need to address the issues, and resubmit the PTCDP for FRA approval.
Given the magnitude of the tasks faced by the railroads, any additional delays beyond April 16, 2010, will increase the risk of the railroad failing to meet the December 31, 2015, completion date required by RSIA08. Such delays will increase the length of time that the risk to the public and railroad employees remains unmitigated by PTC technologies. More specifically, FRA recognizes that any loss of time would make it more difficult for a railroad to perform the installation, testing, and analyses necessary to submit its PTCSP for PTC System Certification. Such installation, testing, and analyses cannot occur until the railroad knows the PTC system that it may use, as identified by a Type Approval number. Accordingly, paragraph (b) proposes that each PTCDP be filed no later than when its associated PTCIP is submitted in order to preserve as much time as possible to ensure that each railroad meets the statutory deadline and that Congress' intent is not otherwise frustrated.
FRA believes that the existence of certain overlapping issues in each PTCDP and PTCIP also requires their contemporaneous submission and review. FRA strongly believes that a meaningful implementation plan cannot be created if the railroad has not identified, and does not understand, the technology it proposes to implement. Without an understanding of the technology, and the issues associated with its design, test, and implementation, any schedules developed by the railroad may be meaningless. Unless there is an understanding of the PTC system it hopes to use, and how it expects to implement that system, evaluation of a deployment schedule cannot be undertaken.
Moreover, the PTCIP requires that the railroad address the issue of interoperability with other PTC systems. Any meaningful discussion regarding interoperability requires that the railroad have a clear understanding of the technical capabilities of the system that it proposes to implement before it can make an informed judgment of how the system will interoperate with other systems. The information required in the PTCDP provides the implementing railroad, other railroads with which the implementing railroad interfaces, and FRA with an understanding of the technical requirements necessary for interoperability. FRA believes that early identification of technical capabilities of the proposed PTC systems will allow the concerned parties to make more timely design adjustments to facilitate interoperability, reducing any delays that may increase the level of risk of the railroad meeting its statutory deadline.
FRA also believes that the process proposed by paragraph (b) will also reduce each railroad's financial risk related to implementing a technological system requiring governmental approval. Members of the PTC Working Group expressed concern about having to expend significant resources to implement and test a PTC system prior to submitting a PTCSP reflecting its findings in order to receive PTC System Certification. FRA believes that proposed paragraphs (b) and (e) address this concern. By requiring submission of a PTCDP earlier in the process, FRA intends to be involved in the design and implementation process from the beginning. After contemporaneously reviewing a railroad's PTCIP and PTCDP, FRA may be able to predetermine, and share with the railroad, an appropriate course of action to adequately address the various issues specific to the railroad and related to drafting a successful PTCSP. Moreover, in accordance with paragraph (e)—as discussed further below—each subject railroad may have the benefit of FRA monitoring its progress in implementing its PTC system. With FRA's involvement in the process, each subject railroad's financial risk associated with implementing a PTC system prior to PTCSP approval will be mitigated.
While FRA expects each subject railroad to submit its PTCDP with its PTCIP, the proposed rule does not preclude a railroad from submitting its PTCDP before its PTCIP for FRA review and approval. FRA encourages an earlier submission of the PTCDP to further reduce the required regulatory effort necessary to review the PTCIP and PTCDP if submitted together. More importantly, it would present an opportunity for FRA to issue a Type Approval for the proposed PTC system before April 16, 2010, thus providing other railroads intending to use the same or similar PTC system the opportunity to leverage off of the work already accomplished by simply submitting the Type Approval—and a much less burdensome PTCDP in the event of variances. FRA also believes that the proposed regulatory procedure may incentivize railroads using the same or similar PTC system to jointly develop and submit a PTCDP, thus further reducing the paperwork burden on FRA and the industry as a whole and increasing confidence in the interoperability between systems.
Paragraph (c) proposes to require that each subject railroad must either file a Request for Expedited Certification (REC) or submit an approved PTCIP, a Type Approval, and a PTCSP developed in accordance with § 236.1015 in order to receive PTC System Certification. A REC applies only to PTC systems that have already been in revenue service and meet the criteria of § 236.1031(a), as further discussed below. If a PTC system is not eligible for expedited certification, the railroad must submit a PTCSP. As required under proposed § 236.1015, the PTCSP must include information relating to the operation and safety of the PTC system as defined in the PTCDP and as applied to the railroad's actual territory. To determine the sufficiency of the PTC system's applicability on the railroad's territory, the railroad may be required, as referenced in paragraph (e), to perform laboratory or field testing or have an independent assessment performed. Ultimately, PTC System Certification—issued by FRA based on a review and approval of the PTCSP—is FRA's formal recognition that the PTC system, as described and implemented, meets the statutory requirements and the provisions of subpart I. It does not imply FRA endorsement or approval of the PTC system itself.
To be clear, paragraph (d) requires that each PTCIP, PTCDP, and PTCSP must comply with the content requirements proposed in §§ 236.1011, 236.1013, and 236.1015, respectively. If the submissions do not comply with their respective regulatory requirements, then they may not be approved. Without approval, a PTC system may not receive a Type Approval or PTC System Certification.
Paragraph (d) also proposes that the contents of the submitted plans be understood by FRA personnel. In the interest of an open market, FRA does not want to preclude the ability of PTC system suppliers outside of the United States from manufacturing PTC systems or selling them to the subject railroads. However, in order to ensure the safety and reliability of those systems, FRA needs to adequately review the submitted plans. Accordingly, FRA proposes to require that all materials submitted in accordance with this subpart be in the English language, or be translated into the English language and attested as true and correct. FRA seeks comments on this proposal and whether any additional requirements are necessary to ensure FRA's adequate understanding of the submissions.
Under subpart H of part 236, a railroad may seek confidential treatment for certain information required to be submitted under that subpart. According to § 236.901(c), a railroad may label that information as confidential—if it deems it to be trade secrets, or commercial or financial information that is privileged or confidential under Exemption 4 of the Freedom of Information Act, 5 U.S.C. 552(b)(4)—and submit the information in accordance with § 209.11. FRA believes that the same concept should be applied to materials submitted in accordance with proposed subpart I. FRA continues to believe that the referenced information should receive the protections under the Freedom of Information Act (FOIA) (5 U.S.C. 552) and the Trade Secrets Act (18 U.S.C. 1905). FRA also continues to believe that it cannot make any flat pronouncements about the confidentiality of information it has not yet received. Should a FOIA request be made for information submitted under this rule that the submitting party has claimed should be withheld, the submitting company will be notified of the request in accordance with the submitter consultation provisions of the Department's FOIA regulations (§ 7.17) and will be afforded the opportunity to submit detailed written objections to the release of information protected by exemption 4 as provided for in § 7.17(a). Since FRA proposes to place the redacted versions of the submitted plans in a docket for public comment, FRA strongly encourages submitting parties to request protection from withholding only for those portions of documents that truly justify such treatment (i.e., trade secrets and security sensitive information).
While FRA continues to believe that there is no need at this time to substantially revise § 209.11, FRA proposes in subpart I to require an additional document to assist FRA in efficiently and correctly reviewing confidential information. Under § 209.11, a redacted and an unredacted copy of the same document must be submitted. When FRA review is required to determine whether confidentiality should be afforded, FRA personnel must painstakingly compare side-by-side the two versions to determine what information has been redacted. To reduce this burden, FRA proposes that any material submitted for confidential treatment under subpart I and § 209.11 must include a third version that would indicate, without fully obscuring, the redacted portions. For instance, to indicate, without obscuring, the plan's redacted portions, the railroad may use the color or light gray highlighting, underlining, or strikethrough functions of its word processing program. This document will also be treated as confidential under § 209.11. While FRA could instead amend § 209.11 to include this requirement, FRA does not believe it to be necessary at this time. If more regulatory procedures in other subparts or parts provide for confidential treatment under § 209.11, FRA will then consider whether amendment of § 209.11 would be appropriate at that time.
As discussed more specifically below, FRA is considering requiring the submission of an adequate GIS shapefile to fulfill some of the PTCIP content requirements under § 236.1011. Redacting word processing documents includes the simple task of blocking the text wished to be deemed confidential. However, in a GIS shapefile, which includes primarily map data, visually blocking out the information would defeat the purpose. For instance, a black dot over a particular map location, or a black line over a particular route, would actually reveal the location. FRA expects that a railroad seeking confidentiality for portions of a GIS shapefile will submit three versions of the shapefile to comply with paragraph (d). FRA expects that the version for public consumption would merely not include the confidential information. FRA seeks comments on this proposal. FRA also seeks comments on how a third version of the GIS shapefile would indicate, without fully obscuring, the confidential portions.
As previously noted, FRA expects that FRA-monitored laboratory or field testing or an independent third party assessment may be necessary to support conclusions made and included in a railroad's submitted PTCDP or PTCSP. This issue is initially addressed in paragraph (e). The procedural requirements to effectuate either of those requirements can be found in §§ 236.1035 and 236.1017, respectively.
Proposed paragraph (f) makes clear that FRA approval of a plan submitted under subpart I may be contingent upon any number of factors and that once the plan is approved, FRA maintains the authority to modify or revoke the resulting Type Approval or PTC System Certification. Under paragraph (f)(1), FRA would reserve the right to attach additional requirements as a condition for approval of a PTCIP, PTCDP, or PTCSP. A risk-informed and performance-based approach is one in which the risk insights, and engineering analysis and performance history, are used to: (1) Focus attention on the most important activities; (2) establish objective criteria based upon risk insights for evaluating performance; (3) develop measurable or calculable parameters for monitoring systems performance; and (4) focus on the results as the primary basis of regulatory decision-making. To accomplish these tasks, it is necessary to identify, analyze, assess, and control hazards and risks within all components of a system—including people, cultures and attitudes, procedures, materials, tools, equipment, facilities and software. In the preparation of any of these plans, railroads may have inadvertently failed to fully address hazards and risks associated with all of these components.
FRA believes that proposed paragraph (f)(1) will make the regulatory process more efficient and stable. Rather than reject a railroad's plan completely, and consequently delay the railroad's implementation of its PTC system, FRA would prefer to add additional conditions during the approval process to address these oversights. When determining whether to attach conditions to plan approval, FRA will consider whether: (1) The plan includes a well-defined and discrete technical or security issue that affects system safety; (2) the risk or safety significance of an issue can be adequately determined; (3) the issue affects public health and safety; (4) the issue is not already being processed under an existing program or process; and (5) the issue cannot be readily addressed through other regulatory programs and processes, existing regulations, policies, guidance, or voluntary industry initiatives.
Proposed paragraph (f)(2) provides FRA the right to withdraw a Type Approval or a PTC System Certification as a consequence of the discovery of new information regarding system safety that was not previously identified. FRA issuance of each Type Approval or PTC System Certification under performance-based regulations assumes that the model of the train control system and its associated probabilistic data adequately accounts for the behavior of all design features of the system that could contribute to system risk. Different system design approaches may result in different levels of detail introducing different approximations/errors associated with the safety performance. There are some characteristics for which modeling methods may not fully capture the behavior of the system, or there may be elements of the system for which historical performance data may not be currently available. These potential inconsistencies in the failure analysis could introduce significant variations in the predicted performance from the actual performance. Because of the design complexity associated with train control systems, FRA recognizes that these inconsistencies are not the results of deliberate acts by any individuals or organizations, but simply reflect the level of detail of the analysis, the availability of comprehensive information as well as the qualification and experience of the team of analysts, and the resource limitations of both the railroad and FRA.
In proposed paragraph (f)(3), FRA indicates that the railroad may be allowed to continue operations using the system, although such continued operations may have special conditions attached to mitigate any adverse consequences. It is FRA's intent, to the maximum extent possible and when consistent with safety, to assist railroads in keeping the systems in operation. FRA expects that if it places a condition on PTC system operations, each railroad will have a predefined process and procedure in place that would allow continued railroad operations, albeit under reduced capability, until appropriate mitigations are in place, and the system can be restored to full operation. In certain dire situations, FRA may actually order the suspension or discontinuation of operations until the root cause of the situation is understood and adequate mitigations are in place. FRA believes that suspending a Type Approval or a PTC System Certification pending a more detailed analysis of the situation may be appropriate, and that any such suspension must be done without prejudice. FRA expects to take such an action only in the most extreme circumstances and after consultation with the affected parties.
After reconsidering its issuance of a Type Approval or PTC System Certification, under paragraph (f)(4), FRA may either dismiss its reconsideration, continue to recognize the existing FRA approved Type Approval or PTC System Certification, allow continued operations with certain conditions attached, or order the railroad to cease applicable operations by revoking its Type Approval or PTC System Certification. If FRA dismisses its reconsideration or continues to recognize the Type Approval, any conditions required during the reconsideration period would no longer be applicable. If FRA will allow continued operations, FRA may order that the same or other conditions apply. FRA expects that revocation of a Type Approval or PTC System Certification may occur in very narrow circumstances, where the risks to safety appear insurmountable. Regrettably, there may be a few situations in which the inconsistencies are the result of deliberate fraudulent representations. In such situations, FRA may also seek criminal or civil penalties against the entities involved.
Proposed paragraph (g) enables FRA to engage in the proper inspection to ensure that a railroad is in compliance with subpart I. FRA inspections may be required to determine whether a particular railroad has not implemented a PTC system where necessary. For instance, FRA may need to confirm whether a track segment is traversed by 5 million gross tons or more of annual railroad traffic, PIH materials, or passenger traffic. FRA may also need to inspect locomotives to determine whether they are equipped with a PTC onboard apparatus or to review locomotive logs to determine whether they have entered PTC territory. Paragraph (g) makes clear FRA's statutorily provided power to inspect the railroads and gather information necessary to enforce subpart I.
As noted above, in order to maintain an open marketplace, the proposed rule has been drafted to allow domestic railroads to purchase PTC systems from outside of the United States. FRA recognizes that PTC systems have been used in revenue service across the globe and that acceptable products may be available in other countries. FRA also recognizes that such use may come under a regulatory entity much like FRA. Accordingly, under paragraph (h), in the event information relating to a particular PTC system has been certified under the auspices of a regulatory entity in a foreign government, FRA is willing to consider that information as independently Verified and Validated in accordance with the proposed rule to support the railroad's PTCSP development. The phrase “under the auspices” intends to reflect the possibility of certification contractually performed by a private entity on behalf of a foreign government agency. However, the foreign regulatory entity must be one recognized by the Associate Administrator. A railroad seeking to enjoy the benefits of paragraph (h) must communicate that interest in its PTCSP.
Section 236.1011 PTC Implementation Plan Content Requirements
This proposed section describes the minimum required contents of a PTC Implementation Plan. A PTCIP is a railroad's plan for complying with the installation of mandatory PTC systems required by RSIA08. The PTCIP consists of implementation schedules, narratives, rules, technical documentation, and relevant excerpts of agreements that an individual railroad will use to complete mandatory PTC implementation. FRA will measure the railroad's progress in meeting the required implementation date based on the schedule and other information in the PTCIP. While the proposed rule does not specify or mandate any format for the PTCIP, it must at least clearly indicate which portions intend to address compliance with the various plan requirements under § 236.1011. The PTCIP must also clearly identify each referenced document and either include a copy of each document (or its applicable excerpt) or indicate where FRA and the public may view that document. Should FRA not be able to readily determine adequate response to the required information, FRA will assume that the information has not been submitted, and will handle the document accordingly. The lack of the required information may result in FRA's disapproval of a PTCIP. To facilitate timely and successful submittals, FRA, through assistance from a PTCIP Task Force drawn from the PTC Working Group, is developing a template that could be used to format the documents that must be submitted. FRA, however, wishes to emphasize that the use of such a template is strictly voluntary, and encourages railroads to prepare and submit the documents in whatever structure is most economical for the railroad. FRA does not believe it is necessary to require that the railroads expend their limited resources in reformatting of documents when such an activity adds no real value.
However, while the template may be a useful tool, and in light of the various forms a PTCIP may be required to take due to the system the railroad intends to implement, complete adherence to the template will not guarantee FRA approval of the submitted PTCIP.
FRA expects each PTCIP to include various highly specific and descriptive elements relating to each railroad's infrastructure and operations. FRA recognizes that to manually assemble each piece of data into a PTCIP may be exceptionally onerous and time consuming and may make the PTCIP prone to errors. In light of the foregoing and due to the statutory requirement that Congress be apprised of the progress of the railroad carriers in implementing their PTC systems, FRA believes that electronic submission of much of this information may be warranted and preferred. To facilitate collection of this data, FRA proposes to require submission of this data in electronic format. Such electronic submission would fulfill the requirements under § 236.1011 to which they apply.
FRA believes that the preferred, least costly, and least error-prone method to comply with § 236.1011 is for railroads to submit an electronic geographic digital system map containing the aforementioned segment attribute information in shapefile format, which is a data format structure compatible with most Geographic Information System (GIS) software packages. Using a GIS provides an efficient means for organizing basic transportation-related geographic data to facilitate the input, analysis, and display of transport networks. Railways around the world rely on GIS to manage key information for rail operations, maintenance, asset management, and decision support systems. FRA believes that the railroads may have already identified track segments, and their physical and operational characteristics, in shapefile format. For instance, FRA believes that it may be preferable that for each track segment, a shapefile should provide the following identifiable information: Owning railroad(s); distance; signal system; track class; subdivision; number and location of sidings; maximum allowable speed; number and location of mainline tracks; annual volume of gross tonnage; annual number of cars carrying hazmat; annual number of cars carrying PIH; passenger traffic volume; average daily through trains; WIUs; switches; and at-grade rail-to-rail crossings. The requirements under paragraph (a) may be changed to accommodate any of these informational elements. FRA seeks comments on this proposal.
Paragraph (a)(1) proposes that the railroad describe the technology that will be employed in its PTC system. Here, FRA intends to use the term “technology” broadly to include all applicable tools, machines, methods, and techniques.
In proposed paragraph (a)(2), FRA addresses the statutory requirements that the PTCIP shall describe how the PTC system will provide interoperability with movements of trains of other railroad carriers over its lines. Practically speaking, this means that each locomotive operating within PTC territory must be able to communicate with and respond to the PTC systems installed on each PTC territory's track and signal system, except in limited situations established elsewhere in this proposed rule. For similar reasons, paragraph (a)(3) proposes that the PTCIP should describe how the PTC system will provide for interoperability of the system between the host and all tenant railroads on the lines required to be equipped with PTC systems under this subpart.
Interoperability means the ability of diverse systems and organizations to work together (inter-operate), taking into account the technical, operational, and organizational factors that may impact system-to-system performance. FRA expects each PTC system required by subpart I to exhibit syntactic interoperability—so that it may successfully communicate and exchange data with other PTC systems—and semantic interoperability—so that it may automatically, accurately, and meaningfully interpret the exchanged information to prove useful to the end user of each communicating PTC system. To achieve semantic interoperability, both sides must defer to a common information exchange reference model. In other words, the content of the information sent must be the same as what is received and understood. Taking syntactic and semantic interoperability together, FRA expects each PTC system to provide services to, and accept services from, other PTC systems and to use those services exchanged to enable the PTC systems to operate effectively together and to provide the intended results. The degree of interoperability should be defined in the PTCIP when referring to specific cases.
Interoperability is achieved through four interrelated means: Product testing, industry and community partnership, common technology and intellectual property, and standard implementation.
Product testing includes conformance testing and product comparison. Conformance testing ensures that the product complies with an appropriate standard. FRA recognizes that certain standards attempt to create a framework that would result in the development of the same end product. However, many standards apply only to core elements and allow developers to enhance or otherwise modify products as long as they adhere to those core elements. Thus, if an end product is developed in different ways to conform to the same standard, there may still be discrepancies between each instantiation of the end product due to the existence of those variables. Accordingly, FRA believes that comparison testing must also occur to ensure that each instantiation of the same product, regardless of the means by which it is created to meet the same standard, is ultimately identical. In regards to PTC systems, such comparison testing must occur on all portions that relate to each system's interoperability with other systems. Thus, it is also important that the PTC system be formally tested in a production scenario—as it will be finally implemented—to ensure that it will actually intercommunicate and interoperate with other PTC systems as advertised and intended.
To reach interoperability between the various applicable PTC systems, each PTCDP must also show that the systems share common product engineering. Product engineering refers to the common standard, or a sub-profile thereof, as defined by the industry and community partnerships, specifically intended to achieve interoperability. Without common product engineering, the systems will be unable to intercommunicate or otherwise interact as necessary to comply with the proposed rule.
FRA expects that each interoperability standard for PTC systems will be developed by a partnership between various industry participants. Industry and community partnerships, either domestic or international, usually sponsor standard workgroups to define a common standard to provide system intercommunications for a specific purpose. At times, an industry or community will sub-profile an existing standard produced by another organization to reduce options and thus make interoperability more achievable. Thus, in each PTCDP, the railroad must discuss how it developed or adopted a standard commonly accepted by that partnership.
Means of achieving interoperability include having the various entities involved using the same PTC system product or obtaining its components from the same developer. While FRA does not necessarily require this approach—since the agency seeks to maintain an open and competitive marketplace—FRA believes that this is a suitable means to achieve interoperability. This technique may provide similar technical results when using PTC system products from different vendors relying on the same intellectual property. FRA recognizes that certain developers with an intellectual property interest in a particular technology may provide a non-exclusive license of its intellectual property to another entity so that the licensee may introduce into the marketplace a substantially similar product reliant on that intellectual property. In such a case, FRA foresees that the use of a common PTC system technology—even if it is proprietary to a single or multiple entities and licensed to railroads—could reduce the variability between components, thus providing for a more efficient means to achieve interoperability.
In order for interoperability to actually occur between multiple entities' PTC systems, there must be some standard to which they all adhere. Thus, FRA also expects that each PTCDP will provide assurances of a common interoperability standard agreed to between all entities using PTC systems that must interoperate.
Since each of these interrelated means has an important role in reducing variability in intercommunication, each railroad's PTCIP must clearly describe the elements required under paragraph (a)(1)-(3).
Much of the remaining information required in a PTCIP under the proposed rule relies on the location, length, and characteristics of each track segment. Therefore, a common understanding of a track segment is necessary. A track is the main designation for describing a physical linear portion of the network. Each line of railroad has a station location referencing system, which serves to locate inventory features and defects along the length of the track. Because some tracks can be very long, track segments are established to divide the track into smaller “management units.” Typically, segment boundaries are established at point of switch (POS) locations, but may also be located at mile markers, grade crossings, or other readily identifiable locations. Inspection, condition assessment, and maintenance planning are performed individually on each segment. After the track network hierarchy is established, the attribute information associated with each track is defined. This attribute information describes the track layout (e.g., curves and grades), the track structure (e.g., rail weights and tie specifications), track clearance issues, and other track related items such as turnouts, rail-to-rail at-grade crossings, highway-rail grade crossings, drainage culverts, and bridges. Inventory information about these track attributes can be quite detailed. A complete and accurate track inventory provides a record of the track network's properties and information about the existing track materials at the specific locations when maintenance or repair is necessary.
Proposed paragraphs (a)(4) and (a)(5) require the railroad to put its entire implementation plan into an understandable context, primarily as it relates to the sequence and schedule of line segment implementation events. Under RSIA08, § 20157(a)(2), Congress requires each subject railroad, in its PTCIP, to describe how it shall, to the extent practical, implement the PTC system in a manner that addresses areas of greater risk before areas of lesser risk. Accordingly, under paragraph (a)(4), the PTCIP must discuss the railroad's areas of risk and the criteria by which these risks were evaluated and prioritized for PTC system implementation. To this end, the railroad must clearly identify all track segments that must be equipped, the basis for that decision for each segment (which might be done by categories of segments), and, as provided in paragraph (a)(5), the dates that implementation of each segment will be completed, taking into account the time necessary to fulfill the procedural requirements related to PTCSP submission, review, and approval. At a minimum, the deployment decisions must be based on segment traffic characteristics such as passenger and freight traffic volumes, the quantity of PIH and other hazardous materials, current methods of operations, existence of block signals and other traditional train control technologies, the number and class of tracks, authorized and allowable speeds for each segment, and other unusual characteristics that may adversely impact safety, such as unusual ruling grades and other track geometries. In cases where deployment of the PTC system cannot be accomplished in order of areas with the greatest risk to areas with the least risk, paragraph (a)(9) proposes that the railroad must explain why such a deployment was not practical and the steps that will be taken to minimize adverse consequences to the public until the line segment can be equipped.
Proposed paragraphs (a)(6) and (a)(7) require the PTCIP to include information regarding the rolling stock and wayside devices that will be equipped with the appropriate PTC technology. For a PTC system to work as intended, PTC system components must be installed and operated in all applicable offices and on all applicable onboard and wayside subsystems. Accordingly, the PTCIP must identify which technologies will be installed on each subsystem and when they are scheduled to be installed.
Under paragraph (a)(6), each host railroad filing the PTCIP must include a comprehensive list of all rolling stock upon which a PTC onboard apparatus must be operative. FRA understands that in most situations, the rolling stock referenced in paragraph (a)(6) may only apply to lead locomotives. However, in the interest of not hindering creative technological innovations, FRA presumes the possibility that PTC system technology may also be attached to additional rolling stock to provide other functions, including determining train capacity and length or providing certain acceptable and novel train controls. To be kept apprised of these possibilities, FRA is proposing in paragraph (a)(6) that each PTCIP include a list of all rolling stock equipped with PTC technology. FRA believes that the PTCIP should also identify any risks associated with trains operated by tenant railroads and not equipped with PTC system technology and the efforts that the host railroad has made to establish the extent of that risk. Although FRA believes that this is inherent to reviewing the risk in the system, FRA asks for comment as to whether a requirement should be specifically called out in the rule text.
FRA understands that a host railroad may not receive cooperation from a tenant railroad in collecting the necessary rolling stock information. Nevertheless, FRA expects each host railroad to make a good faith effort. Identification of those tenant railroads that the host railroad attempted to obtain the requisite and applicable information from and that failed to address a host railroad's written request may establish a good faith effort by the host railroad.
Proposed paragraph (a)(7) requires the PTCIP to provide a detailed schedule of WIU installation and the railroad to subsequently report on that installation. The selection and identification of a technology selected as part of the PTCIP will also, to a great extent, determine the distribution of the functional behaviors of each of the PTC subsystems (e.g., office, wayside, communications, and back office). The WIU is a type of remote terminal unit (RTU) that is part of a larger PTC system, which is a type of Supervisory Control and Data Acquisition System (SCADA). As a whole, the safe and efficient operation of a SCADA—a centralized system that covers large areas, monitors and controls systems, and passes status information from, and operational commands to, RTUs—is largely dependent on the ability of each of its RTUs to accurately receive and distribute the required information. As such, a PTC system cannot properly operate without properly functioning WIUs to provide and receive status information and react appropriately to control information.
It is commonly understood that a WIU device is capable of communicating directly to the office, train, or other wayside unit. FRA recognizes that the number of WIUs may not be the same as the number of devices that they monitor. Depending on the architecture and technology used, a single WIU may communicate the necessary information as it relates to multiple devices. FRA is comfortable with this type of consolidation provided that, in the event of a failure of any one of the devices being monitored, the most restrictive condition will be transmitted to the train or office, except where the system may uniquely identify the failed device in a manner that will provide safe movement of the train when it reaches the subject location.
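The consolidation condition described above can be written as a small decision rule. The following Python is an added illustration, not part of FRA's proposal and not any railroad's or supplier's code; the device names, states, freshness limit, and function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_AGE_S = 5.0  # assumed limit on how old a device reading may be


@dataclass(frozen=True)
class Reading:
    device_id: str
    state: Optional[str]   # None: the WIU has no valid input from the device
    most_restrictive: str  # state to report for this device on failure
    age_s: float           # seconds since the input was last sampled


def failed(r: Reading) -> bool:
    """A reading is unusable if it is missing, stale, or has a bad age."""
    return r.state is None or not (0.0 <= r.age_s <= MAX_AGE_S)


def build_report(
    readings: List[Reading], identifies_failed_device: bool
) -> Tuple[Dict[str, str], List[str]]:
    """Return (device_id -> state to transmit, device ids flagged as failed).

    identifies_failed_device models whether the message format lets the
    train or office learn exactly which monitored device has failed.
    """
    bad = [r.device_id for r in readings if failed(r)]
    if not bad:
        # Every monitored device is healthy: report actual states.
        return {r.device_id: r.state for r in readings}, []
    if identifies_failed_device:
        # The exception in the text: the failed device is uniquely
        # identified, so only that device is forced to its most
        # restrictive state and the others keep their real states.
        report = {
            r.device_id: (r.most_restrictive if r.device_id in bad else r.state)
            for r in readings
        }
        return report, bad
    # Default case: the receiver cannot tell which device failed, so the
    # most restrictive condition is transmitted for everything the WIU
    # monitors.
    return {r.device_id: r.most_restrictive for r in readings}, []


# Constructed sample: one signal and one switch behind a single WIU,
# with the switch input lost.
SAMPLE_READINGS = [
    Reading("SIG-1", "CLEAR", "STOP", 0.4),
    Reading("SW-3", None, "UNKNOWN", 0.9),
]

if __name__ == "__main__":
    print(build_report(SAMPLE_READINGS, identifies_failed_device=False))
    print(build_report(SAMPLE_READINGS, identifies_failed_device=True))
```
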
Because of the critical role that WIUs play in the proper and safe operation of PTC systems, paragraph (a)(7) proposes that the railroad identify the number of WIUs required to be installed on any given track segment and the schedule for installing the WIUs associated with that segment. This information is necessary to fully and meaningfully fulfill the RSIA08 requirement that by December 31, 2012, Congress shall receive a report on the progress of the railroad carriers in implementing PTC systems. See 49 U.S.C. 20157(d). To comply with this statutory requirement, each railroad must determine the number of WIUs it will need to procure and the location—as defined by the applicable subdivision—that each WIU will be installed. FRA believes that if a railroad does not perform these traditional engineering tasks, it will risk exceeding the statutory implementation deadline of December 31, 2015. FRA considers this information an integral part of the PTCIP that must be submitted to FRA for approval.
FRA recognizes the potential for technological improvements that may modify the number and types of WIUs required. FRA also recognizes that during testing and installation, it may be discovered that additional WIU installation may be necessary. In either case, the railroad will be required to submit an RFA in accordance with § 236.1021 indicating how the railroad intends to appropriately revise its schedule to reflect the resulting necessary changes. Nevertheless, regardless of whether FRA approves or disapproves of the RFA, if a railroad is required to submit its PTCIP by April 16, 2010, implementation must still be completed by the statutory deadline of December 31, 2015.
Under proposed paragraph (a)(8), each railroad must also identify in its PTCIP which of its track segments are either main line or not main line. This list must be made based solely on the statutory and regulatory definitions regardless of whether FRA may later deem a track segment as other than main line. If a railroad has a main line that it believes should be considered not main line, it may file with the PTCIP a main line track exception addendum (MTEA) in accordance with § 236.1019, as further discussed below. Each track segment included in the MTEA should be indicated as such on the list required under paragraph (a)(8) so that the PTCIP accounts for each track segment with an appropriate cross-reference to the subject MTEA.
Paragraph (a)(9) requires that the plan call out the basis for this determination to the extent the railroad determines that risk-based prioritization required by paragraph (a)(4) of this section is not practical. FRA recognizes that there may be situations where risk is somewhat evenly distributed and where other factors related to practical considerations—such as the need to establish reliable operation of the system in less complex environments before installing it in more complex environments—may be the prudent course. However, the burden of establishing the reasonableness of this approach would be on the railroad, starting with a showing that risk does not vary substantially among the line segments in question.
As previously mentioned, § 236.1005(a) requires each applicable PTC system to be designed to prevent train-to-train collisions. Under that section, FRA has proposed various requirements that would apply to at-grade rail-to-rail crossings, also known as diamond crossings. While the proposed rule text includes certain specific technical requirements, it also provides the opportunity for each subject railroad to submit an alternative arrangement providing an equivalent level of safety as specified in an FRA approved PTCSP. Accordingly, under proposed paragraph (a)(10), if the railroad intends to utilize alternative arrangements providing an equivalent level of safety to that of the table provided under § 236.1005(a)(1)(i), each PTCSP must identify those alternative arrangements and methods, with any associated risk reduction measures, in its PTCSP.
Paragraph (b) contains proposed provisions related to further deployment of PTC. As noted elsewhere in this preamble, the specific characteristics of the PTC route structure, with the focus on PIH traffic as an indicator of risk, were a late addition to the bill that would become RSIA08, not having appeared in either the House or Senate bills until the final package was assembled using consultations between the committee staffs in lieu of a formal committee of conference. Although the statutory construct (Class I rail line with 5 million gross tons and some PIH materials) adequately defines most of the core of the national freight rail system, it is a construct that will introduce distortions at both ends of the spectrum of risk.
On one hand, a line with a maximum speed limit of 25 miles per hour ending at a grain elevator that receives a few cars of anhydrous ammonia per year is a “main line” if it has at least 5 million gross tons of traffic (a very low threshold for a Class I railroad). This is not a line without risk, particularly if it lacks wayside signals, but FRA analysis shows that the potential for a catastrophic release from a pressure tank car is very low at an operating speed of 25 miles per hour, and the low tonnage is likely associated with relatively infrequent train movements—limiting the chance of a collision. As FRA understands the congressional mandate, the law gives FRA little choice but to require PTC under these circumstances.
On the other end of the spectrum, lines with greater risk may go unaddressed. For instance, a line carrying perhaps a much higher level of train traffic and significant volumes of other hazardous materials at higher speeds, without any PIH or passenger traffic, would not be equipped. This example is not likely to be present to any significant extent under current conditions. However, should the Class I railroads raise freight rates sufficiently to eliminate PIH traffic by making rail transportation prohibitively expensive, the issue would be presented as a substantial one. Most of the transportation risk—including hazards to train crews and roadway workers and exposure to other hazardous materials if released—would remain, but not the few carloads of PIH. FRA believes that the intent of Congress with respect to deployment of PTC might be defeated, even though the literal language of the legislation would be satisfied. Other lines carrying very heavy volumes of bulk commodities such as coal and intermodal traffic may or may not include PIH traffic. Putting aside the risk associated with PIH materials, significant risk exists to train crews and persons in the immediate vicinity of the right-of-way if a collision or other PTC-preventable accident occurs. Any place on the national rail system is a potential roadway work zone, but special challenges are presented in providing for on-track safety where train movements are very frequent.
Risk on the larger Class II and III railroads' lines is also a matter of concern, and the presence of significant numbers of Class I railroad trains on some of those properties presents the opportunity for further risk reduction, since over the coming years virtually all Class I railroad locomotives will be equipped with PTC onboard apparatus. Examples include trackage and haulage rights retained over Class II and III railroads following asset sales in which the Class I railroads divested the subject lines. Other prominent examples involve switching and terminal railroads, the largest of which are owned and controlled by two or more Class I railroads and function, in effect, as extensions of their systems. Conrail Shared Assets, a large regional switching railroad that is owned by NS and CSXT and is comprised of major segments of the former Conrail, then a Class I railroad, is perhaps the classic example.
FRA notes that there has also been a trend, only recently and temporarily abated by the downturn in the economy, toward higher train counts on some non-signaled lines of the Class I railroads. On a train-mile basis, these operations present about twice the risk of similar operations on signalized lines. These safety gaps need to be filled; and, while most will be filled due to the presence of PIH traffic, FRA cannot verify that this is the case in every instance.
FRA concludes that the mandated deployment of PTC will leave some substantial gaps in the Class I route structure, including gaps in some major urban areas. FRA believes that these gaps will, over time, be “filled in” by voluntary actions of the Class I railroads as they establish the reliability of their PTC systems, verify effective interoperability, and begin to enjoy the safety and other business benefits from use of these systems. FRA fully understands both the desire of the labor stakeholders in the PTC Working Group to see a broader build-out of PTC systems than that “minimally” required by RSIA08 and the concerns of the Class I railroads' representatives who noted the extreme challenge associated with equipping tens of thousands of wayside units, some 20,000 locomotives, and their dispatching centers' back offices within the statutory implementation period.
The Congress recognized that all of these issues are legitimate concerns and so mandated the establishment of Risk Reduction Programs under the same legislation. Section 103 of RSIA08 codifies language that includes, within the Risk Reduction Program, a Technology Implementation Plan that is specifically required to address technology alternatives, including PTC. Accordingly, the PTC and Risk Reduction provisions in RSIA08 are clearly aligned in purpose; and there are also references in the technology plan elements of the Risk Reduction language that address installation of PTC by other railroads. Further, FRA has been charged with a separate rulemaking under section 406 of RSIA08 regarding risk in non-signaled (dark) territory that significantly overlaps the issue set in this rulemaking and the Risk Reduction section. Use of technologies that are integral to PTC systems constitutes the best response to hazards associated with non-signaled lines. Switch position monitoring systems, track integrity circuits, digital data links and other technology used to address dark territory issues should be and, as presently conceived, are forward-compatible with PTC. FRA proposes in paragraph (b) to dovetail these requirements by requiring that each Class I railroad include in its PTCIP deployment strategies indicating how it will approach the further build-out of full PTC, or partial implementation of PTC (e.g., using PTC technology to prevent train-to-train collisions but perhaps not monitoring all switches in the territory; or using PTC to protect movements of the Class I over a switching or terminal railroad without initially requiring all controlling locomotives of the switching or terminal railroad to be equipped). These railroads would then be required to include in the technology elements of their initial Risk Reduction plans a specification of which lines will be equipped and with what PTC system elements.
Proposed paragraph (b) makes clear that there would be no expectation regarding additional lines being equipped until those mandated by subpart I have been addressed. FRA shares the view of the Class I railroads and the passenger railroads that the December 31, 2015, deadline already presents a substantial challenge for railroads, suppliers and the employees affected.
Paragraph (c) proposes to codify in regulation the statutory mandate that FRA review the PTCIP and determine, within 90 days of receipt of the plan, whether to provide its approval or disapproval. FRA believes it is also important to provide procedural rules to communicate approval or disapproval. Thus, under paragraph (c), FRA proposes that any approval or disapproval of a PTCIP requires FRA to provide written notice. In the event that FRA disapproves of the PTCIP, the notice will also include a narrative explaining the reasons for disapproval. Once the railroad receives notification that its PTCIP has been disapproved by FRA, it will have 30 days to resubmit its PTCIP for review and approval. While FRA may provide assistance to remedy a faulty PTCIP, it is ultimately the railroad's responsibility and burden to develop and submit a PTCIP worthy of FRA approval. A railroad may be subject to civil penalties if it fails to timely file its PTCIP under this section. As noted previously, subpart I applies to each railroad that Congress and FRA have mandated to install a PTC system. A railroad that is not required to install a PTC system may still do so under its own volition. In such a case, it may seek approval of its system under either subpart H or subpart I. Paragraph (d) intends to make this choice clear.
Paragraph (e) responds to comments by labor organizations in the PTC Working Group. These employee representatives sought the opportunity to comment on major PTC filings. The paragraph provides that, upon receipt of a PTCIP, PTCDP, or PTCSP, FRA posts on its public Web site notice of receipt and reference to the public docket in which a copy of the filing has been placed. FRA may consider any public comment on each document to the extent practicable within the time allowed by law and without delaying implementation of PTC systems. The version of any filing initially placed in the public docket would be the redacted copy as filed by the railroad. If FRA later determined that additional material was not deserving of protection as confidential, that material would be added to the docket.
Section 236.1013 PTCDP Content Requirements and Type Approval
As noted in the discussion above regarding § 236.1009, each PTCSP must be submitted with a Type Approval number identifying a PTC system that FRA believes could fulfill the requirements of subpart I. Under § 236.1009, a railroad may submit an existing Type Approval number in lieu of a PTC Development Plan (PTCDP) if the PTC system it intends to implement and operate is identical to the one described in that Type Approval's associated PTCDP. In the event, however, that a railroad intends to install a system for which a Type Approval number has not yet been assigned, or to use a system with an assigned Type Approval number that may have certain variances to its safety-critical functions, then the railroad must submit a PTCDP to obtain a new Type Approval number.
The PTCDP is the core document that provides the Associate Administrator sufficient information to determine whether the PTC system proposed for installation by the railroad could meet the statutory requirements for PTC systems specified by RSIA08 and the regulatory requirements under subpart I. Issuance of a product Type Approval number is contingent upon the approval of the PTCDP by the Associate Administrator. While filing of a PTCDP is optional in the sense that the railroad may proceed directly to submission of the PTCSP by the April 16, 2010 deadline (see § 236.1009), FRA encourages railroads engaged in joint operations to do so. Approval of the PTCDP, and issuance of a Type Approval, presents the opportunity for other railroads to reduce the effort required to obtain a PTC System Certification. If a Type Approval for a PTC system exists, another railroad may also use that Type Approval provided there are no variances in the system as described in the Type Approval's PTCDP. In such cases, the other railroad may avoid submitting its own PTCDP by simply incorporating by reference the supporting information in the Type Approval's PTCDP and certifying that no variances in the PTC system have been made.
This proposed section describes the contents of the PTCDP required to obtain FRA approval in the form of issuance of a Type Approval number. The proposed provisions of this section require each PTCDP to include all the elements and practices listed in this section to provide reasonable assurance that the subject PTC system will meet the statutory requirements and is developed consistent with generally-accepted principles and risk-oriented proof of safety methods surrounding this technology. FRA believes it is necessary to include the provisions contained in this section in order to provide reasonable assurance that the product, when developed and deployed, will have no adverse impact on the safety of railroad employees, the public, and the movement of trains.
FRA recognizes that much of the information required by § 236.1013 normally resides with the PTC system's developer or supplier and not the client railroad. While FRA expects that each railroad and its PTC system supplier may jointly draft a PTCDP, the railroad has the primary responsibility for the safety of its operations and for providing the information required under § 236.1013. Accordingly, each railroad required to submit a PTCDP under subpart I should make the necessary arrangements to ensure that the requisite information is readily available from the supplier for submission to the agency. FRA believes that suppliers and railroads will develop a PTCDP for most products that adequately addresses the requirements of the new subpart without substantial additional expense. As part of the design and evaluation process, it is essential to ensure that an adequate analysis of the features and capabilities is made to minimize the possibility of conflicts resulting from any use or feature, including a software fault. Since this analysis is a normal cost of software engineering development, FRA does not believe this requirement imposes any additional significant costs beyond what should already be done when developing safety-critical software.
In proposed §§ 236.1013 and 236.1015, various adjectives may precede several of the requirements. For instance, certain paragraphs require “a complete description,” “a detailed description,” or simply a “description.” These phrases are inherited from subpart H. Their inclusion in subpart I is similarly not meant to imply that any description should be more or less detailed or complete than any other description required. Rather, they are included merely for the purposes of emphasis.
Paragraph (a)(1) proposes to require that the PTCDP include system specifications that describe the overall product and identify each component and its physical relationship in the system. FRA will not dictate specific product architectures, but will examine each PTC system to fully understand how its various parts interrelate. Safety-critical functions in particular will be reviewed to determine whether they are designed to be fail-safe. FRA believes this provision is an important element that can be applied to determine whether safety is maximized and maintainability can be achieved.
Paragraph (a)(2) proposes to require a description of the operation where the product will be used. Upon receipt of this information within a PTCDP, FRA will have better contextual knowledge of the product as it applies to the type of operation on which it is designed to be used. Where operational behaviors are not applicable to a particular railroad, or the product design is not intended to address a particular operational behavior, FRA would expect a short statement indicating which operational characteristics do not apply and why they are not applicable.
Paragraph (a)(3) proposes that the PTCDP include a concept of operations, a list of the product's functional characteristics, and a description explaining how various components within the system are controlled. FRA expects that the information provided under paragraphs (a)(2) and (a)(3) will together provide a thorough understanding of the PTC system. FRA will review this information—primarily by comparing the subject PTC system's functionalities with those underlying principles contained in standards for existing signal and train control systems—to determine whether the PTC system is designed to account for all relevant safety issues. While FRA proposes to not prescribe PTC system design standards, FRA expects that each applicant compare the concepts contained in existing standards to the operational concepts, functionalities, and controls contemplated for the PTC system in order to determine whether a sufficient level of safety will be achieved. For example, the proposed requirements prescribe that where a track relay is de-energized, a switch or derail is improperly lined, a rail is removed, or a control circuit is opened, each signal governing movements into the subject block occupied by a train, locomotive, or car must display its most restrictive aspect for the safety of train operations. The principle behind the requirement is that, when a condition exists in the operating environment, or with respect to the functioning of the system, that entails a potential hazard, the system will assume its most restrictive state to protect the safety of train operations.
Paragraph (a)(4) proposes that each PTCDP include a document that identifies and describes each safety-critical function of the subject PTC system. The product architecture includes both hardware and software aspects that identify the protection developed against random hardware faults and systematic errors. Further, the document should identify the extent to which the architecture is fault tolerant. FRA intends to use this information to determine whether appropriate safety concepts have been incorporated into the proposed PTC system. For example, existing regulations require that when a route has been cleared for a train movement, it cannot be changed until the governing signal has been caused to display its most restrictive indication and a predetermined time interval has expired where time locking is used or where a train is in approach to the location where approach locking is used. FRA intends to use this information to determine whether all the safety-critical functions are included. Where such functionalities are not clearly determined to exist as a result of technology development, FRA will expect the reasoning to be stated and a justification provided describing how that technology provides the required level of safety. Where FRA identifies a void in safety-critical functions, FRA may not approve the PTCDP until remedial action is taken to rectify the concern.
FRA recognizes that the information required under paragraph (a)(4) may already be provided when complying with paragraph (a)(1). In such a case, the railroad shall cross-reference where in the PTCDP both paragraphs (a)(1) and (a)(4) are jointly satisfied.
Paragraph (a)(5) proposes to require that each PTCDP address the minimum requirements under § 236.1005 for development of safety-critical PTC systems. FRA expects the information provided under paragraph (a)(5) to cover: identification of all safety requirements that govern the operation of a system; evaluation of the total system to identify known or potential safety hazards that may arise over the life-cycle of the system; identification of all safety issues during the design phase of the process; elimination or reduction of the risks posed by the hazards identified; resolution of safety issues presented; development of a process to track progress; and development of a program of testing and analysis to demonstrate that safety requirements are met. Paragraph (a)(5) also requires that each railroad identify the PTC system's safety assurance concepts.
Paragraph (a)(6) proposes to require a submission of a preliminary human factors analysis that addresses each applicable human-machine interface (HMI) and all proposed product functions to be performed by humans to enhance or preserve safety. FRA expects this analysis to place special emphasis on proposed human factors responses—and the result of any failure to perform such a response—to safety-critical hazards, including the consequences of human failure to perform. For each HMI, the PTCDP should address the proposed basis of assumptions used for selecting each such interface, its potential effect upon safety, and all potential hazards associated with each interface. Where more than one employee is expected to perform duties dependent upon HMI input or output, the analysis must address the consequences of failure by one or multiple employees. FRA intends to use this information to determine the proposed HMI's effect upon the safety of railroad operations. The preliminary human factors analysis must propose how the railroad or its PTC system supplier plans to address the HMI criteria listed in Appendix E to part 236 or any alternatives proposed by the railroad and deemed acceptable by the Associate Administrator.
Paragraph (a)(6) also proposes that the PTCDP explain how the proposed HMI will affect interoperability. RSIA08 requires that each subject railroad explain how it intends to obtain system interoperability. The ability of a train crew member to operate another railroad's PTC system significantly depends upon a commonly understood HMI. The HMI provides the end user with a method of interacting with the underlying system and accessing the PTC functionality. FRA expects that each railroad will adopt an HMI standard that will ensure ease of use of the PTC system both within, and between, railroads.
Paragraph (a)(7) proposes to require an analysis regarding how subparts A through G of part 236 apply, or no longer apply, to the subject PTC system. FRA recognizes that while a PTC system may be designed in accordance with the underlying safety concepts of subparts A through G, the specific existing requirements contained in those subparts are not applicable. In any event, the PTCDP must identify each pertinent requirement considered to be inapplicable, fully describe the alternative method used to fulfill that underlying safety concept, and explain how the proposed PTC system supports the underlying safety principle. FRA notes that certain sections in subparts A through G may always be applicable to PTC systems certified under subpart I.
FRA is concerned about all dimensions of system security. Thus, paragraph (a)(8) proposes to require the PTCDP to include a description of the security measures necessary to meet the specifications for each PTC system. Security is an important element in the design and development of PTC systems and covers issues such as developing measures to prevent hackers from gaining access to software and to preclude sudden system shutdown, mechanisms to provide message integrity, and means to authenticate the communicating parties. Safety and security are two closely related topics. Both are elements for ensuring that a subject is protected and without risk of harm. In the industrial marketplace, the goals of safety and security are to create an environment protecting assets from hazards or harm. While activities to ensure safety usually relate to the possibility of accidental harm, activities to ensure security usually relate to protecting a subject from intentional malicious acts such as espionage, theft, or attack. Since system performance may be affected by either inadvertent or deliberate hazards or harms, the safety and security involved in the implementation and operation of a PTC system must both be considered.
Integrated security recognizes that optimum protection comes from three mutually supporting elements: physical security measures, operational procedures, and procedural security measures. Today, the convergence of information and physical security is being driven by several powerful forces, including: interdependency, efficiency and organizational simplification, security awareness, regulations, directives, standards, and the evolving global communications infrastructure. Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts. Communications security describes measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. Because of the integrated nature of security, FRA expects that each PTCDP will address security as a holistic concept, and not be restricted to limited or specific aspects.
Paragraph (a)(9) proposes to require documentation of assumptions concerning reliability and availability targets of mechanical, electrical, and electronic components. When building a PTC system, designers may make numerous presumptions that will directly impact specific implementation decisions. These fundamental assumptions usually come in the form of data (e.g., facts collected as the result of experience, observation or experiment, or processes, or premises) that can be randomly sampled. FRA does not expect to audit all of the fundamental assumptions on which a PTC system has been developed. Instead, FRA envisions sampling and reviewing fundamental assumptions prior to product implementation and after operation for some time. FRA expects that the data sampled may vary, depending upon the PTC system. It is not possible to provide a single set of quantitative numbers applicable to all systems, especially when systems have yet to be designed and for which the fundamental assumptions are yet to be determined. Quantification is part of the risk management process for each project. FRA believes that the actual performance of the system observed during the pre-operational testing and post-implementation phases will provide indications of the validity of the fundamental assumptions. FRA proposes that this review process will occur for the life of the PTC system (i.e., as long as the product is kept in operation). The depth of details required will depend upon what FRA observes. The range of difference between a PTC system's predicted and actual performance may indicate to FRA the validity of the underlying fundamental assumptions. Generally, if the actual performance matches the predicted performance, FRA believes that it will not have to extensively review the fundamental assumptions. If the actual performance does not match predicted performance, FRA may need to more extensively review the fundamental assumptions.
FRA expects each subject railroad to confirm the validity of initial assumptions by comparing them to actual in-service data. FRA is aware that mechanical and electronic component failure rates and times to repair are easily quantified data, and usually are kept as part of the logistical tracking and maintenance management of a railroad. FRA believes that this proposed criterion will enhance the quality of risk assessments conducted pursuant to this subpart by forcing PTC system designers and users to consider the long-term effects of operation over the course of the PTC system's projected life-cycle. If a PTC system can be used beyond its design life-cycle, FRA expects that any continued use would be only under a waiver provided in accordance with part 211 or under a PTCDP or PTCSP amended in accordance with § 236.1021. In its request for waiver or request for amendment, the railroad should address any new risks associated with the life-cycle extension.
Paragraph (a)(9) also proposes to require specification of the target safety levels. This includes the identity of each potential hazard and how the events leading to a hazard will be identified for each safety-critical subsystem; the proposed safety integrity level of each safety-critical subsystem; and the proposed means by which accomplishment of these targets will be evaluated. This paragraph also requires identification of the proposed backup methods of operation and safety-critical assumptions regarding availability of the product. FRA believes this information is essential for making determinations about the safety of a product and both the immediate and long-term effect of its failure. FRA contends that availability is directly related to safety to the extent the backup means of controlling operations involves greater risk (either inherently or because it is infrequently practiced).
Paragraph (a)(10) proposes to require a complete description of how the PTC system will enforce all pertinent authorities and block signal, cab signal, or other signal related indications. FRA appreciates that not all PTC architectures will seek to enforce the speed restrictions associated with intermediate signals directly, but nevertheless a clear description of these functions is necessary for clarity and evaluation.
Proposed paragraph (a)(11) requires that, if the railroad is seeking to deviate from the requirements of section 236.1029 with respect to movement of trains with onboard equipment that has failed en route using the flexibility provided by paragraph (c) of that section, a justification must be provided in the PTCDP. Paragraph (c) of proposed § 236.1029 provides that, in order for a PTC train that operates at a speed above 90 miles per hour to deviate from the operating limitations contained in paragraph (b) of that section, the deviation must be described and justified in the FRA approved PTCDP or PTCSP, or by reference to an Order of Particular Applicability, as applicable. For instance, if Amtrak wished to continue to operate at up to 125 miles per hour with cab signals and automatic train control in the case of failure of onboard ACSES equipment, Amtrak would request to do so based on the applicable language of the Order of Particular Applicability that required installation of that system on portions of the Northeast Corridor. Similarly, a railroad wishing more liberal requirements for a high speed rail system on a dedicated right-of-way could request that latitude by explaining how the safety of all affected train movements would be maintained.
Paragraph (a)(12) requires a complete description of how the PTC system will appropriately and timely enforce all hazard detectors that are interconnected with the PTC system in accordance with § 236.105(c)(3), as may be applicable.
Proposed paragraph (b) specifies the approval standard that will be employed by the Associate Administrator. The PTCDP is not expected to provide absolute assurance to the Associate Administrator that every potential hazard will be eliminated with complete certainty. It only needs to establish that the PTC system meets the appropriate statutory and regulatory requirements for a PTC system required under this subpart, and that there is a reasonable chance that once built, it will meet the required safety standards for its intended use. FRA emphasizes that approval of a PTCDP and issuance of a Type Approval does not constitute final approval to operate the product in revenue service. Such approval only comes when the Associate Administrator issues an applicable PTC System Certification.
Paragraph (c) proposes a time limit on the validity of a Type Approval. Provided that at least one product is certified within the 5 year period after issuance of the Type Approval, the Type Approval remains valid until final retirement of the system. The main purpose of this requirement is to incentivize installation, not just creation, of a PTC system. This paragraph would also allow FRA to periodically clean out its records relating to Type Approvals and PTCDPs for obsolete PTC systems.
Paragraph (d) proposes the conditions under which a Type Approval may be used by another railroad. These conditions consist of the railroad maintaining a continually updated PTCPVL pursuant to § 236.1023(c) and the railroad providing licensing information associated with the use of the Type Approval. Under paragraph (d), FRA intends to ensure the implementation of the proper technology and not any orphan product using apparently similar, but actually different, technology. When a railroad submits a previously issued Type Approval for its PTC system, FRA expects that all the proper licensing agreements providing for continued use and maintenance of the PTC system are in place. To ensure FRA's confidence in this area, FRA proposes to require each Type Approval submission to include this relevant licensing information. FRA recognizes that there may be various licensing arrangements available relating to the exclusivity and sublicensing of manufacturing or vending of a particular PTC system. There may be other intellectual property variables that may make arrangements even more complex. To adequately capture all applicable arrangements, FRA proposes to generally require the submission of “licensing information.” More specific language may preclude FRA's ability to collect information necessary to fulfill its intent. If any of this information were to change, either through any type of sale, transfer, or sublicense of any right or ownership, then FRA would expect the railroad to submit a request for amendment of its PTCDP in accordance with § 236.1021. FRA recognizes that this may be difficult for a railroad to accomplish, given the railroad may not be privy to any intellectual property transactions that may occur outside of its control. In any event, FRA would expect that a railroad would ensure, either through contractual obligation or otherwise, that its vendor or supplier provide it with updated licensing information on a continuing basis.
FRA seeks comments on this proposal.
Paragraph (e) proposes to require that a railroad submitting a PTCDP demonstrate that its vendor has a suitable quality control system. This requirement provides protection to the railroad and FRA that there is a reasonable probability that the vendor can design and manufacture the product such that it will meet the design targets specified in paragraph (a). FRA expects that compliance with paragraph (e) will eliminate the operation of a PTC system where its vendor has inadequate quality control procedures and processes to support the proper development of a safety critical product.
Paragraph (f) proposes language retaining the Associate Administrator's ability to impose any conditions necessary to ensure the safety of the public, train crews, and train operations when approving the PTCDP and issuing a Type Approval. While FRA expects that adherence to the remainder of this section's requirements should justify issuance of a Type Approval, FRA also recognizes that there may be situations where other unaccounted for variables may reduce the Associate Administrator's confidence in the PTC system, its manufacturer, supplier, vendor, or operator.
Section 236.1015 PTCSP Content Requirements and PTC System Certification
The PTC Safety Plan (PTCSP) is the core document that provides the Associate Administrator the information necessary to certify that the as-built PTC system fulfills the required statutory PTC functions and is in compliance with the requirements of this subpart. Issuance of a PTC System Certification is contingent upon the approval of the PTCSP by the Associate Administrator. Under the proposed rules, the filing and approval of the PTCSP and issuance of a PTC System Certification is a mandatory prerequisite for PTC system operation in revenue service. Each PTCSP is unique to each railroad and must address railroad-specific implementation issues associated with the PTC system identified by the submitted Type Approval. Paragraph (a) proposes language explaining these meanings and limits.
When filing a PTCSP, proposed paragraph (b) proposes to require each railroad to: Include the applicable and approved PTCIP, PTCDP, and Type Approval; describe any changes subsequently made to the PTC system, as reflected in the PTCSP, that would require amendment of the PTCIP or PTCDP; and assure FRA whether the PTC system built is the same PTC system described in the PTCDP and PTCSP. Paragraph (b)(1) effectively merges the approved PTCIP and PTCDP into the PTCSP so that there will be a single “package” available for PTC operations and FRA review before and after issuance of a PTC System Certification. If a PTCSP is approved, and the railroad receives a PTC System Certification, all three plans continue to “live” and can only be amended in accordance with § 236.1021.
FRA recognizes the possibility that between PTCIP or PTCDP approval, and prior to PTCSP submission, there may be changes to the former two documents. While such changes may only be made in accordance with § 236.1021, documentation of those changes may not be readily apparent to the reader of the PTCSP. Accordingly, under proposed paragraph (b)(2), FRA expects that each PTCSP shall include a clear and complete description of any such changes by specifically and rigorously documenting each variance. Paragraph (b)(2) also proposes to require that the PTCSP include an explanation of each variance's significance. To ensure that there are no other existing variances not documented in the PTCSP, FRA also proposes under this paragraph to require the railroad to attest that there are no further variances. For the same reason, paragraph (b)(3) proposes that, if there have been no changes to the plans or to the PTC system as intended, the railroad be required to attest that there are no such variances.
Proposed paragraph (c) delineates the contents of the PTCSP. The first elements of the PTCSP are the same elements as the PTCDP (and are described more fully in the section by section for 236.1013). If the railroad had already submitted, and FRA had already approved, the PTCDP, then attachment of the PTCDP to the PTCSP should fulfill this requirement.
The additional, proposed railroad specific elements are as follows:
Paragraph (c)(1) proposes to require that the PTCSP include a hazard log comprehensively describing all hazards to be addressed during the life-cycle of the product, including maximum threshold limits for each hazard. For unidentified hazards, the threshold shall be exceeded at one occurrence. In other words, if the hazard has not been predicted, then any single occurrence of that hazard is unacceptable. The hazard log addresses safety-relevant hazards, or incidents or failures that affect the safety and risk assumptions of the PTC system. Safety relevant hazards include events such as false proceed signal indications and false restrictive signal indications. If false restrictive signal indications occur with any type of frequency, they could influence train crew members, roadway workers, dispatchers, or other users to develop an apathetic attitude towards complying with signal indications or instructions from the PTC system, creating human factors problems.
Incidents in which stop indications are inappropriately displayed may also necessitate sudden brake applications that may involve risk of derailment due to in-train forces. Other unsafe or wrong-side failures which affect the safety of the product will be recorded on the hazard log. The intent of this paragraph is to identify all possible safety-relevant hazards which would have a negative effect on the safety of the product. Right-side failures, or product failures which have no adverse effect on the safety of the product (i.e., do not result in a hazard) would not be required to be recorded on the hazard log.
Paragraph (c)(2) proposes to require that a risk assessment be included in the PTCSP. FRA will use this information as a basis to confirm compliance with the appropriate performance standard. A performance standard specifies the outcome required, but leaves the specific measures to achieve that outcome up to the discretion of the regulated entity. In contrast to a design standard or a technology-based standard that specifies exactly how to achieve compliance, a performance standard sets a goal and lets each regulated entity decide how to meet that goal. An appropriate performance standard should provide reasonable assurance of safe and effective performance by making provision for: (1) Considering the construction, components, ingredients, and properties of the device and its compatibility with other systems and connections to such systems; (2) testing of the product on a sample basis or, if necessary, on an individual basis; (3) measurement of the performance characteristics; and (4) requiring that the results of each or of certain of the tests required show that the device is in conformity with the portions of the standard for which the test or tests were required. Typically, the specific process used to design, verify and validate the product is specified in a private or public standard. The Administrator may recognize all or part of an appropriate standard established by a nationally or internationally recognized standard development organization.
Paragraph (c)(3) proposes to require that the PTCSP include a hazard mitigation analysis. The hazard mitigation analysis must identify the techniques used to investigate the consequences of various hazards and list all hazards addressed in the system hardware and software including failure mode, possible cause, effect of failure, and remedial actions. A safety-critical system must satisfy certain specific safety requirements specified by the system designer or procuring entity. To determine whether these requirements are satisfied, the safety assessor must determine that: (1) Hazards associated with the system have been comprehensively identified; (2) hazards have been appropriately categorized according to risk (likelihood and severity); (3) appropriate techniques for mitigating the hazards have been identified; and (4) hazard mitigation techniques have been effectively applied. See Leveson, Nancy G., Safeware: System Safety and Computers, (Addison-Wesley Publishing Company, 1995).
FRA does not expect that the safety assessment will prove that a product is absolutely safe. However, the safety assessment should provide evidence that risks associated with the product have been carefully considered and that steps have been taken to eliminate or mitigate them. Hazards associated with product use need to be identified, with particular focus on those hazards found to have significant safety effects. The risk assessment proposed under paragraph (c)(2) must include each hazard that cannot be mitigated by system designs (e.g., human over-reliance on the automated systems) no matter how low its probability may be. After the risk assessment, the designer must take steps to remove these hazards or mitigate their effects. Hazard analysis methods are employed to identify, eliminate, and mitigate hazards. Under certain circumstances, FRA may require an independent third party assessment in accordance with proposed § 236.1017 to review these methods as a prerequisite to FRA approval.
Paragraph (c)(4) also proposes that the PTCSP address safety Verification and Validation procedures as defined under part 236. FRA believes that Verification and Validation for safety are vital parts of the PTC system development process. Verification and Validation require forward planning. Consequently, the PTCSP should identify the testing to be performed at each stage of development and the levels of rigor applied during the testing process. FRA will use this information to ensure that the adequacy and coverage of the tests are appropriate.
Paragraph (c)(5) proposes to require the railroad to include in its PTCSP the training, qualification, and designation program for workers regardless of whether those railroad employees will perform inspection, testing, and maintenance tasks involving the PTC system. FRA believes many benefits accrue from investment in comprehensive training programs, which are fundamental to creating a safe workforce. Effective training programs can result in fewer instances of human casualties and defective equipment, leading to increased operating efficiencies, less troubleshooting, and decreased costs. FRA expects any training program to include employees, supervisors, and contractors engaged in railroad operations, installation, repair, modification, testing, or maintenance of equipment and structures associated with the product.
Paragraph (c)(6) proposes to require the PTCSP to identify specific procedures and test equipment necessary to ensure the safe operation, installation, repair, modification and testing of the product. Requirements for operation of the system must be succinct in every respect. The procedures must be specific about the methodology to be employed for each test to be performed that is required for installation, repair, or modification including documenting the results thereof. FRA will review and compare the repair and test procedures for adequacy against existing similar requirements prescribed for signal and train control systems. FRA intends to use this information to ascertain whether the product will be properly installed, maintained, tested, and repaired.
Paragraph (c)(7) proposes that each railroad develop a manual covering the requirements for the installation, periodic maintenance and testing, modification, and repair for its PTC system. The railroad's Operations and Maintenance Manual must address the issues of warnings and describe the warning labels to be placed on each piece of PTC system equipment as necessary. Such warnings include, but are not limited to: Means to prevent unauthorized access to the system; warnings of electrical shock hazards; cautionary notices about improper usage, testing, or operation; and configuration management of memory and databases. The PTCSP should provide an explanation justifying each such warning and an explanation of why there are no alternatives that would mitigate or eliminate the hazard for which the warning is placed.
Paragraph (c)(8) proposes to require that the PTCSP identify the various configurable applications of the product, since this rule mandates use of the product only in the manner described in its PTCDP. Given the importance of proper configuration management in safety-critical systems, FRA believes it is essential that railroads learn of and take appropriate configuration control of hardware and software. FRA believes that a requirement for configuration management control will enhance the safety of these systems and ultimately provide other benefits to the railroad as well. Under this proposed paragraph, railroads are responsible—through their applicable Operations and Maintenance Plan and other supporting documentation maintained throughout the system's life-cycle—for all changes to configuration of their products in use, including both changes resulting from maintenance and engineering control changes, which result from manufacturer modifications to the product. Since not all railroads may experience the same software faults or hardware failures, the configuration management and fault reporting tracking system play a crucial role in the ability of the railroad and the FRA to determine and fully understand the risks and their implications. Without an effective configuration management tracking system in place, it is difficult, if not impossible, to fairly evaluate risks associated with a product over the life of the product.
Paragraph (c)(9) proposes to require the railroad to develop comprehensive plans and procedures for product implementation. Implementation (field validation or cutover) procedures must be prepared in detail and identify the processes necessary to verify that the PTC system is properly installed and documented, including measures to provide for the safety of train operations during installation. FRA will use this information to ascertain whether the product will be properly installed, maintained, and tested. FRA also believes that configuration management should reduce disarrangement issues. Further, configuration management will reduce the cost of troubleshooting by reducing the number of variables and will be more effective in promoting safety.
Paragraph (c)(10) proposes to require the railroad to provide a complete description of the particulars concerning measures required to assure that the PTC system, once implemented, continues to provide the expected safety level without degradation or variation over its life-cycle. The measures specifically provide the prescribed intervals and criteria for the following: testing; scheduled preventive maintenance requirements; procedures for configuration management; and procedures for modifications, repair, replacement and adjustment of equipment. FRA intends to use this information, among other data, to monitor the PTC system to assure it continually functions as intended.
Paragraph (c)(11) proposes to include in each PTCSP a description of each record concerning safe operation. Recordkeeping requirements for each product are discussed in proposed § 236.1037.
Paragraph (c)(12) proposes to require a safety analysis of unintended incursions into a work zone. Measuring incursion risks is a key safety risk assumption. Failing to identify incursion risk can have the effect of making a system seem safer on paper than it actually is. The requirements set forth in this paragraph attempt to mandate design consideration of incursion protection at an early stage in the product development process. The totality of the arrangements made to prevent unintended incursions or operation at higher than authorized speed within the work zone must be analyzed. That is, in addition to the functions of the PTC system, the required actions for dispatchers, train crews, and roadway workers in charge must be evaluated. Regardless of whether a PTC system has been previously approved or recognized, FRA will not accept a system that allows a single point human failure to defeat the essential protection intended by the Congress. See NTSB Recommendations R-08-05 and R-08-06. FRA believes that exposure should be identified because increases in risk due to increased exposure could be easily distinguished from increases in risk due solely to implementation and use of the proposed PTC system.
In the past, little attention was given to formalizing incursion protection procedures. Training for crews has also not been uniform among organizations, and has frequently received inadequate attention. As a result, a variety of procedures and techniques evolved based on what has been observed or what just seemed correct at the time. This lack of structure, standardization, and formal training is inconsistent with the goal of increasing safety and efficiency.
Paragraph (c)(13) proposes to require a more detailed description of any alternative arrangements provided under proposed § 236.1011(a)(10), pertaining to at grade rail-to-rail crossings.
Paragraph (c)(14) proposes to require a complete description of how the PTC system will enforce mandatory directives and signal indications, unless already addressed in the PTCDP. FRA recognizes that all systems will enforce all signal indications; however, the PTCDP must describe where the architecture of the system performs this function.
Proposed paragraph (c)(15) refers to the requirement of § 236.1019(e) that the PTCSP is aligned with the PTCIP, including any amendments.
Under proposed § 236.1029(b), FRA proposes to require certain limitations on PTC trains operating over 90 miles per hour. Under § 236.1029(c), FRA provides railroads with an opportunity to deviate from those limitations if the railroad describes and justifies the deviation in its PTCDP, PTCSP, or by reference to an Order of Particular Applicability, as applicable. Thus, proposed paragraph (c)(16) to § 236.1015 reminds railroads that this is one of the optional elements that may be included in a PTCSP. This need may also be addressed through review of the PTCDP, and FRA reserves the right to so provide in the final rule.
Railroads are required under § 236.1005(c) to submit a complete description of their compliance regarding hazard detector integration and under §§ 236.1005(g)-(k) to submit a temporary rerouting plan in the event of emergencies and planned maintenance. Railroads must also submit a document indicating any alternative arrangements for each rail at-grade crossing not adhering to the table under § 236.1005(a)(1)(i). Proposed paragraphs (c)(17), (c)(18), and (c)(19) to § 236.1015 remind railroads that such requirements must be fulfilled with the submission of the PTCSP. For example, under proposed paragraph (c)(18), FRA expects each temporary rerouting plan to explain the host railroad's procedure relating to detouring the applicable traffic. In other words, FRA expects that each temporary rerouting plan address how the host railroad will choose the track that traffic will be rerouted onto. For instance, the plan should explain the factors that will be considered in determining whether and how the railroad should take advantage of temporary rerouting. FRA remains concerned about the unnecessary commingling of PTC and non-PTC traffic on the same track and expects each temporary rerouting plan to address this possibility. More specifically, each plan should describe how the railroad expects to make decisions to reroute non-PTC train traffic onto a PTC line, especially where another non-PTC line may be available. While FRA recognizes each railroad may seek to use the most cost effective route, FRA expects the railroad to also consider the level of risk associated with that route.
In paragraph (d), FRA proposes to state the criteria that FRA will refer to when evaluating the PTCSP, depending upon the underlying technical approach. Whereas in subpart H the safety case is evaluated to determine whether it demonstrates with a high degree of confidence that relevant risk will be no greater under the new product than previously, the statutory mandate for PTC calls for a different approach. In crafting the proposed approach, FRA has attempted to limit requirements for quantitative risk assessment to those situations where the technique is truly needed. Regardless of the type of PTC system, the safety case for the system must demonstrate that it will reliably execute all of the functions required by this subpart (particularly those provided under proposed §§ 236.1005 and 236.1007). With this foundation, the additional criteria that must be met depend upon the type of PTC technology to be employed.
It is FRA's understanding that PTC systems may be categorized as one of the following four system types: Non-vital overlay; vital overlay; standalone; and mixed. Initially, however, all PTC systems will have some features that are not fully fail-safe in nature, even if onboard processing and certain wayside functions are fully fail-safe. Common causes include surveying errors of the track database, errors in consist weight or makeup from the railroad information technology systems, and the crew input errors of critical operational data. To the extent computer-aided dispatching systems are the only check on potential dispatcher error in the creation or inappropriate cancellation of mandatory directives, some room for undetected wrong-side failure will continue to exist in this function as well. This issue is addressed under paragraph (g) of this section.
Proposed paragraph (d)(1) specifies the required behavior for non-vital overlay systems. Based on previous experience with non-vital systems, FRA believes it is well within the technical capability of the railroads to reduce the level of risk on any particular track segment to a level of risk 80% lower than the level of risk prior to installation of PTC on that segment. For subsequent PTC system installations on the same line segment, FRA recognizes that requiring an additional 80% improvement may not be technically or economically practical. Therefore, FRA is only proposing that an entity installing or modifying an existing PTC system need only demonstrate that the level of safety is equal to, and preferably greater than, the level of safety of the prior PTC system. The risk that must be reduced is the risk against which the PTC functionalities are directed, assuming a high level of availability. Note that the required functionalities themselves do not call for elimination of all risk of mishaps. It is the scope of risk reduction that the functionalities describe that becomes the 100% universe which is the basis of comparison. Although it is understood that the system will endeavor to eliminate 100% of this risk—meaning that if the system worked as intended every time and was always available, 100% of the target risk would be eliminated—the analysts will need to account for cases where wrong side failure of the technology is coincident with a human failure potentially induced by reliance on the technology. Since, within an appropriate conservative engineering analysis (i.e., pro forma analysis), non-vital processing has the theoretical potential to result in more failures than will typically be experienced, a 20% margin is provided.
In preparing the PTCSP, the railroad will want to affirmatively address how training and oversight—including programs of operational testing under 49 CFR 217.9—will reduce the potential for inappropriate reliance by those charged with functioning in accordance with the underlying method of operation.
The 80% reduction in risk for PTC preventable accidents must be demonstrated by an appropriate risk analysis acceptable to the Associate Administrator and must address all intended track segments upon which the system will be installed. Again, FRA does not expect, or require, that these types of systems will prevent all wrong side failures. However, FRA expects that the systems will be designed to be robust, all pertinent risk factors (including human factors) will be fully addressed, and that no corners will be cut to “take advantage” of the nominal allowance provided for non-vital approaches. FRA also encourages those using non-vital approaches to preserve as much as possible the potential for a transition to vital processing.
Proposed paragraph (d)(2) addresses vital overlays. Unlike a non-vital system, the vital system must be designed to address, at a minimum, the factors delineated in Appendix C. The railroad and their vendors are encouraged to carry out a more thorough design analysis addressing any other potential product specific hazards. FRA cannot overemphasize that vital overlay system designs must be fully designed to address the factors contained in Appendix C. The associated risk analysis supporting this design analysis demonstrating compliance may be accomplished using any of the risk analysis approaches in subpart H, including abbreviated risk analysis.
Proposed paragraph (d)(3) addresses stand-alone PTC systems that are used to replace existing methods of operations. The PTCSP design and risk analysis submitted to the Associate Administrator must show that the system does not introduce any new hazards that have not been acceptably mitigated, based upon all proposed changes in railroad operation. The required analysis for standalone systems is much more comprehensive than that required for vital overlay systems, since it must provide sufficient information to the Associate Administrator to make a decision with a high degree of confidence. FRA will uniquely and separately consider each request for standalone operations, and will render decisions in the context of the proposed operation and the associated risks. FRA recognizes that application of this standard to a new rail system for which there is no clear North American antecedent could present a conceptual challenge. FRA invites comments regarding how best to frame the risk assessment showing for a standalone system applied to a new rail operation.
Proposed paragraph (d)(4) addresses mixed systems (i.e., systems that include a combination of the systems identified in paragraphs (d)(1) through (d)(3)). Because of the inherent complexity of these systems, FRA will determine an appropriate approach to demonstrating compliance after consultation with the railroad. Any approach will, of course, require that the system perform the PTC requirements as proposed in §§ 236.1005 and 236.1007.
Paragraph (e) discusses proposed factors that the Associate Administrator will consider in reviewing the PTCSP. In general, PTC systems will have some features that are not failsafe in nature. Examples include surveys of the track database, errors in consist data from the railroad such as weight and makeup, and crew input errors. FRA participation in the design and testing of the PTC system product helps FRA to better understand the strengths and weaknesses of the product for which approval is requested, and facilitates the approval process.
The railroad must establish through safety analysis that its assertions are true. This standard places the burden on the railroad to demonstrate that the safety analysis is accurate and sufficiently supports certification of the PTC system. The FRA Associate Administrator will determine whether the railroad's case has been made. As provided in subpart H, FRA believes that final agency determinations under this new subpart I should also be made at the technical level, rather than the policy level, due to the complex and sometimes esoteric subject matters associated with risk analysis and evaluation. This is particularly appropriate in light of the RSIA08's designation of the Associate Administrator for Railroad Safety as the Chief Safety Officer of FRA. When considering the PTC system's compliance with recognized standards in product development, FRA will weigh appropriate factors, including: The use of recognized standards in system design and safety analyses; the acceptable methods in risk estimates; the proven safety records for proposed components; and the overall complexity and novelty of the product design. In those cases where the submission lacks information the Associate Administrator deems necessary to make an informed safety decision, FRA will solicit the data from the railroad. If the railroad does not provide the requested information, FRA may determine that a safety hazard exists. Depending upon the amount and scope of the missing data, PTCSP approval, and the subsequent system certification, may be denied.
While paragraph (e) summarizes how FRA intends to evaluate the risk analysis, proposed paragraph (f) applies specifically to cases where a PTC system has already been installed and the railroad subsequently wants to put in a new PTC system. Paragraph (f) re-emphasizes that FRA policy regarding the safety of PTC systems is not, and cannot expect to be, static. Rather, FRA policy may evolve as railroad operations evolve, operating rules are refined, related hazards are addressed (e.g., broken rails), and other readily available options for risk reduction emerge and become more affordable. FRA embraces the concept of progressive improvement and expects that when new systems are installed to replace existing systems, actual safety outcomes equal or exceed those for the existing systems.
Section 236.1017 Independent Third Party Review of Verification and Validation
As previously noted in the discussion of proposed § 236.1009(e), FRA may require a railroad to engage in an independent assessment of its PTC system. In the event an independent assessment is required, § 236.1017 proposes the applicable rules and procedures.
Proposed paragraph (a) establishes factors considered by FRA when requiring a third-party assessment. FRA will attempt to make a determination of the necessary level of third party assessment as early as possible in the approval process. However, based on issues that may arise during the development and testing processes, or during the detailed technical reviews of the PTCDP and PTCSP, FRA may deem it necessary to require a third party assessment at any time during the review process.
Proposed paragraph (b) is intended to make it clear that it is FRA that will make the determination of the acceptability of the independence of the third party to avoid any potential issues downstream regarding the acceptability of the assessor's independence. If a third party assessment is required, each railroad is encouraged to identify in writing what entity it proposes to utilize as its third party assessor. Compliance with paragraph (b) is not mandatory. However, if FRA determines that the railroad's choice of a third party does not meet the level of independence contemplated under proposed paragraph (c), then the railroad will be obligated to have the assessment repeated, at its expense, until it has been completed by a third party suitable to FRA.
Paragraph (c) proposes a definition of the term “independent third party” as used in this section. It limits independent third parties to those that are compensated by the railroad or an association on behalf of one or more railroads that is independent of the PTC system supplier. FRA believes that requiring the railroad to compensate a third party will heighten the railroad's interest in obtaining a quality analysis and will avoid ambiguous relationships between suppliers and third parties that could indicate possible conflicts of interest.
Proposed paragraph (d) explains that the minimum requirements of a third party audit are outlined in Appendix F (which is modeled on current Appendix D, which is used in conjunction with subpart H) and that FRA has discretion to limit the extent of the third party assessment. FRA intends to limit the scope of the assessment to areas of the safety Verification and Validation as much as possible, within the bounds of FRA's regulatory obligations. This will allow reviewers to focus on areas of greatest safety concern and eliminate any unnecessary expense to the railroad. In order to limit the number of third-party assessments, FRA first strives to inform the railroad as to what portions of a submittal could be amended to avoid the necessity and expense of a third-party assessment altogether. However, FRA wishes to make it clear that Appendix F represents minimum requirements and that, if circumstances warrant, FRA may expand upon the Appendix F requirements as necessary to enable FRA to render a decision that is in the public interest (i.e., if FRA is unable to certify the system without the additional information).
Section 236.1019 Main Line Track Exceptions
The RSIA08 generally defines “main line” as “a segment of railroad tracks over which 5,000,000 or more gross tons of railroad traffic is transported annually.” See 49 U.S.C. 20157(i)(2). However, FRA may also define “main line” by regulation “for intercity rail passenger transportation or commuter rail passenger transportation routes or segments over which limited or no freight railroad operations occur.” See 49 U.S.C. 20157(i)(2)(B); 49 CFR 1.49(oo). FRA recognizes that there may be circumstances where certain statutory PTC system implementation and operation requirements are not practical and provide no significant safety benefits. In those circumstances, FRA proposes to exercise its statutory discretion provided under 49 U.S.C. 20157(i)(2)(B).
In accordance with the authority provided by the statute and with carefully considered recommendations from the RSAC, FRA proposes to consider requests for designation of track over which rail operations are conducted as “other than main line track” for passenger and commuter railroads, or freight railroads operating jointly with passenger or commuter railroads. Such relief may be granted only after request by the railroad or railroads filing a PTCIP and approval by the Associate Administrator.
Paragraph (a), therefore, proposes to require the submittal of a main line track exclusion addendum (MTEA) to any PTCIP filed by a railroad that seeks to have any particular track segment deemed as other than main line. Since the statute only provides for such regulatory flexibility as it applies to passenger transportation routes or segments over which limited or no freight railroad operations occur, only a passenger railroad may file an MTEA as part of its PTCIP. This may include a PTCIP jointly filed by freight and passenger railroads. In fact, FRA expects that in the case of joint operations, only one MTEA should be agreed upon and submitted by the railroads filing the PTCIP. After reviewing a submitted MTEA, FRA may provide full or partial approval for the requested exemptions.
Each MTEA must clearly identify and define the physical boundaries, use, and characterization of the trackage for which exclusion is requested. When describing the tracks' use and characterization, FRA expects the requesting railroad or railroads to include copies of the applicable track and signal charts. Ultimately, FRA expects each MTEA to include information sufficiently specific to enable easy segregation between main line track and non-main line track. In the event the railroad subsequently requests additional track to be considered for exclusion, a well-defined MTEA should reduce the amount of future information required to be submitted to FRA. Moreover, if FRA decides to grant only certain requests in an MTEA, the portions of track that FRA has determined should remain considered as main line track can be easily severed from the MTEA. Otherwise, the entire MTEA, and thus its concomitant PTCIP, may be entirely disapproved by FRA, increasing the risk of the railroad or railroads not meeting their statutory deadline for PTC implementation and operation.
For each particular track segment, the MTEA must also provide a justification for such designation in accordance with paragraphs (b) or (c) of this section.
Proposed paragraph (b) specifically addresses the conditions for relief for passenger and commuter railroads with respect to passenger-only terminal areas. As noted previously in the analysis of § 236.1005(b), FRA proposes to except from the definition of main line any track within a yard used exclusively by freight operations moving at restricted speed. In those situations, operations are usually limited to preparing trains for transportation and do not usually include actual transportation. FRA does not propose to extend this automatic exclusion to yard or terminal tracks that include passenger operations. Such operations may also include the boarding and disembarking of passengers, heightening FRA's sensitivity to safety and blurring the lines between what defines “transportation” and “preparing for transportation.” Moreover, while FRA could not expend its resources to review whether a freight-only yard should be deemed other than main line track, FRA believes that the relatively lower number of passenger yards and terminals would allow for such review. Accordingly, FRA believes that it is appropriate to review these circumstances on a case-by-case basis.
During the PTC Working Group discussions, the major passenger railroads requested an exception for tracks in passenger terminal areas because of the impracticability of installing PTC. These are locations where signal systems govern movements over very complex special track work divided into short signal blocks. Operating speeds are low (not to exceed 20 miles per hour), and locomotive engineers moving in this environment expect conflicting traffic and restrictive signals. Although low-speed collisions do occasionally occur in these environments, the consequences are low; and the rate of occurrence is very low in relation to the exposure. It is the nature of current-generation PTC systems that they work with averages in terms of stopping distance and use conservative braking algorithms. Applying this approach in congested terminals would add to congestion and frustrate efficient passenger service, in the judgment of those who operate these railroads. The density of wayside infrastructure required to effect PTC functions in these terminal areas would also be exceptionally costly in relation to the benefits obtained. FRA agrees that technical solutions to address these concerns are not presently available. FRA does believe that the appropriate role for PTC in this context is to enforce the maximum allowable speed (which is presently accomplished in cab signal territory through use of automatic speed control, a practice which could continue where already in place).
If FRA grants relief, the proposed conditions of (b)(1), (b)(2), or (b)(3), as applicable, must be strictly adhered to. These three conditions represent the minimum conditions FRA believes are necessary for safe operations. FRA reserves the right to add more restrictive conditions if necessary to provide for the safety of the public and train crews. If FRA approves an MTEA and the railroad subsequently violates any of the applicable conditions, civil penalties may apply.
Under paragraph (b)(1), FRA proposes to limit relief under paragraph (b) to operations that do not exceed 20 miles per hour. The PTC Working Group agreed upon the 20 miles per hour limitation, instead of requiring restricted speed, because the operations in question will be by signal indication in congested and complex terminals with short block lengths and numerous turnouts. FRA agrees with the PTC Working Group that the use of restricted speed in this environment would exacerbate congestion, delay trains, and diminish the quality of rail passenger service.
Moreover, when trains on the excluded track are controlled by a locomotive with an operative PTC onboard apparatus, FRA proposes to require that PTC system component to enforce the regulatory speed limit or actual maximum authorized speed, whichever is less. While the actual track may not be outfitted with a PTC system in light of a MTEA approval, FRA believes it would be nevertheless prudent to require such enforcement when the technology is available on the operating locomotives. This can be accomplished in cab signal territory using existing automatic train stop technology and outside of cab signal territory by mapping the terminal and causing the onboard computer to enforce the maximum speed allowed.
Under paragraph (b)(2), FRA proposes to also limit relief under paragraph (b) to operations that enforce interlocking rules. Under interlocking rules, trains are prohibited from moving in reverse directions without dispatcher permission on track where there are no signal indications. FRA believes that such a restriction would minimize the potential for a head-on impact.
Also, under proposed paragraph (b)(3), such operations would only be allowed in yard or terminal areas where no freight operations are permitted. While the definition of main line may not include yard tracks used solely by freight operations, FRA does not propose to extend any relief or exception to tracks within yards or terminals shared by freight and passenger operations. The collision of a passenger train with a freight consist is typically a more severe condition because of the greater mass of the freight equipment.
Paragraph (c) proposes the conditions under which joint limited passenger and freight operations may occur on defined track segments without the requirement for installation of PTC. This paragraph proposes three alternative paths to the main line exception.
First, under paragraph (c)(1), an exception may be available where both the freight and passenger trains are limited to restricted speed. Such operations are feasible only for short distances, and FRA would examine the circumstances involved to ensure that the exposure is limited and that appropriate operating rules and training are in place.
Second, under paragraph (c)(2), FRA will consider an exception where temporal separation of the freight and passenger operations can be ensured. A more complete definition of temporal separation is provided in paragraph (d). Temporal separation of passenger and freight services reduces risk because the likelihood of a collision is reduced (e.g., due to freight cars engaged in switching that are not properly secured) and the possibility of a relatively more severe collision between a passenger train and much heavier freight consist is obviated.
Third, under paragraph (c)(3), FRA will consider commingled freight and passenger operations provided that a jointly agreed risk analysis is provided by the passenger and freight railroads, and the level of safety is the same as that which would be provided under one of the two prior options selected as the base case. FRA seeks comments on whether FRA or the subject railroad should determine the appropriate base case. FRA recognizes that there may be situations where temporal separation may not be possible. In such situations, FRA may allow commingled operations provided the risk to the passenger operation is no greater than if the passenger and freight trains were operating under temporal separation or with all trains limited to restricted speed. For an exception to be made under paragraph (c)(3), FRA requires a risk analysis jointly agreed to and submitted by the applicable freight and passenger services. This ensures that the risks and consequences to both parties have been fully analyzed, understood, and mitigated to the extent practical.
Paragraph (d) proposes the definition of temporal separation with respect to paragraph (c)(2). The temporal separation approach is currently used under the FRA-Federal Transit Administration Joint Policy on Shared Use, which permits co-existence of light rail passenger services (during the day) and local freight service (during the nighttime). See Joint Statement of Agency Policy Concerning Shared Use of the Tracks of the General Railroad System by Conventional Railroads and Light Rail Transit Systems, 65 FR 42526 (July 10, 2000); FRA Statement of Agency Policy Concerning Jurisdiction Over the Safety of Railroad Passenger Operations and Waivers Related to Shared Use of the Tracks of the General Railroad System by Light Rail and Conventional Equipment, 65 FR 42529 (July 10, 2000). Conventional rail technology and secure procedures are used to ensure that these services do not commingle. Amtrak representatives in the PTC Working Group were confident that more refined temporal separation strategies could be employed on smaller railroads that carry light freight volumes and few Amtrak trains (e.g., one train per day or one train per day in each direction). The Passenger Task Force agreed.
Proposed paragraph (e) ensures that by the time the railroad submits its PTCSP, it has made no unapproved changes to the MTEA and that the PTC system, as implemented, reflects the PTCIP and its MTEA. Under the proposed rule, the PTCSP shall reflect the PTCIP, including its MTEA, as it was approved or how it has been modified in accordance with proposed § 236.1021. FRA believes that it is also important that the railroad attest that no other changes to the documents or to the PTC system, as implemented, have been made.
FRA understands that as a railroad implements its PTC system in accordance with its PTCIP or even after it receives PTC System Certification, the railroad may decide to modify the scope of which tracks it believes to be other than main line. To effectuate such changes, paragraph (f) proposes to require FRA review. In the case that the railroad believes that such relief is warranted, the railroad may file in accordance with proposed § 236.1021 a request for amendment of the PTCIP, which will eventually be incorporated into the PTCSP upon PTCSP submission. Each request, however, must be fully justified to and approved by the Associate Administrator before the requested change can be made to the PTCIP. If such a RFA is submitted simultaneously with the PTCSP, the RFA may not be approved, even if the PTCSP is otherwise acceptable. A change made to a MTEA subsequent to FRA approval of its associated PTCIP that involves removal or reduction in functionality of the PTC system is treated as a material modification. In keeping with traditional signaling principles, such requests must be formally submitted for review and approval by FRA.
Section 236.1021 Discontinuances, Material Modifications, and Amendments
FRA recognizes that after submittal of a plan or implementation of a train control system, the subject railroad may have legitimate reasons for making changes in the system design and the locations where the system is installed. In light of the statutory and regulatory mandates, however, FRA believes that the railroad should be required to request FRA approval prior to effectuating certain changes. Section 236.1021 proposes the scope and procedure for requesting and approving those changes. For example, all requests for covered changes must be made in a request for amendment (RFA) of the subject PTC system or plan. While § 236.1021 includes lengthy descriptions of what changes may, or may not, require FRA approval, there are various places elsewhere in subpart I that also require the filing of a RFA.
Under paragraph (a), FRA proposes to require FRA approval prior to certain PTC system changes. FRA expects that if a railroad wants to make a PTC system change covered by subpart I, then any such change would result in noncompliance with one of the railroad's plans approved under this subpart. For instance, if a railroad seeks to modify the geographical limits of its PTC implementation, such changes would not be reflected in the PTCIP. Accordingly, under paragraph (a), after a plan is approved by FRA and before any change is made to the PTC system's development, implementation, or operation, FRA proposes that the railroad file a RFA to the subject plan.
FRA considers an amendment to be a formal or official change made to the PTC system or its associated PTCIP, PTCDP, or PTCSP. Amendments can add, remove, or update parts of these documents, which may reflect proposed changes to the development, implementation, or operation of its PTC system. FRA believes that an amending procedure provides a simpler and cleaner option than requiring the railroad to file an entirely new plan.
While the railroad may develop a RFA without FRA input or involvement, FRA believes that it is more advantageous for the railroad to informally confer with FRA before formally submitting its RFA. If FRA is not involved in the drafting process, FRA may not have a complete understanding of the system, making it difficult for FRA to evaluate the impact of the proposed changes on public safety. After RFA submission, all applicable correspondence between FRA and the railroad must be made formally in the associated docket, as further discussed below. In such a situation, FRA's review may take a significantly longer time than usual. If FRA continues to not understand the impact, it may request a third party audit, which would only further delay a decision on the request. Accordingly, FRA believes it is more advantageous for the railroad drafting an RFA to informally confer with FRA before its formal submission of the change request. The railroad would then be provided an opportunity to discuss the details of the change and to assure FRA's understanding of what the railroad wishes to change and of the change's potential impact.
Paragraph (b) proposes a mechanism for requesting such change. Once the RFA is approved, the railroad may—and, in fact, is required under paragraph (b) to—adopt those changes into the subject plan and immediately ensure that its PTC complies with the plan, as amended. FRA expects that each PTC system accurately reflects the information in its associated approved plans. FRA believes that this requirement will also incentivize railroads to make approved changes as quickly as possible. Otherwise, if a railroad delays in implementing the changes reflected in an approved RFA, FRA may find it difficult to enforce its regulations until implementation is completed, since the plans and PTC system do not accurately and adequately reflect each other. In such circumstances, railroads may be assessed a civil penalty for violating their plans or for falsifying records.
Any change to a PTCIP, PTCDP, or PTCSP, which may include removal or discontinuance of any signal system, may not take effect until after FRA has approved the corresponding submitted or amended PTCIP, PTCDP, or PTCSP. FRA may provide partial or conditional approval. Until FRA has granted appropriate relief or approval, the railroad may not make the change, and once a requested change has been made, the railroad must comply with the requested change.
FRA recognizes that a railroad may wish to remove an existing train control system due to new and appropriate PTC system implementation. For train control systems existing prior to promulgation of subpart I, any request for a material modification or discontinuance must be made pursuant to part 235. FRA proposes in paragraph (c), however, to provide the railroads with an opportunity to instead request such changes in accordance with proposed § 236.1021. FRA believes that this proposal would reduce the number of required filings and would otherwise simplify the process of requesting material modifications or discontinuances.
Paragraph (d) proposes the minimum information required to be submitted to FRA when requesting an amendment. While FRA proposes to promulgate procedural rules here different than those in part 235, FRA expects that the same or similar information be provided. Accordingly, under paragraph (d)(1), the RFA must contain the information required in § 235.10. Paragraph (d)(1) also requires the railroad to submit, upon FRA request, certain additional information, including the information referenced in § 235.12. Paragraphs (d)(2) through (d)(7) provide further examples of such information. While such information may only be required upon request, FRA urges each railroad to include this information in its RFA to help expedite the review process.
FRA believes that proposed paragraphs (d)(2) through (d)(6) are self-explanatory. However, according to proposed paragraph (d)(7), FRA may require with each RFA an explanation of whether each change to the PTCSP is planned or unplanned. Planned changes are those that the system developer and the railroad have included in the safety analysis associated with the PTC system, but have not yet implemented. These changes provide enhanced functionality to the system, and FRA strongly encourages railroads to include PTC system improvements that further increase safety. A planned change may require FRA approved regression testing to demonstrate that its implementation has not had an adverse effect on the system it is augmenting. Each planned change must be clearly identified as part of the PTCSP, and the PTCSP safety analysis must show the effect that its implementation will have on safety.
Unplanned changes are those either not foreseen by the railroad or developer, but nevertheless necessary to ensure system safety, or are unplanned functional enhancements from the original core system. The scope of any additional work necessary to ensure safety may depend upon when in the development cycle phase the changes are introduced. For instance, if the PTCDP has not yet been submitted to FRA, no FRA involvement is required. However, if the PTCDP has been submitted to FRA, or if the change impacts the safety functionality of the system once a Type Approval has been issued, and a PTCSP has not yet been submitted, the railroad must submit a RFA requesting and documenting that change. Once FRA approves that RFA, FRA expects the subsequently filed PTCSP to account for the change in analysis.
If the change is made after approval of the PTCSP and the system has been certified by FRA, a RFA must be submitted to FRA for approval. Because this requires significant effort by FRA and the railroad, FRA expects that every effort will be made to eliminate the need for unplanned changes. If the railroad and the vendor submit unplanned safety related changes that FRA believes are significant in amount or inordinately complex, FRA may revoke any approvals previously granted and disallow the use of the product until such time as the railroad demonstrates the product is sufficiently mature.
Paragraph (e) proposes that if a RFA is submitted for a discontinuance or a material modification to a portion or all of its PTC system, a notice of its submission shall be published in the Federal Register. Interested parties will be provided an opportunity to comment on the RFA, which will be located in an identified docket.
Proposed paragraph (f) makes it clear that FRA will consider all impacts on public safety prior to approval or disapproval of any request for discontinuance, modification, or amendment of a PTC system and any associated changes in the existing signal system that may have been concurrently submitted. While the economic impact to the affected parties may be considered by the FRA, the primary and final deciding factor on any FRA decision is safety. FRA will consider not only how safety is affected by installation of the system, but how safety is impacted by the failure modes of the system.
The purpose of proposed paragraph (g) is to emphasize the right of FRA to unilaterally issue a new Type Approval, with whatever conditions are necessary to ensure safety based on the impact of the proposed changes.
In proposed paragraph (h), FRA makes clear that it considers any implemented PTC system to be a safety device. Accordingly, the discontinuance, modification, or other change of the implemented system or its geographical limits will not be authorized without prior FRA approval. While this requirement primarily applies to safety critical changes, FRA believes that it should also apply to all changes that will affect interoperability. FRA seeks comments on this issue. The principles expressed in the paragraph parallel those embodied in part 235, which implements 49 U.S.C. 20502(a).
That said, FRA recognizes that there are a limited number of situations where changes of the PTC system may not have an adverse impact upon public safety. Specific situations where prior FRA approval is required are proposed in paragraphs (h)(1) through (h)(4).
Paragraph (i) proposes the exceptions from the requirement for prior approval in cases where the discontinuance of a system or system element will be treated as pre-approved, as when a line of railroad is abandoned.
Paragraph (j) proposes exceptions for certain lesser changes that are not expected to materially affect system risk, such as removal of an electric lock from a switch where speed is low and trains are not allowed to clear.
Paragraph (k) proposes additional exceptions consisting of modifications associated with changes in the track structure or temporary construction. FRA notes that only temporary removal of the PTC system without prior FRA approval is allowed to support highway rail separation construction or damage to the PTC system by catastrophic events. In both cases, the PTC system must be restored to operation no later than 6 months after completion of the event.
Section 236.1023 Errors and Malfunctions
Because PTC systems are approved, in part, based on certain assumptions regarding expected failure modes and frequencies, reporting and recording of errors and malfunctions takes on critical importance. If the number of errors and malfunctions exceeds those originally anticipated in the design, or errors and malfunctions that were not predicted are observed to occur, the validity of the risk analysis becomes suspect. Since not all railroads may experience the same software faults or hardware failures, the developer's development, configuration management, and fault reporting tracking system play a crucial role in the ability of the railroad and FRA to determine and fully understand the risks and their implications. Without an effective configuration management tracking system in place, it is difficult, if not impossible, to fairly evaluate PTC system risks during the system's life cycle.
In the event of a safety-essential PTC system component failing to perform as intended, FRA intends to propose under § 236.1023 that the cause be identified and corrective action be taken without undue delay. Until the repair is completed, the railroad and vendors are required to take appropriate measures to assure the safety of train movements, roadway workers, and on-track equipment. This requirement mirrors the current requirements of 49 CFR 236.11, which applies to all signal system components. FRA recognizes that there may be situations where reducing the severity of such hazards will suffice for an equivalent reduction in risk. For example, a reduction in operating speeds may not reduce the frequency of certain hazards involving safety-critical products, but it may reduce the severity of such hazards in most cases.
Paragraph (a) proposes a direct obligation on suppliers to report safety-relevant failures, including “wrong-side” failures and other failures significantly impacting availability, where the PTCSP indicates availability to be a material issue in the safety performance of the larger railroad system. FRA expects each applicable supplier to identify the problem and the necessary corrective actions, recommended risk mitigations, and provide an estimated amount of time it expects to complete the corrective actions. FRA believes that it should be informed to ensure public safety in any case where a commercial dispute (e.g., over liability) might disrupt communication between a railroad and supplier.
Paragraph (b) proposes a similar responsibility on the part of the railroad to report safety relevant failures to the supplier and FRA, and to keep the vendor and FRA apprised of any subsequent failures. To aid FRA in understanding the scope of a problem on a railroad, and to aid the railroad in communicating any PTC system failures to the appropriate vendor, paragraph (c) proposes to require that each railroad keep a currently updated PTC Product Vendor List (PTCVPL), which must identify each supplier of PTC equipment on its railroad.
Paragraph (d) proposes the requirement that each railroad identify the procedures for action upon notification from the manufacturer of a safety-critical upgrade, patch, or revision performed within the scope of the applicable PTCDP. FRA expects that when issues are discovered that may adversely affect the safe operation of the system, regardless of whether the railroad has experienced the problem, the railroad will take corrective action without undue delay (see § 236.11). FRA believes this is necessary to ensure that each railroad promptly addresses applicable errors to maintain a common safety baseline by performing component changes that, if left uncorrected, would increase risk or interfere with the safety of train operations. If the action were to take a significant amount of time, FRA proposes to require the railroad to provide FRA with periodic frequent progress reports.
Paragraph (e) proposes time limits for reporting failures and malfunctions and the minimum reporting requirements. FRA has no specific format for the reports, and will accept any format provided it contains at least the information required by this proposed rule. FRA will accept delivery of these reports by commercial courier, fax, and e-mail.
Paragraph (f) proposes to require the manufacturer to provide a detailed explanation of the problem and the intended or performed corrective action to FRA upon request, in the event that a PTC system is found to be unsafe due to a design or manufacturing defect. While the railroad may be able to report symptoms of a problem, it is the manufacturer who is in the best position to determine its underlying root cause. FRA may require this information to determine the full impact of the problem, and to determine if any additional restrictions or limitations on the use of the PTC may be warranted to ensure the safety of the general public and the railroad personnel.
Proposed paragraph (g) is intended to limit unnecessary reporting. If the failure was the result of improper operation of the PTC system outside of the design parameters or of non-compliance with the applicable operating instructions, FRA believes that compliance with paragraph (f) is not necessary. Instead, FRA expects, and proposes to require, the railroad to engage in more narrow remedial measures, including remedial training by the railroad in the proper operation of the PTC system. Similarly, once a problem has been identified to all stakeholders, FRA does not believe it is necessary for a manufacturer to repeatedly submit a formal report in accordance with paragraph (f). In either situation, however, FRA expects that all users of the equipment are proactively and timely notified of the misuse that occurred and the corrective actions taken.
Such reports, however, do not have to be made within seven days of occurrence, as required for other notifications under paragraph (e), but within a reasonable time appropriate to the nature and extent of the problem.
Proposed paragraph (h) is intended to make clear that the reporting requirements of part 233 are not a substitute for the proposed reporting requirements of this subpart. Both requirements apply. In the case of a false proceed signal indication, FRA would not expect the railroad to wait for the frequency of such occurrences to exceed the threshold reporting level assigned in the hazard log of the PTCSP. Rather, current § 233.7 requires all such instances to be reported.
This section retains similarities to, but also establishes contrasts with, § 236.911, which deals with exclusions from subpart H. In particular, § 236.911(c) offers reassurance that a stand-alone computer aided dispatching (CAD) system would not be considered a safety-critical processor-based system within the purview of subpart H. CADs have long been used by large and small railroads to assist dispatchers in managing their workload, tracking information required to be kept by regulation, and—most importantly—providing a conflict checking function designed to alert dispatchers to incipient errors before authorities are delivered. Even § 236.911, however, states that “a subsystem or component of an office system must comply with the requirements of this subpart if it performs safety-critical functions within, or affects the safety performance of, a new or next-generation train control system.” In fact, FRA is currently working with a vendor on a simple CAD that provides authorities in an automated fashion, without the direct involvement of a dispatcher.
For subpart I, FRA wishes to retain the exception referred to in § 236.911 for CAD systems not associated with a PTC system. Many smaller railroads use CAD systems to good effect, and there is no reason to impose additional regulations where dispatchers contemporaneously retain the function of issuing mandatory directives. However, in the present context, it is necessary to recognize that PTC systems utilize CAD systems as the “front end” of the logic chain that defines authorities enforced by the PTC system, particularly in non-signaled territory.
Accordingly, paragraph (a) proposes the potential exclusion of certain office systems technologies from subpart I compliance. These existing systems have been implemented voluntarily to enhance productivity and have proven to provide a reasonably high level of safety, reliability, and functionality. FRA recognizes that full application of subpart I to these systems would present the rail industry with a tremendous burden. The burdens of subpart I may discourage voluntary PTC implementation and operation by the smaller railroads.
However, FRA proposes to apply subpart I to those subsystems or components that perform safety critical functions or affect the safety performance of the associated PTC system. The level and extent of safety analysis and review of the office systems will vary depending upon the type of PTC system with which the office system interfaces. For example, to prevent the issuance of overlapping and inconsistent authorities, FRA expects that each PTC system demonstrate sufficient credible evidence that the requisite safety-critical, conflict resolution (although not necessarily vital) hardware and software functions of the system will work as intended. FRA also expects that the applicable PTCDP's and PTCSP's risk analysis will identify the associated hazards and describe how they have been mitigated. Particularly where mandatory directives and work authorities are evaluated for use in a PTC system without separate oral transmission from the dispatcher to the train crew or employee in charge—with the opportunity for receiving personnel to evaluate and confirm the integrity of the directive or authority received and the potential for others overhearing the transmission to note conflicting actions by the dispatching center—FRA will insist on explanations sufficient to provide reasonable confidence that additional errors will not be introduced.
Paragraph (b) proposes requirements for modifications of excluded PTC systems. At some point when a change results in degradation of safety or in a material increase in safety-critical functionality, changes to excluded PTC systems or subsystems may be significant enough to require application of subpart I's safety assurance processes. FRA believes that all modifications caused by unforeseen implementation factors will not necessarily cause the product to become subject to subpart I. These types of implementation modifications will be minor in nature and be the result of site specific physical constraints. However, FRA expects that implementation modifications that will result in a degradation of safety or a material increase in safety-critical functionality, such as a change in executive software, will cause the PTC system or subsystem to be subject to subpart I and its requirements. FRA is concerned, however, that a series of incremental changes, while each individually not meeting the threshold for compliance with this subpart, may when aggregated result in a product which differs sufficiently so as to be considered a new product. Therefore, FRA reserves the right to require products that have been incrementally changed in this manner to comply with the requirements of this subpart. Prior to FRA making such a determination, the affected railroad will be allowed to present detailed technical evidence why such a determination should not be made. This provision mirrors paragraph (d) of existing § 236.911.
Proposed paragraph (c) addresses the integration of train control systems with other locomotive electronic control systems. The earliest train control systems were electro-mechanical systems that were independent of the discrete pneumatic and mechanical control systems used by the locomotive engineer for normal throttle and braking functions. Examples of these train control systems included cab signals and ACS/ATC appliances. These systems included a separate antenna for interfacing with the track circuit or inductive devices on the wayside. Their power supply and control logic were separate from other locomotive functions, and the cab signals were displayed from a separate special-purpose unit. Penalty brake applications by the train control system bypassed the locomotive pneumatic and mechanical control systems to directly operate a valve that accomplished a service reduction of brake pipe pressure and application of the brakes as well as reduction in locomotive tractive power. In keeping with this physical and functional separation, train control equipment on board a locomotive came under part 236, rather than the locomotive inspection requirements of part 229.
Advances in hardware and software technology have allowed the various PTC systems' and components' original equipment manufacturers (OEMs) to repackage individual components, eliminating parts and system function control points access. Access to control functions became increasingly restricted to the processor interfaces using proprietary software. While this resulted in significant simplification of the previously complex discrete pneumatic and mechanical control train and locomotive control systems into fewer, more compact and reliable devices, it also creates significant challenges with respect to compatibility of the application programs and configuration management.
FRA encourages such enhancements, and believes that, if properly done, they can result in significant safety, as well as operational, improvements. Locomotive manufacturers can certainly provide secure locomotive and train controls, and it is important that they do so if locomotives are to function safely in their normal service environment. FRA highly encourages the long-term goal of common platform integration. However, when such an integration occurs, it must not be done at the expense of decreasing the safe and reliable operation of the train control system. Accordingly, FRA expects that the complete integrated system will be shown to have been designed to fail-safe principles, and then demonstrated to operate in a fail-safe mode. Any commingled system must have a manual fail-safe fallback that allows the engineer to bring the train to a safe stop in the event of an electronic system failure. This analysis must be provided to FRA for approval in the PTCDP and PTCSP as appropriate. This provision mirrors the heightened scrutiny called for by § 236.913(c) of subpart H for commingled systems, but is more explicit with respect to FRA's expectations. The provision in general accords with the requirements for locomotive systems that are currently under development in the RSAC's Locomotive Safety Standards Working Group.
Finally, proposed paragraph (d) clarifies the application of subparts A through H to products excluded from compliance with subpart I. These products are excluded from the requirements of subpart I, but FRA expects that the developing activity demonstrates compliance of products with subparts A through H. FRA believes that railroads not mandated to implement PTC, or that are implementing other non-PTC related processor-based products, should be given the option to have those products approved under subpart H by submitting a PSP and otherwise complying with subpart H or voluntarily complying with subpart I. This provision mirrors § 236.911(e) of subpart H.
Section 236.1029 PTC System Use and En Route Failures
This section proposes minimum requirements, in addition to those found in the PTC system's plans, for each PTC system with a PTC System Certification. Railroads are allowed, and encouraged, to adopt more restrictive rules that increase safety.
Paragraph (a) proposes to require that, in the event of the failure of a component essential to the safety of a PTC system to perform as intended, the cause be identified and corrective action taken without undue delay. The paragraph also requires that, until the corrective action is completed, the railroad, at a minimum, take the appropriate measures, including those specified in the PTCSP, to assure the safety of train movements, roadway workers, and on-track equipment. This proposed requirement mirrors current requirements of § 236.11, which applies to all signal and train control system components. Under proposed paragraph (a), FRA intends to apply to PTC systems provided PTC System Certification under subpart I the same standard in current § 236.11.
Paragraph (b) addresses the circumstance where a PTC onboard apparatus on a lead locomotive that is operating in or is to be operated within a PTC system fails or is otherwise cut-out while en route. Under proposed paragraph (b), the subject train may only continue such operations in accordance with specific limitations. An en route failure is applicable only in instances where the subject train has departed its initial terminal, having had a successful initialization, and a subsequent failure renders it no longer responsive to the PTC system. For example, FRA believes that an en route failure may occur when the PTC onboard apparatus incurs an onboard fault or is otherwise cut out.
Under subpart H, existing § 236.567 provides specific limitations on each train failing en route in relation to its applicable automatic cab signal, train stop, and train control system. FRA believes that it would be desirable to impose somewhat more restrictive conditions given the statutory mandate and the desire to have an appropriate incentive to properly maintain the equipment and to timely respond to en route failures. For instance, FRA recognizes that the limitations of § 236.567 do not account for the statutory mandates of the core PTC safety functions. However, during the PTC Working Group meetings, no consensus was reached on how to regulate en route failures on PTC territory. Nevertheless, proposed § 236.1029, and in particular proposed paragraph (b), is purposefully intended to parallel the limitations contained in § 236.567. In other words, FRA intends that § 236.567 and proposed paragraph (b) to § 236.1029 will share the common purpose of maintaining a level of safety generally in accord with that expected with the train control system fully functional. This is accomplished by requiring supplementary procedures to heighten awareness and provide operational control (limiting the frequency of unsafe events) and by restricting the speed of the failed train (reducing the potential severity of any unsafe event).
Paragraph (b)(1) proposes to allow the subject train to proceed at restricted speed—or at medium speed if a block signal system is in operation according to signal indication—to the next available point where communication of a report can be made to a designated railroad officer of the host railroad. The intent of this requirement is to ensure that the occurrence of an en route failure may be appropriately recorded and that the necessary alternative protection of absolute block is established.
After a report is made in accordance with paragraph (b)(1), or made electronically and immediately by the PTC system itself, paragraph (b)(2) proposes to allow the train to continue to a point where an absolute block can be established in advance of the train in accordance with the limitations that follow in paragraphs (b)(2)(i) and (ii). Paragraph (b)(2)(i) proposes to require that where no block signal system is in use, the train may proceed at restricted speed. Alternatively, under proposed paragraph (b)(2)(ii), the train may proceed at a speed not to exceed medium speed where a block signal system is in operation according to signal indication.
Paragraph (b)(3) proposes to require that, upon the subject train reaching the location where an absolute block has been established in advance of the train, the train may proceed in accordance with the limitations that follow in paragraphs (b)(3)(i), (ii), or (iii). Proposed paragraph (b)(3)(i) requires that where no block signal system is in use, the train may proceed at medium speed; however, if the involved train is one that meets the criteria requiring the PTC system installation (i.e., a passenger train or a train hauling any amount of PIH material), it may only proceed at a speed not to exceed 30 miles per hour. Paragraph (b)(3)(ii) requires that where a block signal system is in use, a passenger train may proceed at a speed not to exceed 59 miles per hour and a freight train may proceed at a speed not to exceed 49 miles per hour. Paragraph (b)(3)(iii) requires that except as provided in paragraph (c), where a cab signal system with an automatic train control system is in operation, the train may proceed at a speed not to exceed 79 miles per hour.
Paragraph (c) requires that, in order for a PTC train that operates at a speed above 90 miles per hour to deviate from the operating limitations contained in paragraph (b) of this section, the deviation must be described and justified in the FRA approved PTCDP or PTCSP, or the Order of Particular Applicability, as applicable.
Paragraph (d) proposes to require that the railroad operate its PTC system within the design and operational parameters specified in the PTCDP and PTCSP. Railroads will not exceed maximum volumes, speeds, or any other parameter provided for in the PTCDP or PTCSP. On the other hand, a PTCDP or PTCSP could be based upon speed or volume parameters that are broader than the intended initial application, so long as the full range of sensitivity analyses is included in the supporting risk assessment. FRA feels this requirement will help ensure that comprehensive product risk assessments are performed before products are implemented.
Paragraph (e) sets forth the requirement that any testing of the PTC system must not interfere with its normal safety-critical functioning, unless an exception is obtained pursuant to 49 CFR 236.1035, where special conditions have been established to protect the safety of the public and the train crew. Otherwise, paragraph (e) requires that each railroad ensure that the integrity of the PTC system not be compromised, by prohibiting the normal functioning of such system to be interfered with by testing or otherwise without first taking measures to provide for the safety of train movements, roadway workers, and on-track equipment that depend on the normal safety-critical functioning of the system. This provision parallels current § 236.4, which applies to all systems. By requiring this paragraph, FRA also intends to clarify that the standard in current § 236.4 also applies to subpart I PTC systems.
Paragraph (f) proposes to require that each member of the operating crew has appropriate access to the information and functions necessary to perform his or her job safely when products are implemented and used in revenue service. Where two-person crews are employed, availability of a screen and any needed function keys will enable the second crew person to carry out PTC onboard computer-related activities without distracting the locomotive engineer from maintaining situational awareness of activities outside the locomotive cab. FRA's existing regulations for train control in § 236.515 require that the cab signal display be clearly visible to each member of the crew. FRA believes the decision to operate with one PTC screen, only accessible to the engineer, can only be made after careful analysis of the human factor implications, the associated risks, and the sensitivity of the safety analysis that is used to potentially justify the decision. FRA notes that the principles of crew resource management and current crew briefing practices in the railroad industry require that all members of a functioning team (e.g., engineer, conductor, dispatcher, roadway worker in charge) have all relevant information available to facilitate constructive interactions and permit incipient errors to be caught and corrected. Retaining and reinforcing this level of cooperation will be particularly crucial during the early PTC implementation as errors in train consist information, errors generated in on-board processing, delays in delivery of safety warnings due to radio frequency congestion, and occasional errors in dispatching challenge the integrity of PTC systems even as the normal reliability of day-to-day functioning supports reductions in vigilance. Loss of crew cooperation could easily spill over to other functions, including switching operations and management of emergency situations.
This issue was the subject of significant disagreement within the PTC Working Group. FRA appreciates the views of those who suggest that the cost of additional displays is not warranted and the argument that, where there is an additional crew member assigned, no value may be added by isolating the second crew member from potentially corrupted information communicated from the PTC display. However, FRA believes that there is a strong likelihood that railroads will at some point in the future seek to deliver electronically all mandatory directives from the dispatcher to the PTC onboard apparatus, obviating the need for oral transmission. When this occurs, FRA believes that having a second crew member involved in receipt and confirmation of the authority will be useful to verify situational appropriateness and avoid information overload of the locomotive engineer.
Section 236.1031 Previously Approved PTC Systems
FRA recognizes that substantial effort has been voluntarily undertaken by the railroads to develop, test, and deploy PTC systems prior to the passage of the RSIA08, and that some of the PTC systems have accumulated a significant history of safe and reliable operations. In order to facilitate the ability of the railroads to leverage the results of PTC design, development, and implementation efforts that have previously been approved or recognized by FRA prior to the adoption of this subpart, FRA is proposing an expedited certification process in this section.
Under proposed paragraph (a), each railroad that has a PTC system that may qualify for expedited treatment would have to submit a Request for Expedited Certification (REC) letter. Products that have not received approval under subpart H, or that have not been previously recognized by FRA, would be ineligible. The REC letter may be jointly submitted by PTC railroads and suppliers as long as there is at least one PTC railroad. A PTC system may qualify for expedited certification if it fulfills at least one of the descriptions proposed in paragraphs (a)(1) through (a)(3). While these descriptions are objective in nature, FRA intends them to cover ETMS, ITCS, and ACSES, respectively.
Proposed paragraph (a)(1) applies to systems that have been recognized or approved by FRA after submission of a product safety plan (PSP) in accordance with subpart H. Subpart I generally reflects the same criteria required for a PSP under subpart H. Thus, FRA believes that most of the PTCDP and PTCSP requirements in subpart I can be fulfilled with the submission of the existing and approved PSP. However, FRA notes that the subject railroad will also need to submit the information required in a PTCDP and PTCSP that is not in the current PSP.
FRA also recognizes that certain PTC systems may currently operate in revenue service with FRA approval through the issuance of a waiver or order. Proposed paragraphs (a)(2) and (a)(3) intend to cover those systems.
If a PTC system complying with paragraph (a)(1) is provided expedited certification, the system plans should ultimately match the criteria required for each PTCDP and PTCSP. As previously noted, a railroad may seek to use a PTC system that has already received a Type Approval. To extend this benefit as it applies to previously used systems for which expedited certification is provided, paragraph (b) proposes to give the Associate Administrator the ability to provide a Type Approval to systems receiving expedited certification in accordance with paragraph (a)(1).
FRA recognizes that certain systems eligible for expedited certification may not entirely comply with the subsequently issued statutory mandate. Accordingly, under paragraph (c), FRA is compelled to propose that before any Type Approval or expedited certification may be provided, the PTC system must be shown to reliably execute the same functionalities of every other PTC system required by subpart I. Nothing in this abbreviated process should be construed as implying the automatic granting by FRA of a Type Approval or PTC System Certification. Each expedited request for a Type Approval or PTC System Certification must be submitted by the railroad under this abbreviated process and, as required under subpart I, must demonstrate that the system reliably enforces positive train separation and prevents overspeed derailments, incursions into roadway worker zones, and movements through misaligned switches.
Under proposed paragraph (d), FRA encourages railroads, to the maximum extent possible, to use proven service history data to support their requests for Type Approval and PTC System Certification. While proven service history cannot be considered a complete replacement for an engineering analysis of the risks and mitigations associated with a PTC product, it provides great credibility for the accuracy of the engineering analysis. Testing and operation can only show the absence or mitigation of a particular failure mode, and FRA believes that there will always be some failure modes that may only be determined through analysis. Due to this inherent limitation associated with testing and operation, FRA also strongly encourages the railroads to submit any available analysis or information.
Paragraph (e) proposes that, to the extent that the PTC system proposed for implementation under this subpart is different in significant detail from the system previously approved or recognized, the changes shall be fully analyzed in the PTCDP or PTCSP as would be the case absent prior approval or recognition. FRA understands that the PTC product for which expedited Type Approval and PTC System Certification is sought may differ in terms of functionality or implementation from the PTC product previously approved or recognized by FRA. In such a case, the service history and analysis may not align directly with the new variant of the product. Similarly, the available service history and analysis associated with a PTC product may be inconclusive about the reliability of a particular function. It is because of these possible situations that FRA cannot unequivocally promise that all requests for expedited Type Approval and PTC System Certification submitted by a railroad under this subpart will be automatically granted. FRA will, however, apply the available service history and analytical data as credible evidence to the maximum extent possible. FRA believes that this still greatly simplifies each railroad's task in making its safety case, since the additional testing and analysis required need only address those areas for which credible evidence is insufficient. To reduce the overall level of financial resources and effort necessary to obtain sufficient credible evidence to support the claims being made for the safety performance of the product, FRA also encourages each railroad to share with other railroads a system's service history and the results of any analysis, even in the case where the shared information does not fully support a particular railroad's safety analysis.
Proposed paragraph (f) defines terms used only in this section. “Approved” refers to approval of a Product Safety Plan under subpart H. As this NPRM was being prepared, only BNSF Railway's ETMS Configuration I had been so approved, but other systems were under development. “Recognized” refers to official action permitting a system to be implemented for control of train operations under an order or waiver, after review of safety case documentation for the implementation. As this NPRM was being prepared, only ACSES I had been recognized under an order of particular applicability, and ACSES II was under review for potential approval. Only one system, the ITCS in place on Amtrak's Michigan line, had been approved for unrestricted revenue service under waiver.
FRA was unable to fashion an outright “grandfathering” of equipment previously used in transit and foreign service. FRA does not have the same degree of direct access to the service history of these systems. Transit systems—except those that are connected to the general railroad system—are not directly regulated by FRA. FRA has had limited positive experience eliciting safety documentation from foreign authorities, particularly given the influence of national industrial policies.
However, FRA believes that, while complete exclusion may not be available in those circumstances, procedural simplification may be possible. FRA is considering a procedure under which the railroad and supplier could establish safety performance at the highest level of analysis for the particular product, relying in part on experience in the other service environments and showing why similar performance should be expected in the U.S. environment. Foreign signal suppliers should be in a good position to marshal service histories for these products and present them as part of the railroad's PTCSP. For any change, the applicant must provide additional information that will enable FRA to make an informed decision regarding the potential impact of the change on safety. This information must include, but is not limited to, the following: (1) A detailed description of the change; (2) a detailed description of the hardware and software impacted by the change; (3) a detailed description of any new functional data flows resulting from the change; (4) the results of the analysis used to verify that the change did not introduce any new safety risks or, if the change did introduce any new safety risks, a detailed description of the new safety risks and the associated risk mitigation actions taken; (5) the results of the tests used to verify and validate the correct functionality of the product after the change has been made; (6) a detailed description of any required modifications in the railroad training plan that are necessary for continued safe operation of the product after the change; and (7) a detailed description of any new test equipment and maintenance procedures required for the continued safe operation of the product. FRA requests comment on whether and in what way these concepts might be captured in the final rule.
In the same vein, paragraph (g) encourages re-use of safety case documentation previously reviewed, whether under subpart H or subpart I.
Section 236.1033 Communications and Security Requirements
Subpart I proposes specific communications security requirements for PTC system messages. Proposed § 236.1033 originated from the radio and communications task force within the PTC Working Group. The objectives of the proposal are to ensure data integrity and authentication for communications with and within a PTC system.
In data communications, “cleartext” is a message or data in a form that is immediately comprehensible to a human being without additional processing. In particular, it implies that this message is transferred or stored without cryptographic protection. It is related to, but not entirely equivalent to, the term “plaintext.” Formally, plaintext is information that is fed as an input to a cryptographic process, while “ciphertext” is what comes out of that process. Plaintext might be compressed, encrypted, or otherwise manipulated before the cryptographic process is applied, so it is quite common to find plaintext that is not cleartext. Cleartext material is sometimes in plain text form, meaning a sequence of characters without formatting, but this is not strictly required. The security requirements proposed in this document are consistent with the Department of Homeland Security (DHS) guidance for SCADA systems and the National Institute of Standards and Technology guidance. FRA has coordinated this proposal with DHS.
Proposed paragraph (a) establishes the requirement for message integrity and authentication. Integrity is the assurance that data is consistent and correct. Generally speaking, in cryptography and information security, integrity refers to the validity of data. Integrity can be compromised through malicious altering—such as an attacker altering an account number in a bank transaction, or forgery of an identity document—or accidental altering—such as a transmission error, or a hard disk crash. A level of data integrity can be achieved by mechanisms such as parity bits and Cyclic Redundancy Codes (CRCs). Such techniques, however, are designed only to detect some proportion of accidental bit errors; they are powerless to thwart deliberate data manipulation by a determined adversary whose goal is to modify the content of the data for his or her own gain. To protect data against this sort of attack, cryptographic techniques are required. Thus, appropriate algorithms and keys must be employed and commonly understood between the entity wanting to provide data integrity and the entity wanting to be assured of data integrity.
Authentication is the act of establishing or confirming something (or someone) as authentic. Various systems have been invented to provide a means for readers to reliably authenticate the sender. In any event, the communication must be properly protected; otherwise, an eavesdropper can simply copy the relevant data and later replay it, thereby successfully masquerading as the original, legitimate entity.
Sender authentication typically finds application in two primary contexts. Entity identification serves simply to identify the specific entity involved, essentially in isolation from any other activity that the entity might want to perform. The second context is data origin identification, which identifies a specific entity as the source or origin of a given piece of data. This is not entity identification in isolation, nor is it entity identification for the explicit purpose of enabling some other activity. Rather, this is identification with the intent of statically and irrevocably binding the identified entity to some particular data, regardless of any subsequent activities in which the entity might engage. Cryptographically based signatures provide nearly irrefutable evidence that can be used subsequently to prove to a third party that this entity did originate—or at least possess—the data.
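The following added example (not part of the FRA notice) illustrates the distinction drawn above between CRC error detection and cryptographic integrity, together with the replay concern. It assumes HMAC-SHA-256 as the keyed algorithm and a constructed frame layout (sender id, sequence number, payload); the notice names neither an algorithm nor a message format, and a shared-key MAC does not give the third-party proof that signatures provide.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo key (assumption). Real keys come from the railroad's key
# management process and are never embedded in code.
KEY = bytes(range(32))

# Assumed frame header, not a PTC wire format:
# sender id (uint32) and sequence number (uint64), big-endian.
HEADER = struct.Struct(">IQ")
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def frame_crc(sender, seq, payload):
    """Frame protected only by a CRC-32 trailer (error detection, no secret)."""
    body = HEADER.pack(sender, seq) + payload
    return body + struct.pack(">I", zlib.crc32(body))


def check_crc(frame):
    """True when the CRC-32 trailer matches the body."""
    if len(frame) < HEADER.size + 4:
        return False
    return struct.unpack(">I", frame[-4:])[0] == zlib.crc32(frame[:-4])


def frame_hmac(key, sender, seq, payload):
    """Frame protected by an HMAC-SHA-256 tag computed over header and payload."""
    body = HEADER.pack(sender, seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies HMAC frames and rejects replays via per-sender sequence numbers."""

    def __init__(self, key):
        self._key = key
        self._last_seq = {}  # sender id -> highest sequence number accepted

    def accept(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            return "reject: short frame"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        sender, seq = HEADER.unpack_from(body)
        # The sequence number is covered by the tag, so it cannot be rewritten
        # without the key; a stale or repeated value is a replay.
        if seq <= self._last_seq.get(sender, -1):
            return "reject: replay"
        self._last_seq[sender] = seq
        return "accept"


def demo():
    """Run the comparison on constructed sample messages and return the results."""
    payload = b"limit=25"  # constructed sample payload
    results = {}

    # Accidental error: a single flipped bit is caught by the CRC.
    flipped = bytearray(frame_crc(7, 1, payload))
    flipped[HEADER.size] ^= 0x01
    results["crc_detects_bit_error"] = not check_crc(bytes(flipped))

    # Deliberate change: the CRC needs no secret, so a frame with different
    # content and a freshly computed CRC passes the same check.
    results["crc_accepts_recomputed"] = check_crc(frame_crc(7, 1, b"limit=79"))

    # With a keyed tag, changed content without the key fails verification.
    rx = Receiver(KEY)
    good = frame_hmac(KEY, 7, 1, payload)
    altered = good[:-TAG_LEN].replace(b"25", b"79") + good[-TAG_LEN:]
    results["hmac_altered"] = rx.accept(altered)

    # A genuine frame is accepted once; a captured copy sent again is rejected.
    results["hmac_first"] = rx.accept(good)
    results["hmac_replay"] = rx.accept(good)
    results["hmac_next"] = rx.accept(frame_hmac(KEY, 7, 2, payload))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
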
Proposed paragraph (b)(1) requires that cryptographic algorithms and keys used to establish integrity and authenticity be approved by either the National Institute of Standards and Technology (NIST) or a similar standards organization acceptable to FRA. As a practical matter, cryptographic algorithms can be believed secure by competent, experienced, practicing cryptographers. This requires that the algorithms be publicly known and have been seriously studied by working cryptographers. Algorithms that have been approved by NIST (or similar standards bodies) can be assured of being both publicly known and seriously studied.
Proposed paragraph (b)(2) allows the use of either manual or automated means to distribute keys. Key distribution is the most important component in secure transmissions. The general key distribution problem refers to the task of distributing keys between communicating parties to provide the required security properties. Frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, the strength of any cryptographic system rests with the key distribution technique, a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key. Key distribution can be achieved in a number of ways. There are various combinations by which a key can be selected manually or automatically among one or multiple parties.
Proposed paragraph (b)(3) establishes the conditions under which cryptographic keys must be revoked. Paragraph (b)(3)(i) addresses the situation when a key has actually been found to have been compromised and when the possibility of key compromise exists. Cryptographic algorithms are part of the foundations of the security house, and any house with weak foundations will collapse. Adequate procedures should be foreseen to take an algorithm out of service or to upgrade an algorithm which has been used beyond its lifetime.
Proposed paragraph (d) addresses physical protection as applied to cryptographic equipment. Compliance does not necessitate locking devices within mechanical safes or enclosing their electronics within thick steel or concrete shields (i.e. making them tamper-proof). Compliance does, however, involve using sound design practices to construct a system capable of attack detection by a comprehensive range of sensors (i.e. tamper resistant). The level of physical security suggested should be such that unauthorized attempts at access or use will either be unsuccessful or will have a high probability of being detected during or after the event. Additionally, the cryptographic equipment should be prominently situated in operation so that its condition (outward appearance, indicators, controls, etc.) is easily visible to minimize the possibility of undetected penetration. In any system containing detection and destruction methods as described here, there is naturally a cost penalty for providing very high levels of tamper resistance, due to construction and test requirements by the manufacturer. It is naturally important to analyze the risks of key disclosure against cost of protection and specify a suitable implementation.
Confidentiality has been defined by the International Organization for Standardization (ISO) as “ensuring that information is accessible only to those authorized to have access.” Confidentiality, integrity, and authentication all rely on the same basic cryptographic primitives—algorithms with basic cryptographic properties—and their relationship to other cryptographic problems. These primitives provide fundamental properties, which guarantee one or more of the high-level security properties. In proposed paragraph (e)(1), FRA makes it clear that while providing for confidentiality of message data is not a regulatory requirement, if a railroad elects to implement confidentiality, the same protection mechanisms applicable to the cryptographic primitives that support integrity and authentication must also be provided for the cryptographic primitives that support confidentiality.
It is only the difficulty of obtaining the key that determines security of the system, provided that there is no analytic attack (i.e., a “structural weakness” in the algorithms or protocols used), and assuming that the key is not otherwise available (such as via theft, extortion, or compromise of computer systems). A key should therefore be large enough that a brute force attack (possible against any encryption algorithm) is infeasible, that is, the attack would take too long to execute. Under information theory, to achieve perfect secrecy, it is necessary for the key length to be at least as large as the message to be transmitted and only used once (this algorithm is called the one-time pad). In light of this, and the practical difficulty of managing such long keys, modern cryptographic practice has discarded the notion of perfect secrecy as a requirement for encryption, and instead focuses on computational security. Under this definition, the computational requirements of breaking an encrypted text must be infeasible for an attacker. Paragraph (e)(2) proposes to require that in the event that a railroad elects to implement confidentiality, the chosen key length should provide the level of computational complexity appropriate to the information being protected, and that this information be included in the PTCSP. Both academic and private organizations provide recommendations and mathematical formulas to approximate the minimum key size requirement for security based on mathematical attacks; they generally do not take algorithmic attacks, hardware flaws, or other such issues into account.
Key management—the process of handling and controlling cryptographic keys and associated material during their life cycle in a cryptographic system—includes ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the different types of material. Paragraph (e) proposes to require that cleartext stored cryptographic keys be protected from unauthorized disclosure, modification, or substitution. During key management, however, it may be necessary to validate the accuracy of the key being entered, especially in cases where the key management process is being done manually. During the key entry process, keys not encrypted to protect against disclosures may be temporarily displayed to allow visual verification. However, if the key has been encrypted to protect against disclosure, then the cleartext version of the key may not be displayed. This does not, however, preclude the display of the encrypted version of the key.
In proposed paragraph (f), FRA requires that each railroad implement a service restoration and mitigation plan to address restoral of communications services in the event of their loss or disruption and to make this plan available to FRA. Loss of communications services reduces or eliminates the effectiveness of a PTC system and FRA requires that these critical safety systems, once implemented, are restored to operation as soon as practical. FRA believes that the restoration plan must include testing and validating the plan, communicating the plan, and validating backup and restoration operations.
To ensure that these or any other procedures work in the railroad's operational environment, the railroad must validate each procedure intended for implementation. The backup and restoration plan should clearly describe who is to implement procedures and how they are to do it. The primary information to be communicated includes: the team or person (specified as an individual or a role) that is responsible for determining when restoration of service is required and the procedures to be used to restore service, as well as the team or person responsible for implementing procedures for each restoration scenario; the criteria for determining which restoration procedures are most appropriate for a specific situation; the time estimates for restoration of service in each restoration scenario; the restoration procedures to be used, including the tools required to complete each procedure; and the information required to restore data and settings.
Finally, paragraph (g) is proposed to make clear that railroads are permitted to implement more restrictive security requirements provided the requirements do not adversely impact interoperability.
Section 236.1035 Field Testing Requirements
Initial field or subsequent regression testing of a PTC product on the general rail system is often required before the product has been certified in order to obtain data to support the safety case presented in the PTCSP. To ensure the safety of the public and train crews, prior FRA approval is required to conduct test operations on the general rail system. This paragraph proposes an alternative to the waiver process when only part 236 regulations are involved. When regulations concerning track safety, grade crossing safety, or operational rules are involved, however, this process would not be available. Such testing may also implicate other safety issues, including adequacy of warning at highway-rail crossings (including part 234 compliance), qualification of passenger equipment (part 238), sufficiency of the track structure to support higher speeds or unbalance (part 213), and a variety of other safety issues, not all of which can be anticipated in any special approval procedure. Approval under this part for testing does not grant relief from other parts of this title and the railroads must still apply for relief from the non-part 236 regulations under the discrete special approval sections of those regulations, the provisions of part 211 related to waivers, or both.
The information required for this filing is described in proposed paragraphs 236.1035(a)(1) through (a)(7). This information is necessary in order for FRA to make informed decisions regarding the safety of testing operations. FRA would prefer that the informational filings to test under this part be accompanied by any requests for relief from non-part 236 regulations so that they may be considered as a whole.
Proposed paragraph (b) provides notification that FRA may—based on the results of the review of the information provided in paragraph (a) and in order to provide additional oversight to ensure the safety of rail operations—impose special conditions on the execution of the testing, including the appointment of an FRA test monitor. When a test monitor is appointed, he or she has the authority to stop testing if unsafe conditions arise, require additional tests as necessary to demonstrate the safe operation of the system, or have tests rerun when the results are in question.
Paragraph (c) reemphasizes the earlier discussion that either temporary or permanent requests for relief for other than requirements of part 236 must be submitted in accordance with the waiver processes specified by part 211.
Sections 236.1037 Through 236.1049
In subpart H, §§ 236.917 through 236.929 contain various requirements that involve PSPs. FRA believes that these requirements should apply equally to PTC systems governed by subpart I. FRA has included proposed §§ 236.1037 to 236.1049 to inform interested parties how these elements would apply. FRA intends that the meanings of those sections in subpart H, as described in the preamble to its proposed and final rules, would also apply equally in the context of this proposal. While FRA has considered amending these sections in subpart H to incorporate references to subpart I, FRA believes such an attempt and its results would be cumbersome and awkward. Thus, FRA has included the provisions in proposed subpart I for clarity. FRA seeks comments on this issue.
Appendix B to Part 236—Risk Assessment Criteria
FRA proposes modifying Appendix B of part 236 to enhance the language for risk assessment criteria in light of experience gained during the initial stage of PTC system implementation under subpart H and to accommodate the requirements of subpart I regulating the use of mandatory PTC systems. As modified, Appendix B will modify certain headings and incorporate new language in paragraphs (a) through (h).
Paragraph (a) reflects the change in the required length of time over which the system's risk must be computed. FRA replaces the requirement to assess risk for the system “over the life-cycle of 25 years or greater” with the requirement to assess risk “over the designed life-cycle of the product.” FRA believes that the proposed language is consistent with the preamble discussion of the subpart H final rule inasmuch as they do not specify the length of a system's life cycle, thereby providing flexibility for new processor-based systems to have a life cycle other than 25 years.
FRA proposes to modify paragraph (b) only to clarify FRA's intent.
FRA proposes to modify the heading and content of paragraph (c) to better identify the main purpose of this requirement and to ensure its consistency with the associated requirements of §§ 236.909(c) and (d). FRA believes that current paragraph (c) and its heading do not fully support or clarify the main intent of subpart H, which requires that the total cost of hazardous events should be the risk measure for a full risk assessment and that the mean time to hazardous event (MTTHE) calculations for all hazardous events should be the risk measure for the abbreviated risk assessment. The existing subpart H text asks for both the base case and the proposed case to be expressed in the same metrics. Paragraph (c) of this appendix, as currently written, does not fully reflect FRA's intent that the same risk metric is to be used in the risk assessment for both the previous and current conditions (see § 236.913(g)(2)(vii)). FRA believes that the revised title of this paragraph poses the right question and that its new language provides better guidance on how to perform risk assessment for previous and current conditions.
FRA proposes to modify the heading and text of paragraph (d) to create a comprehensive and detailed list of system characteristics that must be included in the risk assessment for each proposed PTC system subject to requirements of subpart H or subpart I, or both, as applicable. FRA believes that the extended description of system characteristics better suits the risk assessment requirements of subpart H and subpart I. For example, the proposed revisions clarify that the risk assessment must account for the total volume of traffic, the type of transported freight materials (PIH, PIH), and any additional requirements for PTC systems with trains operating at certain speeds.
FRA proposes to modify paragraph (e) to clarify its intent and reflect the industry's experience in risk assessment techniques gained during the initial stage of PTC system implementation under subpart H. In the proposed language of paragraph (e), FRA provides more specific guidance on how to derive the main risk characteristics, MTTHE, and what role reliability and availability parameters, such as mean time to failure (MTTF) or mean time between failures (MTBF), for different system components can play while assessing risk for vital and non-vital hardware or software components of the system. FRA emphasizes that it is critical that each railroad and its vendors include the software failure rates into risk assessments for the system. FRA also finds it necessary to advise each railroad and its vendors to include reliability and availability characteristics, such as MTTF or MTBF, into its risk assessment to account for potential system exposure to hazards during system failures or malfunctioning when the system operates in its fall back mode—the back-up operation, as described in the PTCSP, when the PTC system fails to operate.
FRA believes that the proposed modifications to paragraph (e) more accurately address the industry's need for clarity in interpretation and execution of the requirements related to risk assessment.
FRA proposes to modify paragraph (f)(2) to reflect FRA's understanding that a software failure analysis may not necessarily be based on MTTHE “Verification and Validation” processes and that MTTHE characteristics cannot be easily obtained for the system software components. Therefore, the proposed modification intends to outline the significance of detailed software fault/failure analysis and software testing to demonstrate repeatable predictive results that all software defects are identified and corrected.
FRA proposes to modify paragraph (g) to clarify that MTTHE calculations should account for the restoration time after system or component failure and that the system design must be assessed for adequacy through the Verification and Validation process.
FRA proposes to modify paragraph (h) to emphasize the need to document all assumptions made during the risk assessment process. FRA believes that the assumptions should be documented while deriving the total cost of potential accident consequences for full risk assessment or MTTHE values for abbreviated risk assessment, rather than only documenting assumptions for intermediate parameters, such as MTTF and MTTR, as currently required. These two referenced parameters may or may not be relevant for the risk assessment.
Appendix C to Part 236—Safety Assurance Criteria and Processes
FRA proposes to modify Appendix C to Part 236 to enhance and clarify its language, re-organize the existing list of safe system design principles in accordance with the well established models of system safety engineering, and augment the list of safe system design principles with the principles related to safe system software design. A safe state is a system configuration that the system defaults to in the event of a fault or failure or when unacceptable or dangerous conditions are detected. The safe state is a state of the process operation where the hazardous event cannot occur. Paragraph (a), as proposed, is revised to reflect the main purpose of this appendix in clear, accurate, and consistent language that will be repeatedly used throughout the appendix. It also outlines that the requirements of this appendix will be applicable to each railroad's PTCIP and PTCSP, as required by subpart I.
Paragraph (b), as proposed, is modified and restructured to consistently present a complete list of safety assurance principles properly classified or categorized in accordance with well established system safety engineering principles that need to be followed by the designer of the system to assure that all system components perform safely under normal operating conditions and under failures, accounting for human factor impacts, external influencing, and procedures and policies related to maintenance, repair, and modification of the system. FRA also proposes adding language indicating that these principles must also be applicable to PTC systems designed and implemented under the requirements of subpart I. FRA's intent in promulgating Appendix C was to ensure that safety principles are followed during the design stage and that Verification and Validation methods are used to assure that the product meets the safety criteria established in § 236.909. The heading of this paragraph and its subparagraphs are changed to more adequately and precisely capture this paragraph's purpose. For instance, FRA proposes to modify the heading of paragraph (b)(1) to better suit the chosen base of classification for all safety principles under paragraph (b).
Under paragraph (b)(3), FRA proposes to amend the definition of Closed Loop Principle to reflect its industry accepted definition provided by the AREMA Manual. FRA believes that the current definition is too general and does not reflect the essence of the most significant principles of safe signaling system design.
Under paragraph (b)(4), FRA proposes to add a list of Safety Assurance Concepts that the designer may consider for implementation to assure fail-safe system design and operation. These principles are predominantly applicable for the safe system software design and quoted from the IEEE-1483 standard. Based on this proposed amendment, FRA also proposes to renumber some of the remaining subparagraphs of paragraph (b) to follow the chosen scheme for the proper classification and sequence of safety principles.
FRA proposes to amend paragraph (c) to reflect the changes in recommended standards. For instance, the standard “EN50126: 1999, Railway Applications: Specification and Demonstration of Reliability, Availability, Maintainability and Safety” (RAMS) is superseded by the standard IEC62278: 2002 under the same title. The standard “EN50128 (May 2001), Railway Applications: Software for Railway Control and Protection Systems” is superseded by the Standard IEC62279: 2002 under the same title.
Under paragraph (c)(3)(i), FRA references additional IEEE standards that have become available and will support the designs of PTC systems that are widely using communications as their main component. In addition to the existing reference under paragraph (c)(3)(i)(A) for the IEEE-1483 Standard, the following standards are added to paragraph (c)(3)(i): IEEE 1474.2-2003, Standard for user interface requirements in communications based train control (CBTC) systems; and IEEE 1474.1-2004, Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements.
After an analysis of the current applicability of ATCS Specification 130 and 140, FRA believes that they are not being used. Thus, FRA proposes to remove these standards from the list of referenced standards. However, FRA also proposes to add the ATCS 200, Data Communication standard that remains relevant for the communication segment of PTC system designs.
FRA also considers it necessary to reference several additional sections of the current AREMA 2009 Communications and Signal Manual of Recommended Practices. In addition to Section 17 of this manual referenced in a previous version of Appendix C, FRA proposes to add to the list of references Section 16 Vital Circuit and Software Design; Section 21 Data Transmission; and Section 23 Communication-Based Signaling.
VII. Regulatory Impact and Notices
A. Executive Order 12866 and DOT Regulatory Policies and Procedures
This proposed rule has been evaluated in accordance with existing policies and procedures, and determined to be significant under both Executive Order 12866 and DOT policies and procedures (44 FR 11034; Feb. 26, 1979). We have prepared and placed in the docket a regulatory impact analysis (RIA) addressing the economic impact of this proposed rule. FRA invites comments on this RIA.
The costs anticipated to accrue from adopting this proposed rule would include: (1) Costs associated with developing implementation plans and administrative functions related to the implementation and operation of PTC systems, including the information technology and communication systems that make up the central office; (2) hardware costs for onboard locomotive system components, including installation; (3) hardware costs for wayside system components, including installation; and (4) maintenance costs for all system components.
Two types of benefits are expected to result from the implementation of this proposed rule—benefits from railroad accident reduction and business benefits from efficiency gains. The first type would include safety benefits or savings expected to accrue from the reduction in the number and severity of casualties arising from train accidents that would occur on lines equipped with PTC systems. Casualty mitigation estimates are based on a value of statistical life of $6 million. In addition, benefits related to accident preventions would accrue from a decrease in damages to property such as: Locomotives, railroad cars, and track; environmental damage; track closures; road closures; and evacuations. Benefits more difficult to monetize—such as the avoidance of hazmat accident related costs incurred by Federal, State, and local governments and impacts to local businesses—will also result. FRA also expects that once PTC systems are refined, there would likely be substantial additional business benefits resulting from more efficient transportation service; however such benefits are not included because of significant uncertainties regarding whether and when individual elements will be achieved and given the complicating factor that some benefits might, absent deployment of PTC, be captured using alternative technologies at lower cost. FRA requests comments on whether this proposed regulation exercises the appropriate level of discretion and flexibility to comply with RSIA08 in the most cost effective and beneficial manner.
This document presents a 20-year analysis of the costs and benefits associated with FRA's proposed rule, using both 7 percent and 3 percent discount rates, and two types of sensitivity analyses. The first is associated with varying cost assumptions used for estimating PTC implementation costs. The second takes into account potential business benefits from realizing service efficiencies and related additional societal benefits from attainment of environmental goals and an overall reduction in transportation risk from modal diversion.
The 20-year total cost estimates are $10.00 billion (PV, 7%) and $13.85 billion (PV, 3%). Annualized costs are $0.95 billion (PV, 7%) and $0.93 billion (PV, 3%). Using high-cost assumptions, the 20-year total cost estimates would be $17.12 billion (PV, 7%) and $23.76 billion (PV, 3%). Using low-cost assumptions, the 20-year cost estimates would be $7.09 billion (PV, 7%) and $9.84 billion (PV, 3%). The later the expenditures are made, the lower the discounted cost impact, which in any event is a very small portion of the total PTC costs.
Twenty-year railroad safety (railroad accident reduction) benefit estimates associated with implementation of the proposed rule are $608 million (PV, 7%) and $931 million (PV, 3%). Annualized benefits are $57 million (PV, 7%), and $63 million (PV, 3%). Some forecasts predict significant growth of both passenger and freight transportation demands, and it is thus possible that greater activity on the system could present the potential for larger safety benefits than estimated in this analysis. The presence of a very large PTC-equipped freight locomotive fleet also supports the opportunity for introduction of new passenger services of higher quality at less cost to the sponsor of that service. Information is not presently available to quantify that benefit.
|[At 3% and 7%]|3%|7%|
|Central Office and Development|$283,025,904|$263,232,675|
|Railroad Safety Benefits|931,253,681|607,711,640|
The Port Authority Trans Hudson (PATH), a commuter railroad, is apparently considering the system used by the New York City Transit Authority on the Canarsie line. This system, which is known as Communication-Based Train Control, is not similar in concept to any of the other PTC systems (including the CSX CBTC, with which its name might easily be confused), and would not be suitable, as FRA understands the system, except on a railroad with operating characteristics similar to a heavy rail mass transit system. FRA believes that, in absence of the statutory mandate or this rulemaking, PATH would have adopted PTC for business reasons.
Although costs associated with implementation of the proposed rule are significant and such costs would far exceed the benefits, FRA is constrained by the requirements of RSIA08, which do not provide latitude for implementing PTC differently. Nevertheless, FRA has taken several steps to avoid triggering unnecessary costs in the proposed rule. For instance, FRA is not proposing to require use of separate monitoring of switch position in signal territory or that the system be designed to determine the position of the end of the train. FRA also minimized costs, such as by proposing a requirement to monitor derails protecting the mainline, but limiting it to derails connected to the signal system; and by proposing a requirement to monitor hazard detectors protecting the mainline, but limiting it to hazard detectors connected to the signal system. FRA also minimized costs related to diamond crossings, where a PTC equipped railroad crosses a non-PTC equipped railroad at grade; included exceptions to main track for passenger train operations, and proposed provisions that would permit some Class III railroad operation of trains not equipped with PTC over Class I railroad freight lines equipped with PTC.
RSIA08 requires the railroads to have all mandatory PTC systems operational on or before December 31, 2015. Members of the PTC Working Group, especially railroad and supplier representatives, said that the timeframe was very tight, and that the scheduled implementation dates would be difficult to meet. In general, the faster a government agency requires a regulated entity to adopt new equipment or procedures, the more expensive compliance becomes. In part, this is due to supply elasticity being less over shorter time periods.
FRA is unable to estimate the potential savings if Congress provided a longer implementation schedule or provided incentives, rather than mandates, for PTC system installation. In order to estimate the likely reduction in costs in such situations, FRA would need to develop some other schedule for implementation. The element least sensitive to an implementation's schedule appears to be onboard costs. Each PTC system's onboard equipment seems similar and is not very different from existing onboard systems. Further, the 2015 deadline is not so restrictive that it would cause railroads to pull locomotives out of service just to install on board PTC equipment. Locomotives must be inspected thoroughly every 90 and more extensively every 360 days. The inspections can last from one to several days. Railroads usually bring locomotives into their shops to perform these inspections, during which time a skilled and experienced team could install the on board equipment for PTC. System development is much less certain, and more time would enable vendors to develop, test, and implement the software at a more reasonable cost. Wayside costs are also sensitive to the installation timetable, as the wayside must be mapped and measured, and then the railroads must install wayside interface units (WIUs). Wayside mapping and measurement takes a highly skilled workforce. A larger workforce is necessary to timely implement the required PTC systems in a shorter amount of time. WIU installation is likely similar to existing signal or communication systems installation, and is likely to involve use of existing railroad skilled workers. The shorter the installation time period, the more work will be done at overtime rates, which are, of course, higher.
FRA believes that lower costs could result from a longer installation period, but FRA also believes that the differences in costs would be within the range of the low costs provided in the main analysis of the proposed rule. The 2004 report included some lower cost estimates, but in light of current discussions with railroads, the cost estimates in the 1998 report seem more accurate. The lower estimates FRA received in preparing the 2004 report were both overly optimistic, and excluded installation costs, as well as higher costs which stem from meeting the performance standards.
Some of the costs of PTC implementation, operation, and maintenance may be offset by business benefits, especially in the long run, although there is uncertainty regarding the timing and level of those benefits. Economic and technical feasibility of the necessary system refinements and modifications to yield the potential business benefits has not yet been demonstrated. FRA analyzed business benefits associated with PTC system implementation and presented its findings in the 2004 Report. Due to the aggressive implementation schedule for PTC and the resulting need to issue a rule promptly, FRA has not formally updated this study. Nevertheless, FRA believes that there is opportunity for significant business benefits to accrue several years after implementation once the systems have been refined to the degree necessary. Thus, FRA conducted a sensitivity analysis of potential business benefits based on the 2004 Report.
The 2004 Report included business benefits from improved or enhanced locomotive diagnostics, fuel savings attributable to train pacing, precision dispatch, and capacity enhancement. Although railroads are enhancing locomotive diagnostics using other technologies, FRA believes that PTC could provide the basis for significant gains in the other three areas.
In the years since the 2004 Report, developing technology and rising fuel costs have caused the rail supply industry and the railroads to focus on additional means of conserving diesel fuel while minimizing in-train forces that can lead to derailments and delays from train separations (usually broken coupler knuckles). Software programs exist that can translate information concerning throttle position and brake use, together with consist information and route characteristics, to produce advice for prospective manipulation of the locomotive controls to limit in-train forces. Programs are also being conceived that project arrival at meet points and other locations on the railroad. These types of tools can be consolidated into programs that either coach the locomotive engineer regarding how to handle the train or even take over the controls of the locomotive under the engineer's supervision. The ultimate purpose of integrating this technology is to conserve fuel use while handling the train properly and arriving at a designated location “just in time” (e.g., to meet or pass a train or enter a terminal area in sequence ahead of or behind other traffic). Further integrating this technology with PTC communications platforms and traffic planning capabilities could permit transmittal of “train pacing” information to the locomotive cab in order to conserve fuel. Like the communications backbone, survey data concerning route characteristics can be shared by both systems. The cost of diesel fuel for road operations to the Class I railroads is approximately $3.5 billion annually and is gradually rising. If PTC technology helps to spur the growth and effective use of train pacing, fuel savings of 5% ($175,000,000 annually) or greater could very likely be achieved. Clearly, if the railroads are able to conserve use of fuel, they will also reduce emissions and contribute to attainment of environmental goals, even before modal diversion occurs.
The improvements in dispatch and capacity have further implications. With those improvements, railroads could improve the reliability of shipment arrival time and, thus, dramatically increase the value of rail transportation to shippers, who in turn would divert certain shipments from highway to rail. Such diversion would yield greater overall transportation safety benefits since railroads have much lower accident risk than highways, on a point-to-point ton-mile basis. The total societal benefits of PTC system implementation and operation, following the analysis, would be much greater than total societal costs, although the costs would fall disproportionately more heavily on the railroads.
At present, the PTC systems contemplated by the railroads, with the possible exception of PATH, would not increase capacity, at least not for some time. If the locomotive braking algorithms need to be made more conservative in order to ensure that each train does not exceed the limits of its authority, PTC system operation may actually decrease rail capacity where applied in the early years. Further investment would be required to bring about the synergy that would result in capacity gains. A more significant business benefit of PTC system operation would be derived from precision dispatching, which decreases the variance of arrival times of delivered freight. To avoid the risk of running out of stock, shippers often overstock their inventory at an annual cost of approximately 25% of its inventory value, regardless of the material being stored. This estimate accounts for shrinkage, borrowing costs, and storage costs. Of course, freight with more value per unit of mass or volume tends to have greater storage costs per unit. At present, no rail precision dispatch system exists. However, if a shipper would take advantage of precision dispatching, thus increasing freight arrival time accuracy, then it could reduce its overstock inventory. Accurate train data is a necessary, but not a sufficient condition, for precision dispatch. At least two of the Class I railroads have unsuccessfully attempted to develop precision dispatch systems. The mandatory installation of PTC systems is likely to divert any resources that might have been devoted to precision dispatch, so these benefits are unlikely during the first several years of this rule.
Applying current factors to the variables used in the 2004 Report to Congress, the resulting analysis indicates that diversion could result in highway annual safety benefits of $744 million by 2022, and $1,148 million by 2032. Of course, these benefits require that the productivity enhancing systems be added to PTC, and are heavily dependent on the underlying assumptions of the 2004 model.
Modal diversion would also yield environmental benefits. The 2004 Report estimated that reduced air pollution costs would have been between $68 million and $132 million in 2010 (assuming PTC would be implemented by 2010), and between $103 million and $198 million in 2020. This benefit would have accrued to the general public. FRA has not broken out the pollution cost benefit of the current rule, but offers the estimates from the 2004 Report as a guide to the order of magnitude of such benefits.
While railroads argued that many of the benefits identified in FRA's 2004 report were exaggerated, shortly after the publication of the report, several railroads began developing strategies for PTC system development and implementation. This investment by the railroads would seem to illustrate that they believe that there is some potential for PTC to provide a boost to railroad profits, beyond providing any of the aforementioned societal benefits.
Modal diversion is highly sensitive to service quality. Problems with terminal congestion and lengthy dwell times might overwhelm the benefits of PTC, or other initiatives which the railroads have been pursuing (reconfiguration of yards, pre-blocking of trains, shared power arrangements, car scheduling, Automatic Equipment Identification, etc.) might actually work in synergy with PTC. It should also be noted that, in the years since the 2004 Report was developed, the Class I railroads have shown an increased ability to retain operating revenue as profit, rather than surrendering it in the form of reduced rates. This was particularly true during the period prior to the current recession, when strained highway capacity favored the growth of rail traffic. The sensitivity analysis performed by FRA indicates that realization of business benefits could yield benefits sufficient to close the gap between PTC implementation costs and rail accident reduction benefits within the first 20 years of the rule, applying a 3% discount rate, and by year 25 of the rule, applying a discount rate of 7%. Accordingly, the precise partition of business and societal benefits cannot be estimated with any certainty.
FRA recognizes that the likelihood of business benefits is uncertain and that the cost-to-benefit comparison of this rule, excluding any business benefits, is not favorable. However, FRA has taken measures to minimize the rule's adverse impacts and to provide as much flexibility as FRA is authorized to grant under RSIA08.
B. Regulatory Flexibility Act and Executive Order 13272
The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) and Executive Order 13272 require a review of proposed and final rules to assess their impacts on small entities. An agency must prepare an initial regulatory flexibility analysis (IRFA) unless it determines and certifies that a rule, if promulgated, would not have a significant impact on a substantial number of small entities. FRA has not determined whether this proposed rule would have a significant economic impact on a substantial number of small entities. Therefore, we are publishing this IRFA to aid the public in commenting on the potential small business impacts of the proposals in this NPRM. We invite all interested parties to submit data and information regarding the potential economic impact that would result from adoption of the proposals in this NPRM. We will consider all comments received in the public comment process when making a determination in the Final Regulatory Flexibility Assessment.
In accordance with the Regulatory Flexibility Act, an IRFA must contain:
(1) A description of the reasons why action by the agency is being considered;
(2) A succinct statement of the objectives of, and the legal basis for, the proposed rule;
(3) A description of, and where feasible, an estimate of the number of small entities to which the proposed rule will apply;
(4) A description of the projected reporting, recordkeeping and other compliance requirements of the proposed rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record;
(5) An identification, to the extent practicable, of all relevant Federal rules that may duplicate, overlap, or conflict with the proposed rule; and
(6) A description of any significant alternatives to the proposed rule that accomplish the stated objectives of applicable statutes and which minimize any significant economic impact of the proposed rule on small entities. 5 U.S.C. 603(b), (c).
1. Reasons for Considering Agency Action
PTC systems will be designed to prevent train-to-train collisions, overspeed derailments, incursions into established work zone limits, and the movement of a train through a switch left in the wrong position.
As discussed in more detail in section I of the preamble, the RSIA08 mandates that widespread implementation of PTC across a major portion of the U.S. rail industry be accomplished by December 31, 2015. RSIA08 requires each Class I carrier and each entity providing regularly scheduled intercity or commuter rail passenger transportation to develop a plan for implementing PTC by April 16, 2010. The Secretary of Transportation is responsible for reviewing and approving or disapproving such plans. The Secretary has delegated this responsibility to FRA. This proposed rule details the process and procedure for obtaining FRA approval of the plans.
2. Legal Basis for the Proposed Rule
As discussed earlier in the preamble, FRA is issuing this proposed rule to provide regulatory guidance and performance standards for the development, testing, implementation, and use of Positive Train Control (PTC) systems for railroads mandated by the Rail Safety Improvement Act of 2008. Section 104, Public Law 110-432, 122 Stat. 4848, 4856, (Oct. 16, 2008) (codified at 49 U.S.C. 20157).
3. Description and Estimate of Small Entities Affected
“Small entity” is defined in 5 U.S.C. 601. Section 601(3) defines a “small entity” as having the same meaning as “small business concern” under section 3 of the Small Business Act. This includes any small business concern that is independently owned and operated, and is not dominant in its field of operation. Section 601(4) includes not-for-profit enterprises that are independently owned and operated, and are not dominant in their field of operations within the definition of “small entities.” Additionally, section 601(5) defines as “small entities” governments of cities, counties, towns, townships, villages, school districts, or special districts with populations less than 50,000.
The U.S. Small Business Administration (SBA) stipulates “size standards” for small entities. It provides that the largest a for-profit railroad business firm may be (and still classify as a “small entity”) is 1,500 employees for “Line-Haul Operating” railroads, and 500 employees for “Short-Line Operating” railroads. See “Table of Size Standards,” U.S. Small Business Administration, January 31, 1996, 13 CFR part 121; see also NAICS Codes 482111 and 482112.
SBA size standards may be altered by Federal agencies in consultation with SBA, and in conjunction with public comment. Pursuant to the authority provided to it by SBA, FRA has published a final policy, which formally establishes small entities as railroads that meet the line haulage revenue requirements of a Class III railroad. See 68 FR 24,891 (May 9, 2003). Currently, the revenue requirements are $20 million or less in annual operating revenue, adjusted annually for inflation. The $20 million limit (adjusted annually for inflation) is based on the Surface Transportation Board's threshold of a Class III railroad carrier, which is adjusted by applying the railroad revenue deflator adjustment. See also 49 CFR part 1201. The same dollar limit on revenues is established to determine whether a railroad shipper or contractor is a small entity. FRA proposes to use this definition for this rulemaking.
The IRFA's “universe” of considered entities generally includes only those small entities that can reasonably be expected to be directly regulated by the proposed action. One type of small entity is potentially affected by this proposed rule: railroads. The level of impact on small railroads will vary from railroad to railroad. Class III railroads will be impacted for one or more of the following reasons: (1) They operate on Class I railroad lines that carry PIH materials and are required to have PTC, in which case they would need to equip the portion of their locomotive fleet that operates on such lines; (2) they operate on Amtrak or commuter rail lines, including freight railroad lines that host such service; (3) they host regularly scheduled intercity or commuter rail transportation; or (4) they have at-grade railroad crossings over lines required by RSIA08 to have PTC. Generally, to the extent that Class III railroads incur costs associated with implementation of PTC, it will be limited to equipping locomotives, and not the wayside, for the reasons discussed below.
The proposed rule would apply to small railroads' tracks over which a passenger railroad conducts intercity or commuter operations and locomotives operating on main lines of Class I freight railroads required to have PTC and on railroads conducting intercity passenger or commuter operations. The impact on Class III railroads that operate on Class I railroad lines required to be equipped with PTC will depend on the nature of such operations. Class III railroads often make short moves on Class I railroad lines for interchange purposes. To the extent that their moves do not exceed four per day or 20 miles in length of haul (one way), Class III railroads will be exempt from the requirement to equip the locomotives. However some Class III railroads operate much more extensively on Class I railroad lines that will be required to have PTC and would have to equip some of their locomotives. It is likely that Class III railroads will dedicate certain locomotives to such service, if they have not done so already. FRA estimates that approximately 55 small railroads would have to equip locomotives with PTC system components because they have trackage rights on Class I freight railroad PIH lines that would be required to have PTC and would not be able to qualify for any of the operational exceptions discussed.
FRA further estimates that 10 small railroads have trackage rights on intercity passenger or commuter railroads or other freight railroads hosting such operations, and might need to equip some locomotives with PTC systems. Half of these would need to equip locomotives anyway, because they also have trackage rights on Class I railroads that haul PIH and would otherwise be required to have PTC.
Thus, a total of 60 railroads would need to equip locomotives. FRA estimates that the average small railroad will need to equip four locomotives, at a per railroad cost of $55,000 each, totaling $220,000, and that the total cost for all 60 small railroads which will need to equip locomotives would be $13,200,000. The annual maintenance cost would be 15% of that total, equaling $33,000 per railroad or $1,980,000 total for all small railroads. FRA requests comments regarding this cost estimate.
In addition, 15 small railroads host commuter or intercity passenger operations on what might be defined as main line track under the accompanying rulemaking; however, only five of these railroads are neither terminal or port railroads, which tend to be owned and operated by large railroads or port authorities, nor subsidiaries of large short line holding companies with the expertise and resources across the disciplines comparable to larger railroads. Of those five railroads, only one has trackage exceeding 3.8 miles. The other four railroads may request that FRA define such track as other than main line after ensuring that all trains will be limited to restricted speed. The cost burden on the remaining railroad will likely be reduced by restricting speed, temporally separating passenger train operations, or by passing the cost to the passenger railroad. Thus, the expected burden to small entities hosting passenger operations is minimal. FRA requests comments related to this analysis.
At rail-to-rail crossings where at least one of the intersecting tracks allows operating speeds in excess of 40 miles per hour, the approaching non-PTC line must have a permanent maximum speed limit of 20 miles per hour and either have some type of positive stop enforcement or a split-point derail incorporated into the signal system on the non-PTC route. FRA believes that the cost of the derail would be borne by the PTC-equipped railroad, and that slowing to 20 miles per hour reflects current practice at most diamond crossings. FRA estimates that ten crossings exist, on five small railroads with two crossings each, where the newly burdened small railroad will be slowing to 20 miles per hour from a higher track speed. FRA estimates that the average traffic on the newly burdened route is two trains per day, and that the cost to slow from a higher track speed is $30 per train, for a total cost of $60 per crossing per day, a per railroad cost of $120 per day, and a total national cost for all ten small railroads of $600 per day and an annual cost of $43,800 per railroad and a total for all small railroads of $219,000 per year. FRA estimates that only five railroads will be affected by this provision, and that they will be railroads not affected by the requirement to equip locomotives, because railroads with equipped locomotives could simply use the PTC system and avoid the requirement to slow down. This analysis yields a total of 65 affected small entities that may be impacted by implementation of the proposed rule. FRA requests comments regarding this estimate of small entities potentially impacted.
4. Description of Reporting, Recordkeeping, and Other Compliance Requirements and Impacts on Small Entities Resulting From Specific Proposed Requirements
Class III railroads that host intercity or commuter rail service will need to file implementation plans, whether or not they directly procure or manage installation of the PTC system. FRA believes that although the implementation plan must be jointly filed by the small host railroad and passenger tenant railroad, the cost of these plans will be borne by the passenger railroads. FRA believes that only one small entity, as described above, is likely to have PTC installed on its lines. The implementation plan is likely to be an extension of the passenger railroad's plan, and the marginal cost will be the cost of tailoring the plan to the host railroad, which will be borne by the passenger railroad, and maintaining copies of the plan at the host railroad, which FRA estimates to be approximately $1,000 per year.
The total cost to small entities would include the initial cost of equipping locomotives, $13,200,000; annual costs of $1,980,000 for maintenance; $219,000 due to operating speed restrictions at diamond crossings; and $1,000 to maintain a copy of the PTC implementation plan. The total annual costs to small entities after initial acquisition would be $2,200,000 ($1,980,000 + $219,000 + $1,000). Individual railroads affected would either face an initial cost of $220,000 to equip locomotives, and an annual cost of $33,000 to maintain the PTC systems on those locomotives, or would face a per railroad cost of $43,800 per year to slow at diamond crossings.
5. Identification of Relevant Duplicative, Overlapping, or Conflicting Federal Rules
There are no Federal rules that would duplicate, overlap, or conflict with this proposed rule.
6. Alternatives Considered
FRA is unaware of any significant alternatives that would meet the intent of RSIA08 and that would minimize the economic impact on small entities. FRA is exercising its discretion to provide the greatest flexibility for small entities available under RSIA08 by proposing to allow operations of unequipped trains operated by small entities on the main lines of Class I railroads, and in defining main track on passenger railroads to avoid imposing undue burdens on small entities. The definition of passenger main track was adopted based on PTC Working Group recommendations that were backed strongly by representatives of small railroads. The provisions permitting operations of unequipped trains of Class I railroads exceeded the maximum flexibility for which the PTC Working Group could reach a consensus. FRA requests comments on this finding of no significant alternative related to small entities. FRA also requests comments on whether this proposed regulation exercises the appropriate level of discretion and flexibility to comply with RSIA08 in the most cost effective and beneficial manner.
The process by which this proposed rule was developed provided outreach to small entities. As noted earlier in the preamble, this notice was developed in consultation with industry representatives via the RSAC, which includes small railroad representatives. From January to April 2009, FRA met with the entire PTC Working Group five times over the course of twelve days. This PTC Working Group established a task force to focus on issues specific to short line and regional railroads. The discussions yielded many insights and this proposed rule takes into account the concerns expressed by small railroads during the deliberations.
C. Paperwork Reduction Act
The information collection requirements in this proposed rule have been submitted for approval to the Office of Management and Budget (OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. The sections that contain the new information collection requirements and the estimated time to fulfill each requirement are as follows:
|CFR section||Respondent universe||Total annual responses||Average time per response (hours)||Total annual burden hours|
|234.275—Processor-Based Systems—Deviations from Product Safety Plan (PSP)—Letters||20 Railroads||25 letters||4||100|
|236.18—Software Mgmt Control Plan||184 Railroads||184 plans||2,150||395,600|
|—Updates to Software Mgmt. Control Plan||90 Railroads||20 updates||1.50||30|
|236.905—Updates to RSPP||78 Railroads||6 plans||135||810|
|—Response to Request For Additional Info||78 Railroads||1 updated doc||400||400|
|—Request for FRA Approval of RSPP Modification||78 Railroads||1 request/modified RSPP||400||400|
|236.907—Product Safety Plan (PSP)—Dev||5 Railroads||5 plans||6,400||32,000|
|236.909—Minimum Performance Standard.|
|—Petitions For Review and Approval||5 Railroads||2 petitions/PSP||19,200||38,400|
|—Supporting Sensitivity Analysis||5 Railroads||5 analyses||160||800|
|236.913—Notification/Submission to FRA of Joint Product Safety Plan (PSP)||6 Railroads||1 joint plan||25,600||25,600|
|—Petitions for Approval/Informational Filings||6 Railroads||6 petitions||1,928||11,568|
|—Responses to FRA Request For Further Info. After Informational Filing||6 Railroads||2 documents||800||1,600|
|—Responses to FRA Request For Further Info. After Agency Receipt of Notice of Product Development||6 Railroads||6 documents||16||96|
|—Consultations||6 Railroads||6 consults||120||720|
|—Petitions for Final Approval||6 Railroads||6 petitions||16||96|
|—Comments to FRA by Interested Parties||Public/RRs||7 comments||240||1,680|
|—Third Party Assessments of PSP||6 Railroads||1 assessment||104,000||104,000|
|—Amendments to PSP||6 Railroads||15 amendments||160||2,400|
|—Field Testing of Product—Info. Filings||6 Railroads||6 documents||3,200||19,200|
|236.917—Retention of Records.|
|—Results of tests/inspections specified in PSP||6 Railroads||3 documents/records||160,000; 160,000; 40,000||360,000|
|—Report to FRA of Inconsistencies with frequency of safety-relevant hazards in PSP||6 Railroads||1 report||104||104|
|236.919—Operations & Maintenance Man.|
|—Updates to O & M Manual||6 Railroads||6 updated docs||40||240|
|—Plans For Proper Maintenance, Repair, Inspection of Safety-Critical Products||6 Railroads||6 plans||53,335||320,010|
|—Hardware/Software/Firmware Revisions||6 Railroads||6 revisions||6,440||38,640|
|236.921—Training Programs: Development||6 Railroads||6 Tr. Programs||400||2,400|
|—Training of Signalmen & Dispatchers||6 Railroads||300 signalmen; 20 dispatchers||40; 20||12,400|
|236.923—Task Analysis/Basic Requirements: Necessary Documents||6 railroads||6 documents||720||4,320|
|—Records||6 railroads||350 records||110||58|
|SUBPART I—NEW REQUIREMENTS|
|236.1001—RR Development of More Stringent Rules Re: PTC Performance Stds||30 railroads||3 rules||80||240|
|236.1005—Requirements for PTC Systems.|
|—Temporary Rerouting: Emergency Requests||30 railroads||50 requests||8||400|
|—Written/Telephonic Notification to FRA Regional Administrator||30 railroads||50 notifications||2||100|
|—Temporary Rerouting Requests Due to Track Maintenance||30 railroads||95 requests||8||760|
|—Temporary Rerouting Requests That Exceed 30 Days||30 railroads||800 requests||8||6,400|
|236.1006—Requirements for Equipping Locomotives Operating in PTC Territory.|
|—Reports of Movements in Excess of 20 Miles/RR Progress on PTC Locomotives||35 railroads||35 reports||16||560|
|236.1007—Additional Requirements for High Speed Service.|
|—Required HSR-125 Documents with approved PTCSP||30 railroads||11 documents||3,200||35,200|
|—Requests to Use Foreign Service Data||30 railroads||2 requests||8,000||16,000|
|—PTC Railroads Conducting Operations at More than 150 MPH with HSR-125 Documents||30 railroads||11 documents||4,000||44,000|
|—PTC Implementation Plans (PTCIP)||30 Railroads||30 plans||535||16,050|
|—Host Railroads Filing PTCIP or Request for Amendment (RFAs)||30 Railroads||1 PTCIP; 15 RFAs||535; 320||5,335|
|—Notification of Failure to File Joint PTCIP||30 Railroads||30 notifications||32||960|
|—Comprehensive List of Issues Causing Non-Agreement||30 Railroads||30 lists||80||2,400|
|—Conferences to Develop Mutually Acceptable PTCIP||30 Railroads||3 conf. calls||130||2|
|—Type Approval||30 Railroads||10 Type Appr.||8||80|
|—PTC Development Plans Requesting Type Approval||30 Railroads||20 Ltr. + 20 App. + 5 Plans||8; 8; 6,400||32,320|
|—PTCIP/PTCDP/PTCSP Plan Contents—Documents Translated into English||30 Railroads||1 document||8,000||8,000|
|—Requests for Confidentiality||30 Railroads||30 ltrs; 30 docs||8; 800||24,240|
|—Field Test Plans/Independent Assessments—Req. by FRA||30 Railroads||150 field tests; 2 assessments||800||121,600|
|—FRA Access: Interviews with RR PTC Personnel||30 Railroads||60 interviews||130||30|
|236.1011—PTCIP Requirements—Review and Public Comments on PTCIPs, PTCDPs, and PTCSPs||7 Interested Groups||21 reviews + 60 comments||143; 8||3,483|
|236.1015—PTCSP Content Requirements PTC System Certification.|
|—Non-Vital Overlay||30 Railroads||2 PTCSPs||16,000||32,000|
|—Vital Overlay||30 Railroads||16 PTCSPs||22,400||358,400|
|—Stand Alone||30 Railroads||10 PTCSPs||32,000||320,000|
|—Mixed Systems—Conference with FRA regarding Case/Analysis||30 Railroads||3 conferences||32||96|
|—Mixed Sys. PTCSPs (incl. safety case)||30 Railroads||2 PTCSPs||28,800||57,600|
|—FRA Request for Additional PTCSP Data||30 Railroads||15 documents||3,200||48,000|
|—PTCSPs Applying to Replace Existing Certified PTC Systems||30 Railroads||15 PTCSPs||3,200||48,000|
|—Non-Quantitative Risk Assessments Supplied to FRA||30 Railroads||15 assessments||3,200||48,000|
|236.1017—PTCSP Supported by Independent Third Party Assessment||30 Railroads||1 assessment||8,000||8,000|
|—Written Requests to FRA to Confirm Entity Independence||30 Railroads||1 request||8||8|
|—Provision of Additional Information After FRA Request||30 Railroads||1 document||160||160|
|—Independent Third Party Assessment: Waiver Requests||30 Railroads||1 request||160||160|
|—RR Request for FRA to Accept Foreign Railroad Regulator Certified Info||30 Railroads||1 request||32||32|
|236.1019—Main Line Track Exceptions.|
|—Submission of Main Line Track Exclusion Addendums (MTEAs)||30 Railroads||30 MTEAs||160||4,800|
|—Passenger Terminal Exception—MTEAs||30 Railroads||23 MTEAs||160||3,680|
|—Limited Operation Exception—Risk Mitigation Plans||30 Railroads||30 plans||160||4,800|
|—Temporal Separation Procedures||30 Railroads||15 procedures||160||2,400|
|236.1021—Discontinuances, Material Modifications, Amendments—Requests to Amend (RFA) PTCIP, PTCDP or PTCSP||30 Railroads||15 RFAs||80||1,200|
|—Review and Public Comment on RFA||7 Interested Groups||7 reviews + 20 comments||3; 16||341|
|236.1023—PTC Errors and Malfunctions—Notifications||30 Railroads||60 notifications||32||1,920|
|—Notifications of PTC Defect That Decreases Safety||30 Railroads||150 notifications||16||2,400|
|—Notification Updates of PTC Defect||30 Railroads||150 updates||16||2,400|
|—PTC Product Vendor Lists (PTCPVL)||30 Railroads||30 lists||8||240|
|—RR Procedures Upon Notification of PTC System Safety-Critical Upgrades, Rev., Etc||30 Railroads||30 procedures||16||480|
|—Manufacturer's Report of Investigation of PTC Defect||5 System Suppliers||5 reports||400||2,000|
|236.1029—Report of On-Board Lead Locomotive PTC Device Failure||30 Railroads||960 reports||96||92,160|
|236.1031—Previously Approved PTC Systems.|
|—Request for Expedited Certification (REC) for PTC System||30 Railroads||3 REC Letters||160||480|
|—Requests for Grandfathering on PTCSPs||30 Railroads||3 requests||1,600||4,800|
|236.1035—Field Testing Requirements||30 railroads||150 field test plans||800||120,000|
|—Results of Tests in PTCSP and PTCDP||30 railroads||960 records||4||3,840|
|—PTC Service Contractors Training Records||30 Railroads||9,000 records||130||4,500|
|—Reports of Safety Relevant Hazards Exceeding Those in PTCSP and PTCDP||30 Railroads||4 reports||8||32|
|—Final Report of Resolution of Inconsistency||30 Railroads||4 final reports||160||640|
|236.1039—Operations & Maintenance Manual (OMM): Development||30 railroads||30 manuals||250||7,500|
|—Positive Identification of Safety-critical Components||30 railroads||75,000 i.d. components||1||75,000|
|—Designated RR Officers in OMM regarding PTC issues||30 railroads||60 designations||2||120|
|236.1041—PTC Training Programs||30 Railroads||30 programs||400||12,000|
|236.1043—Task Analysis/Basic Requirements: Training Evaluations||30 railroads||6 evaluations||720||4,320|
|—Training Records||30 railroads||350 records||110||58|
|236.1045—Training Specific to Office Control Personnel||30 railroads||20 trained employees||20||400|
|236.1047—Training Specific to Loc. Engineers & Other Operating Personnel.|
|—PTC Conductor Training||30 railroads||5,000 trained conductors||3||15,000|
All estimates include the time for reviewing instructions; searching existing data sources; gathering or maintaining the needed data; and reviewing the information. Pursuant to 44 U.S.C. 3506(c)(2)(B), FRA solicits comments concerning: Whether these information collection requirements are necessary for the proper performance of the functions of FRA, including whether the information has practical utility; the accuracy of FRA's estimates of the burden of the information collection requirements; the quality, utility, and clarity of the information to be collected; and whether the burden of collection of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology, may be minimized. For information or a copy of the paperwork package submitted to OMB, contact Mr. Robert Brogan, Information Clearance Officer, at 202-493-6292, or Ms. Nakia Jackson at 202-493-6073.
Organizations and individuals desiring to submit comments on the collection of information requirements should direct them to Mr. Robert Brogan or Ms. Nakia Jackson, Federal Railroad Administration, 1200 New Jersey Avenue, SE., 3rd Floor, Washington, DC 20590. Comments may also be submitted via e-mail to Mr. Brogan or Ms. Jackson at the following address: email@example.com; firstname.lastname@example.org.
OMB is required to make a decision concerning the collection of information requirements contained in this proposed rule between 30 and 60 days after publication of this document in the Federal Register. Therefore, a comment to OMB is best assured of having its full effect if OMB receives it within 30 days of publication. The final rule will respond to any OMB or public comments on the information collection requirements contained in this proposal.
FRA is not authorized to impose a penalty on persons for violating information collection requirements which do not display a current OMB control number, if required. FRA intends to obtain current OMB control numbers for any new information collection requirements resulting from this rulemaking action prior to the effective date of the final rule. The OMB control number, when assigned, will be announced by separate notice in the Federal Register.
D. Federalism Implications
As discussed earlier in the preamble, this proposed rule would provide regulatory guidance and performance standards for the development, testing, implementation, and use of Positive Train Control (PTC) systems for railroads mandated by the Railroad Safety Improvement Act of 2008.
Executive Order 13132 requires FRA to develop an accountable process to ensure “meaningful and timely input by State and local officials in the development of regulatory policies that have Federalism implications.” Policies that have “Federalism implications” are defined in the Executive Order to include regulations that have “substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government.” Under Executive Order 13132, the agency may not issue a regulation with Federalism implications that imposes substantial direct compliance costs and that is not required by statute, unless the Federal government provides the funds necessary to pay the direct compliance costs incurred by State and local governments, or the agency consults with State and local government officials early in the process of developing the proposed regulation. Where a regulation has Federalism implications and preempts State law, the agency seeks to consult with State and local officials in the process of developing the regulation.
FRA has determined that this proposed rule would not have substantial direct effects on the States, on the relationship between the national government and the States, nor on the distribution of power and responsibilities among the various levels of government. In addition, FRA has determined that this proposed rule, which is required by the Railroad Safety Improvement Act of 2008, would not impose any direct compliance costs on State and local governments. Therefore, the consultation and funding requirements of Executive Order 13132 do not apply.
However, this proposed rule would have preemptive effect. Section 20106 of Title 49 of the United States Code provides that States may not adopt or continue in effect any law, regulation, or order related to railroad safety or security that covers the subject matter of a regulation prescribed or order issued by the Secretary of Transportation (with respect to railroad safety matters) or the Secretary of Homeland Security (with respect to railroad security matters), except when the State law, regulation, or order qualifies under the local safety or security exception to section 20106. The intent of § 20106 is to promote national uniformity in railroad safety and security standards. 49 U.S.C. 20106(a)(1). Thus, subject to a limited exception for essentially local safety or security hazards, this proposed rule would establish a uniform Federal safety standard that must be met, and State requirements covering the same subject matter would be displaced, whether those State requirements are in the form of a State law, regulation, or order.
In sum, FRA has analyzed this proposed rule in accordance with the principles and criteria contained in Executive Order 13132. As explained above, FRA has determined that this proposed rule has no Federalism implications, other than the preemption of State laws covering the subject matter of this proposed rule, which occurs by operation of law under 49 U.S.C. 20106 whenever FRA issues a rule or order. Accordingly, FRA has determined that preparation of a Federalism summary impact statement for this proposed rule is not required.
E. Environmental Impact
FRA has evaluated this proposed rule in accordance with its “Procedures for Considering Environmental Impacts” (“FRA's Procedures”) (64 FR 28545, May 26, 1999) as required by the National Environmental Policy Act (42 U.S.C. 4321 et seq.), other environmental statutes, Executive Orders, and related regulatory requirements. FRA has determined that this proposed rule is not a major FRA action (requiring the preparation of an environmental impact statement or environmental assessment) because it is categorically excluded from detailed environmental review pursuant to section 4(c)(20) of FRA's Procedures. In accordance with section 4(c) and (e) of FRA's Procedures, the agency has further concluded that no extraordinary circumstances exist with respect to this regulation that might trigger the need for a more detailed environmental review. As a result, FRA finds that this proposed rule is not a major Federal action significantly affecting the quality of the human environment.
F. Unfunded Mandates Reform Act of 1995
The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4, 2 U.S.C. 1531) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditures by State, local or tribal governments, in the aggregate, or by the private sector, of more than $100 million annually (adjusted annually for inflation with base year of 1995). The value equivalent of $100 million in CY 1995, adjusted annually for inflation to CY 2008 levels by the Consumer Price Index for All Urban Consumers (CPI-U) is $141.3 million. The assessment may be included in conjunction with other assessments, as it is here.
The proposed rule itself would not create an unfunded mandate in excess of the threshold amount. The bulk of unfunded mandate for implementation of PTC is attributable to RSIA08. The effects are discussed earlier in this document in the Regulatory Impact Analysis. Any unfunded mandates attributable to the proposed rulemaking would pertain to the costs of filing paperwork to prove compliance with RSIA08.
G. Energy Impact
Executive Order 13211 requires Federal agencies to prepare a Statement of Energy Effects for any “significant energy action.” 66 FR 28355 (May 22, 2001). Under the Executive Order, a “significant energy action” is defined as any action by an agency (normally published in the Federal Register) that promulgates or is expected to lead to the promulgation of a final rule or regulation, including notices of inquiry, advance notices of proposed rulemaking, and notices of proposed rulemaking: (1)(i) That is a significant regulatory action under Executive Order 12866 or any successor order, and (ii) is likely to have a significant adverse effect on the supply, distribution, or use of energy; or (2) that is designated by the Administrator of the Office of Information and Regulatory Affairs as a significant energy action. FRA has evaluated this proposed rule in accordance with Executive Order 13211. FRA has determined that this proposed rule is not likely to have a significant adverse effect on the supply, distribution, or use of energy. Consequently, FRA has determined that this regulatory action is not a “significant regulatory action” within the meaning of Executive Order 13211.
H. Privacy Act
FRA wishes to inform all interested parties that anyone is able to search the electronic form of any written communications and comments received into any of our dockets by the name of the individual submitting the document (or signing the document, if submitted on behalf of an association, business, labor union, etc.). Interested parties may also review DOT's complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19477) or visit http://www.regulations.gov.
List of Subjects
VIII. The Rule
In consideration of the foregoing, FRA proposes to amend chapter II, subtitle B of title 49, Code of Federal Regulations as follows:
PART 229—[AMENDED]
1. The authority citation for part 229 continues to read as follows:
2. Section 229.135 is amended by revising paragraphs (b)(3)(xxv) and (b)(4)(xxi) to read as follows:
§ 229.135 Event Recorders.
* * * * *
(b) * * *
(3) * * *
(xxv) Safety-critical train control data routed to the locomotive engineer's display with which the engineer is required to comply, specifically including text messages conveying mandatory directives and maximum authorized speed. The format, content, and proposed duration for retention of such data shall be specified in the product safety plan or PTC Safety Plan submitted for the train control system under subparts H or I, respectively, of part 236 of this chapter, subject to FRA approval under this paragraph. If it can be calibrated against other data required by this part, such train control data may, at the election of the railroad, be retained in a separate certified crashworthy memory module.
(4) * * *
(xxi) Safety-critical train control data routed to the locomotive engineer's display with which the engineer is required to comply, specifically including text messages conveying mandatory directives and maximum authorized speed. The format, content, and proposed duration for retention of such data shall be specified in the product safety plan or PTC Safety Plan submitted for the train control system under subparts H or I, respectively, of part 236 of this chapter, subject to FRA approval under this paragraph. If it can be calibrated against other data required by this part, such train control data may, at the election of the railroad, be retained in a separate certified crashworthy memory module.
PART 234—[AMENDED]
3. The authority citation for part 234 continues to read as follows:
4. In § 234.275 revise paragraphs (b)(1), (b)(2), (c), and (f) to read as follows:
§ 234.275 Processor-based systems.
* * * * *
(b) Use of performance standard authorized or required. (1) In lieu of compliance with the requirements of this subpart, a railroad may elect to qualify an existing processor-based product under part 236, subparts H or I, of this chapter.
(2) Highway-rail grade crossing warning systems, subsystems, or components that are processor-based and that are first placed in service after June 6, 2005, which contain new or novel technology, or which provide safety-critical data to a railroad signal or train control system that is governed by part 236, subpart H or I, of this chapter, shall also comply with those requirements. New or novel technology refers to a technology not previously recognized for use as of March 7, 2005.
* * * * *
(c) Plan justifications. The Product Safety Plan in accordance with 49 CFR 236.903—or a PTC Development Plan (PTCDP) and PTC Safety Plan (PTCSP) required to be filed in accordance with 49 CFR 236.1011 and 236.1013—must explain how the performance objective sought to be addressed by each of the particular requirements of this subpart is met by the product, why the objective is not relevant to the product's design, or how the safety requirements are satisfied using alternative means. Deviation from those particular requirements is authorized if an adequate explanation is provided, making reference to relevant elements of the applicable plan, and if the product satisfies the performance standard set forth in § 236.909 of this chapter. (See § 236.907(a)(14) of this chapter.)
* * * * *
(f) Software management control for certain systems not subject to a performance standard. Any processor-based system, subsystem, or component subject to this part, which is not subject to the requirements of part 236, subpart H or I, of this chapter but which provides safety-critical data to a signal or train control system shall be included in the software management control plan requirements as specified in § 236.18 of this chapter.
PART 235—[AMENDED]
5. The authority citation for part 235 continues to read as follows:
6. In § 235.7, add paragraph (a)(5) to read as follows:
§ 235.7 Changes not requiring filing of application.
(a) * * *
(5) Removal of an intermittent automatic train stop system in conjunction with the implementation of a positive train control system approved by FRA under subpart I of part 236.
* * * * *
PART 236—[AMENDED]
7. The authority citation for Part 236 is revised to read as follows:
* * * * *
8. Section 236.0 is amended by revising paragraphs (c) through (e) to read as follows:
§ 236.0 Applicability, minimum requirements, and penalties.
* * * * *
(c)(1) Prior to [insert date 24 months from publication of the final rule in the Federal Register], where a passenger train operates at a speed of 60 or more miles per hour, or a freight train operates at a speed of 50 or more miles per hour—
(i) A block signal system complying with the provisions of this part shall be installed; or
(ii) A manual block system shall be placed permanently in effect that shall conform to the following conditions:
(A) A train shall not be admitted, except for emergency purposes, to a block occupied by another train unless both trains are operating at restricted speed.
(B) A freight train, including a work train, may be authorized to follow a freight train, including a work train, into a block but the following train must proceed at restricted speed.
(2) On and after [insert date 24 months from publication of the final rule in the Federal Register], where a passenger train is permitted to operate at a speed of 60 or more miles per hour, or a freight train is permitted to operate at a speed of 50 or more miles per hour, a block signal system complying with the provisions of this part shall be installed, unless an FRA approved PTC system meeting the requirements of this part for the subject speed and other operating conditions, is installed.
(d)(1) Prior to December 31, 2015, where any train is permitted to operate at a speed of 80 or more miles per hour, an automatic cab signal, automatic train stop, or automatic train control system complying with the provisions of this part shall be installed, unless an FRA approved PTC system meeting the requirements of this part for the subject speed and other operating conditions, is installed.
(2) Subpart I of this part sets forth requirements for installation of PTC systems under conditions specified in that subpart.
(e) Nothing in this section authorizes the discontinuance of a block signal system, interlocking, traffic control system, automatic train control or train stop system, cab signal system, or PTC system without approval by the FRA under part 235 of this title. However, a railroad may apply for approval of discontinuance or material modification of a signal or train control system in connection with a request for approval of a Positive Train Control Development Plan (PTCDP) or Positive Train Control Safety Plan (PTCSP) as provided in subpart I of this part.
* * * * *
9. Section 236.909 is amended by adding a new sentence directly after the first sentence of paragraph (e)(1) and by revising paragraph (e)(2)(i) to read as follows:
§ 236.909 Minimum performance standards.
* * * * *
(e) * * *
(1) * * * The total risk assessment must have a supporting sensitivity analysis. The analysis must confirm that the risk metrics of the system are not negatively affected by sensitivity analysis input parameters including, for example, component failure rates, human factor error rates, and variations in train traffic affecting exposure. The sensitivity analysis must document the sensitivity to worst case failure scenarios. * * *
(2) * * *
(i) In all cases exposure must be expressed as total train miles traveled per year over the relevant railroad infrastructure. Consequences must identify the total cost, including fatalities, injuries, property damage, and other incidental costs, such as potential consequences of hazardous materials involvement, resulting from preventable accidents associated with the function(s) performed by the system.
* * * * *
10. Add a new subpart I to part 236 to read as follows:
- 236.1001 Purpose and scope.
- 236.1003 Definitions.
- 236.1005 Requirements for Positive Train Control systems.
- 236.1006 Equipping locomotives operating in PTC territory.
- 236.1007 Additional requirements for high-speed service.
- 236.1009 Procedural requirements.
- 236.1011 PTCIP content requirements.
- 236.1013 PTCDP content requirements and Type Approval.
- 236.1015 PTCSP content requirements and PTC System Certification.
- 236.1017 Independent third party Verification and Validation.
- 236.1019 Main line track exceptions.
- 236.1021 Discontinuances, material modifications, and amendments.
- 236.1023 Errors and malfunctions.
- 236.1027 Exclusions.
- 236.1029 PTC system use and en route failures.
- 236.1031 Previously approved PTC systems.
- 236.1033 Communications and security requirements.
- 236.1035 Field testing requirements.
- 236.1037 Records retention.
- 236.1039 Operations and Maintenance Manual.
- 236.1041 Training and qualification program, general.
- 236.1043 Task analysis and basic requirements.
- 236.1045 Training specific to office control personnel.
- 236.1047 Training specific to locomotive engineers and other operating personnel.
- 236.1049 Training specific to roadway workers.
Subpart I—Positive Train Control Systems
§ 236.1001 Purpose and scope.
(a) This subpart prescribes minimum, performance-based safety standards for PTC systems required by 49 U.S.C. 20157, this subpart, or an FRA order including requirements to ensure that the development, functionality, architecture, installation, implementation, inspection, testing, operation, maintenance, repair, and modification of those PTC systems will achieve and maintain an acceptable level of safety. This subpart also prescribes standards to ensure that personnel working with, and affected by, safety-critical PTC system related products receive appropriate training and testing.
(b) Each railroad may prescribe additional or more stringent rules, and other special instructions, that are not inconsistent with this subpart.
(c) This subpart does not exempt a railroad from compliance with any requirement of subpart A through H of this part or parts 233, 234, and 235 of this chapter, unless:
(1) it is otherwise explicitly excepted by this subpart; or
(2) the applicable PTCSP, as defined under § 236.1003 and approved by FRA under § 236.1015 provides for such an exception per § 236.1013.
§ 236.1003 Definitions.
(a) Definitions contained in subparts G and H of this part apply equally to this subpart.
(b) The following definitions apply to terms used only in this subpart unless otherwise stated:
After-arrival mandatory directive means any mandatory directive that makes the authority for train movement contingent upon the arrival of another train.
Associate Administrator means the FRA Associate Administrator for Railroad Safety and Chief Safety Officer.
Class I railroad means a railroad which in the last year for which revenues were reported exceeded the threshold established under regulations of the Surface Transportation Board (49 CFR part 1201.1-1 (2008)).
Cleartext means the un-encrypted text in its original, human readable, form. It is the input of an encryption or encipher process, and the output of a decryption or decipher process.
Host railroad means a railroad that has effective operating control over a segment of track.
Interoperability means the ability of a controlling locomotive to communicate with and respond to the PTC railroad's positive train control system, including uninterrupted movements over property boundaries.
Limited operations means operations on main line track that have limited or no freight operations and are approved to be excepted from this subpart's PTC system implementation and operation requirements in accordance with § 236.1019(c).
Main line means, except as provided in § 236.1019 or where all trains are limited to restricted speed within a yard or terminal area or on auxiliary or industry tracks, a segment or route of railroad tracks:
(1) of a Class I railroad, as documented in current timetables filed by the Class I railroad with the FRA under § 217.7 of this title, over which 5,000,000 or more gross tons of railroad traffic is transported annually; or
(2) used for regularly scheduled intercity or commuter passenger service, as defined in 49 U.S.C. 24102, or both. Tourist, scenic, historic, or excursion operations as defined in part 238 of this chapter are not considered intercity or commuter passenger service for purposes of this part.
Main line track exclusion addendum (“MTEA”) means the document submitted under §§ 236.1011 and 236.1019 requesting to designate track as other than main line.
PTC means positive train control as further described in § 236.1005.
PTCDP means a PTC Development Plan as further described in § 236.1013.
PTCIP means a PTC Implementation Plan as required under 49 U.S.C. 20157 and further described in § 236.1011.
PTC railroad means each Class I railroad and each entity providing regularly scheduled intercity or commuter rail passenger transportation required to implement or operate a PTC system.
PTCSP means a PTC Safety Plan as further described in § 236.1015.
PTCPVL means a PTC Product Vendor List as further described in § 236.1023.
PTC System Certification means certification as required under 49 U.S.C. 20157 and further described in §§ 236.1009 and 236.1015.
Request for Amendment (“RFA”) means a request for an amendment of a plan or system made by a PTC railroad in accordance with § 236.1021.
Request for Expedited Certification (“REC”) means, as further described in § 236.1031, a request by a railroad to receive expedited consideration for PTC System Certification.
Restricted speed means, Speed, restricted, as defined in subpart G of this part.
Safe State means a system configuration that cannot cause harm when the system fails.
Segment of track means any part of the railroad where a train operates.
Temporal separation means the process or processes in place to assure that limited passenger and freight operations do not operate on any segment of shared track during the same period and as further defined under § 236.1019.
Tenant railroad means a railroad, other than a host railroad, operating on track upon which a PTC system is required.
Track segment means segment of track.
Type Approval means a number assigned to a particular PTC system indicating FRA agreement that the PTC system could fulfill the requirements of this subpart.
Train means one or more locomotives, coupled with or without cars.
§ 236.1005 Requirements for Positive Train Control systems.
(a) PTC system requirements. Each PTC system required to be installed under this subpart shall:
(1) Reliably and functionally prevent:
(i) Train-to-train collisions—including collisions between trains operating over at-grade crossings of rail lines—where the risk associated with such collisions is unacceptable in accordance with the following table or alternative arrangements providing an equivalent level of safety as specified in an FRA approved PTCSP:
|Crossing type|Max speed *|Protection required|
|---|---|---|
|Interlocking—one or more PTC routes intersecting with one or more non-PTC routes|≤40 miles per hour|Interlocking signal arrangement in accordance with the requirements of subparts A-G of this part and PTC enforced stop on PTC routes.|
|Interlocking—one or more PTC routes intersecting with one or more non-PTC routes|40 miles per hour|Interlocking signal arrangement in accordance with the requirements of subparts A-G of this part, PTC enforced stop on all PTC routes, and either the use of other than full PTC technology that provides positive stop enforcement or a split-point derail incorporated into the signal system accompanied by 20 miles per hour maximum allowable speed on the approach of any intersecting non-PTC route.|
|Interlocking—all PTC routes intersecting|Any speed|Interlocking signal arrangements in accordance with the requirements of subparts A-G of this part, and PTC enforced stop on all routes.|
(ii) Overspeed derailments, including derailments related to railroad civil engineering speed restrictions, slow orders, and excessive speeds over switches and through turnouts;
(iii) Incursions into established work zone limits without first receiving appropriate authority and verification from the dispatcher or roadway worker in charge, as applicable and in accordance with part 214 of this chapter; and
(iv) The movement of a train through a main line switch in the improper position as further described in paragraph (e) of this section.
(2) Include safety-critical integration of all authorities and indications of a wayside or cab signal system, or other similar appliance, method, device, or system of equivalent safety, in a manner by which the PTC system shall provide associated warning and enforcement to the extent, and except as, described and justified in the FRA approved PTCDP or PTCSP, as applicable;
(3) As applicable, perform the additional functions specified in this subpart;
(4) Provide an appropriate warning or enforcement when:
(i) A derail or switch protecting access to the main line required by § 236.1007, or otherwise provided for in the applicable PTCSP, is not in its derailing or protecting position, respectively;
(ii) An operational restriction is issued associated with a highway-rail grade crossing warning system malfunction as required by §§ 234.105, 234.106, or 234.107;
(iii) An after-arrival mandatory directive has been issued and the train or trains to be waited on has not yet passed the location of the receiving train;
(iv) Any movable bridge within the route ahead is not in a position to allow permissive indication for a train movement pursuant to § 236.312; and
(v) A hazard detector integrated into the PTC system that is required by paragraph (c) of this section, or otherwise provided for in the applicable PTCSP, detects an unsafe condition or transmits an alarm; and
(5) Limit the speed of passenger and freight trains to 59 miles per hour and 49 miles per hour, respectively, in areas without broken rail detection or equivalent safeguards.
(b) PTC system installation. (1) After December 31, 2015, a PTC system certified under § 236.1015 shall be installed by the host railroad on each:
(i) Main line over which is transported any quantity of poison- or toxic-by-inhalation (PIH) hazardous materials, as defined in §§ 171.8, 173.115 and 173.132 of this title;
(ii) Main line used for regularly provided intercity or commuter passenger service, except as provided in § 236.1019; and
(iii) Additional line of railroad as required by the applicable FRA-approved PTCSP, this subpart, or an FRA order requiring installation of a PTC system.
(2) For the purposes of paragraph (b)(1)(i) of this section, the information necessary to determine whether a Class I railroad's track segment shall be equipped with a PTC system shall be determined and reported as follows:
(i) The traffic density threshold of 5 million gross tons shall be based upon calendar year 2008 gross tonnage.
(ii) The presence or absence of any quantity of PIH hazardous materials shall be determined by whether one or more cars containing such product(s) was transported over the line segment in calendar year 2008.
(3) To the extent increases in freight rail traffic occur subsequent to calendar year 2008 that might affect the requirement to install a PTC system on any line not yet equipped, the railroad shall seek to amend its PTCIP by promptly filing an RFA in accordance with § 236.1021. The following criteria apply:
(i) To the extent rail traffic exceeds 5 million gross tons in any year after 2008, the tonnage shall be calculated for the preceding two calendar years in determining whether a PTCIP or its amendment is required.
(ii) To the extent PIH traffic is carried on a line segment as a result of a request for rail service or rerouting warranted under part 172 of this title, and if the line carries in excess of 5 million gross tons of rail traffic as determined under this paragraph. This does not apply when temporary rerouting is authorized in accordance with paragraph (g) of this section.
(iii) Once a railroad is notified by FRA that its RFA filed in accordance with this paragraph has been approved, the railroad shall equip the line with the applicable PTC system by December 31, 2015, or within 24 months, whichever is later.
(4) If a railroad has filed, and FRA has approved, its initial PTCIP, a railroad may file an RFA to request review of the requirement to install PTC on a line segment where a PTC system is required, but has not yet been installed, based upon changes in rail traffic such as reductions in total traffic volume or cessation of local PIH service. Any such RFA shall be accompanied by estimated traffic projections for the next 5 years (e.g., as a result of planned rerouting, coordinations, location of new business on the line). Where the request involves prior or planned rerouting of PIH traffic, the railroad must provide a supporting analysis that takes into consideration the requirements of subpart I, part 172 of this title, including any railroad-specific and interline routing impacts. FRA may approve the RFA if FRA finds that it would be consistent with safety and in the public interest.
(5) After December 31, 2015, no intercity or commuter rail passenger service shall continue or commence until a PTC system certified under this subpart has been installed and made operative.
(c) Hazard detectors. (1) All hazard detectors integrated into a signal or train control system on or after October 16, 2008, shall be integrated into PTC systems required by this subpart; and their warnings shall be appropriately and timely enforced as described in the applicable PTCSP.
(2) The applicable PTCSP may provide for receipt and presentation to the locomotive engineer and other train crew of warnings from additional hazard detectors using the PTC data network, onboard displays, and audible alerts. If the PTCSP so provides, the action to be taken by the system and by the crew members shall be specified.
(3) The PTCDP (as applicable) and PTCSP for any service described in § 236.1007 to be conducted above 90 miles per hour shall include a hazard analysis describing the hazards relevant to the specific route(s) in question (e.g., potential for track obstruction due to events such as falling rock or undermining of the track structure due to high water or displacement of a bridge over navigable waters), the basis for decisions concerning hazard detectors provided, and the manner in which such additional hazard detectors will be interfaced with the PTC system.
(d) Event recorders. (1) Each lead locomotive, as defined in part 229, of a train equipped and operating with a PTC system required by this subpart must be equipped with an operative event recorder, which shall:
(i) Record safety-critical train control data routed to the locomotive engineer's display that the engineer is required to comply with;
(ii) Specifically include text messages conveying mandatory directives and maximum authorized speeds; and
(iii) Include the display format, content, and data retention duration requirements specified in the PTC safety plan submitted and approved pursuant to this paragraph. If such train control data can be calibrated against other data required by this part, it may, at the election of the railroad, be retained in a separate memory module.
(2) Each lead locomotive, as defined in part 229, manufactured and in service after October 1, 2009, that is equipped and operating with a PTC system required by this subpart, shall be equipped with an event recorder memory module meeting the crash hardening requirements of § 229.135 of this chapter.
(3) Nothing in this subpart excepts compliance with any of the event recorder requirements contained in § 229.135 of this chapter.
(e) Switch position. The following requirements apply with respect to determining proper switch position under this section. When a main line switch position is unknown or improperly aligned for a train's route in advance of the train's movement, the PTC system will provide warning of the condition associated with the following enforcement:
(1) A PTC system must enforce restricted speed over any switch:
(i) Where train movements are made with the benefit of the indications of a wayside or cab signal system or other similar appliance, method, device, or system of equivalent safety proposed to FRA and approved by the Associate Administrator in accordance with this part; and
(ii) Where wayside or cab signal system or other similar appliance, method, device, or system of equivalent safety requires the train to be operated at restricted speed.
(2) A PTC system must enforce a positive stop short of any main line switch, and any switch on a siding where the allowable speed is in excess of 20 miles per hour, if movement of the train over the switch:
(i) Is made without the benefit of the indications of a wayside or cab signal system or other similar appliance, method, device, or system of equivalent safety proposed to FRA and approved by the Associate Administrator in accordance with this part; or
(ii) Would create an unacceptable risk. Unacceptable risk includes conditions when traversing the switch, even at low speeds, could result in direct conflict with the movement of another train (including a hand-operated crossover between main tracks, a hand-operated crossover between a main track and an adjoining siding or auxiliary track, or a hand-operated switch providing access to another subdivision or branch line, etc.).
(3) A PTC system required by this subpart shall be designed, installed, and maintained to perform the switch position detection and enforcement described in paragraphs (e)(1) and (e)(2) of this section, except as provided for and justified in the applicable, FRA-approved PTCDP or PTCSP.
(4) The control circuit or electronic equivalent for any movement authorities over any switches, movable-point frogs, or derails shall be selected through circuit controller or functionally equivalent device operated directly by switch points, derail, or by switch locking mechanism, or through relay or electronic device controlled by such circuit controller or functionally equivalent device, for each switch, movable-point frog, or derail in the route governed. Circuits or electronic equivalent shall be arranged so that any movement authorities can only be provided when each switch, movable-point frog, or derail in the route governed is in proper position, and shall be in accordance with subparts A through G of this part unless it is otherwise provided in a PTCSP approved under this subpart.
(f) Train-to-train collision. A PTC system shall be considered to be configured to prevent train-to-train collisions within the meaning of paragraph (a) of this section if trains are required to be operated at restricted speed and if the onboard PTC equipment enforces the upper limits of the railroad's restricted speed rule (15 or 20 miles per hour). This application applies to:
(1) Operating conditions under which trains are required by signal indication or operating rule to:
(i) Stop before continuing; or
(ii) Reduce speed to restricted speed and continue at restricted speed until encountering a more favorable indication or as provided by operating rule.
(2) Operation of trains within the limits of a joint mandatory directive.
(g) Temporary rerouting. A train equipped with a PTC system as required by this subpart may be temporarily rerouted onto a track not equipped with a PTC system and a train not equipped with a PTC system may be temporarily rerouted onto a track equipped with a PTC system as required by this subpart in the following circumstances:
(1) Emergencies. In the event of an emergency—including conditions such as derailment, flood, fire, tornado, hurricane, or other similar circumstance outside of the railroad's control—that would prevent usage of the regularly used track if:
(i) The rerouting is applicable only until the emergency condition ceases to exist and for no more than 14 consecutive calendar days, unless otherwise extended by approval of the Associate Administrator;
(ii) The railroad provides written or telephonic notification to the applicable Regional Administrator of the information listed in paragraph (i) within one business day of the beginning of the rerouting made in accordance with this paragraph; and
(iii) The conditions under paragraph (j) are followed.
(2) Planned maintenance. In the event of planned maintenance that would prevent usage of the regularly used track if:
(i) The maintenance period does not exceed 30 days;
(ii) A request is filed with the applicable Regional Administrator in accordance with paragraph (i) of this section no less than 10 business days prior to the planned rerouting; and
(iii) The conditions contained in paragraph (j) of this section are followed.
(h) Rerouting requests. (1) For the purposes of paragraph (g)(2) of this section, the rerouting request shall be self-executing unless the applicable Regional Administrator responds with a notice disapproving of the rerouting or providing instructions to allow rerouting. Such instructions may include providing additional information to the Regional Administrator or Associate Administrator prior to the commencement of rerouting. Once the Regional Administrator responds with a notice under this paragraph, no rerouting may occur until the Regional Administrator or Associate Administrator provides his or her approval.
(2) In the event the temporary rerouting described in paragraph (g)(2) of this section is to exceed 30 consecutive calendar days:
(i) The railroad shall provide a request in accordance with paragraphs (i) and (j) of this section with the Associate Administrator no less than 10 business days prior to the planned rerouting; and
(ii) The rerouting contemplated by this paragraph shall not commence until receipt of approval from the Associate Administrator.
(i) Content of rerouting request. Each notice or request referenced in paragraph (g) of this section must indicate:
(1) The dates that such temporary rerouting will occur;
(2) The number and types of trains that will be rerouted;
(3) The location of the affected tracks; and
(4) A description of the necessity for the temporary rerouting.
(j) Rerouting conditions. Rerouting of operations under paragraph (g) of this section may only occur if:
(1) An absolute block is established in advance of each rerouted train movement; and
(2) Each rerouted train movement shall not exceed 59 miles per hour for passenger and 49 miles per hour for freight.
(k) Rerouting cessation. The applicable Regional Administrator may order a railroad to cease any rerouting provided under paragraph (g) or (h) of this section.
§ 236.1006 Equipping locomotives operating in PTC territory.
(a) Except as provided in paragraph (b) of this section, each train operating on any track segment equipped with a PTC system shall be controlled by a locomotive equipped with an on-board PTC apparatus that is fully operative and functioning in accordance with the applicable PTCSP approved under this subpart.
(b) Exceptions. (1) Prior to December 31, 2015, each train controlled by a locomotive not equipped with an onboard PTC apparatus is permitted to operate.
(2) Prior to December 31, 2013, each train controlled by a locomotive equipped with an onboard PTC apparatus that is not fully operative is permitted only if:
(i) The subject locomotive failed initialization at the point of origin for the train or at the location where the locomotive was added to the train;
(ii) The railroad has included in its FRA approved PTC Implementation Plan a system for identifying PTC system reliability exceptions and responding with appropriate remedial actions, the railroad executes that plan, and the documentation for execution of the plan is currently available to FRA upon request; and
(iii) The percentage of controlling locomotives operating out of each railroad's initial terminals after receiving a failed initialization and over a track segment equipped with a PTC system, does not during each calendar month exceed:
(A) 20 percent until December 31, 2011;
(B) 15 percent from the end of the period in paragraph (A) to December 31, 2012; and
(C) 10 percent from the end of the period in paragraph (B) to December 31, 2013.
(3) A train controlled by a locomotive with an onboard PTC apparatus that has failed en route is permitted to operate in accordance with § 236.1029.
(4) A train operated by a Class II or Class III railroad, including a tourist or excursion railroad, and controlled by a locomotive not equipped with an onboard PTC apparatus is permitted to operate on a PTC operated track segment:
(i) That either:
(A) Has no regularly scheduled intercity or passenger rail passenger transportation traffic; or
(B) Has regularly scheduled intercity or passenger rail passenger transportation traffic and the applicable PTCIP permits the operation of a train operated by a Class II or III railroad and controlled by a locomotive not equipped with an onboard PTC apparatus;
(ii) Where operations are restricted to less than four such unequipped trains per day, whereas a train conducting a “turn” operation (e.g., moving to a point of interchange to drop off or pick up cars and returning to the track owned by a Class II or III railroad) is considered two trains for this purpose; and
(iii) Where each movement shall either:
(A) Not exceed 20 miles in length; or
(B) To the extent any movement exceeds 20 miles in length, such movement is not permitted without the controlling locomotive being equipped with an onboard PTC system after December 31, 2020, and each applicable Class II or III railroad shall report to FRA its progress in equipping each necessary locomotive with an onboard PTC apparatus to facilitate continuation of the movement. The progress reports shall be filed not later than December 31, 2017 and, if all necessary locomotives are not yet equipped, on December 31, 2019.
(c) When a train movement is conducted under the exceptions described in paragraph (b)(4) of this section, that movement shall be made in accordance with § 236.1029.
§ 236.1007 Additional requirements for high-speed service.
(a) A PTC railroad that conducts a passenger operation at or greater than 60 miles per hour or a freight operation at or greater than 50 miles per hour shall have installed a PTC system including or working in concert with technology that includes all of the safety-critical functional attributes of a block signal system meeting the requirements of this part, including appropriate fouling circuits and broken rail detection (or equivalent safeguards).
(b) In addition to the requirements of paragraph (a), a host railroad that conducts a freight or passenger operation at more than 90 miles per hour shall:
(1) Have an approved PTCSP establishing that the system was designed and will be operated to meet the failsafe operation criteria described in Appendix C to this part; and
(2) Prevent unauthorized or unintended entry onto the main line from any track not equipped with a PTC system compliant with this subpart by placement of split-point derails or equivalent means integrated into the PTC system; and
(3) Comply with § 236.1029(c).
(c) In addition to the requirements of paragraphs (a) and (b), a host railroad that conducts a freight or passenger operation at more than 125 miles per hour shall have an approved PTCSP accompanied by a document (“HSR-125”) establishing that the system:
(1) Will be operated at a level of safety comparable to that achieved over the 5-year period prior to the submission of the PTCSP by other train control systems that perform PTC functions required by this subpart, and which have been utilized on high-speed rail systems with similar technical and operational characteristics in the United States or in foreign service, provided that the use of foreign service data must be approved by the Associate Administrator before submittal of the PTCSP; and
(2) Has been designed to detect incursions into the right-of-way, including incidents involving motor vehicles diverting from adjacent roads and bridges, where conditions warrant.
(d) In addition to the requirements of paragraphs (a) through (c) of this section, a host railroad that conducts a freight or passenger operation at more than 150 miles per hour, which is governed by a Rule of Particular Applicability, shall have an approved PTCSP accompanied by a HSR-125 developed as part of an overall system safety plan approved by the Associate Administrator.
§ 236.1009 Procedural requirements.
(a) PTC Implementation Plan (PTCIP). (1) By April 16, 2010, each host railroad that is required to implement and operate a PTC system in accordance with § 236.1005(b) shall develop and submit in accordance with § 236.1011(a) a PTCIP for implementing a PTC system required under § 236.1005. Filing of the PTCIP shall not exempt the required filings of a PTCSP, PTCDP, or Type Approval.
(2) After April 16, 2010, a host railroad shall file:
(i) A PTCIP if it becomes a host railroad of a main line track; or
(ii) A request for amendment (“RFA”) of its current and approved PTCIP in accordance with § 236.1021 if it intends to:
(A) Initiate a new category of service (i.e., passenger or freight); or
(B) Add, subtract, or otherwise materially modify one or more lines of railroad for which installation of a PTC system is required.
(3) If the host railroad is a freight railroad, and the subject trackage would require installation and operation of a PTC system in accordance with §§ 236.1005(b)(2) or (b)(3), then a PTCIP required to be filed in accordance with this paragraph (a)(1) or (a)(2) of this section must be jointly filed with each entity providing regularly scheduled intercity or commuter rail passenger transportation over that subject trackage. If railroads are unable to jointly file a PTCIP in accordance with paragraphs (a)(1) and (a)(3) of this section, then they each shall:
(i) Separately file a PTCIP in accordance with paragraph (a)(1);
(ii) Notify the Associate Administrator that the subject railroads were unable to agree on a PTCIP to be jointly filed;
(iii) Provide the Associate Administrator with a comprehensive list of all issues not in agreement between the railroads that would prevent the subject railroads from jointly filing the PTCIP; and
(iv) Confer with the Associate Administrator to develop and submit a PTCIP mutually acceptable to all subject railroads.
(b) Type Approval. A host railroad, or one or more system suppliers and one or more host railroads, shall file prior to or simultaneously with the filing made in accordance with paragraph (a) of this section:
(1) An unmodified Type Approval previously issued by the Associate Administrator in accordance with § 236.1013 or § 236.1031(b) with its associated docket number;
(2) A PTCDP requesting a Type Approval for:
(i) A PTC system that does not have a Type Approval; or
(ii) A PTC system with a previously issued Type Approval that requires one or more variances;
(3) A PTCSP subject to the conditions set forth in paragraph (c) of this section, with or without a Type Approval; or
(4) A document attesting that a Type Approval is not necessary since the host railroad has no territory for which a PTC system is required under this subpart.
(c) PTCSP and PTC System Certification. The following apply to each PTCSP and PTC System Certification.
(1) A PTC System Certification for a PTC system may be obtained by submitting an acceptable PTCSP. If the PTC system is the subject of a Type Approval, the safety case elements contained in the PTCDP may be incorporated by reference into the PTCSP, subject to finalization of the human factors analysis contained in the PTCDP.
(2) Each PTCSP requirement under § 236.1015 shall be supported by information and analysis sufficient to establish that the requirements of this subpart have been satisfied.
(3) If the Associate Administrator finds that the PTCSP and supporting documentation support a finding that the system complies with this part, the Associate Administrator may approve the PTCSP. If the Associate Administrator approves the PTCSP, the railroad shall receive PTC System Certification for the subject PTC system and shall implement the PTC system according to the PTCSP.
(4) A required PTC system shall not:
(i) Be used in service until it receives from FRA a PTC System Certification; and
(ii) Receive a PTC System Certification unless FRA receives and approves an applicable:
(A) PTCIP and PTCSP; or
(B) Request for Expedited Certification (REC) as defined by § 236.1031(a).
(d) Plan contents. (1) No PTCIP shall receive approval unless it complies with § 236.1011. No railroad shall receive a Type Approval or PTC System Certification unless the applicable PTCDP or PTCSP, respectively, comply with §§ 236.1013 and 236.1015, respectively.
(2) All materials filed in accordance with this subpart must be in the English language, or have been translated into English and attested as true and correct.
(3) Each filing referenced in this section may include a request for full or partial confidentiality in accordance with § 209.11 of this chapter. If confidentiality is requested as to a portion of any applicable document, then in addition to the filing requirements under § 209.11 of this chapter, the person filing the document shall also file a copy of the original unredacted document, marked to indicate which portions are redacted in the document's confidential version without obscuring the original document's contents.
(e) Supporting documentation and information. (1) Issuance of a Type Approval or PTC System Certification is contingent upon FRA's confidence in the implementation and operation of the subject PTC system. This confidence may be based on FRA-monitored field testing or an independent assessment performed in accordance with § 236.1035 or § 236.1017, respectively.
(2) Upon request by FRA, the railroad requesting a Type Approval or PTC System Certification must engage in field testing or independent assessment performed in accordance with § 236.1035 or § 236.1017, respectively, to support the assertions made in any of the plans submitted under this subpart. These assertions include any of the plans' content requirements under this subpart.
(f) FRA conditions, reconsiderations, and modifications. (1) As necessary to ensure safety, FRA may attach special conditions to approving a PTCIP or issuing a Type Approval or PTC System Certification.
(2) After granting a Type Approval or PTC System Certification, FRA may reconsider the Type Approval or PTC System Certification upon revelation of any of the following factors concerning the contents of the PTCIP, PTCDP or PTCSP:
(i) Potential error or fraud;
(ii) Potentially invalidated assumptions determined as a result of in-service experience or one or more unsafe events calling into question the safety analysis supporting the approval.
(3) During FRA's reconsideration in accordance with this paragraph, the PTC system may remain in use if otherwise consistent with the applicable law and regulations and FRA may impose special conditions for use of the PTC system.
(4) After FRA's reconsideration in accordance with this paragraph, FRA may:
(i) Dismiss its reconsideration and continue to recognize the existing FRA approved Type Approval;
(ii) Allow continued operations under such conditions the Associate Administrator deems necessary to ensure safety; or
(iii) Revoke the Type Approval or PTC System Certification and direct the railroad to cease operations where PTC systems are required under this subpart.
(g) FRA access. The Associate Administrator, or that person's designated representatives, shall be afforded reasonable access to monitor, test, and inspect processes, procedures, facilities, documents, records, design and testing materials, artifacts, training materials and programs, and any other information used in the design, development, manufacture, test, implementation, and operation of the system, as well as interview any personnel:
(1) Associated with a PTC system for which a Type Approval or PTC System Certification has been requested or provided; or
(2) To determine whether a railroad has been in compliance with this subpart.
(h) Foreign regulatory entity verification. Information that has been certified under the auspices of a foreign regulatory entity recognized by the Associate Administrator may, at the Associate Administrator's sole discretion, be accepted as independently Verified and Validated and used to support each railroad's development of the PTCSP.
§ 236.1011 PTCIP content requirements.
(a) Contents. A PTCIP filed pursuant to this subpart shall, at a minimum, describe:
(1) The technology that will be employed;
(2) How the PTC railroad intends to comply with § 236.1009(c);
(3) How the PTC system will provide for interoperability of the system between the host and all tenant railroads on the lines required to be equipped with PTC systems under this subpart and:
(i) Include copies of relevant provisions of any agreements, executed by all applicable railroads, in place to achieve interoperability;
(ii) List all technologies used to obtain interoperability; and
(iii) Identify any railroads with respect to which interoperability agreements or compatible technology have not been achieved as of the time the plan is filed, the practical obstacles that were encountered that prevented resolution, and the further steps planned to overcome those obstacles;
(4) How, to the extent practical, the PTC system will be implemented to address areas of greater risk to the public and railroad employees before areas of lesser risk;
(5) The sequence and schedule in which line segments will be equipped and the basis for those decisions, and shall at a minimum address the following risk factors by line segment:
(i) Segment traffic characteristics such as typical annual passenger and freight train volume and volume of poison- or toxic-by-inhalation (PIH or TIH) shipments (loads, residue);
(ii) Segment operational characteristics such as current method of operation (including presence or absence of a block signal system), number of tracks, and maximum allowable train speeds, including planned modifications; and
(iii) Route attributes bearing on risk, including ruling grades and extreme curvature;
(6) The following information relating to rolling stock:
(i) What rolling stock will be equipped with PTC technology;
(ii) The schedule to equip that rolling stock by December 31, 2015; and
(iii) Unless the tenant railroad is filing its own PTCIP, the host railroad's PTCIP shall:
(A) Attest that the host railroad has made a formal written request to each tenant railroad requesting identification of each rolling stock to be PTC system equipped and the date each will be equipped; and
(B) Include each tenant railroad's response to the host railroad's written request made in accordance with paragraph (a)(6)(iii)(A) of this section;
(7) The number of wayside devices required for each line segment and the installation schedule to complete wayside equipment installation by December 31, 2015;
(8) Which track segments the railroad considers mainline and non-mainline track. If the PTCIP includes a MTEA, as defined by § 236.1019, the PTCIP should identify the tracks included in the MTEA as main line track with a reference to the MTEA; and
(9) To the extent the railroad determines that risk-based prioritization required by paragraph (a)(4) of this section is not practical, the basis for this determination.
(b) Additional Class I railroad PTCIP requirements. Each Class I railroad shall include:
(1) In its PTCIP a strategy for full deployment of its PTC system, describing the criteria that it will apply in identifying additional rail lines on its own network, and rail lines of entities that it controls or engages in joint operations with, for which full or partial deployment of PTC technologies is appropriate, beyond those required to be equipped under this subpart. Such criteria shall include consideration of the policies established by 49 U.S.C. 20156 (railroad safety risk reduction program), and regulations issued thereunder, as well as non-safety business benefits that may accrue.
(2) In the Technology Implementation Plan of its Risk Reduction Program, when first required to be filed in accordance with 49 U.S.C. 20156 and any regulation promulgated thereunder, a specification of rail lines selected for full or partial deployment of PTC under the criteria identified in its PTCIP.
(3) Nothing in this paragraph shall be construed to create an expectation or requirement that additional rail lines beyond those required to be equipped by this subpart must be equipped or that such lines will be equipped during the period of primary implementation ending December 31, 2015.
(4) As used in this paragraph, “partial implementation” of a PTC system refers to use, pursuant to subpart H of this part, of technology embedded in PTC systems that does not employ all of the functionalities required by this subpart.
(c) FRA review. Within 90 days of receipt of a PTCIP, the Associate Administrator will approve or disapprove of the plan and notify in writing the affected railroad or other entity. If the PTCIP is not approved, the notification will include the plan's deficiencies. Within 30 days of receipt of that notification, the railroad or other entity that submitted the plan shall correct all deficiencies and resubmit the plan in accordance with § 236.1009 and paragraph (a) of this section, as applicable.
(d) Subpart H. A railroad that elects to install a PTC system when not required to do so may elect to proceed under this subpart or under subpart H.
(e) Upon receipt of a PTCIP, PTCDP, or PTCSP, FRA posts on its public Web site notice of receipt and reference to the public docket in which a copy of the filing has been placed. FRA may consider any public comment on each document to the extent practicable within the time allowed by law and without delaying implementation of PTC systems.
§ 236.1013 PTCDP content requirements and Type Approval.
(a) For a PTC system to obtain a Type Approval from FRA, the PTCDP shall be filed in accordance with § 236.1009 and shall include:
(1) A complete description of the PTC system, including a list of all PTC system components and their physical relationships in the subsystem or system;
(2) A description of the railroad operation or categories of operations on which the PTC system is designed to be used, including train movement density (passenger, freight), operating speeds, track characteristics, and railroad operating rules;
(3) An operational concepts document, including a list with complete descriptions of all functions which the PTC system will perform to enhance or preserve safety;
(4) A document describing the manner in which the PTC architecture satisfies safety requirements;
(5) A description of the safety assurance concepts that are to be used for system development, including an explanation of the design principles and assumptions;
(6) A preliminary human factors analysis, including a complete description of all human-machine interfaces and the impact of interoperability requirements on the same;
(7) An analysis of the applicability to the PTC system of the requirements of subparts A-G of this part that may no longer apply or are satisfied by the PTC system using an alternative method, and a complete explanation of the manner in which those requirements are otherwise fulfilled;
(8) A description of the necessary security measures for the system;
(9) A description of target safety levels (e.g., MTTHE for major subsystems as defined in subpart H), including requirements for system availability and a description of all backup methods of operation and any critical assumptions associated with the target levels;
(10) A complete description of how the PTC system will enforce authorities and signal indications;
(11) A description of the deviation required under § 236.1029(c), if applicable; and
(12) A complete description of how the PTC system will appropriately and timely enforce all integrated hazard detectors in accordance with § 236.1005(c)(3), if applicable.
(b) If the Associate Administrator finds that the system described in the PTCDP would satisfy the requirements for PTC systems under this subpart and that the applicant has made a reasonable showing that a system built to the stated requirements would achieve the level of safety mandated for such a system under § 236.1015, the Associate Administrator may grant a numbered Type Approval for the system.
(c) Each Type Approval shall be valid for a period of 5 years, subject to automatic and indefinite extension provided that at least one PTC System Certification using the subject PTC system has been issued within that period and not revoked.
(d) A PTCSP submitted under this subpart may reference and utilize in accordance with this subpart any Type Approval previously issued by the Associate Administrator to any railroad, provided that the railroad:
(1) Maintains a continually updated PTCPVL pursuant to § 236.1023; and
(2) Provides the applicable licensing information.
(e) A railroad submitting a PTCDP under this subpart must show that the supplier from which they are procuring the PTC system has established and can maintain a quality control system for PTC system design and manufacturing acceptable to the Associate Administrator.
(f) The Associate Administrator may prescribe special conditions, amendments, and restrictions to any Type Approval as necessary for safety.
§ 236.1015 PTCSP content requirements and PTC System Certification.
(a) Before placing a PTC system required under this part in service, the host railroad must submit to FRA a PTCSP and receive a PTC System Certification. If the Associate Administrator finds that the PTCSP and supporting documentation support a finding that the system complies with this part, the Associate Administrator approves the PTCSP and issues a PTC System Certification. Receipt of a PTC System Certification affirms that the PTC system has been reviewed and approved by FRA in accordance with, and meets the requirements of, this part.
(b) A PTCSP submitted in accordance with this subpart shall:
(1) Include the applicable FRA approved PTCIP and, if applicable, the PTCDP and Type Approval;
(2)(i) Specifically and rigorously document each variance, including the significance of each variance between the PTC system and its applicable operating conditions as described in the applicable PTCIP and any applicable PTCDP from that as described in the PTCSP, and attest that there are no other such variances; or
(ii) Attest that there are no variances between the PTC system and its applicable operating conditions as described in the applicable PTCIP and any applicable PTCDP from that as described in the PTCSP; and
(3) Attest that the system was otherwise built in accordance with the applicable PTCDP and PTCSP and achieves the level of safety represented therein.
(c) A PTCSP shall include the same information required for a PTCDP under § 236.1013(a). If a PTCDP has been filed and approved prior to filing of the PTCSP, the PTCSP may incorporate the PTCDP by reference, with the exception that a final human factors analysis shall be provided. The PTCSP shall contain the following additional elements:
(1) A hazard log consisting of a comprehensive description of all safety-relevant hazards not previously addressed by the vendor to be addressed during the life cycle of the PTC system, including maximum threshold limits for each hazard (for unidentified hazards, the threshold shall be exceeded at one occurrence);
(2) A risk assessment of the as-built PTC system described;
(3) A hazard mitigation analysis, including a complete and comprehensive description of each hazard and the mitigation techniques used;
(4) A complete description of the safety assessment and Verification and Validation processes applied to the PTC system, their results, and whether these processes address the safety principles described in Appendix C to this part directly, using other safety criteria, or not at all;
(5) A complete description of the railroad's training plan for railroad and contractor employees and supervisors necessary to ensure safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system;
(6) A complete description of the specific procedures and test equipment necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system on the railroad and establish safety-critical hazards are appropriately mitigated. These procedures, including calibration requirements, shall be consistent with or explain deviations from the equipment manufacturer's recommendations;
(7) A complete description of any additional warning to be placed in the Operations and Maintenance Manual in the same manner specified in § 236.919 and all warning labels to be placed on equipment as necessary to ensure safety;
(8) A complete description of the configuration or revision control measures designed to ensure that the railroad or its contractor does not adversely affect the safety-functional requirements and that safety-critical hazard mitigation processes are not compromised as a result of any such change;
(9) A complete description of all initial implementation testing procedures necessary to establish that safety-functional requirements are met and safety-critical hazards are appropriately mitigated;
(10) A complete description of all post-implementation testing (validation) and monitoring procedures, including the intervals necessary to establish that safety-functional requirements, safety-critical hazard mitigation processes, and safety-critical tolerances are not compromised over time, through use, or after maintenance (adjustment, repair, or replacement) is performed;
(11) A complete description of each record necessary to ensure the safety of the system that is associated with periodic maintenance, inspections, tests, adjustments, repairs, or replacements, and the system's resulting conditions, including records of component failures resulting in safety-relevant hazards (see § 236.1033);
(12) A safety analysis to determine whether, when the system is in operation, any risk remains of an unintended incursion into a roadway work zone due to human error. If the analysis reveals any such risk, the PTCDP and PTCSP shall describe how that risk will be mitigated;
(13) A more detailed description of any alternative arrangements as already provided under § 236.1011(a)(10);
(14) A complete description of how the PTC system will enforce authorities and signal indications, unless already completely provided for in the PTCDP;
(15) A description of how the PTCSP complies with § 236.1019(e), if applicable;
(16) A description of the deviation required under § 236.1029(c), if applicable and unless already completely provided for in the PTCDP;
(17) A complete description of how the PTC system will appropriately and timely enforce all integrated hazard detectors in accordance with § 236.1005;
(18) An emergency and planned maintenance temporary rerouting plan indicating how operations on the subject PTC system will take advantage of the benefits provided under § 236.1005(g)-(k); and
(19) Any alternative arrangements for each rail at-grade crossing not adhering to the table under § 236.1005(a)(1)(i).
(d) The following additional requirements apply to:
(1) Non-vital overlay. A PTC system proposed as an overlay on the existing method of operation and not built in accordance with the safety assurance principles set forth in Appendix C of this part must, to the satisfaction of the Associate Administrator, be shown to:
(i) Reliably execute the functions set forth in § 236.1005;
(ii) Obtain at least 80 percent reduction of the risk associated with accidents preventable by the functions set forth in § 236.1005, when all effects of the change associated with the PTC system are taken into account. The supporting risk assessment shall evaluate all intended changes in railroad operations coincident with the introduction of the new system; and
(iii) Maintain a level of safety for each subsequent system modification that is equal to or greater than the level of safety for the previous PTC systems.
(2) Vital overlay. A PTC system proposed on a newly constructed track or as an overlay on the existing method of operation and built in accordance with the safety assurance principles set forth in Appendix C of this part must, to the satisfaction of the Associate Administrator, be shown to:
(i) Reliably execute the functions set forth in § 236.1005; and
(ii) Have sufficient documentation to demonstrate that the PTC system, as built, fulfills the safety assurance principles set forth in Appendix C of this part. The supporting risk assessment may be abbreviated as that term is used in subpart H of this part.
(3) Stand-alone. A PTC system proposed on a newly constructed track, an existing track for which no signal system exists, as a replacement for an existing signal or train control system, or otherwise intended to replace or materially modify the existing method of operation, shall:
(i) Be demonstrated to reliably execute the functions required by § 236.1005; and
(ii) Have a PTCSP establishing, with a high degree of confidence, that the system will not introduce new hazards that have not been mitigated. The supporting risk assessment shall evaluate all intended changes in railroad operations in relation to the introduction of the new system and shall examine in detail the direct and indirect effects of all changes in the method of operations.
(4) Mixed systems. If a PTC system combining overlay, stand-alone, vital, or non-vital characteristics is proposed, the railroad shall confer with the Associate Administrator regarding appropriate structuring of the safety case and analysis.
(e) When determining whether the PTCSP fulfills the requirements under paragraph (d) of this section, the Associate Administrator may consider all available evidence concerning the reliability and availability of the proposed system and any and all safety consequences of the proposed changes. In any case where the PTCSP lacks data regarding safety impacts of the proposed changes, the Associate Administrator may request the necessary data from the applicant. If the requested data is not provided, the Associate Administrator may find that potential hazards could or will arise.
(f) If a PTCSP applies to a system designed to replace an existing certified PTC system, the PTCSP will be approved provided that the PTCSP establishes with a high degree of confidence that the new system will provide a level of safety not less than the level of safety provided by the system to be replaced.
(g) When reviewing the issue of the potential data errors (for example, errors arising from data supplied from other business systems needed to execute the braking algorithm, survey data needed for location determination, or mandatory directives issued through the computer-aided dispatching system), the PTCSP must include a careful identification of each of the risks and a discussion of each applicable mitigation. In an appropriate case, such as a case in which the residual risk after mitigation is substantial or the underlying method of operation will be significantly altered, the Associate Administrator may require submission of a quantitative risk assessment addressing these potential errors.
§ 236.1017 Independent third party Verification and Validation.
(a) The PTCSP must be supported by an independent third-party assessment when the Associate Administrator concludes that it is necessary based upon the same criteria set forth in § 236.913 of this chapter, with the exception that consideration of the methodology used in the risk assessment (§ 236.913(g)(2)(vii)) shall apply only to the extent that a comparative risk assessment was required. To the extent practicable, FRA makes this determination not later than review of the PTCIP and the accompanying PTCDP or PTCSP. If an independent assessment is required, the assessment may apply to the entire system or a designated portion of the system.
(b) If a PTC system is to undergo an independent assessment in accordance with this section, the railroad may submit to the Associate Administrator a written request that FRA confirm whether a particular entity would be considered an independent third party pursuant to this section. The request should include supporting information in accordance with paragraph (c) of this section. FRA may request further information to make a determination or provide its determination in writing.
(c) As used in this section, “independent third party” means a technically competent entity responsible to and compensated by the railroad (or an association on behalf of one or more railroads) that is independent of the PTC system supplier and vendor. An entity that is owned or controlled by the supplier or vendor, that is under common ownership or control with the supplier or vendor, or that is otherwise involved in the development of the PTC system is not considered “independent” within the meaning of this section.
(d) The independent third party assessment must, at a minimum, consist of the activities and result in the production of documentation meeting the requirements of Appendix F to this part, unless excepted by this part or by FRA order or waiver.
(e) Information provided that has been certified under the auspices of a foreign railroad regulatory entity recognized by the Associate Administrator may, at the Associate Administrator's discretion, be accepted as having been independently verified.
§ 236.1019 Main line track exceptions.
(a) Scope and procedure. This section pertains exclusively to exceptions from the rule that trackage over which scheduled intercity and commuter passenger service is provided is considered main line track requiring installation of a PTC system. One or more intercity or commuter passenger railroads, or freight railroads conducting joint passenger and freight operation over the same segment of track may file a main line track exclusion addendum (“MTEA”) to its PTCIP requesting to designate track as not main line subject to the condition that such trackage may not be trackage otherwise required to be equipped (e.g., because of tonnage and PIH traffic) and to the further conditions set forth in paragraphs (b) and (c) of this section. No track shall be designated as yard or terminal unless it is identified in a MTEA that is part of an FRA approved PTCIP.
(b) Passenger terminal exception. FRA will consider an exception in the case of trackage used exclusively as yard or terminal tracks by or in support of regularly scheduled intercity or commuter passenger service where the MTEA describes in detail the physical boundaries of the trackage in question, its use and characteristics (including track and signal charts) and all of the following apply:
(1) The maximum authorized speed for all movements is not greater than 20 miles per hour, and that maximum is enforced by any available onboard PTC equipment within the confines of the yard or terminal;
(2) Interlocking rules are in effect prohibiting reverse movements other than on signal indications without dispatcher permission; and
(3) No freight operations are permitted.
(c) Limited operations exception. FRA will consider an exception in the case of trackage used for limited operations by at least one passenger railroad subject to at least one of the following conditions:
(1) All trains are limited to restricted speed;
(2) Temporal separation of passenger and other trains is maintained as provided in paragraph (d) of this section; or
(3) Passenger service is operated under a risk mitigation plan submitted by all railroads involved in the joint operation and approved by FRA. The risk mitigation plan must be supported by a risk assessment establishing that the proposed mitigations will achieve a level of safety not less than the level of safety that would obtain if the operations were conducted under paragraph (c)(1) or (c)(2) of this section.
(d) Temporal separation. As used in this section, temporal separation means the processes or physical arrangements, or both, in place to assure that limited passenger and freight operations do not operate on any segment of shared track during the same period. The use of exclusive authorities under mandatory directives is not, by itself, sufficient to establish that temporal separation is achieved. Procedures to ensure temporal separation shall include verification checks between passenger and freight and effective physical means to positively ensure segregation of passenger and freight operations in accordance with this paragraph.
(e) PTCSP requirement. No PTCSP filed after the approval of a PTCIP with an MTEA shall be approved by FRA unless it attests that no changes, except for those included in a FRA approved RFA, have been made to the information in the PTCIP and MTEA required by paragraph (b) or (c) of this section.
(f) Designation modifications. If subsequent to approval of its PTCIP or PTCSP the railroad seeks to modify which track or tracks should be designated as main line or not main line, it shall request modification of its PTCIP or PTCSP, as applicable, in accordance with § 236.1021.
§ 236.1021 Discontinuances, material modifications, and amendments.
(a) No changes, as defined by this section, to a PTC system, PTCIP, PTCDP, or PTCSP, shall be made unless:
(1) The railroad files a request for amendment (“RFA”) to the applicable PTCIP, PTCDP, or PTCSP with the Associate Administrator; and
(2) The Associate Administrator approves the RFA.
(b) After approval of a RFA in accordance with paragraph (a) of this section, the railroad shall immediately adopt and comply with the amendment.
(c) In lieu of a separate filing under part 235 of this chapter, a railroad may request approval of a discontinuance or material modification of a signal or train control system by filing a RFA to its PTCIP, PTCDP, or PTCSP with the Associate Administrator.
(d) A RFA made in accordance with this section will not be approved by FRA unless the request includes:
(1) The information listed in § 235.10 of this chapter and the railroad provides FRA upon request any additional information necessary to evaluate the RFA (see § 235.12), including:
(2) The proposed modifications;
(3) The reasons for each modification;
(4) The changes to the PTCIP, PTCDP or PTCSP, as applicable;
(5) Each modification's effect on PTC system safety;
(6) An approximate timetable for filing of the PTCDP, PTCSP, or both, if the amendment pertains to a PTCIP; and
(7) An explanation of whether each change to the PTCSP is planned or unplanned.
(A) Unplanned changes that affect the Type Approval's PTCDP require submission and approval in accordance with § 236.1013 of a new PTCDP, followed by submission and approval in accordance with § 236.1015 of a new PTCSP for the PTC system.
(B) Unplanned changes that do not affect the Type Approval's PTCDP require submission and approval of a new PTCSP.
(C) Unplanned changes are changes affecting system safety that have not been documented in the PTCSP. The impact of unplanned changes on PTC system safety has not yet been determined.
(D) Planned changes may be implemented after they have undergone suitable regression testing to demonstrate, to the satisfaction of the Associate Administrator, they have been correctly implemented and their implementation does not degrade safety.
(E) Planned changes are changes affecting system safety in the PTCSP and have been included in all required analysis under § 236.1017. The impact of these changes on the PTC system's safety has been incorporated as an integral part of the approved PTCSP safety analysis.
(e) If the RFA includes a request for approval of a discontinuance or material modification of a signal or train control system, FRA will publish a notice in the Federal Register of the application and will invite public comment in accordance with part 211 of this chapter.
(f) When considering the RFA, FRA will review the issue of the discontinuance or material modification and determine whether granting the request is in the public interest and consistent with railroad safety, taking into consideration all changes in the method of operation and system functionalities, both within normal PTC system availability and in the case of a system failed state (unavailable), contemplated in conjunction with installation of the PTC system. The railroad submitting the RFA must, at FRA's request, perform field testing in accordance with § 236.1035 or engage in Verification and Validation in accordance with § 236.1017.
(g) FRA may issue at its discretion a new Type Approval number for a PTC system modified under this section.
(h) Changes requiring filing of an RFA. Except as provided by paragraph (i), an RFA shall be filed to request the following:
(1) Discontinuance of a PTC system, or other similar appliance or device;
(2) Decrease of the PTC system's limits;
(3) Modification of a safety critical element of a PTC system; or
(4) Modification of a PTC system that affects the safety critical functionality of any other PTC system with which it interoperates.
(i) Discontinuances not requiring the filing of an RFA. It is not necessary to file an RFA for the following discontinuances:
(1) Removal of a PTC system from track approved for abandonment by formal proceeding;
(2) Removal of PTC devices used to provide protection against unusual contingencies such as landslide, burned bridge, high water, high and wide load, or tunnel protection when the unusual contingency no longer exists;
(3) Removal of the PTC devices that are used on a movable bridge that has been permanently closed by the formal approval of another government agency and is mechanically secured in the closed position for rail traffic; or
(4) Removal of the PTC system from service for a period not to exceed six months that is necessitated by catastrophic occurrence such as derailment, flood, fire, or hurricane.
(j) Changes not requiring the filing of an RFA. When the resultant change to the PTC system will comply with an approved PTCSP of this part, it is not necessary to file for approval to decrease the limits of a system when it involves the:
(1) Decrease of the limits of a PTC system when interlocked switches, derails, or movable-point frogs are not involved;
(2) Removal of an electric or mechanical lock from hand-operated switch in a PTC system where train speed over switch does not exceed 20 miles per hour; or
(3) Removal of an electric lock from hand-operated switch in a PTC system where trains are not permitted to clear the main track at such switch and the electric lock has not been a part of the conditional approval of a PTCSP.
(k) Modifications not requiring the filing of an RFA. When the resultant arrangement will comply with an approved PTCSP of this part, it is not necessary to file an application for approval of the following modifications:
(1) A modification that is required to comply with an order of the Federal Railroad Administration or any section of part 236 of this title;
(2) Installation of devices used to provide protection against unusual contingencies such as landslide, burned bridges, high water, high and wide loads, or dragging equipment;
(3) Elimination of existing track other than a second main track;
(4) Extension or shortening of a passing siding;
(5) A line relocation;
(6) Installation of new track; or
(7) The temporary or permanent arrangement of existing systems necessitated by highway rail separation construction. Temporary arrangements shall be removed within six months following completion of construction.
§ 236.1023 Errors and malfunctions.
(a) Except as provided in paragraph (g) of this section, when any PTC system, subsystem, component, product, or process fails, malfunctions, or otherwise experiences a defect that decreases, or eliminates, any safety functionality, its vendor—regardless of whether any railroad has indicated whether it experienced the same—shall notify FRA and the affected railroads of the following:
(1) The nature and specificity of the failure, malfunction, or defect;
(2) The vendor's procedures for responding to the issue until the failure, malfunction, or defect is cured;
(3) Any corrective action required;
(4) The risk mitigation actions to be taken pending resolution of the failure cause and issuance of the corrective action; and
(5) The estimated time to correct the failure.
(b) Any railroad implementing or operating a PTC system, subsystem, component, product, or process that fails, malfunctions, or otherwise experiences a defect that decreases, or eliminates, any safety or interoperability functionality, shall:
(1) Notify the applicable vendor and FRA of the failure, malfunction, or defect that decreased or eliminated the safety functionality; and
(2) Keep the applicable vendor and FRA apprised on a continual basis of the status of any and all subsequent failures.
(c) Each railroad implementing a PTC system on its property shall maintain a PTC Product Vendor List (PTCPVL) continually updated to include all vendors of each PTC system, subsystem, component, product, and process currently used in its PTC system. The PTCPVL shall be made available to FRA upon request and without undue delay.
(d) The railroad shall specify to FRA—and the applicable vendor if appropriate—its procedures for action upon notification of a safety critical upgrade, patch, or revision for the PTC system, subsystem, component, product, or process, and until the revision has been installed.
(e) Each notification required by this section shall:
(1) Be made within 7 days after the vendor or railroad discovers the failure, malfunction, or defect. However, a report that is due on a Saturday or a Sunday may be delivered on the following Monday and one that is due on a holiday may be delivered on the next workday;
(2) Be transmitted in a manner and form acceptable to the Associate Administrator and by the most expeditious method available; and
(3) Include as much available and applicable information as possible, including:
(i) PTC system name and model;
(ii) Identification of the part, component, or system involved. The identification must include the part number;
(iii) Nature of the failure, malfunctions, or defects;
(iv) Mitigation to ensure the safety of the crews and public; and
(v) The estimated time to correct the failure.
(f) Whenever any investigation of an accident or service difficulty report shows that an article is unsafe because of a manufacturing or design defect, the manufacturer shall, upon request of the Associate Administrator, report to the Associate Administrator the results of its investigation and any action taken or proposed by the manufacturer to correct that defect.
(g) The requirements of this section do not apply to failures, malfunctions, or defects that:
(1) Are caused by improper maintenance or improper usage; or
(2) Have been previously identified to the FRA, vendor, and applicable railroads.
(h) Any railroad experiencing a failure of a system resulting in a more favorable aspect than intended or another condition hazardous to movement of a train shall comply with the reporting requirements, including the making of a telephonic report of an accident or incident under part 233 of this chapter. Filing of one or more reports under part 233 of this chapter does not exempt a railroad or vendor from the reporting requirements contained in paragraphs (a) through (e) of this section.
§ 236.1027 Exclusions.
(a) The requirements of this subpart apply to each office automation system that performs safety-critical functions within, or affects the safety performance of, the PTC system. For purposes of this section, “office automation system” means any centralized or distributed computer-based system that directly or indirectly controls the active movement of trains in a rail network.
(b) Changes or modifications to PTC systems otherwise excluded from the requirements of this subpart by this section do not exclude those PTC systems from the requirements of this subpart if the changes or modifications result in a degradation of safety or a material decrease in safety-critical functionality.
(c) Primary train control systems cannot be integrated with locomotive electronic systems unless the complete integrated systems:
(1) Have been shown to be designed on fail safe principles;
(2) Have been demonstrated to operate in a fail safe mode;
(3) Have a manual fail safe fallback and override to allow the locomotive to be brought to a safe stop in the event of any loss of electronic control; and
(4) Are included in the approved and applicable PTCDP and PTCSP.
(d) PTC systems excluded by this section from the requirements of this subpart remain subject to subparts A through H of this part as applicable.
§ 236.1029 PTC system use and en route failures.
(a) When any safety-critical PTC system component fails to perform its intended function, the cause must be determined and the faulty component adjusted, repaired, or replaced without undue delay. Until repair of such essential components is completed, a railroad shall take appropriate action as specified in its PTCSP.
(b) Where a PTC onboard apparatus on a lead locomotive that is operating in or is to be operated within a PTC system fails or is otherwise cut-out while en route (i.e., after the train has departed its initial terminal), the train may only continue in accordance with the following:
(1) The train may proceed at restricted speed, or if a block signal system is in operation according to signal indication at medium speed, to the next available point where communication of a report can be made to a designated railroad officer of the host railroad;
(2) Upon completion and communication of the report required in paragraph (b)(1) of this section, or where immediate electronic report of said condition is appropriately provided by the PTC system itself, a train may continue to a point where an absolute block can be established in advance of the train in accordance with the following:
(i) Where no block signal system is in use, the train may proceed at restricted speed, or
(ii) Where a block signal system is in operation according to signal indication, the train may proceed at a speed not to exceed medium speed.
(3) Upon reaching the location where an absolute block has been established in advance of the train, as referenced in paragraph (b)(2) of this section, the train may proceed in accordance with the following:
(i) Where no block signal system is in use, the train may proceed at medium speed; however, if the involved train is a passenger train or a train hauling any amount of PIH material, it may only proceed at a speed not to exceed 30 miles per hour.
(ii) Where a block signal system is in use, a passenger train may proceed at a speed not to exceed 59 miles per hour and a freight train may proceed at a speed not to exceed 49 miles per hour.
(iii) Except as provided in paragraph (c), where a cab signal system with an automatic train control system is in operation, the train may proceed at a speed not to exceed 79 miles per hour.
(c) In order for a PTC train that operates at a speed above 90 miles per hour to deviate from the operating limitations contained in paragraph (b) of this section, the deviation must be described and justified in the FRA approved PTCDP or PTCSP, or the Order of Particular Applicability, as applicable.
(d) Each railroad shall comply with all provisions in the applicable PTCDP and PTCSP for each PTC system it uses and shall operate within the scope of initial operational assumptions and predefined changes identified.
(e) The normal functioning of any safety-critical PTC system must not be interfered with in testing or otherwise without first taking measures to provide for the safe movement of trains, locomotives, roadway workers, and on-track equipment that depend on the normal functioning of the system.
(f) The PTC system's onboard apparatus shall be so arranged that each member of the crew assigned to perform duties in the locomotive can view a PTC display and execute any functions necessary to that crew member's duties. The locomotive engineer shall not be required to perform functions related to the PTC system while the train is moving that have the potential to distract the locomotive engineer from performance of other safety-critical duties.
§ 236.1031 Previously approved PTC systems.
(a) Any PTC system fully implemented and operational prior to [insert effective date of final rule], may receive PTC System Certification if the applicable PTC railroad, or one or more system suppliers and one or more PTC railroads, submits a Request for Expedited Certification (REC) letter to the Associate Administrator. The REC letter must do one of the following:
(1) Reference a product safety plan (PSP) recognized or approved by FRA under subpart H of this part and include a document fulfilling the requirements under §§ 236.1011 and 236.1013 not already included in the PSP;
(2) Attest that the PTC system has been approved by FRA and in operation for at least 5 years and has already received an assessment of Verification and Validation from an independent third party under part 236 or a waiver supporting such operation; or
(3) Attest that the PTC railroad has implemented and is operating a PTC system required by a FRA order issued prior to [insert effective date of final rule].
(b) If a REC letter conforms to paragraph (a)(1) of this section, the Associate Administrator, at his or her sole discretion, may also issue a new Type Approval for the PTC system.
(c) In order to receive a Type Approval or PTC System Certification under paragraph (a) or (b) of this section, the PTC system must be shown to reliably execute the functionalities required by §§ 236.1005 and 236.1007 and otherwise conform to this subpart.
(d) Previous approval or recognition of a train control system, together with an established service history, may, at the request of the PTC railroad, and consistent with available safety data, be credited toward satisfaction of the safety case requirements set forth in this part for the PTCSP with respect to all functionalities and implementations contemplated by the approval or recognition.
(e) To the extent that the PTC system proposed for implementation under this subpart is different in significant detail from the system previously approved or recognized, the changes shall be fully analyzed in the PTCDP or PTCSP as would be the case absent prior approval or recognition.
(f) As used in this section—
(1) Approved refers to approval of a Product Safety Plan under subpart H of this part.
(2) Recognized refers to official action permitting a system to be implemented for control of train operations under an order or waiver, after review of safety case documentation for the implementation.
(g) Upon receipt of a REC, FRA will consider all safety case information to the extent feasible and appropriate, given the specific facts before the agency. Nothing in this section limits re-use of any applicable safety case information by a party other than the party receiving:
(1) A prior approval or recognition referred to in this section; or
(2) A Type Approval or PTC System Certification under this subpart.
§ 236.1033 Communications and security requirements.
(a) All wireless communications between the office, wayside, and onboard components in a PTC system shall provide cryptographic message integrity and authentication.
(b) Cryptographic keys required under paragraph (a) shall:
(1) Use an algorithm approved by the National Institute of Standards and Technology (NIST) or a similarly recognized and FRA approved standards body;
(2) Be distributed using manual or automated methods, or a combination of both; and
(3) Be revoked:
(i) If compromised by unauthorized disclosure of the cleartext key; or
(ii) When the key algorithm reaches its lifespan as defined by the standards body responsible for approval of the algorithm.
(c) The cleartext form of the cryptographic keys shall be protected from unauthorized disclosure, modification, or substitution, except during key entry when the cleartext keys and key components may be temporarily displayed to allow visual verification. When encrypted keys or key components are entered, the cryptographically protected cleartext key or key components shall not be displayed.
(d) Access to cleartext keys shall be protected by a tamper resistant mechanism.
(e) Each railroad electing to also provide cryptographic message confidentiality shall:
(1) Comply with the same requirements for message integrity and authentication under this section; and
(2) Only use keys meeting or exceeding the security strength required to protect the data as defined in the railroad's PTCSP and required under § 236.1017(a)(8).
(f) Each railroad, or its vendor, shall have a prioritized service restoration and mitigation plan for scheduled and unscheduled interruptions of service. This plan shall be included in the PTCDP or PTCSP as required by §§ 236.1013 or 236.1015, as applicable, and made available to FRA upon request, without undue delay, for restoration of communication services that support PTC system services.
(g) Each railroad may elect to impose more restrictive requirements than those in this section, consistent with interoperability requirements specified in the PTCSP for the system.
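The following is an added illustration, not part of the proposed rule text, of how paragraphs (a) and (b)(3) fit together: each frame carries an HMAC tag for integrity and authentication, and a key is refused once it is marked compromised or its algorithm is past its lifespan. The frame layout, key identifiers, sender names, secrets, and end-of-life dates are all assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import date

# Constructed end-of-life dates, for illustration only. A deployment takes them
# from the standards body that approved the algorithm (paragraph (b)(3)(ii)).
ALGORITHM_END_OF_LIFE = {"sha256": None, "sha1": date(2015, 1, 1)}
HEADER = struct.Struct(">HBH")  # key id, sender length, payload length


class RejectedMessage(Exception):
    """A frame or key failed an integrity, authentication or revocation check."""


@dataclass
class KeyRecord:
    key_id: int
    secret: bytes
    digest: str               # hashlib name of the hash used inside HMAC
    compromised: bool = False


class KeyStore:
    def __init__(self):
        self._keys = {}

    def add(self, record):
        self._keys[record.key_id] = record

    def revoke_compromised(self, key_id):
        # Paragraph (b)(3)(i): cleartext key disclosed without authorization.
        self._keys[key_id].compromised = True

    def usable(self, key_id, today):
        record = self._keys.get(key_id)
        if record is None:
            raise RejectedMessage("unknown key id")
        if record.compromised:
            raise RejectedMessage("key revoked: compromised")
        if record.digest not in ALGORITHM_END_OF_LIFE:
            raise RejectedMessage("algorithm not approved")
        end = ALGORITHM_END_OF_LIFE[record.digest]
        if end is not None and today > end:
            raise RejectedMessage("key revoked: algorithm past lifespan")
        return record


def protect(store, key_id, sender, payload, today):
    """Frame a message as header | sender | payload | HMAC tag."""
    record = store.usable(key_id, today)
    sender_b = sender.encode("ascii")
    body = HEADER.pack(key_id, len(sender_b), len(payload)) + sender_b + payload
    return body + hmac.new(record.secret, body, record.digest).digest()


def verify(store, frame, today):
    """Return (sender, payload) or raise RejectedMessage."""
    if len(frame) < HEADER.size:
        raise RejectedMessage("truncated frame")
    key_id, sender_len, payload_len = HEADER.unpack(frame[:HEADER.size])
    record = store.usable(key_id, today)
    body_len = HEADER.size + sender_len + payload_len
    tag_len = hashlib.new(record.digest).digest_size
    if len(frame) != body_len + tag_len:
        raise RejectedMessage("length mismatch")
    body, tag = frame[:body_len], frame[body_len:]
    expected = hmac.new(record.secret, body, record.digest).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise RejectedMessage("bad authentication tag")
    start = HEADER.size
    return body[start:start + sender_len].decode("ascii"), body[start + sender_len:]


def outcome(fn, *args):
    """Run fn and report either its result or the rejection reason."""
    try:
        return fn(*args)
    except RejectedMessage as exc:
        return "rejected: " + str(exc)


def demo():
    today = date(2024, 1, 1)
    store = KeyStore()
    store.add(KeyRecord(1, b"constructed-key-0001", "sha256"))
    store.add(KeyRecord(2, b"constructed-key-0002", "sha1"))
    frame = protect(store, 1, "office", b"constructed authority 42", today)
    tampered = bytearray(frame)
    tampered[-33] ^= 0x01            # flip one bit in the last payload byte
    results = {
        "valid": outcome(verify, store, frame, today),
        "tampered": outcome(verify, store, bytes(tampered), today),
        "expired_algorithm": outcome(protect, store, 2, "wayside", b"x", today),
    }
    store.revoke_compromised(1)
    results["after_revocation"] = outcome(verify, store, frame, today)
    return results
```

Calling demo() returns the outcome of each case. A frame that verified before revocation is rejected afterwards, so revocation takes effect on the receiving side without any change to the sender.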
§ 236.1035 Field testing requirements.
(a) Before any field testing of an uncertified PTC system, or a product of an uncertified PTC system, or any regression testing of a certified PTC system is conducted on the general rail system, the railroad requesting the testing must provide:
(1) A complete description of the PTC system;
(2) An operational concepts document;
(3) A complete description of the specific test procedures, including the measures that will be taken to protect trains and on-track equipment;
(4) An analysis of the applicability of the requirements of subparts A-G of this part to the PTC system that will not apply during testing;
(5) The date the proposed testing shall begin;
(6) The test locations; and
(7) The effect on the current method of the PTC system under test operation.
(b) FRA may impose additional testing conditions that it believes may be necessary for the safety of train operations.
(c) Relief from regulations other than from subparts A-G of this part that the railroad believes are necessary to support the field testing, must be requested in accordance with part 211 of this title.
§ 236.1037 Records retention.
(a) Each railroad with a PTC system required to be installed under this subpart shall maintain at a designated office on the railroad:
(1) A current copy of each FRA approved Type Approval, if any, PTCDP, and PTCSP that it holds;
(2) Adequate documentation to demonstrate that the PTCSP and PTCDP meet the safety requirements of this subpart, including the risk assessment;
(3) An Operations and Maintenance Manual, pursuant to § 236.1039; and
(4) Training and testing records pursuant to § 236.1043(b).
(b) Results of inspections and tests specified in the PTCSP and PTCDP must be recorded pursuant to § 236.110.
(c) Each contractor providing services relating to the testing, maintenance, or operation of a PTC system required to be installed under this subpart shall maintain at a designated office training records required under § 236.1039(b).
(d) After the PTC system is placed in service, the railroad shall maintain a database of all safety-relevant hazards as set forth in the PTCSP and PTCDP and those that had not been previously identified in either document. If the frequency of the safety-relevant hazards exceeds the threshold set forth in either of these documents, then the railroad shall:
(1) Report the inconsistency in writing by mail, facsimile, e-mail, or hand delivery to the Director, Office of Safety Assurance and Compliance, FRA, 1200 New Jersey Ave., SE., Mail Stop 25, Washington, DC 20590, within 15 days of discovery. Documents that are hand delivered must not be enclosed in an envelope;
(2) Take prompt countermeasures to reduce the frequency of each safety-relevant hazard to below the threshold set forth in the PTCSP and PTCDP; and
(3) Provide a final report when the inconsistency is resolved to the FRA Director, Office of Safety Assurance and Compliance, on the results of the analysis and countermeasures taken to reduce the frequency of the safety-relevant hazard(s) below the threshold set forth in the PTCSP and PTCDP.
§ 236.1039 Operations and Maintenance Manual.
(a) The railroad shall catalog and maintain all documents as specified in the PTCDP and PTCSP for the installation, maintenance, repair, modification, inspection, and testing of the PTC system and have them in one Operations and Maintenance Manual, readily available to persons required to perform such tasks and for inspection by FRA and FRA-certified State inspectors.
(b) Plans required for proper maintenance, repair, inspection, and testing of safety-critical PTC systems must be adequate in detail and must be made available for inspection by FRA and FRA-certified State inspectors where such PTC systems are deployed or maintained. They must identify all software versions, revisions, and revision dates. Plans must be legible and correct.
(c) Hardware, software, and firmware revisions must be documented in the Operations and Maintenance Manual according to the railroad's configuration management control plan and any additional configuration/revision control measures specified in the PTCDP and PTCSP.
(d) Safety-critical components, including spare equipment, must be positively identified, handled, replaced, and repaired in accordance with the procedures specified in the PTCDP and PTCSP.
(e) Each railroad shall designate in its Operations and Maintenance Manual an appropriate railroad officer responsible for issues relating to scheduled interruptions of service contemplated by § 236.1029.
§ 236.1041 Training and qualification program, general.
(a) Training program for PTC personnel. Employers shall establish and implement training and qualification programs for PTC systems subject to this subpart. These programs must meet the minimum requirements set forth in the PTCDP and PTCSP in §§ 236.1039 through 236.1045 as appropriate, for the following personnel:
(1) Persons whose duties include installing, maintaining, repairing, modifying, inspecting, and testing safety-critical elements of the railroad's PTC systems, including central office, wayside, or onboard subsystems;
(2) Persons who dispatch train operations (issue or communicate any mandatory directive that is executed or enforced, or is intended to be executed or enforced, by a train control system subject to this subpart);
(3) Persons who operate trains or serve as a train or engine crew member subject to instruction and testing under part 217 of this chapter, on a train operating in territory where a train control system subject to this subpart is in use;
(4) Roadway workers whose duties require them to know and understand how a train control system affects their safety and how to avoid interfering with its proper functioning; and
(5) The direct supervisors of persons listed in paragraphs (a)(1) through (a)(4) of this section.
(b) Competencies. The employer's program must provide training for persons who perform the functions described in paragraph (a) of this section to ensure that they have the necessary knowledge and skills to effectively complete their duties related to operation and maintenance of the PTC system.
§ 236.1043 Task analysis and basic requirements.
(a) Training structure and delivery. As part of the program required by § 236.1041, the employer shall, at a minimum:
(1) Identify the specific goals of the training program with regard to the target population (craft, experience level, scope of work, etc.), task(s), and desired success rate;
(2) Based on a formal task analysis, identify the installation, maintenance, repair, modification, inspection, testing, and operating tasks that must be performed on a railroad's PTC systems. This includes the development of failure scenarios and the actions expected under such scenarios;
(3) Develop written procedures for the performance of the tasks identified;
(4) Identify the additional knowledge, skills, and abilities above those required for basic job performance necessary to perform each task;
(5) Develop a training and evaluation curriculum that includes classroom, simulator, computer-based, hands-on, or other formally structured training designed to impart the knowledge, skills, and abilities identified as necessary to perform each task;
(6) Prior to assignment of related tasks, require all persons mentioned in § 236.1041(a) to successfully complete a training curriculum and pass an examination that covers the PTC system and appropriate rules and tasks for which they are responsible (however, such persons may perform such tasks under the direct onsite supervision of a qualified person prior to completing such training and passing the examination);
(7) Require periodic refresher training and evaluation at intervals specified in the PTCDP and PTCSP that includes classroom, simulator, computer-based, hands-on, or other formally structured training and testing, except with respect to basic skills for which proficiency is known to remain high as a result of frequent repetition of the task; and
(8) Conduct regular and periodic evaluations of the effectiveness of the training program specified in § 236.1041(a)(1) verifying the adequacy of the training material and its validity with respect to current railroad PTC systems and operations.
(b) Training records. Employers shall retain records which designate persons who are qualified under this section until new designations are recorded or for at least one year after such persons leave applicable service. These records shall be kept in a designated location and be available for inspection and replication by FRA and FRA-certified State inspectors.
§ 236.1045 Training specific to office control personnel.
(a) Any person responsible for issuing or communicating mandatory directives in territory where PTC systems are or will be in use must be trained in the following areas, as applicable:
(1) Instructions concerning the interface between the computer-aided dispatching system and the train control system, with respect to the safe movement of trains and other on-track equipment;
(2) Railroad operating rules applicable to the train control system, including provision for movement and protection of roadway workers, unequipped trains, trains with failed or cut-out train control onboard systems, and other on-track equipment; and
(3) Instructions concerning control of trains and other on-track equipment in case the train control system fails, including periodic practical exercises or simulations, and operational testing under part 217 of this chapter to ensure the continued capability of the personnel to provide for safe operations under the alternative method of operation.
§ 236.1047 Training specific to locomotive engineers and other operating personnel.
(a) Operating personnel. Training provided under this subpart for any locomotive engineer or other person who participates in the operation of a train in train control territory must be defined in the PTCDP as well as the PTCSP. The following elements must be addressed:
(1) Familiarization with train control equipment onboard the locomotive and the functioning of that equipment as part of the system and in relation to other onboard systems under that person's control;
(2) Any actions required of the onboard personnel to enable, or enter data to, the system, such as consist data, and the role of that function in the safe operation of the train;
(3) Sequencing of interventions by the system, including pre-enforcement notification, enforcement notification, penalty application initiation and post-penalty application procedures;
(4) Railroad operating rules and testing (part 217) applicable to the train control system, including provisions for movement and protection of any unequipped trains, or trains with failed or cut-out train control onboard systems and other on-track equipment;
(5) Means to detect deviations from proper functioning of onboard train control equipment and instructions regarding the actions to be taken with respect to control of the train and notification of designated railroad personnel; and
(6) Information needed to prevent unintentional interference with the proper functioning of onboard train control equipment.
(b) Locomotive engineer training. Training required under this subpart for a locomotive engineer, together with required records, must be integrated into the program of training required by part 240 of this chapter.
(c) Full automatic operation. The following special requirements apply in the event a train control system is used to effect full automatic operation of the train:
(1) The PTCDP and PTCSP must identify all safety hazards to be mitigated by the locomotive engineer.
(2) The PTCDP and PTCSP must address and describe the training required with provisions for the maintenance of skills proficiency. As a minimum, the training program must:
(i) As described in § 236.1047(a)(2), develop failure scenarios which incorporate the safety hazards identified in the PTCDP and PTCSP including the return of train operations to a fully manual mode;
(ii) Provide training, consistent with § 236.1047(a), for safe train operations under all failure scenarios and identified safety hazards that affect train operations;
(iii) Provide training, consistent with § 236.1047(a), for safe train operations under manual control; and
(iv) Consistent with § 236.1047(a), ensure maintenance of manual train operating skills by requiring manual starting and stopping of the train for an appropriate number of trips and by one or more of the following methods:
(A) Manual operation of a train for a 4-hour work period;
(B) Simulated manual operation of a train for a minimum of 4 hours in a Type I simulator as required; or
(C) Other means as determined following consultation between the railroad and designated representatives of the affected employees and approved by FRA. The PTCDP and PTCSP must designate the appropriate frequency when manual operation, starting, and stopping must be conducted, and the appropriate frequency of simulated manual operation.
(d) Conductor training. Training required under this subpart for a conductor, together with required records, must be integrated into the program of training required under this chapter.
§ 236.1049 Training specific to roadway workers.
(a) Roadway worker training. Training required under this subpart for a roadway worker must be integrated into the program of instruction required under part 214, subpart C of this chapter (“Roadway Worker Protection”), consistent with task analysis requirements of § 236.1039. This training must provide instruction for roadway workers who provide protection for themselves or roadway work groups.
(b) Training subject areas. (1) Instruction for roadway workers must ensure an understanding of the role of processor-based signal and train control equipment in establishing protection for roadway workers and their equipment.
(2) Instruction for all roadway workers working in territories where PTC is required under this subpart must ensure recognition of processor-based signal and train control equipment on the wayside and an understanding of how to avoid interference with its proper functioning.
(3) Instructions concerning the recognition of system failures and the provision of alternative methods of on-track safety in case the train control system fails, including periodic practical exercises or simulations and operational testing under part 217 of this chapter to ensure the continued capability of roadway workers to be free from the danger of being struck by a moving train or other on-track equipment.
11. Revise Appendix B to part 236 to read as follows:
Appendix B to Part 236—Risk Assessment Criteria
The safety-critical performance of each product for which risk assessment is required under this part must be assessed in accordance with the following minimum criteria or other criteria if demonstrated to the Associate Administrator for Safety to be equally suitable:
(a) How are risk metrics to be expressed? The risk metric for the proposed product must describe with a high degree of confidence the accumulated risk of a train control system that operates over the designated life-cycle of the product. Each risk metric for the proposed product must be expressed with an upper bound, as estimated with a sensitivity analysis, and the risk value selected must be demonstrated to have a high degree of confidence.
(b) How does the risk assessment handle interaction risks for interconnected subsystems/components? The risk assessment of each safety-critical system (product) must account not only for the risks associated with each subsystem or component, but also for the risks associated with interactions (interfaces) between such subsystems.
(c) What is the main principle in computing risk for the previous and current conditions? The risk for the previous condition must be computed using the same metrics as for the new system being proposed. A full risk assessment must consider the entire railroad environment where the product is being applied, and show all aspects of the previous condition that are affected by the installation of the product, considering all faults, operating errors, exposure scenarios, and consequences that are related as described in this part. For the full risk assessment, the total societal cost of the potential numbers of accidents assessed for both previous and new system conditions must be computed for comparison. An abbreviated risk assessment must, as a minimum, clearly compute the MTTHE for all of the hazardous events identified for both previous and current conditions. The comparison between MTTHE for both conditions is to determine whether the product implementation meets the safety criteria as required by Subpart H or Subpart I as applicable.
(d) What major system characteristics must be included when relevant to risk assessment? Each risk calculation must consider the total signaling and train control system and method of operation, as subjected to a list of hazards to be mitigated by the signaling and train control system. The methodology requirements must include the following major characteristics, when they are relevant to the product being considered:
(1) Track plan infrastructure, switches, rail crossings at grade and highway-rail grade crossings as applicable;
(2) Train movement density for freight, work, and passenger trains where applicable and computed over a time span of not less than 12 months;
(3) Train movement operational rules, as enforced by the dispatcher, roadway worker/Employee in Charge, and train crew behaviors;
(4) Wayside subsystems and components;
(5) Onboard subsystems and components;
(6) Consist contents such as hazardous material, oversize loads; and
(7) Operating speeds if the provisions of Part 236 cite additional requirements for certain types of train control systems to be used at such speeds for freight and passenger trains.
(e) What other relevant parameters must be determined for the subsystems and components? In order to derive the frequency of hazardous events (or MTTHE) applicable for a product, subsystem or component included in the risk assessment, the railroad may use various techniques, such as reliability and availability calculations for subsystems and components, Fault Tree Analysis (FTA) of the subsystems, and results of the application of safety design principles as noted in Appendix C. Such failure frequency is to be derived for both fail-safe and non-fail-safe subsystems or components. The lower bounds of the MTTF or MTBF determined from the system sensitivity analysis, which account for all necessary and well justified assumptions, may be used to represent the estimate of MTTHE for the associated non-fail-safe subsystem or component in the risk assessment.
(f) How are processor-based subsystems/components assessed? (1) An MTTHE value must be calculated for each processor-based subsystem or component, or both, indicating the safety-critical behavior of the integrated hardware/software subsystem or component, or both. The human factor impact must be included in the assessment, whenever applicable, to provide the integrated MTTHE value. The MTTHE calculation must consider the rates of failures caused by permanent, transient, and intermittent faults accounting for the fault coverage of the integrated hardware/software subsystem or component, phased-interval maintenance, and restoration of the detected failures.
(2) Software fault/failure analysis must be based on the proper assessment of the design and implementation of the application code, its operating/executive program, and associated device drivers, historical performance data, analytical methods and experimental safety-critical performance testing performed on the subsystem or component. The software assessment process must demonstrate through repeatable predictive results that all software defects have been identified and corrected by process with a high degree of confidence.
(g) How are non-processor-based subsystems/components assessed? (1) The safety-critical behavior of all non-processor-based components, which are part of a processor-based system or subsystem, must be quantified with an MTTHE metric. The MTTHE assessment methodology must consider failures caused by permanent, transient, and intermittent faults, phased-interval maintenance and restoration of operation after failures and the effect of fault coverage of each non-processor-based subsystem or component.
(2) MTTHE compliance verification and validation must be based on the assessment of the design for adequacy by a documented verification and validation process, historical performance data, analytical methods and experimental safety-critical performance testing performed on the subsystem or component. The non-processor-based quantification compliance must be demonstrated to have a high degree of confidence.
(h) What assumptions must be documented for risk assessment? (1) The railroad shall document any assumptions regarding the derivation of risk metrics used. For example, for the full risk assessment, all assumptions made about each value of the parameters used in the calculation of total cost of accidents should be documented. For abbreviated risk assessment, all assumptions made for MTTHE derivation using existing reliability and availability data on the current system components should be documented. The railroad shall document these assumptions in such a form as to permit later automated comparisons with in-service experience.
(2) The railroad shall document any assumptions regarding human performance. The documentation shall be in such a form as to facilitate later comparisons with in-service experience.
(3) The railroad shall document any assumptions regarding software defects. These assumptions shall be in a form which permits the railroad to project the likelihood of detecting an in-service software defect. These assumptions shall be documented in such a form as to permit later automated comparisons with in-service experience.
(4) The railroad shall document all of the identified safety-critical fault paths to a mishap as predicted by the safety analysis methodology. The documentation shall be in such a form as to facilitate later comparisons with in-service faults.
12. Revise Appendix C to read as follows:
Appendix C to Part 236—Safety Assurance Criteria and Processes
(a) What is the purpose of this appendix? This appendix provides safety criteria and processes that the designer must use to develop and validate the product that meets safety requirements of this part. FRA uses the criteria and processes set forth in this appendix to evaluate the validity of safety targets and the results of system safety analyses provided in the RSPP, PSP, PTCIP, PTCDP, and PTCSP documents as appropriate. An analysis performed under this appendix must:
(1) Address each of the safety principles of paragraph (b) of this appendix, or explain why they are not relevant, and
(2) Employ a validation and verification process pursuant to paragraph (c) of this appendix.
(b) What safety principles must be followed during product development? The designer shall address each of the following safety principles when designing and demonstrating the safety of products covered by subpart H or I of this part. In the event that any of these principles are not followed, the PSP or PTCDP or PTCSP shall state both the reason(s) for departure and the alternative(s) utilized to mitigate or eliminate the hazards associated with the design principle not followed.
(1) System safety under normal operating conditions. The system (all its elements including hardware and software) must be designed to assure safe operation with no hazardous events under normal anticipated operating conditions with proper inputs and within the expected range of environmental conditions. All safety-critical functions must be performed properly under these normal conditions. Absence of specific operator actions or procedures will not prevent the system from operating safely. The designer must identify and categorize all hazards that may lead to unsafe system operation. Hazards categorized as unacceptable or undesirable, which is determined by hazard analysis, must be eliminated by design. Those undesirable hazards that cannot be eliminated should be mitigated to the acceptable level as required by this part.
(2) System safety under failures.
(i) It must be shown how the product is designed to mitigate or eliminate unsafe systematic failures—those conditions which can be attributed to human error that could occur at various stages throughout product development. This includes unsafe errors in the software due to human error in the software specification, design or coding phases, or both; human errors that could impact hardware design; unsafe conditions that could occur because of an improperly designed human-machine interface; installation and maintenance errors; and errors associated with making modifications.
(ii) The product must be shown to operate safely under conditions of random hardware failure. This includes single as well as multiple hardware failures, particularly in instances where one or more failures could occur, remain undetected (latent) and react in combination with a subsequent failure at a later time to cause an unsafe operating situation. In instances involving a latent failure, a subsequent failure is similar to there being a single failure. In the event of a transient failure, and if so designed, the system should restart itself if it is safe to do so. Frequency of attempted restarts must be considered in the hazard analysis required by § 236.907(a)(8).
(iii) There shall be no single point failures in the product that can result in hazards categorized as unacceptable or undesirable. Occurrence of credible single point failures that can result in hazards must be detected and the product must achieve a known safe state before falsely activating any physical appliance.
(iv) If one non-self-revealing failure combined with a second failure can cause a hazard that is categorized as unacceptable or undesirable, then the second failure must be detected and the product must achieve a known safe state before falsely activating any physical appliance.
(v) Another concern of multiple failures involves common mode failures in which two or more subsystems or components intended to compensate one another to perform the same function all fail by the same mode and result in unsafe conditions. This is of particular concern in instances in which two or more elements (hardware or software, or both) are used in combination to ensure safety. If a common mode failure exists, then any analysis performed under this appendix cannot rely on the assumption that failures are independent. Examples include: The use of redundancy in which two or more elements perform a given function in parallel and when one (hardware or software) element checks/monitors another element (of hardware or software) to help ensure its safe operation. Common mode failure relates to independence, which must be ensured in these instances. When dealing with the effects of hardware failure, the designer shall address the effects of the failure not only on other hardware, but also on the execution of the software, since hardware failures can greatly affect how the software operates.
(3) Closed loop principle. System design adhering to the closed loop principle requires that all conditions necessary for the existence of any permissive state or action be verified to be present before the permissive state or action can be initiated. Likewise the requisite conditions shall be verified to be continuously present for the permissive state or action to be maintained. This is in contrast to allowing a permissive state or action to be initiated or maintained in the absence of detected failures. In addition, closed loop design requires that failure to perform a logical operation, or absence of a logical input, output or decision shall not cause an unsafe condition, i.e., system safety does not depend upon the occurrence of an action or logical decision.
(4) Safety assurance concepts. The product design must include one or more of the following Safety Assurance Concepts as described in IEEE-1483 standard to ensure that failures are detected and the product is placed in a safe state. One or more different principles may be applied to each individual subsystem or component, depending on the safety design objectives of that part of the product.
(i) Design diversity and self-checking concept. This concept requires that all critical functions be performed in diverse ways, using diverse software operations and/or diverse hardware channels, and that critical hardware be tested with Self-Checking routines. Permissive outputs are allowed only if the results of the diverse operations correspond, and the Self-Checking process reveals no failures in either execution of software or in any monitored input or output hardware. If the diverse operations do not agree or if the checking reveals critical failures, safety-critical functions and outputs must default to a known safe state.
(ii) Checked redundancy concept. The Checked Redundancy concept requires implementation of two or more identical, independent hardware units, each executing identical software and performing identical functions. A means is to be provided to periodically compare vital parameters and results of the independent redundant units, requiring agreement of all compared parameters to assert or maintain a permissive output. If the units do not agree, safety-critical functions and outputs must default to a known safe state.
(iii) N-version programming concept. This concept requires a processor-based product to use at least two software programs performing identical functions and executing concurrently in a cycle. The software programs must be written by independent teams, using different tools. The multiple independently written software programs comprise a redundant system, and may be executed either on separate hardware units (which may or may not be identical) or within one hardware unit. A means is to be provided to compare the results and output states of the multiple redundant software systems. If the system results do not agree, then the safety-critical functions and outputs must default to a known safe state.
(iv) Numerical assurance concept. This concept requires that the state of each vital parameter of the product or system be uniquely represented by a large encoded numerical value, such that permissive results are calculated by pseudo-randomly combining the representative numerical values of each of the critical constituent parameters of a permissive decision. Vital algorithms must be entirely represented by data structures containing numerical values with verified characteristics, and no vital decisions are to be made in the executing software, only by the numerical representations themselves. In the event of critical failures, the safety-critical functions and outputs must default to a known safe state.
(v) Intrinsic fail-safe design concept. Intrinsically fail-safe hardware circuits or systems are those that employ discrete mechanical and/or electrical components. The fail-safe operation for a product or subsystem designed using this concept requires a verification that the effect of every relevant failure mode of each component, and relevant combinations of component failure modes, be considered, analyzed, and documented. This is typically performed by a comprehensive failure modes and effects analysis (FMEA) which must show no residual unmitigated failures. In the event of critical failures, the safety-critical functions and outputs must default to a known safe state.
(5) Human factor engineering principle. The product design must sufficiently incorporate human factors engineering that is appropriate to the complexity of the product; the educational, mental, and physical capabilities of the intended operators and maintainers; the degree of required human interaction with the component; and the environment in which the product will be used.
(6) System safety under external influences. The product must be shown to operate safely when subjected to different external influences, including:
(i) Electrical influences such as power supply anomalies/transients, abnormal/improper input conditions (e.g., outside of normal range inputs relative to amplitude and frequency, unusual combinations of inputs) including those related to a human operator, and others such as electromagnetic interference or electrostatic discharges, or both;
(ii) Mechanical influences such as vibration and shock; and
(iii) Climatic conditions such as temperature and humidity.
(7) System safety after modifications. Safety must be ensured following modifications to the hardware or software, or both. All or some of the concerns identified in this paragraph may be applicable depending upon the nature and extent of the modifications. Such modifications must follow all of the concept, design, implementation and test processes and principles as documented in the PSP for the original product. Regression testing must be comprehensive and documented to include all scenarios which are affected by the change made, and the operating modes of the changed product during normal and failure state (fallback) operation.
(c) What standards are acceptable for verification and validation? (1) The standards employed for verification or validation, or both, of products subject to this subpart must be sufficient to support achievement of the applicable requirements of subpart H and subpart I of this part.
(2) U.S. Department of Defense Military Standard (MIL-STD) 882C, “System Safety Program Requirements” (January 19, 1993), is recognized as providing appropriate risk analysis processes for incorporation into verification and validation standards.
(3) The following standards designed for application to processor-based signal and train control systems are recognized as acceptable with respect to applicable elements of safety analysis required by subpart H and subpart I of this part. The latest versions of the standards listed below should be used unless otherwise provided.
(i) IEEE standards as follows:
(A) IEEE 1483-2000, Standard for the Verification of Vital Functions in Processor-Based Systems Used in Rail Transit Control.
(B) IEEE 1474.2-2003, Standard for user interface requirements in communications based train control (CBTC) systems.
(C) IEEE 1474.1-2004, Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements.
(ii) CENELEC Standards as follows:
(A) EN50129: 2003, Railway Applications: Communications, Signaling, and Processing Systems-Safety Related Electronic Systems for Signaling; and
(B) EN50155:2001/A1:2002, Railway Applications: Electronic Equipment Used in Rolling Stock.
(iii) ATCS Specification 200 Communications Systems Architecture.
(iv) ATCS Specification 250 Message Formats.
(v) AREMA 2009 Communications and Signal Manual of Recommended Practices, Parts 16, 17, 21, and 23.
(vi) Safety of High Speed Ground Transportation Systems. Analytical Methodology for Safety Validation of Computer Controlled Subsystems. Volume II: Development of a Safety Validation Methodology. Final Report September 1995. Author: Jonathan F. Luedeke, Battelle. DOT/FRA/ORD-95/10.2.
(vii) IEC 61508 (International Electrotechnical Commission), Functional Safety of Electrical/Electronic/Programmable/Electronic Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
(A) IEC 61508-1 (1998-12) Part 1: General requirements and IEC 61508-1 Corr. (1999-05) Corrigendum 1-Part 1: General Requirements.
(B) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems.
(C) IEC 61508-3 (1998-12) Part 3: Software requirements and IEC 61508-3 Corr.1 (1999-04) Corrigendum 1-Part 3: Software requirements.
(D) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations and IEC 61508-4 Corr.1 (1999-04) Corrigendum 1-Part 4: Definitions and abbreviations.
(E) IEC 61508-5 (1998-12) Part 5: Examples of methods for the determination of safety integrity levels and IEC 61508-5 Corr.1 (1999-04) Corrigendum 1 Part 5: Examples of methods for determination of safety integrity levels.
(F) IEC 61508-6 (2000-04) Part 6: Guidelines on the applications of IEC 61508-2 and -3.
(G) IEC 61508-7 (2000-03) Part 7: Overview of techniques and measures.
(H) IEC62278: 2002, Railway Applications: Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS); and
(I) IEC62279: 2002, Railway Applications: Software for Railway Control and Protection Systems.
(4) Use of unpublished standards, including proprietary standards, is authorized to the extent that such standards are shown to achieve the requirements of this part. However, any such standards shall be available for inspection and replication by FRA and for public examination in any public proceeding before the FRA to which they are relevant.
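The closed loop principle of paragraph (b)(3) and the checked redundancy concept of paragraph (b)(4)(ii) of this appendix, sketched in C as an added illustration that is not part of the proposed rule text. The condition names, the 500 ms freshness window, and the latch-until-reset policy on disagreement are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Added illustration; every name and constant here is an assumption. */
#define MAX_AGE_MS 500u   /* assumed freshness window for a verified input */

typedef enum { OUT_RESTRICTIVE = 0, OUT_PERMISSIVE = 1 } output_t;

enum { COND_ROUTE_LOCKED, COND_BLOCK_CLEAR, COND_SWITCH_DETECTED, COND_COUNT };

typedef struct {
    bool     reported;  /* false: the input is absent this cycle */
    bool     value;     /* true: the condition was positively verified */
    uint32_t stamp_ms;  /* when it was last verified */
} condition_t;

typedef struct { condition_t cond[COND_COUNT]; } channel_inputs_t;

typedef struct { bool latched_fault; } voter_t;  /* latching is an assumed policy */

/* Closed loop: permissive only when every condition is present, true and
 * fresh. A missing, false, stale or future-dated input yields restrictive,
 * so safety never depends on a failure being detected first. */
output_t channel_evaluate(const channel_inputs_t *in, uint32_t now_ms)
{
    for (size_t i = 0; i < COND_COUNT; i++) {
        const condition_t *c = &in->cond[i];
        if (!c->reported || !c->value)
            return OUT_RESTRICTIVE;
        /* unsigned subtraction: a stamp ahead of now wraps to a huge age */
        if ((uint32_t)(now_ms - c->stamp_ms) > MAX_AGE_MS)
            return OUT_RESTRICTIVE;
    }
    return OUT_PERMISSIVE;
}

/* Checked redundancy: two units evaluate their own input samples each cycle.
 * The output is permissive only when both agree on permissive. Disagreement
 * forces the safe state and latches it until an explicit reset. */
output_t vote_cycle(voter_t *v, const channel_inputs_t *a,
                    const channel_inputs_t *b, uint32_t now_ms)
{
    output_t ra = channel_evaluate(a, now_ms);
    output_t rb = channel_evaluate(b, now_ms);
    if (ra != rb)
        v->latched_fault = true;
    if (v->latched_fault)
        return OUT_RESTRICTIVE;
    return ra;  /* ra == rb at this point */
}

void voter_reset(voter_t *v) { v->latched_fault = false; }

/* Constructed sample input: each condition reported with the given value. */
channel_inputs_t sample_inputs(bool route, bool block, bool sw, uint32_t stamp_ms)
{
    channel_inputs_t in;
    in.cond[COND_ROUTE_LOCKED]    = (condition_t){ true, route, stamp_ms };
    in.cond[COND_BLOCK_CLEAR]     = (condition_t){ true, block, stamp_ms };
    in.cond[COND_SWITCH_DETECTED] = (condition_t){ true, sw,    stamp_ms };
    return in;
}

int main(void)
{
    voter_t v = { false };
    channel_inputs_t a = sample_inputs(true, true, true, 1000);
    channel_inputs_t b = sample_inputs(true, true, false, 1000);
    /* unit B does not see the switch detected: disagreement, safe state */
    return vote_cycle(&v, &a, &b, 1100) == OUT_RESTRICTIVE ? 0 : 1;
}
```

Because `vote_cycle` recomputes the output from current inputs on every call, a permissive state is never carried over from an earlier cycle; it has to be re-earned, which is the "continuously present" half of the closed loop principle.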
13. A new Appendix F to part 236 is added to read as follows:
Appendix F to Part 236—Requirements of Mandatory Independent Third-Party Assessment of PTC System Safety Verification and Validation
(a) This appendix provides minimum requirements for mandatory independent third-party assessment of PTC system safety verification and validation pursuant to subpart H or I of this part. The goal of this assessment is to provide an independent evaluation of the PTC system manufacturer's utilization of safety design practices during the PTC system's development and testing phases, as required by the applicable PSP, PTCDP, and PTCSP, the applicable requirements of subpart H or I of this part, and any other previously agreed-upon controlling documents or standards.
(b) The supplier may request advice and assistance of the independent third-party reviewer concerning the actions identified in paragraphs (c) through (g) of this appendix. However, the reviewer should not engage in design efforts in order to preserve the reviewer's independence and maintain the supplier's proprietary right to the PTC system.
(c) The supplier shall provide the reviewer access to any and all documentation that the reviewer requests and attendance at any design review or walkthrough that the reviewer determines as necessary to complete and accomplish the third party assessment. The reviewer may be accompanied by representatives of FRA as necessary, in FRA's judgment, for FRA to monitor the assessment.
(d) The reviewer shall evaluate with respect to safety and comment on the adequacy of the processes which the supplier applies to the design and development of the PTC system. At a minimum, the reviewer shall compare the supplier processes with acceptable methodology and employ any other such tests or comparisons if they have been agreed to previously with FRA. Based on these analyses, the reviewer shall identify and document any significant safety vulnerabilities which are not adequately mitigated by the supplier's (or user's) processes. Finally, the reviewer shall evaluate the adequacy of the railroad's applicable PSP or PTCSP, and any other documents pertinent to the PTC system being assessed.
(e) The reviewer shall analyze the Preliminary Hazard Analysis (PHA) for comprehensiveness and compliance with industry, national, or international standards.
(f) The reviewer shall analyze all Fault Tree Analyses (FTA), Failure Mode and Effects Criticality Analysis (FMECA), and other hazard analyses for completeness, correctness, and compliance with industry, national, or international standards.
(g) The reviewer shall randomly select various safety-critical software modules, as well as safety-critical hardware components if required by FRA for audit to verify whether the vendor, industry, national, or international standards were followed. The number of modules audited must be determined as a representative number sufficient to provide confidence that all unaudited modules were developed in compliance with industry, national, or international standards.
(h) The reviewer shall evaluate and comment on the plan for installation and test procedures of the PTC system for revenue service.
(i) The reviewer shall prepare a final report of the assessment. The report shall be submitted to the railroad prior to the commencement of installation testing and contain at least the following information:
(1) Reviewer's evaluation of the adequacy of the PSP or PTCSP including the supplier's MTTHE and risk estimates for the PTC system, and the supplier's confidence interval in these estimates;
(2) PTC system vulnerabilities, potentially hazardous failure modes, or potentially hazardous operating circumstances which the reviewer felt were not adequately identified, tracked or mitigated;
(3) A clear statement of position for all parties involved for each PTC system vulnerability cited by the reviewer;
(4) Identification of any documentation or information sought by the reviewer that was denied, incomplete, or inadequate;
(5) A listing of each applicable vendor, industry, national or international standard, process, or procedure which was not properly followed;
(6) Identification of the hardware and software verification and validation procedures for the PTC system's safety-critical applications, and the reviewer's evaluation of the adequacy of these procedures;
(7) Methods employed by PTC system manufacturer to develop safety-critical software, such as use of structured language, code checks, modularity, or other similar generally acceptable techniques; and
(8) If directed by FRA, methods employed by PTC system manufacturer to develop safety-critical hardware.
Karen J. Rae,
[FR Doc. E9-17184 Filed 7-15-09; 4:15 pm]