Federal Railroad Administration (FRA), Department of Transportation (DOT).
Notice of proposed rulemaking (NPRM).
FRA proposes to revise the existing regulations containing Railroad Locomotive Safety Standards. The proposed revisions would update, consolidate, and clarify the existing regulations. The proposal incorporates existing industry and engineering best practices related to locomotives and locomotive electronics. This includes the development of a safety analysis for new locomotive electronic systems. FRA believes this proposal will modernize and improve its safety regulatory program related to locomotives.
Comments: Written comments must be received by March 14, 2011. Comments received after that date will be considered to the extent possible without incurring additional expenses or delays.
Hearing: FRA anticipates being able to complete this rulemaking without a public, oral hearing. However, if FRA receives a specific request for a public, oral hearing prior to February 11, 2011, one will be scheduled and FRA will publish a supplemental notice in the Federal Register to inform interested parties of the date, time, and location of any such hearing.
Comments: Comments related to Docket No. FRA-2009-0095 may be submitted by any of the following methods:
- Web Site: Federal eRulemaking Portal, http://www.regulations.gov. Follow the online instructions for submitting comments.
- Fax: 202-493-2251.
- Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue, SE., W12-140, Washington, DC 20590.
- Hand Delivery: Room W12-140 on the Ground level of the West Building, 1200 New Jersey Avenue, SE., W12-140, Washington, DC between 9 a.m. and 5 p.m. Monday through Friday, except Federal holidays.
- Federal eRulemaking Portal: Go to http://www.regulations.gov. Follow the online instructions for submitting comments.
Instructions: All submissions must include the agency name and docket number or Regulatory Identification Number (RIN) for this rulemaking. Note that all comments received will be posted without change to http://www.regulation.gov including any personal information. Please see the Privacy Act heading in the SUPPLEMENTARY INFORMATION section of this document for Privacy Act information related to any submitted comments or materials.
Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov at any time or to Room W12-140 on the Ground level of the West Building, 1200 New Jersey Avenue, SE., Washington, DC between 9 a.m. and 5 p.m. Monday through Friday, except Federal holidays.
FOR FURTHER INFORMATION CONTACT:
George Scerbo, Office of Safety Assurance and Compliance, Motive Power & Equipment Division, RRS-14, Federal Railroad Administration, 1200 New Jersey Avenue, SE., Washington, DC (telephone 202-493-6249), or Michael Masci, Trial Attorney, Office of Chief Counsel, Federal Railroad Administration, 1200 New Jersey Avenue, SE., Washington, DC (telephone 202-493-6037).
I. Statutory and Regulatory Background
FRA has broad statutory authority to regulate railroad safety. The Federal railroad safety laws (formerly the Locomotive Boiler Inspection Act at 45 U.S.C. 22-34, repealed and recodified at 49 U.S.C. 20701-20703) prohibit the use of unsafe locomotives and authorize FRA to issue standards for locomotive maintenance and testing. In order to further FRA's ability to respond effectively to contemporary safety problems and hazards as they arise in the railroad industry, Congress enacted the Federal Railroad Safety Act of 1970 (Safety Act) (formerly 45 U.S.C. 421, 431 et seq., now found primarily in chapter 201 of Title 49). The Safety Act grants the Secretary of Transportation rulemaking authority over all areas of railroad safety (49 U.S.C. 20103(a)) and confers all powers necessary to detect and penalize violations of any rail safety law. This authority was subsequently delegated to the FRA Administrator. (49 CFR 1.49) Until July 5, 1994, the Federal railroad safety statutes existed as separate acts found primarily in title 45 of the United States Code. On that date, all of the acts were repealed, and their provisions were recodified into title 49 of the United States Code. All references to parts and sections in this document shall be to parts and sections located in Title 49 of the Code of Federal Regulations.
Pursuant to its general statutory rulemaking authority, FRA promulgates and enforces rules as part of a comprehensive regulatory program to address the safety of, inter alia, railroad track, signal systems, communications, rolling stock, operating practices, passenger train emergency preparedness, alcohol and drug testing, locomotive engineer certification, and workplace safety. In 1980, FRA issued the majority of the regulatory provisions currently found at 49 CFR part 229 (“part 229”) addressing various locomotive related topics including: Inspections and tests; safety requirements for brake, draft, suspension, and electrical systems, and locomotive cabs; and locomotive cab equipment. Since 1980, various provisions currently contained in part 229 have been added or revised on an ad hoc basis to address specific safety concerns or in response to specific statutory mandates.
Topics for new regulation typically arise from several sources. FRA continually reviews its regulations and revises them as needed to address emerging technology, changing operational realities, and to bolster existing standards as new safety concerns are identified. It is also common for the railroad industry to introduce regulatory issues through FRA's waiver process. Several of FRA's proposed requirements have been partially or previously addressed through FRA's waiver process. As detailed in part 211, FRA's Railroad Safety Board (Safety Board) reviews, and approves or denies, waiver petitions submitted by railroads and other parties subject to the regulations. Petitions granted by the Safety Board can be utilized only by the petitioning party. By incorporating existing relevant regulatory waivers into part 229, FRA intends to extend the reach of the regulatory flexibilities permitted under those waivers. Although FRA is proposing to alter a number of regulatory requirements, the comprehensive safety regulatory structure would remain.
The requirement that a locomotive be safe to operate in the service in which it is placed remains the cornerstone of Federal regulation. Title 49 U.S.C. 20701 provides that “[a] railroad carrier may use or allow to be used a locomotive or tender on its railroad line only when the locomotive or tender and its parts and appurtenances: (1) Are in proper condition and safe to operate without unnecessary danger of personal injury; (2) have been inspected as required under this chapter and regulations prescribed by the Secretary of Transportation under this chapter; and (3) can withstand every test prescribed by the Secretary under this chapter.”
The statute is extremely broad in scope and makes clear that each railroad is responsible for ensuring that locomotives used on its line are safe. Even the extensive requirements of part 229 are not intended to be exhaustive in scope, and with or without that regulatory structure the railroads remain directly responsible for finding and correcting all hazardous conditions. For example, even without these proposed regulations, a railroad would be responsible for repairing an inoperative alerter and an improperly functioning remote control transmitter, if the locomotive is equipped with these devices.
On July 12, 2004, the Association of American Railroads (AAR), on behalf of itself and its member railroads, petitioned the FRA to delete the requirement contained in 49 CFR 229.131 related to locomotive sanders. The petition and supporting documentation asserted that contrary to popular belief, depositing sand on the rail in front of the locomotive wheels will not have any significant influence on the emergency stopping distance of a train. While contemplating the petition, FRA and interested industry members began identifying other issues related to the locomotive safety standards. The purpose of this task was to develop information so that FRA could potentially address the issues through the Railroad Safety Advisory Committee (RSAC).
The locomotive sanders final rule was published on October 19, 2007 (72 FR 59216). FRA continued to utilize the RSAC process to address additional locomotive safety issues. On September 10, 2009, after a series of detailed discussions, the RSAC approved and provided recommendations on a wide range of locomotive safety issues, including locomotive brake maintenance, pilot height, headlight operation, danger markings, and locomotive electronics. FRA is generally proposing the consensus rule text for these issues with minor clarifying modifications. The RSAC was unable to reach consensus on the issues related to remote control locomotives, cab temperature, and locomotive alerters. Based on its consideration of the information and views provided by the RSAC Locomotive Safety Standards Working Group, FRA is also proposing rule text related to the non-consensus items.
II. RSAC Overview
In March 1996, FRA established the RSAC, which provides a forum for developing consensus recommendations on rulemakings and other safety program issues. The Committee includes representation from interested parties, including railroads, labor organizations, suppliers and manufacturers, and other interested parties. A list of member groups follows:
American Association of Private Railroad Car Owners (AARPCO)
American Association of State Highway & Transportation Officials (AASHTO)
American Public Transportation Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
American Train Dispatchers Association (ATDA)
Association of American Railroads (AAR)
Association of Railway Museums (ARM)
Association of State Rail Safety Managers (ASRSM)
Brotherhood of Locomotive Engineers and Trainmen (BLET)
Brotherhood of Maintenance of Way Employes Division (BMWED)
Brotherhood of Railroad Signalmen (BRS)
Federal Transit Administration (FTA)*
High Speed Ground Transportation Association (HSGTA)
International Association of Machinists and Aerospace Workers
International Brotherhood of Electrical Workers (IBEW)
Labor Council for Latin American Advancement (LCLAA)*
League of Railway Industry Women*
National Association of Railroad Passengers (NARP)
National Association of Railway Business Women*
National Conference of Firemen & Oilers
National Railroad Construction and Maintenance Association
National Railroad Passenger Corporation (Amtrak)
National Transportation Safety Board (NTSB)*
Railway Supply Institute (RSI)
Safe Travel America (STA)
Secretaria de Communicaciones y Transporte*
Sheet Metal Workers International Association (SMWIA)
Tourist Railway Association Inc.
Transport Workers Union of America (TWU)
Transportation Communications International Union/BRC (TCIU/BRC)
United Transportation Union (UTU)
*Indicates associate membership.
When appropriate, FRA assigns a task to the RSAC, and after consideration and debate, the RSAC may accept or reject the task. If accepted, the RSAC establishes a working group that possesses the appropriate expertise and representation of interests to develop recommendations to FRA for action on the task. These recommendations are developed by consensus. A working group may establish one or more task forces to develop facts and options on a particular aspect of a given task. The task force then provides that information to the working group for consideration. If a working group comes to unanimous consensus on recommendations for action, the package is presented to the RSAC for a vote. If the proposal is accepted by a simple majority of the RSAC, the proposal is formally recommended to FRA. FRA then determines what action to take on the recommendation. Because FRA staff has played an active role at the working group level in discussing the issues and options and in drafting the language of the consensus proposal, FRA is often favorably inclined toward the RSAC recommendation. However, FRA is in no way bound to follow the recommendation and the agency exercises its independent judgment on whether the recommended rule achieves the agency's regulatory goal, is soundly supported, and is in accordance with policy and legal requirements. Often, FRA varies in some respects from the RSAC recommendation in developing the actual regulatory proposal. If the working group or the RSAC is unable to reach consensus on recommendations for action, FRA moves ahead to resolve the issue through conventional practices including traditional rulemaking proceedings.
III. Proceedings to Date
On February 22, 2006, FRA presented, and the RSAC accepted, the task of reviewing existing locomotive safety needs and recommending consideration of specific actions useful to advance the safety of rail operations. The RSAC established the Locomotive Safety Standards Working Group (Working Group) to handle this task and develop recommendations for the full RSAC to consider. Members of the Working Group, in addition to FRA, included the following:
BNSF Railway Company (BNSF)
California Department of Transportation
Canadian National Railway (CN)
Canadian Pacific Railway (CP)
CSX Transportation (CSXT)
Florida East Coast Railroad
General Electric (GE)
Genesee & Wyoming Inc.
International Association of Machinists and Aerospace Workers
Kansas City Southern Railway (KCS)
Long Island Rail Road
MTA Long Island
National Conference of Firemen and Oilers
Norfolk Southern Corporation (NS)
Public Service Commission of West Virginia
Rail America, Inc.
Southeastern Pennsylvania Transportation Agency
Tourist Railway Association Inc.
Union Pacific Railroad (UP)
The task statement approved by the full RSAC sought immediate action from the Working Group regarding the need for, and usefulness of, the existing regulation related to locomotive sanders. The task statement established a target date of 90 days for the Working Group to report back to the RSAC with recommendations to revise the existing regulatory sander provision. The Working Group conducted two meetings that focused almost exclusively on the sander requirement. The meetings were held on May 8-10, 2006, in St. Louis, Missouri, and on August 9-10, 2006, in Fort Worth, Texas. Minutes of these meetings have been made part of the docket in this proceeding. After broad and meaningful discussion related to the potential safety and operational benefits provided by equipping locomotives with operative sanders, the Working Group reached consensus on a recommendation for the full RSAC.
On September 21, 2006, the full RSAC unanimously adopted the Working Group's recommendation on locomotive sanders as its recommendation to FRA. The next twelve Working Group meetings addressed a wide range of locomotive safety issues. The meetings were held at the following locations on the following days:
Kansas City, MS, October 30 & 31, 2006;
Raleigh, NC, January 9 & 10, 2007;
Orlando, FL, March 6 & 7, 2007;
Chicago, IL, June 6 & 7, 2007;
Las Vegas, NV, September 18 & 19, 2007;
New Orleans, LA, November 27 & 28, 2007;
Fort Lauderdale, FL, February 5 & 6, 2008;
Grapevine, TX, May 20 & 21, 2008;
Silver Spring, MD, August 5 & 6, 2008;
Overland Park, KS, October 22 & 23, 2008;
Washington, D.C., January 6 & 7, 2009; and
Arlington, VA, April 15 & 16, 2009.
At the above listed meetings, the Working Group successfully reached consensus on the following locomotive safety issues: Locomotive brake maintenance, pilot height, headlight operation, danger markings placement, load meter settings, reorganization of steam generator requirements, and the establishment of locomotive electronics requirements. Throughout the preamble discussion of this proposal, FRA refers to comments, views, suggestions, or recommendations made by members of the Working Group. When using this terminology, FRA is referring to views, statements, discussions, or positions identified or contained in the minutes of the Working Group meetings. These documents have been made part of the docket in this proceeding and are available for public inspection as discussed in the ADDRESSES portion of this document. These points are discussed to show the origin of certain issues and the course of discussions on those issues at the task force or working group level. We believe this helps illuminate factors FRA has weighed in making its regulatory decisions, and the logic behind those decisions.
The reader should keep in mind, of course, that only the full RSAC makes recommendations to FRA, and it is the consensus recommendation of the full RSAC on which FRA is primarily acting in this proceeding. As discussed above, the Working Group reported its findings and recommendations to the RSAC at its September 10, 2009 meeting. The RSAC approved the recommended consensus regulatory text proposed by the Working Group, which accounts for the majority of this NPRM. The specific regulatory language recommended by the RSAC was amended slightly for clarity and consistency. FRA independently developed proposals related to remote control locomotives, alerters, and locomotive cab temperature, issues that the Working Group discussed but on which it ultimately did not reach consensus.
IV. General Overview of Proposed Requirements
Trends in locomotive operation, concern about the safe design of electronics, technology advances, and experience applying Federal regulations provide the main impetus for the proposed revisions to FRA's existing standards related to locomotive safety. An overview of some of the major areas addressed in this proposal is provided below.
A. Remote Control Locomotives
Remote control devices have been used to operate locomotives at various locations in the United States for many years, primarily within yards and certain industrial sites. Railroads in Canada have extensively used remote control locomotives for more than a decade. FRA began investigating remote control operations in 1994 and held its first public hearing on the subject in the mid-1990s to gather information and examine the safety issues relating to this new technology. On July 19, 2000, FRA conducted a technical conference in which interested parties, including rail unions, remote control systems suppliers, and railroad representatives, shared their views and described their experiences with remote control operations.
On February 14, 2001, FRA published a Safety Advisory in which FRA issued recommended guidelines for conducting remote control locomotive operations. See 66 FR 10340, Notice of Safety Advisory 2001-01, Docket No. FRA-2000-7325. By issuing these recommendations, FRA sought to identify a set of “best practices” to guide the rail industry when implementing this technology. As this was an emerging technology, FRA believed the approach served the railroad industry by providing flexibility to both manufacturers designing the equipment and to railroads using the technology in their operations, while reinforcing the importance of complying with all existing railroad safety regulations. All of the major railroads have adopted the recommendations contained in the advisory, with only slight modifications to suit their individual operations.
In the Safety Advisory, FRA addressed the application and enforcement of the Federal regulations to remote control locomotives. FRA discussed the existing Federal locomotive inspection requirements and the application of those broad requirements to remote control locomotive technology. The Safety Advisory explains that: “although compliance with this Safety Advisory is voluntary, nothing in this Safety Advisory is meant to relieve a railroad from compliance with all existing railroad safety regulations [and] [t]herefore, when procedures required by regulation are cited in this Safety Advisory, compliance is mandatory.” Id. at 10343. For example, the Safety Advisory states that the remote control locomotive “system must be included as part of the calendar day inspection required by section 229.21, since this equipment becomes an appurtenance to the locomotive.” Id. at 10344. Another example of a mandatory requirement mentioned in the Safety Advisory is that the remote control locomotive “system components that interface with the mechanical devices of the locomotive, e.g., air pressure monitoring devices, pressure switches, speed sensors, etc., should be inspected and calibrated as often as necessary, but not less than the locomotive's periodic (92-day) inspection.” Id.; see also 49 CFR 229.23. Thus, the Safety Advisory made clear that the existing Federal regulations require inspection of the remote control locomotive equipment.
The Safety Advisory also addressed the application of various requirements related to the operators of remote control locomotives. The Safety Advisory states that “each person operating an RCL [remote control locomotive] must be certified and qualified in accordance with part 240 [FRA's locomotive engineer rule] if conventional operation of a locomotive under the same circumstances would require certification under that regulation.” Id. at 10344. In 2006, FRA codified additional requirements to address specific operational issues such as situational awareness. See 71 FR 60372 (2006).
During several productive meetings, the Working Group identified many areas of agreement regarding the regulation of remote control locomotive equipment. On issues that produced disagreement, FRA gathered useful information. Informed by the Working Group discussions, this proposal would codify the industry's best practices related to the use and operation of remote control locomotives.
B. Electronic Record-Keeping
The development and improved capability of electronic record-keeping systems has led to the potential for safe electronic maintenance of records required by part 229. Since April 3, 2002, FRA has granted a series of waivers permitting electronic record-keeping with certain conditions intended to ensure the safety, security and accessibility of such systems. See FRA-2001-11014. Based on the information gathered under the experiences of utilizing the electronic records permitted under these existing waivers, the Working Group discussed, and agreed to, generally applicable standards for electronic record-keeping systems.
C. Brake Maintenance
Advances in technology have increased the longevity of locomotive brake system components. In conjunction with several railroads and the AAR, FRA has monitored the performance of new brake systems since the Locomotive Safety Standards regulation was first published in 1980. See 45 FR 21092. The proposed revisions to locomotive air brake maintenance are based on this extensive history of study and testing. Over the last several decades, FRA has granted several conditional waivers extending the air brake cleaning, repair, and test requirements of §§ 229.27 and 229.29. These extensions were designed to accommodate testing of the reliability of electronic brake systems and other brake system components, with the intent of moving toward performance-based test criteria with components being replaced or repaired based upon their reliability.
In 1981, FRA granted a test waiver (H-80-7) to eight railroads, permitting them to extend the annual and biennial testing requirements contained in §§ 229.27 and 229.29, in order to conduct a study of the safe service life and reliability of the locomotive brake components. On January 29, 1985, FRA expanded the waiver to permit all railroads to inspect the 26-L type brake equipment on a triennial basis. In the 1990's, the Canadian Pacific Railroad (CP) and the Canadian National Railroad (CN) petitioned the FRA to allow them to operate locomotives into the United States that received periodic attention every four years. The requests were based on a decision by Transport Canada to institute a four-year inspection program following a thorough test program in Canada. In November 2000, FRA granted conditional waivers to both the CN and CP, extending the testing interval to four years for Canadian-based locomotives equipped with 26-L type brake systems and air dryers. The waiver also requires all air brake filtering devices to be changed annually and the air compressor to be overhauled not less than every six years. In 2005, this waiver was extended industry-wide. See FRA-2005-21325.
In 2009, AAR petitioned for a waiver that would permit four year testing and maintenance intervals for locomotives that are equipped with 26-L type brake equipment and not equipped with air dryers. The petition assumed that the testing and maintenance intervals that are appropriate for locomotives equipped with air dryers are also appropriate for locomotives without air dryers. FRA denied the request, but granted a limited test program to determine whether the addition of operative air dryers on a locomotive merits different maintenance and testing requirements. FRA recognizes that the results of the test plan may indicate that locomotives that are not equipped with air dryers merit the same treatment as locomotives that operate without air dryers. FRA solicits comments on this issue.
FRA also requests comments on what should constitute an operative air dryer and how a locomotive with an inoperative air dryer should be properly handled. FRA believes that these issues are essential to enforcement of a requirement that includes the use of operative air dryers. The proposed rule text does not address this issue. It is not clear how many days an air dryer would need to stop performing to allow contaminants in the brake line to adversely affect the brake valves to the extent that the air dryer is no longer considered operative. It is also unclear how many days an air dryer could be inoperative before it needs to be repaired in order to preserve the four year testing and maintenance schedule. FRA believes that one reasonable approach would be to permit a locomotive with an inoperative air dryer to run to the next periodic inspection to be repaired.
The New York Air Brake Corporation (NYAB) sought by waiver, and was granted, an extension of the cleaning, repairing, and testing requirements for pneumatic components of the CCBI and CCBII brake systems (FRA-2000-7367, formerly H-95-3), and then modification of that waiver to include its new CCB-26 electronic airbrake system. The initial waiver, which was first granted on September 13, 1996, extended the interval for cleaning, repairing, and testing pneumatic components of the NYAB Computer Controlled Brake (CCB, now referred to as CCB-I) locomotive air brake system under 49 CFR 229.27(a)(2) and 49 CFR 229.29(a) from 736 days to five years. The waiver was modified to include NYAB's CCB-II electronic air brake system on August 20, 1998.
To confirm that the extended brake maintenance interval did not have a negative effect on safety, FRA required quarterly reports listing air brake failures, both pneumatic and electrical, of all locomotives operating under the waiver including: Locomotive reporting marks; and the cause and resolution of the problem. All verified failures were required to be reported to FRA prior to disassembly, so that NYAB, the railroad, and FRA could jointly witness the disassembly of the failed component to determine the cause. The last quarterly submission to FRA listed 1,889 CCBI and 1,806 CCBII equipped locomotives in the United States, all of which were operating at high levels of reliability and demonstrated safety. All past tests and teardown inspections confirm the safety and reliability of the five year interval.
Based on successful performance of the two NYAB electronic air brake systems under the conditions of the 1996 and 1998 waivers, the waiver was extended for another five years on September 10, 2001, and the conditions of the waiver were modified on September 22, 2003. NYAB described the new CCB-26 electronic air brake system as an adaptation of the CCB-II system designed to be used on locomotives without integrated cab electronics. It used many of the same sub-assemblies of pneumatic valves, electronic controls and software (referred to as line replaceable units or LRUs) as the CCB-II. Some changes were made to simplify the system while maintaining or increasing the level of safety. For example, the penalty brake interface was changed to mimic the 26L system interface, allowing for a fully pneumatic penalty brake application. Also, the brake cylinder pilot pressure development has been simplified from an electronic control to a fully pneumatic version based on proven components.
Much of the software and diagnostic logic which detects critical failures and takes appropriate action to effect a safe stop has been carried over from CCB-II. Overall, NYAB characterized the CCB-26 as being more similar to CCB-II than CCB-II is to CCB-I. As a final check on the performance of the CCB-26 system, it was included in the existing NYAB failure monitoring and recording systems. For the reasons above, FRA extended the waiver of compliance with brake maintenance requirements to locomotives equipped with CCB-26 brake systems.
Similarly, WABCO Locomotive Products (WABCO), a Wabtec company, sought and was granted an extension of the cleaning, repairing, and testing requirements for pneumatic components of the EPIC brake systems (FRA-2002-13397, formerly H-92-3), and then modification of that waiver to include its new FastBrake line of electronic airbrake systems. The initial waiver conditionally extended to five years the clean, repair and test intervals for certain pneumatic air brake components contained in §§ 229.27(a)(2) and 229.29(a) for WABCO's EPIC electronic air brake equipment. WABCO complied with all of the conditions of the waiver. Specifically, WABCO provided regular reports to FRA including summaries of locomotives equipped with EPIC brake systems and all pneumatic and electronic failures. FRA participated in two joint teardown inspections of EPIC equipment after five years of service in June 2000 and May 2002. After five years of service, the EPIC brake systems were found to function normally. No faults were found during locomotive tests, and the teardown revealed that the parts were clean and in working condition.
In support of its proposal to extend brake maintenance for FastBrake brake systems, WABCO stated that virtually all of the core pneumatic technology that has been service proven in EPIC from the time of its introduction, and documented as such under the provisions of the above waiver, was transferred into FastBrake with little or no change. They asserted that a further reduction of pneumatic logic devices had been made possible by the substitution of computer based logic. WABCO also provided a discussion of the similarities between the EPIC and FastBrake systems as well as the differences, which are primarily in the area of electronics rather than pneumatics. In conclusion, WABCO stated that the waiver could be amended without compromising safety. For the reasons above, FRA granted the waiver petition.
Over time, several brake systems have been brought into a performance based standard. FRA, along with railroads and brake valve manufacturers, has participated in a series of brake valve evaluations. Each evaluation was performed after extended use of a particular brake valve system to determine whether it can perform safely when used beyond the number of days currently permitted by part 229. The Working Group agreed with the evidence of success and the overall approach taken by FRA. As a result, the Working Group reached consensus on the proposed brake maintenance standards.
D. Brakes, General
In December of 1999, a MP&E Technical Resolution Committee (TRC), consisting of FRA and industry experts, met in Kansas City to consider the proper application of the phrase “operate as intended” contained in § 229.46 when applied to trailing, non-controlling locomotives. Extensive discussion failed to reach consensus on this issue, but revealed valuable insight into the technical underpinnings and operational realities surrounding the issue. The Working Group revived this issue, and after lengthy discussion, reached consensus.
Generally, even if a locomotive has a defective brake valve that prevents it from functioning as a lead locomotive, its brakes will still properly apply and release when it is placed and operated as a trailing locomotive. This situation can apply on either a pneumatic 26-L application or on the electronic versions of the locomotive brake. The electronic brake often will have the breaker turned off, thus making the brake inoperative unless it is being controlled by another locomotive.
Based on reading the plain language of the existing regulation it is not clear under what conditions a trailing, non-controlling locomotive operates as intended. The existing regulation provides that “the carrier shall know before each trip that the locomotive brakes and devices for regulating all pressures, including but not limited to the automatic and independent brake valves, operate as intended * * *” See 49 CFR 229.46. One could reasonably argue that a trailing non-controlling locomotive is operating as intended when the brakes are able to apply and release in response to a command from a controlling locomotive, because the locomotive is not intended to control the brakes when it is used in the trailing position. It could also be argued that the trailing, non-controlling locomotive's automatic and independent brake valves must be able to control the brakes whenever it is called on to do so. Under this reading, a trailing, non-controlling locomotive does not operate as intended when it is not able to control the brakes.
At the TRC meeting, the representatives from NYAB Corporation, a brake manufacturer, asserted that a problem with a faulty automatic or independent brake valve will not create an unsafe condition when the locomotive is operating in the trail position, provided the locomotive consist has a successful brake test (application and release) from the lead unit. The reason offered was that in order for a locomotive to operate in the trailing position, the automatic and independent brake valves must be cut-out. FRA agrees, and currently applies this rationale in regards to performing a calendar day inspection. The calendar day inspection does not require that the operation of the automatic and independent brake controls be verified on trailing locomotives. The Working Group agreed, and recommended adding a tagging requirement to prevent a trailing, non-controlling locomotive with defective independent or automatic brakes from being used as a controlling locomotive.
E. Locomotive Cab Temperature
In 1998, FRA led an RSAC Working Group to address various cab working condition issues. To aid the Working Group discussions, FRA conducted a study to determine the average temperature in each type of locomotive cab commonly used at the time. The study concluded that at the location where the engineer operates the locomotive, each locomotive maintained an average temperature of at least 60 degrees. The window and door gaskets were maintained in proper condition on the locomotives that were studied. In 1998, FRA believed it was impractical to address the minimum temperature issue by regulation, especially given that the existing industry practice was appropriate and revision of the regulation would have required considerable resources. Now that the locomotive safety standards are in the process of being revised, FRA proposes to incorporate existing industry practice into the regulation in an effort to maintain the current conditions. For review, the 1998 study has been included in the public docket related to this proceeding.
In addition to proposing an increase in the minimum cab temperature from 50 °F to 60 °F, FRA believes that establishing a maximum cab temperature limit would result in improved locomotive crew performance, which in turn would increase railroad safety. Current literature regarding the effect of low temperature on human performance indicates that performance decreases when the temperature decreases below 60 °F. Similarly, the literature regarding the effect of high temperature and humidity indicates that performance decreases when temperatures increase above 80 °F, and that performance decreases to an even greater extent when the temperature increases above 90 °F. Ergonomics, 2002 vol. 45, no. 10, 682-698.
Locomotive crew performance is directly linked to railroad safety through the safe operation of trains. Locomotive engineers are responsible for operating trains in a safe and efficient manner. This requires the performance of cognitive tasks including the mathematical information processing required for train handling, constant vigilance, and accurate perception of the train and outside environment. Conductors are responsible for maintaining accurate train consists, including the contents and position of hazardous materials cars, for confirming the aspects and indications of signals, and for ensuring compliance with written orders and instructions. A decrease in performance of any of these tasks that can be anticipated from relevant scientific findings should be avoided where amelioration can be applied.
In the Human Reliability Analysis (HRA) literature, stressors are considered to be important factors that can affect human performance and produce errors. Such stressors are, in fact, labeled performance-shaping factors (PSFs) and include external (or environmental) factors such as temperature. In general, if one has an estimate of the human error probability (HEP) associated with some generic or specific task, the PSFs that exist are used to modulate the magnitude of that error. For example, an estimate of HEP associated with simple calculations is 0.04, with a lower bound of 0.02 and an upper bound of 0.11. If stress is introduced in a situation in which there is decision-making and multi-tasking (all of which are typical of locomotive engineer work), human factor experts recommend that HEP be increased five-fold for skilled workers and ten-fold for novice workers. Consequently, mean HEP would be estimated at 0.2 for skilled workers and at 0.4 for novices. This same logic can be applied to estimate accident reduction. Accident reduction estimates can be obtained under the assumption that accidents are proportional to the task performance decrements that accrue due to temperature stress. If a proportion of the task performance decrements is eliminated, then accidents should also be proportionately decreased. For example, in 1999, 16 of the human factors train accidents reported to the FRA occurred when the ambient temperatures were 90 °F or above. Conservatively assuming that at least eight (50 percent) of the locomotive cabs did not have operational air conditioning or other measures in place to reduce in cab temperatures below the ambient temperature and applying the overall task decrement of 0.148 as described in the meta-analysis an estimate may be made that a 65/86 temperature rule would prevent more than one in eight of the 1999 human factors train accidents that occurred when ambient and in cab temperatures were 90 °F or above. 
The results of applying task decrements to human factors train accidents in specific temperature ranges, however, can be considered conservative because the accidents considered only include accidents for which the primary cause was identified as “Human Factors.” Experts on accident causation indicate that accidents very rarely have a single cause. Rather, there are usually multiple factors that together contribute to the generation of an accident.
In many occupational settings it is desirable to minimize the health and safety effects of temperature extremes. Depending upon the workplace, engineering controls may be employed as well as the management of employee exposure to excess cold or heat using such methods as work-rest regimens. Because of the unique nature of the railroad operating environment, the locomotive cab can be viewed as a captive workplace where the continuous work of the locomotive crew takes place in a relatively small space. For this reason, in an excessively hot cab, a locomotive crew member may have no escape from extreme temperatures, since they cannot be expected to readily disembark the train and rest in a cooler environment as part of a work-rest regimen without prior planning by the railroad. As such, FRA expects reliance upon engineering controls to limit temperature extremes. When FRA considered controls for cold and hot temperature cab environments, FRA learned that there is a range of engineering controls available that can be employed. Some of these controls are presently employed to affect the cab temperature environment. Controls include isolation from heat sources such as the prime mover; reduced emissivity of hot surfaces; insulation from hot or cold ambient environments; radiation shielding including reflective shields, absorptive shielding, transparent shielding, and flexible shielding; localized workstation heating or cooling; general and spot (fan) ventilation; evaporative cooling; chilled coil cooling systems.
As noted above, in 1998, FRA led an RSAC Working Group to address various cab working condition issues. To aid the Working Group discussions, FRA conducted a winter time study to determine the average low temperature in each type of locomotive cab commonly used at the time. The study concluded that at the location where the engineer operates the locomotive, each locomotive maintained an average temperature of at least 60 °F. Ergonomics, 2002 vol. 45, no. 10, 682-698. The window and door gaskets were maintained in proper condition on the locomotives that were studied. In 1998, FRA believed it was impractical to address the minimum temperature issue by regulation, especially given that the existing industry practice was appropriate and revision of the regulation would have required considerable resources. Now that the locomotive safety standards are in the process of being revised, FRA proposes to incorporate existing industry practice into the regulation in an effort to maintain the current minimum cab temperature conditions.
Based on the preceding discussion and its review of existing literature on the subject, FRA believes it is appropriate to consider not only limiting minimum locomotive cab temperature but also limiting maximum locomotive cab temperature. FRA believes that an appropriate maximum temperature level for a locomotive cab is a wet bulb temperature (WBT) somewhere between 80° and 90 °F. FRA recognizes that the mechanical capabilities of cooling systems on both existing and new locomotives are directly affected by the outside ambient temperature. Thus, FRA expects that the maximum cab temperature limit may need to be flexible in extreme weather conditions due to the limited ability of existing cooling systems to produce a temperature a vast number of degrees cooler than the external ambient temperature. FRA seeks comment and information from interested parties regarding current practices within the industry with regard to maintaining a maximum locomotive cab temperature.
There are a number of factors and issues that must be considered when imposing a maximum locomotive cab temperature. In an effort to develop safe and cost-effective requirements related to establishing a maximum locomotive cab temperature limit FRA seeks comments from interested parties on the following issues:
1. To what locomotives should the maximum cab temperature limits apply?
FRA does not anticipate applying the maximum cab temperature limit to all locomotives. Existing locomotives that are not equipped with air conditioners would not be required to add air conditioning units. A significant portion of the industry's existing locomotive fleet is currently equipped with air conditioners. FRA believes that air conditioning units should remain on locomotives that are currently so equipped and would expect the maximum cab temperature limit to apply to such units. FRA also expects that the maximum temperature limit would be applicable to new locomotives, and remanufactured locomotives as defined in § 229.5. FRA believes that one of the reasons that virtually all of these types of locomotives are constructed with air conditioning units is to ensure the proper operation of the on-board electronic equipment. Thus, the locomotives are already equipped with the facilities to maintain a cab temperature below the maximum temperatures being contemplated. FRA also recognizes that at some locations the ambient temperature may seldom or never rise above 90 °F. Thus, FRA is considering an approach that might provide an exception for these types of locations from the maximum cab temperature limits. With the above discussion in mind, FRA seeks information and comments from interested parties on the following:
- What percentage of locomotives in the existing fleet are equipped with air conditioning units?
- What percentages of newly constructed or remanufactured locomotives are equipped with air conditioning units?
- What potential requirements could apply to locomotives that spend the majority of their time in locations that rarely rise above 90 °F, but also operate in locations where the temperature does rise above 90 °F?
- How could these locations be properly excluded from the maximum temperature requirements?
- Are there technologies other than air conditioning units that could be utilized in these types of locations?
2. What are the capabilities of existing locomotive cab air conditioning units?
Although FRA has not conducted tests to determine the effectiveness of air conditioning systems, FRA's knowledge of HVAC capabilities and experience riding locomotives with operative air conditioning units indicates that such systems can hold cab temperatures below 90 °F under expected service conditions when properly maintained, as is the case with rail passenger coaches, passenger MU locomotives, motorized vehicles on the highway, and other means of conveyance. However, FRA recognizes that existing air conditioners have technical limitations, and that those limitations need to be considered when developing a maximum cab temperature requirement. FRA seeks comment and information on the following:
- At what rate can air conditioning units currently being used within the industry cool the interior of a locomotive cab?
- What external conditions or factors affect an air conditioning unit's ability to reduce the interior locomotive cab temperature?
- Would it be possible to modify an existing air conditioning unit or interior of the locomotive cab to address the conditions noted above?
3. What is the appropriate method for measuring maximum locomotive cab temperature?
An effective and reliable method for measuring the maximum locomotive cab temperature will need to be included in the final rule in order to make any maximum temperature requirement enforceable. Railroad management, train crews, and FRA will need to be able to accurately measure the maximum cab temperature when a locomotive is in use. The existing and proposed minimum locomotive cab temperature requirement provides that the temperature be measured six inches above each seat in the cab. FRA believes that a similar location for measuring the maximum temperature would appear to be appropriate. FRA also recognizes that any cooling system will require a sufficient amount of time to adequately reduce the interior temperature of a locomotive cab. Thus, the ability to test or measure the temperature may not occur until a locomotive is already in use. In consideration of the above, FRA seeks comment and information from interested parties on the following:
- How do railroads currently measure or monitor locomotive cab temperatures to comply with the existing minimum temperature requirements?
- Do railroads measure cab temperature for other purposes? If so, what are those purposes?
- Could the same methods be used to monitor a maximum temperature requirement?
- Are there locations where testing or monitoring of air conditioning units would be extremely burdensome or impossible?
- The existing minimum cab temperature requirement is based on measurement of the temperature six inches above each seat in the cab. Would that also be an appropriate location in the cab to measure temperature to determine compliance with a maximum temperature requirement?
- Is there an appropriate frequency at which air conditioning units should be tested?
4. How should locomotive air conditioning units be maintained and repaired when found defective or inoperative?
In order to ensure that locomotives to which the maximum cab temperature limits would apply are generally capable of compliance, the final rule would need to contain basic inspection, maintenance, and repair provisions related to on-board cooling systems. FRA recognizes that these maintenance and repair schedules and requirements would be most applicable during those annual periods where extreme hot weather is prevalent across most of the continental United States. Thus, FRA expects to concentrate such provisions during these vital time periods. Similarly, FRA recognizes that appropriate provisions related to the handling and use of a locomotive with an inoperative cooling system would need to be provided. Under the existing part 229 movement for repair provisions, if a locomotive were required to meet a maximum cab temperature limit and was found unable to do so, then the locomotive could only be moved to the next forward location or to its next calendar day inspection where necessary repairs to the locomotive's cooling system could be performed. FRA realizes such a stringent requirement might unduly hinder a railroad's ability to operate trains or have sufficient locomotive power in certain locations. With the foregoing discussion in mind, FRA seeks comments from interested parties on the following:
- How frequently do railroads currently inspect locomotive air conditioning units for proper operation?
- What would be an appropriate interval for testing and maintaining locomotives equipped with air conditioning units?
- What movement or use restrictions should be applied to a locomotive equipped with an air conditioning unit when discovered with a cab temperature that exceeds the maximum limit?
- What maintenance or repair requirements would be appropriate if a lead/occupied locomotive has an air conditioning unit fail en route, when the ambient temperature exceeds a regulatory requirement?
- What maintenance or repair requirements would be appropriate if an air conditioning unit in a lead or occupied locomotive is found to be inoperative or operating insufficiently at pre-departure (after the train has been made up and the air-brake test has been performed)?
- Should consistent management be a factor for determining when an inoperative air conditioning unit will properly be repaired or switched out? Why or why not?
5. What are the potential costs of complying with a maximum locomotive cab temperature limit as described in the preceding discussions?
The cost implications of this proposal will depend on various factors, including temperature requirements, maintenance requirements, repair procedures, and the treatment of existing locomotives already equipped with air conditioning units. The regulatory burden may result from equipping new and remanufactured locomotives with air conditioning units. However, because most, if not all, new locomotives are currently purchased with air conditioning units already installed, the burden would likely come from the testing and maintenance, including repair, of air conditioning units.
FRA estimates that the railroad industry purchases approximately 600-700 new locomotives a year. Most of the new locomotives are purchased by Class I freight railroads. Other railroads such as Alaska Railroad, Amtrak, and some commuter railroads also purchase new locomotives. Generally, FRA does not anticipate that Class III railroads will purchase new locomotives, and thereby, be affected by this proposal in the immediate or near future. FRA is considering requiring air conditioning units on only new or remanufactured locomotives. FRA believes that most, if not all, new and remanufactured locomotives are manufactured with air conditioning units, and most locomotives that receive life extending modifications are also likely equipped. FRA requests information regarding the specifications for air conditioning units currently installed on new, remanufactured, and overhauled locomotives. Specifically, FRA seeks information regarding temperature and humidity capabilities. FRA also seeks information regarding the tolerances of the units in the locomotive running environment, which may include over 12 hours of continuous operation at high temperature and humidity levels. To the extent that new locomotives are already equipped with air conditioning units that can function well in the environment in which they operate, there would be little or no additional regulatory cost associated with the basic requirement to equip new locomotives with such units.
Requirements for periodic testing of air conditioning units could also add regulatory cost. FRA believes that most railroads are prudently testing the air conditioning units on their locomotives annually or periodically at shorter intervals. These tests are most likely conducted when the locomotive is already out of service for a 92 day inspection. FRA requests information on the frequency of testing and the cost associated with conducting the tests. Requirements for repairing air conditioning units could also add regulatory cost. In order to develop a cost analysis of the maintenance and repairs that would be needed to properly utilize the AC units, FRA requests information regarding the frequency of air conditioning failures and the nature of common defects as well as the costs associated with making the repairs. FRA also requests information regarding reasonable ways to address air conditioning units that are discovered defective outside of the maintenance window. FRA estimates that an air conditioning unit has a life-cycle of between 8 and 10 years. The cost for testing and repairing air conditioning units on locomotives is most likely the highest cost element of this proposal. However, the potential regulatory cost for such a proposal would depend on the actual requirement that is promulgated. The cost would increase if a lead locomotive is required to be switched out after the initial air-brake test, or if the AC unit on the lead locomotive failed en route.
FRA seeks information and comments on the following issues related to costs:
- What are the costs associated with increased maintenance and modifications to locomotives equipped with air conditioning units to ensure they operate as intended?
- What would be the expected costs to equip new and remanufactured locomotives with air conditioners that are capable of satisfying the type of maximum temperature limit discussed above?
- How many new locomotives are currently equipped with air conditioning units?
- What operational burdens would be placed on the industry should a maximum cab temperature limit be included in the final rule?
The proposed revisions to the headlight provisions would incorporate waiver FRA 2005-23107 into part 229. This would permit a locomotive with one failed 350-watt incandescent lamp to operate in the lead until the next daily inspection, if the auxiliary lights remain continuously illuminated. Currently, a headlight with only one functioning 200-watt lamp is not defective and does not affect the permissible movement of a locomotive. However, a locomotive with only one functioning 350-watt lamp in the headlight can be moved only pursuant to section 229.9. The proposed treatment of locomotives with a failed 350-watt lamp would allow flexibility, and be consistent with the current treatment of 200-watt lamps.
Testing showed that production tolerances for the 350-watt incandescent lamp cause most individual lamps to fall below the 200,000 candela requirement at the center of the beam. As such, two working 350-watt lamps are required to ensure 200,000 candela at the center of the beam. Testing also showed that the 350-watt incandescent lamp produced well over 100,000 candela at the center of the beam, and its high power and the position of the filament within the reflector causes the lamp to be brighter than the 200-watt incandescent lamp at all angles greater than approximately 2.5 degrees off the centerline. In other words, the only area in which the 350-watt lamp produces insufficient illumination is within 2.5 degrees of the centerline. The proposed requirement would compensate for the reduced amount of illumination by requiring the auxiliary lights to be aimed parallel to the centerline of the locomotive and illuminate continuously.
Significantly, in 1980, when FRA promulgated the 200,000 candela requirement it could not take into consideration the light produced by auxiliary lights, because they were not required and not often used. Today, there is light in front of a locomotive produced by both the headlight and the auxiliary lights. When discussing AAR's request that the final rule permit locomotives with a nonfunctioning 350-watt lamp to operate without restriction, FRA stated that AAR's comments “may have merit when considering locomotives with auxiliary lights aimed parallel to the centerline of the locomotive.” See 69 FR 12533. While the auxiliary lights on some locomotives are aimed parallel to the centerline, on many others the auxiliary lights are aimed so that their light will cross 400 feet in front of the locomotive. The regulations only require auxiliary lights to be aimed within 15 feet of the centerline. FRA is not aware of a basis for assuming that the light from two auxiliary lights complying with the regulations in any fashion would be insufficient, when combined with a 350-watt headlight lamp.
Alerters are a common safety device intended to verify that the locomotive engineer remains capable and vigilant to accomplish the tasks that he or she must perform. An alerter will initiate a penalty brake application to stop the train if it does not receive the proper response from the engineer. As an appurtenance to the locomotive, an alerter must operate as intended when present on a locomotive. Section 20701 of Title 49 of the United States Code prohibits the use of a locomotive unless the entire locomotive and its appurtenances are in proper condition and safe to operate in the service to which they are placed. Under this authority, FRA has issued many violations against railroads for operating locomotives equipped with a non-functioning alerter.
Alerters are currently required on passenger locomotives by § 238.237 (67 FR 19991 (2002)), and are present on most freight locomotives. A long-standing industry standard currently contains more stringent requirements than provisions being proposed in this document. See AAR Standard S-5513, “Locomotive Alerter Requirements,” (November 26, 2007).
After several productive meetings, the Working Group reached partial consensus on requirements related to the regulation of alerters. For those areas where agreement could not be reached, FRA has fully considered the information and views of the Working Group members in developing the proposed requirements related to locomotive alerters. The proposed provisions also take into consideration recommendations made by the NTSB.
On July 10, 2005, at about 4:15 a.m., two Canadian National (CN) freight trains collided head-on in Anding, Mississippi. The collision occurred on the CN Yazoo Subdivision, where the trains were being operated under a centralized traffic control signal system on single track. Signal data indicated that the northbound train, IC 1013 North, continued past a stop (red) signal at North Anding and collided with the southbound train, IC 1023 South, about 1/4 mile beyond the signal. The collision resulted in the derailment of six locomotives and 17 cars. Approximately 15,000 gallons of diesel fuel were released from the locomotives and resulted in a fire that burned for roughly 15 hours. Two crewmembers were on each train; all four were killed. As a precaution, about 100 Anding residents were evacuated; fortunately, they did not report any injuries. Property damages exceeded $9.5 million and clearing and environmental cleanup costs totaled approximately $616,800.
The NTSB has issued a series of safety recommendations that would require freight locomotives to be equipped with an alerter. On April 25, 2007, the NTSB determined that a contributing cause of the head-on collision in Anding, Mississippi was the lack of an alerter on the lead locomotive, which if present, could have prompted the crew to be more attentive to their operation of the train. See Recommendation R-07-1. That recommendation provides as follows: “[r]equire railroads to ensure that the lead locomotives used to operate trains on tracks not equipped with a positive train control system are equipped with an alerter.”
Another NTSB recommendation relating to locomotive alerters was issued as a result of an investigation into the collision of two Norfolk Southern Railway freight trains at Sugar Valley, Georgia, on August 9, 1990. In that incident, the crew of one of the trains failed to stop at a signal. The NTSB concluded that the engineer of that train was probably experiencing a micro-sleep or was distracted. Based on testing, it was determined that as the train approached the stop signal, the alerter would have initiated an alarm cycle. The NTSB concluded that the engineer “could have cancelled the alerter system while he was asleep by a simple reflex action that he performed without conscious thought.” As a result of the investigation, the NTSB made the following recommendation to FRA: “[i]n conjunction with the study of fatigue of train crewmembers, explore the parameters of an optimum alerter system for locomotives.” See NTSB Recommendation R-91-26.
Typically, alerter alarms occur more frequently as train speed increases. Unlike the Sugar Valley, Georgia, accident in which the train had slowed and entered a siding before overrunning a signal, the northbound train in the Anding, Mississippi, accident remained on the main track at higher speeds. Had an alerter been installed, there was a four minute time period after passing the approach signal during which the alerter would have activated four to five times. It seems unlikely that the engineer could have reset the alerter multiple times by reflex action without any increase in his awareness. Therefore, the NTSB determined that an alerter likely would have detected the lack of activity by the engineer and sounded an alarm that could have alerted one or both crewmembers. Had the crew been incapacitated or not responded to the alarm, the alerter would have automatically applied the brakes and brought the train to a stop. The NTSB concluded that had an alerter been installed on the lead locomotive of the northbound train, it may have prevented the collision.
The NTSB also closely examined the use of locomotive alerters when investigating the sideswipe collision between two Union Pacific Railroad (UP) freight trains in Delia, Kansas, on July 2, 1997. In that accident, a train entered a siding but did not stop at the other end, and it collided with a passing train on the main track. The NTSB concluded that “had the striking locomotive been equipped with an alerter, it may have helped the engineer stay awake while his train traveled through the siding.” As a result of its investigation, the NTSB made the following recommendation to the FRA: “[r]evise the Federal regulations to require that all locomotives operating on lines that do not have a positive train separation system be equipped with a cognitive alerter system that cannot be reset by reflex action.” See NTSB Recommendation R-99-53.
FRA believes that the proposed provisions related to alerters incorporate existing railroad practices and locomotive design and address each of the NTSB recommendations discussed above.
F. Locomotive Electronics
After extensive discussion, the Working Group reached consensus on the proposed requirements related to locomotive electronic systems. Advances in electronics and software technology have resulted in changes to the implementation of locomotive control systems. Technology changes have allowed the introduction of new functional capabilities as well as the integration of different functions in ways that advance the building, operation, and maintenance of locomotive control systems. FRA encourages the use of these advanced technologies to improve safe, efficient, and economical operations. However, the increased complexities and interactions associated with these technologies increase the potential for unintentional and unplanned consequences, which could adversely affect the safety of rail operations.
The proposed regulation would prescribe safety standards for safety-critical electronic locomotive control systems, subsystems, and components including requirements to ensure that the development, installation, implementation, inspection, testing, operation, maintenance, repair, and modification of those products will achieve and maintain an acceptable level of safety. This proposal would also prescribe standards to ensure that personnel working with safety-critical products receive appropriate training. Of course, each railroad would be able to prescribe additional or more stringent rules, and other special instructions, provided they are consistent with the proposed standards.
FRA also recognizes that advances in technology may further eliminate the traditional distinctions between locomotive control and train control functionalities. Indeed, technology advances may provide for opportunities for increased or improved functionalities in train control systems that run concurrent with locomotive control. Train control and locomotive control, however, remain two fundamentally different operations with different objectives. FRA does not want to restrict the adoption of new locomotive control functions and technologies by establishing regulations for locomotive control systems intended to address safety issues associated with train control.
G. Periodic Locomotive Inspection
The Locomotive Safety Standards Working Group was unable to reach consensus on whether current locomotive inspection intervals and procedures are appropriate to current conditions. Recently, on June 22, 2009, FRA granted the Burlington Northern Santa Fe's (BNSF) request for waiver from compliance with the periodic locomotive inspection requirements. See Docket FRA-2008-0157. BNSF stated in its request that each of the subject locomotives is equipped with new self-diagnostic technology and advanced computer control, and that the locomotives were designed by the manufacturer to be maintained at a six month interval.
In the waiver petition, BNSF requested that the required 92-day periodic inspection be performed at 184 day intervals on subject locomotives, if qualified mechanical forces perform at least one of the required daily inspections every 31 days and FRA non-complying conditions that are discovered en-route or during any daily inspection are moved to a mechanical facility capable of making required repairs. This approach to conducting inspections based on current conditions may be suitable to other similarly situated railroads. FRA seeks comment on this issue.
H. Rear End Markers
In 2003, the U.S. DOT's Office of Governmental Affairs received a letter from Senator Feinstein on behalf of her constituent, Mr. David Creed. Mr. Creed suggested a revision to FRA's rear end marker regulation, which is found in part 221. Specifically, Mr. Creed suggested that Federal regulations should require trains with distributive power on the rear to have a red marker, because a red marker would make for a safer operating environment by giving a rail worker a better indication of whether he or she is looking at the rear or front end of the train. Mr. Creed made reference to a recent fatality involving a BNSF conductor who jumped from his train because he observed a headlight that he mistakenly believed was a train on the same track, directly ahead of his train. As FRA is currently reviewing its existing requirements for locomotive safety standards, FRA requests comments on this rear end marker issue.
I. Locomotive Horn
FRA solicits comments regarding methods currently being used by railroads to test locomotive horns as required by § 229.129. More than one method of testing will satisfy the current testing requirements. FRA is considering whether certain current methods of testing should be preferred, or additional methods should be permitted.
J. Risk Analysis Standardization and Harmonization
FRA has been actively implementing, whenever practical, performance regulations based on the management of risk. In the process of doing so, a number of different system safety requirements, each unique to a particular regulation, have been promulgated. While this approach is consistent with the widely, and deeply, held conviction that risk management efforts should be specifically tailored for individual situations, it has resulted in confusion regarding the applicable regulatory requirements. This, in turn, has defeated one of the primary objectives of using performance based regulations: reduction in costs from simplifying regulations.
The problem is not the concept of tailoring, but the lack of standard terms, basic tools, and techniques. Numerous directives, standards, regulations, and regulatory guides establish the authority for system safety engineering requirements in the acquisition, development, and maintenance of hardware and software-based systems. The lack of commonality makes extremely difficult the task of training system safety personnel, evaluating and comparing programs, and effectively monitoring and controlling system safety efforts for the railroads, their vendors, and the government. Even though tailoring will continue to be an important system safety concept, at some point FRA believes the proliferation of techniques, worksheets, definitions, formats, and approaches has to end, or at least some common ground has to be established.
To accomplish this, FRA proposes to harmonize risk management process requirements across all regulations that have been promulgated by the agency. This will implement a systematic approach to hardware and software safety analysis as an integral part of a project's overall system safety program for protecting the public, the worker, and the environment. Harmonization enhances compliance and improves the efficiency of the transportation system by minimizing the regulatory burden. Harmonization also facilitates interoperability among products and systems, which benefits all stakeholders. By overcoming institutional and financial barriers to technology harmonization, stakeholders could realize lower life-cycle costs for the acquisition and maintenance of systems. To this end, FRA requests comments on appropriate, cost effective, performance based standards containing precise criteria to be used consistently as rules, guidelines, or definitions of characteristics, to ensure that materials, products, processes and services are fit for purpose, and present an acceptable level of risk that are applicable across all elements of the railroad industry.
K. MCB Contour 1904 Coupler
FRA believes that the existing requirement related to MCB contour 1904 couplers, contained in § 229.61(a)(1), is outdated. The existing regulation prohibits the use of an MCB contour 1904 coupler if the distance between the guard arm and the knuckle nose is more than 5 1/8 inches. FRA understands that the MCB contour 1904 coupler design has not been used in the railroad industry since the 1930s. Most, if not all, of the current locomotive fleet are equipped with Type E couplers. For these couplers, the maximum distance permitted between the guard arm and the knuckle nose is 5 5/16 inches, as identified in § 229.61(a)(1). FRA seeks comments as to whether any locomotives are currently being operated with MCB contour 1904 couplers, and whether the requirement related to MCB contour 1904 couplers should be removed from the locomotive safety standards.
L. Locomotive Cab Securement
FRA is evaluating securement options for locomotive cab doors. Cab securement can potentially prevent unauthorized access to the locomotive cab, and thereby increase train crew safety. However, cab securement demands a careful and balanced approach because when emergencies requiring emergency egress or rescue access occur, securement systems must not hinder rapid and easy egress by train crews or access by emergency responders without undue delay. FRA is exploring how to achieve greater safety by properly balancing these concerns.
On June 20, 2010, a CSX Conductor was shot and killed in the cab of the controlling locomotive of his standing train in New Orleans, during an attempted robbery. The Locomotive Engineer assigned to that train was also wounded by gunfire during the incident. This incident was particularly tragic, because it resulted in a fatality. By letter dated September 22, 2010, in response to this incident, the BLET requested that FRA require the use of door locks on locomotive cab doors. Under current industry practice, many locomotive cab doors are not locked. According to BLET's letter, requiring the use of door locks would impede unauthorized access to the locomotive cab and reduce the risk of violence to the train crew when confronted by a potential intruder. FRA solicits comments regarding the impact that a locked door would have on train crew safety. More specifically, FRA poses the following questions regarding existing locomotive doors:
- Can a door lock be broken when struck by a heavy, solid object like a baseball bat, sledge hammer, or crowbar?
- Can a door lock be broken by gunfire?
- If a keyed lock is used, is it possible that the lock can be picked by an unauthorized person?
- If a keyed lock is used, is it possible for the key to be lost, stolen, or duplicated without authorization?
- If the door is locked, can a potential intruder gain access to the cab by breaking through the door's window?
- If the door is locked, can gunfire penetrate the door's window, the door itself, or another portion of the car body?
In addition, FRA requests comments regarding the potential effectiveness of using different locking mechanisms to secure the locomotive cab. A portion of the industry is currently equipping new locomotives with dead-bolt door locks. Door locks with quick release mechanisms, keyed locks, and biometric locks could also potentially be used to secure a locomotive cab. FRA seeks comments regarding the potential benefits and concerns for each type of locking mechanism. FRA also requests information concerning the effect of door locks during emergency situations requiring rapid and easy evacuation of the locomotive compartment or rescue access. After an accident or other life threatening situation, a train crew may need to quickly exit a locomotive cab, particularly in the event of a fire or a hazardous materials release, and a train crew may require assistance from emergency responders when injured or incapacitated. To help solicit an abundance of information, FRA poses the following questions:
- To what extent will the use of a door lock to secure the locomotive cab hinder rapid and easy egress of the train crew?
- If keyed locks are used, should emergency responders be given keys?
- To what extent will emergency responders' access to the cab be unduly delayed by door locks?
- Will door locks prohibit emergency responders' access to the cab when the crew is incapacitated?
- How can locomotive cab doors be secured without hindering the crews' ability to egress rapidly and easily or emergency responders' ability to gain access without undue delay?
FRA also requests information related to the costs associated with installing and maintaining various locomotive cab locking mechanisms. More specifically, for existing locomotives, how many do not have locking mechanisms? And, what type of locking device would be the most cost effective to install and maintain and also adequately address the three safety needs described above? Finally, are there any locomotives in the US (existing or new) that would be particularly difficult or expensive to equip with a locking mechanism? If so, which locomotives are they, and how many of these locomotives exist? FRA also requests comment as to how many locomotives are currently being manufactured for domestic service with these devices. If FRA decides to establish a uniform cab securement requirement for new locomotives, what type of locking mechanism is recommended, and why? Finally, how much would such a locking mechanism cost to install and maintain on new and existing locomotives?
VI. Section-by-Section Analysis
This section-by-section analysis of the proposed rule is intended to explain the rationale for each section of the proposed rule. The analysis includes the requirements of the proposal, the purpose that the proposal would serve in enhancing locomotive safety, the current industry practice, and other pertinent information. The proposed regulatory changes are organized by section number. FRA seeks comments on all proposals made in this NPRM.
A. Proposed Amendments to Part 229 Subparts A, B, and C
Section 229.5 Definitions
This section contains a set of definitions to be introduced into the regulation. FRA intends these definitions to clarify the meaning of important terms as they are used in the text of the proposed rule. The proposed definitions are carefully worded in an attempt to minimize the potential for misinterpretation of the rule. The definition of alerter introduces an unfamiliar term which requires further discussion.
“Alerter” means a device or system installed in the locomotive cab to promote continuous, active locomotive engineer attentiveness by monitoring select locomotive engineer-induced control activities. If fluctuation of a monitored locomotive engineer-induced control activity is not detected within a predetermined time, a sequence of audible and visual alarms is activated so as to progressively prompt a response by the locomotive engineer. Failure by the locomotive engineer to institute a change of state in a monitored control, or acknowledge the alerter alarm activity through a manual reset provision, results in a penalty brake application that brings the locomotive or train to a stop. For regulatory consistency FRA is proposing the same definition as the one provided in part 238. FRA intends for a device or system that satisfies an accepted industry standard including, but not limited to, AAR Standard S-5513, “Locomotive Alerter Requirements,” dated November 26, 2007, to constitute an alerter under this definition.
New definitions for terms related to remote control locomotives are also being proposed. The proposed terms, “Assignment Address,” “Locomotive Control Unit,” “Operator Control Unit,” “Remote Control Locomotive,” “Remote Control Operator,” and “Remote Control Pullback Protection” are common to the industry. On February 14, 2001, FRA published a Safety Advisory in which FRA issued recommended guidelines for conducting remote control locomotive operations. See 66 FR 10340, Notice of Safety Advisory 2001-01, Docket No. FRA-2000-7325. The Safety Advisory includes definitions for each of the proposed terms. FRA's proposed definitions for these terms are informed by the Safety Advisory and Working Group discussions.
“Controlling locomotive” means a locomotive from where the operator controls the traction and braking functions of the locomotive or locomotive consist, normally the lead locomotive. This proposed definition is being added to help identify which locomotives are required to be equipped with an alerter, and when the alerter is required to be tested.
Section 229.7 Prohibited Acts and Penalties
Minimal changes are being proposed in this section to update the statutory reference and the statutory penalty information.
Section 229.15 Remote Control Locomotives
After working with the railroad industry for many years to provide a framework for the safe use, development, and operation of remote control devices, FRA proposes to formally codify safety standards for remote control operated locomotives. For convenience, FRA proposes to divide the section into two headings: Design and operation, and inspection and testing.
Generally, the proposed design and operation requirements are intended to prevent interference with the remote control system, maintain critical safety functions if a crew is conducting a movement that involves the pitch and catch of control between more than one operator, tag the equipment to notify anyone who would board the cab that the locomotive is operating remote control, and bring the train to a stop if certain safety hazards arise. The proposed inspection and testing requirements are intended to ensure that each remote control locomotive would be tested each time it is placed in use, and ensure that the operator is aware of the testing and repair history of the locomotive. It is FRA's understanding that virtually all railroads that operate remote control locomotives have already adopted similar standards, and that they have proven to provide consistent safety for a number of years.
Section 229.19 Prior Waivers
FRA proposes to update the language in § 229.19 to address the handling of prior waivers of requirements in part 229 under the proposed rule. A number of existing waivers are incorporated into the proposed rule; others may no longer be necessary in light of the proposal. The proposal allows railroads the opportunity to assert that their existing waiver is necessary, and should be effective after the proposed rule is adopted.
On February 28, 2007, in a notice, FRA proposed the sunset of certain waivers granted for the existing locomotive safety standards. 72 FR 9059. The proposal urged grantees to submit existing waivers for consideration for renewal in light of potential revisions to the regulation, and explained FRA's interest in treating older waivers consistently with newer waivers that were limited to five years. The five year limitations were issued as far back as March of 2000. The notice also established a docket to receive waivers for consideration.
In addition, the notice discussed the possibility of requiring current grantees to re-register waivers. To streamline the process, FRA's proposal does not include a re-registration requirement.
Section 229.20 Electronic Record-keeping
As explained in proposed paragraph (a), FRA would establish standards for electronic record-keeping that a railroad may elect to utilize to comply with many of the record-keeping provisions contained in this part. As with any records, replacing a paper system that requires the physical filing of records with an electronic system and the large and convenient storage capabilities of computers, will result in greater efficiency. Increased safety will also result, as railroads will be able to access and share records with appropriate employees and FRA quicker than with a paper system. To be acceptable, electronic record-keeping systems must satisfy all applicable regulatory requirements for records maintenance with the same degree of confidence as is provided with paper systems. The proposed requirements would be consistent with a series of waivers that FRA has granted since April 3, 2002 (Docket Number FRA-2001-11014), permitting electronic record-keeping with certain conditions intended to ensure safety. In this proposed section, FRA is adopting the Working Group's consensus regulatory text for electronic record-keeping that was approved and recommended to FRA by the RSAC on September 10, 2009. The proposed standards are organized into three categories: (1) Design requirements, (2) operational requirements, and (3) availability and accessibility requirements.
(b) Design requirements. To properly serve the interest of safety, records must be accurate. Inspection of accurate records will reveal compliance or non-compliance with Federal regulations and general rail safety practices. To ensure the authenticity and integrity of electronic records it is important that security measures be in place to prevent unauthorized access to the data in the electronic record and to the electronic system. Proposed paragraphs (b)(1) through (b)(5) are intended to help secure the accuracy of the electronic records and the electronic system by preventing tampering, and other forms of interference, abuse, or neglect.
(c) Operational requirements. Proposed paragraphs (c)(1) and (c)(2) are intended to utilize the improved safety capabilities of electronic systems. The requirements of paragraph (c)(1) would cover both inspection and repair records. In situations when the Hours of Service laws would potentially be violated, the electronic system would be required to prompt the person to input the data as soon as he or she returns to duty.
(d) Access and availability requirements. To properly serve the interest of safety, the electronic records and the electronic record-keeping system must be made available and accessible to the appropriate people. FRA must have access to the railroads' electronic records and limited access to the electronic record-keeping systems to carry out its investigative responsibilities. During Working Group discussions, a member representing railroad management explained that his railroad currently can produce an electronic record within ten minutes, but that a paper record may take up to two weeks. As such, the proposal provides up to fifteen days to produce paper copies and requires that the electronic records will be provided upon request.
Section 229.23 Periodic Inspection: General
This section would require railroads that choose to maintain and transfer records as provided for in proposed § 229.20, to print the name of the person who performed the inspections, repairs, or certified work on the Form FRA F 6180-49A that is displayed in the cab of each locomotive. This would allow the train crew to know who did the previous inspection when they board the locomotive cab.
Section 229.25 Test: Every Periodic Inspection
Two additional paragraphs are proposed in this section to include inspection requirements for remote control locomotives and locomotive alerters during the 92-day periodic inspection. FRA is proposing new regulations for remote control locomotives, see proposed § 229.15, and locomotive alerters, see proposed section § 229.140. For convenience, the maintenance for remote control locomotives and locomotive alerters that would properly be conducted at intervals matching the 92-day periodic inspection, are being incorporated into this section. The existing paragraphs would also be reorganized for convenience.
Section 229.27 Annual Tests
FRA proposes to amend this section by deleting the following existing language from paragraph (b): “The load meters shall be tested.” The modification would clarify the regulatory language to reflect the current understanding and application of the load meter requirement. FRA issued a clarification for load meters on AC locomotives on June 15, 1998. In a letter to GE Transportation Systems in March 2005, FRA issued a similar clarification of the requirements related to testing load meters on DC locomotives. The letter explained that on locomotives that are not equipped with load meters there are no testing requirements. Similarly, if a locomotive is equipped with a load meter but is using a proven alternative method for providing safety, and no longer needs to ascertain the current or amperage that is being applied to the traction motors, there are no testing requirements for the dormant load meter. Load meters have been eliminated or deactivated on many locomotives because the locomotives are equipped with thermal protection for traction motors and no longer require the operator to monitor locomotive traction motor load amps.
FRA also proposes removing existing paragraph (a) from this section and merging it into the brake requirements contained in proposed § 229.29. Proposed § 229.29 concerns brake maintenance, and as discussed below, would be reorganized by this proposal to consolidate all existing locomotive brake maintenance into one regulation.
Section 229.29 Air Brake System Calibration, Maintenance, and Testing
This section would be re-titled, and existing requirements would be consolidated and better organized to improve clarity. Because proposed § 229.29 concerns only brakes, it would be re-titled, “Air Brake System Calibration, Maintenance, and Testing” to more accurately reflect the section's content. Existing § 229.27(a), which also addresses brake maintenance would be integrated into this section for convenience and clarity. Record-keeping requirements for this section would be moved from existing paragraphs (a) and (b) and merged into a single new proposed paragraph (g). The date of air flow method (AFM) indicator calibration would also be required to be recorded and certified in the remarks section of Form F6180-49A under paragraph (g).
The proposed brake maintenance in this section would extend the intervals at which required brake maintenance is performed for several types of locomotive brake systems. The length of the proposed intervals reflects the results of studies and performance evaluations related to a series of waivers starting in 1981 and continuing to present day. Overall, the type of brake maintenance that would be required would remain the same. The current regulation provides for two levels of brake maintenance. Existing § 229.27(a) requires routine maintenance for filters and dirt collectors, and brake valves. Existing § 229.29(a) requires maintenance for certain brake components including parts that can deteriorate quickly and pieces of equipment that contain moving parts. To better tailor the maintenance requirements to the equipment needs and based on information ascertained from various studies and performance evaluations, filters and dirt collector maintenance would be required more frequently than brake valve maintenance. As a result, the proposal provides for three levels of brake maintenance instead of two.
Studies and performance evaluations of brake systems continue, and may reach conclusion by the publication of a final rule in this proceeding. In an effort to incorporate FRA's findings in a timely manner, and produce an up-to-date final rule, FRA will consider adjusting the proposed regulations based on its findings. Specifically, FRA is currently studying the effect, if any, that air dryers have on the maintenance of brake systems. FRA seeks comment on this issue.
Proposed paragraph (f)(2) would set maintenance intervals at four years for slug units that are semi-permanently attached to a host locomotive. Slugs are used in situations where high tractive effort is more important than extra power, such as switching operations in yards. A railroad slug is an accessory to a diesel-electric locomotive. It has trucks with traction motors but is unable to move about under its own power, as it does not contain a prime mover to produce electricity. Instead, it is connected to a locomotive, called the host, which provides current to operate the traction motors.
FRA is proposing to incorporate conventional locomotive requirements from part 238 into this section for convenience. FRA believes that there may be some benefit to moving all of the locomotive requirements, including MU locomotives, from part 238 to part 229. FRA seeks comments on this issue.
FRA is also considering whether moving AFM indicator calibration requirements from § 232.205(c)(iii) into this section would be appropriate. Currently, both the calibration and testing requirements for the AFM are contained in part 232. While the testing requirements are most closely related to the subject matter addressed by part 232, power brakes, FRA believes that the calibration requirements are more closely related to the locomotives. FRA requests comments on this issue.
Section 229.46 Brakes: General
FRA proposes to clarify this section, and provide standards for the safe use of a locomotive with an inoperative or ineffective automatic or independent brake control system. The proposal would allow a locomotive with a defective air brake control valve to run until the next periodic inspection required by § 229.23. However, the requirement to place a tag on the isolation switch would notify the crew that the locomotive could be used only according to § 229.46(b) until it is repaired.
The proposal would also clarify what it means for the brakes to operate as intended, as required by this section. Some Working Group members asserted that the automatic and independent brake valves are not intended to function on a trailing unit that is isolated from the train's air brake system, therefore they were “operating as intended” when not operating at all. Generally, when a unit is found with an automatic or independent brake defect, the railroad may choose to move the unit to a trailing position, and because it is in a trailing position, it may be dispatched without record of the need for maintenance. Proposed paragraph (b)(1) would explicitly permit units with defective independent brakes to be moved in the trailing position. Proposed paragraphs (b)(2) through (b)(6) are intended to ensure that the trailing unit is handled safely, and that appropriate records are kept and repairs are made.
Section 229.85 High Voltage Markings: Doors, Cover Plates, or Barriers
FRA proposes to clarify this section. The purpose of this section is to warn people of a potential shock hazard before the high voltage equipment is exposed. A conspicuous marking on the last cover, door, or barrier guarding the high voltage equipment satisfies the purpose of this section. Many locomotives have multiple doors in front of high voltage equipment. Often there is a door on the car body that provides access to the interior of the car body which contains high voltage equipment that is guarded by an additional door, for example, main generator covers and electrical lockers. FRA's intent has been to require the danger marking only on the last door that guards the high voltage equipment. Thus, FRA is proposing to slightly modify the language currently contained in this section to make this intent clear and unambiguous. To further clarify the intent of this section, FRA is also proposing to change the title.
Section 229.114 Steam Generator Inspections and Tests
FRA proposes to add this section in order to consolidate the steam generator requirements contained in various sections of part 229 into a single section. Currently, requirements related to steam generators can be found in §§ 229.23, 229.25, and 229.27. Consolidating the requirements into one section will make them easier to find for the regulated community, and help simplify and clarify each of the sections that currently include a requirement related to steam generators. The proposal is not intended to change the substance of any of the existing requirements.
Section 229.119 Cabs, Floors, and Passageways
In this section, FRA proposes to raise the minimum allowable temperature in an occupied locomotive cab from 50 degrees to 60 degrees. Each occupied locomotive cab would be required to maintain a minimum temperature of 60 degrees Fahrenheit when the locomotive is in use. FRA recognizes that it takes some time for the cab to heat up when the locomotive is first turned on, and that some crew members may prefer to work in slightly cooler temperatures and temporarily turn off the heater. Thus, FRA would only apply this requirement in situations where the locomotive has had sufficient time to warm-up and where the crew has not adjusted that temperature to a personal setting.
Section 229.123 Pilots, Snowplows, End Plates
FRA proposes to clarify paragraph (a) of this section. Based on experience applying the regulation, FRA recognizes that a reasonable, but improper, reading of the existing language could lead to the incorrect impression that a pilot or snowplow is not required to extend across both rails. To prevent this misunderstanding and to clarify the existing requirement, the phrase “pilot, snowplow or end plate that extends across both rails” would be substituted for “end plate which extends across both rails, a pilot, or a snowplow.” FRA believes this language makes clear that any of the above-mentioned items must extend across both rails.
Due to the height of retarders in hump yards, it is not uncommon for the pilot, snowplow, or endplate to strike the retarder during ordinary hump yard operations. To accommodate the retarders and prevent unnecessary damage, FRA has issued waivers to permit more clearance (the amount of vertical space between the bottom of the pilot, snowplow, or endplate and the top of the rail) in hump yards, if certain conditions are met. FRA proposes the addition of paragraph (b) to this section to obviate the need for individual waivers by incorporating these conditions into the revised regulation. The conditions that were included in the waivers are reflected in paragraphs (b)(1) through (b)(5).
The clearance requirement is intended to ensure that obstructions are cleared from in front of the locomotive and to prevent the locomotive from climbing and derailing. In FRA's experience, hump yards contain few obstructions that present this potential risk. The protections provided by a pilot, snowplow, or endplate are most desirable at grade crossings where the requirement would remain without change. This section also proposes various requirements to ensure that the train crew is notified of the increased amount of clearance and to prevent the improper use of the locomotive. The proposed provisions would require locomotives with additional clearance to be stenciled at two locations, notification to the train crew of any restrictions being placed on the locomotive, and noting the amount of clearance on the Form FRA 6180-49a that is maintained in the cab of the locomotive.
Section 229.125 Headlights and Auxiliary Lights
To incorporate an existing waiver, this proposed section would permit a locomotive to remain in the lead position until the next calendar day inspection after an en route failure of one incandescent PAR-56, 74-volt, 350-Watt lamp, if certain safety conditions are satisfied. FRA also proposes to extend the existing auxiliary intensity requirements at 7.5 degrees and 20 degrees to the headlight to clarify the criteria by which equivalence of new design head light lamps will be evaluated to achieve the same safety benefit.
Recently, information has been submitted by a manufacturer asserting that a new Halogen PAR-56, 350-watt, 74-volt lamp is equivalent to the incandescent PAR-56, 200-watt, 30-volt lamp mentioned in the existing regulation. FRA believes this claim has merit, and the Working Group concurred. Therefore, proposed references to that lamp have been added at appropriate locations in this section.
When one of two lamps in a headlight utilizing PAR-56, 350-watt, 74-volt lamps is inoperative, the center beam illumination for that headlight often drops below 200,000 candela due to manufacturing tolerances. FRA issued a waiver that allows a locomotive equipped with these lamps to continue in service as a lead unit until the next calendar day inspection, when one of the two lamps becomes inoperative. Alternatively, when locomotives are handled under the general movement for repair provision of § 229.9, they are required to be repaired or switched to a trailing position at the next forward location where either could be accomplished. Proposed paragraph (a)(2)(i) of this section incorporates the waiver into the regulation. Conditions listed in paragraphs (a)(2)(i)(A), (B), and (C) ensure that neither locomotive conspicuity at grade crossings, nor the illumination of the right of way will be compromised.
Section 229.133 Interim Locomotive Conspicuity Measures—Auxiliary External Lights
To update the regulations related to locomotive conspicuity, FRA proposes to remove the ditch light and crossing light requirements in § 229.133 that have been superseded by similar requirements in § 229.125. Section 229.133 currently contains interim locomotive conspicuity measures that were incorporated into the regulations in 1993 while the final provisions related to locomotive auxiliary lights were being developed. See 58 FR 6899; 60 FR 44457; and 61 FR 8881. The requirements related to ditch lights and crossing lights in § 229.133 were later superseded by similar requirements in § 229.125, published in 1996, and revised in 2003 and 2004. See 68 FR 49713; and 69 FR 12532. In 1996, locomotives equipped with ditch lights or crossing lights that were in compliance with the requirements of § 229.133 were temporarily deemed to be in compliance by § 229.125 (i.e., grandfathered into the new regulation). However, that provision expired on March 6, 2000. As a result, ditch lights and crossing lights that comply with § 229.133 have not satisfied the requirements of § 229.125 for more than 10 years. No substantive changes to the auxiliary external light requirements are being proposed in this section.
Section 229.140 Alerters
This section proposes to require locomotives that operate over 25 mph to be equipped with an alerter and would require the alerter to perform certain functions. Today, a majority of locomotives are equipped with alerters. As an appurtenance to the locomotive, the alerters are required to function as intended, if present. The proposed requirements would increase the number of locomotives equipped with an alerter, and would provide specific standards to ensure that the alerters are used and maintained in a manner that increases safety.
During Working Group discussions, all parties agreed that an alerter would be considered non-compliant if it failed to reset in response to at least three of the commands listed in proposed paragraphs (b)(1) through (b)(6) of this section, in addition to the manual reset. It is important that locomotives equipped with an alerter adhere to minimum performance standards to ensure that the alerter serves its intended safety function. Utilizing several different reset options for the warning timing cycle increases the effectiveness of the alerter, as it would require differentiated cognitive actions by the operator. This will help prevent the operator from repeating the same reset many times as a reflex, without having full awareness of the action.
FRA believes that tailoring the alerter standard to a minimum operational speed will permit operational flexibility while maintaining safety. Many freight railroads only operate over small territories. They generally move freight equipment between two industries or interchange traffic with other, larger railroads. For these operations, the advantages of and the ability to move at higher speeds are non-existent. Moreover, movements at these lower speeds greatly reduce the risk of injury to the public and damage to equipment. For these reasons, there is a reduced safety need for requiring alerters on locomotives conducting these shorter low speed movements.
Proposed paragraph (f) would ensure that the locomotive alerter on the controlling locomotive is always tested prior to being used as the controlling locomotive. The test would be required during the trip that the locomotive is used as a controlling locomotive. This requirement would allow the crew to know the alerter functions as intended each time a locomotive becomes the controlling locomotive.
B. Proposed Part 229 Subpart E—Locomotive Electronics
Section 229.301 Purpose and Scope
The purpose of this subpart is to promote the safe design, operation, and maintenance of safety-critical electronic locomotive control systems, subsystems, and components. Safety-critical electronic systems identified in proposed paragraph (a) would include, but would not be limited to: directional control, graduated throttle or speed control, graduated locomotive independent brake application and release, train brake application and release, emergency air brake application and release, fuel shut-off and fire suppression, alerters, wheel slip/slide applications, audible and visual warnings, remote control locomotive systems, remote control transmitters, pacing systems, and speed control systems.
In proposed paragraph (b), FRA emphasizes that when a new or proposed locomotive control system function interfaces or comingles with a safety critical train control system covered by 49 CFR part 236 subpart H or I, the locomotive control system functionality would be required to be addressed in the train control systems Product Safety Plan or the Positive Train Control Safety Plan, as appropriate. FRA recognizes that advances in technology may further eliminate the traditional distinctions between locomotive control and train control functionalities. Indeed, technology advances may provide for opportunities for increased or improved functionalities in train control systems that run concurrent with locomotive control. Train control and locomotive control, however, remain two fundamentally different operations with different objectives. FRA does not intend to restrict the adoption of new locomotive control functions and technologies by imposing regulations on locomotive control systems intended to address safety issues associated with train control.
Section 229.303 Applicability
A safety analysis would be required for new electronic equipment that is deployed for locomotives. However, FRA does not intend to impose retroactive safety analysis requirements for existing equipment. FRA recognizes that railroads and vendors may have already invested large sums of time, effort, and money in the development of new products that were envisioned prior to this proposed rule. Accordingly, FRA intends to clarify that the proposed requirements of this subpart are not retroactive and do not apply to existing equipment that is currently in use. The rule would provide sufficient time for railroads and vendors to realize profits on their investment in new technologies made prior to the adoption of this rule. For that reason, FRA would provide a grace period in proposed paragraphs (a) and (b) to allow the completion of existing new developments. Any system that has not been placed in use by the end of the proposed grace period would be required to comply with the safety analysis requirements. Vendors would be required to identify these projects to FRA within 6 months after the effective date of this rule. FRA believes this will avoid misunderstandings concerning which systems receive the grace period. FRA would consider any systems not identified to FRA within the 6-month window to be a new product start that would require a safety analysis.
In proposed paragraph (d), FRA makes clear that the exemption is limited in scope. Products that result in degradation of safety or a material increase in safety-critical functionality would not be exempt. Products with slightly different specifications that are used to allow the gradual enhancement of the product's capabilities would not require a full safety analysis, but would require a formal verification and validation to the extent that the changes involve safety-critical functions.
Section 229.305 Definitions
Generally, this proposed section standardizes similar definitions between 49 CFR part 236 subpart H and I, and this part. Although 49 CFR part 236 subpart H and I addresses train control systems, and this subpart addresses locomotive control systems, both reflect the adoption of a risk-based engineering design and review process. The definition section, however, does introduce several new definitions applicable to locomotive control systems.
The first new proposed definition is for “New or next-generation locomotive control system.” This term would refer to locomotive control products using technologies or combinations of technologies not in use on the effective date of this regulation, or without established histories of safe practice. Traditional, non-microprocessor systems, as well as microprocessor and software based locomotive control systems, are currently in use. These systems have used existing technologies, existing architectures, or combinations of these to implement their functionality. Development of a safety analysis to accomplish the requirements of this part would require reverse engineering these products. Reverse engineering a product is both time consuming and expensive. Requiring the performance of a safety analysis on existing products would present a large economic burden on both the railroads and the original equipment manufacturers (OEM). The economic burden would likely be significantly less for new combinations of technology and architectures that either implement existing functionality, or implement new functionality. These types of systems lack a proven service history. The safety analysis would mitigate the lack of a proven service history. The fundamental differences make it necessary to clearly distinguish between the two classes of locomotive control systems products.
“Product” means any safety critical locomotive control system processor-based system, subsystem, or component. The proposed definition identifies the covered systems that would require a safety analysis. Generally, locomotive manufacturers consider their product to be the entire locomotive. This includes systems and subsystems. In this situation, the manufacturers' extensive knowledge of the product would allow them to conduct a safety analysis on the safety critical elements, including locomotive control systems. Similarly, major suppliers to locomotive manufacturers are also familiar with their own products. They too can clearly identify the safety critical elements and conduct the safety analysis accordingly. However, the same is not necessarily true for suppliers without extensive domain knowledge. These suppliers may not understand that their product requires a safety analysis, or may lack experience to recognize that the subsystems or components of the product are subject to the safety analysis of this part. Accordingly, the proposed definition of “product” identifies the covered systems requiring a safety analysis.
The proposed definition of “Safety Analysis” would refer to a formal set of documentation that describes in detail all of the safety aspects of the product, including but not limited to procedures for its development, installation, implementation, operation, maintenance, repair, inspection, testing and modification, as well as analyses supporting its safety claims. A Safety Analysis (SA) is similar to the Product Safety Plan (PSP) required by 49 CFR part 236 subpart H or the Positive Train Control Safety Plan (PTCSP) required by 49 CFR part 236 subpart I for signal and train control systems. There is, however, a fundamental difference between the PSP or PTCSP safety analysis, and the SA proposed by this subpart. The PSP requires formal FRA approval and is required prior to the product being placed in use. This difference is rooted in fundamental differences between functionality of signal and train control and locomotive control. Although developers of an SA and a PSP or PTCSP may merge functions to operate together on a common platform, different safety analyses would be required. In order to ensure that there is no confusion between the safety analyses required by 49 CFR part 236 subparts H or I, and the safety analysis required in this subpart, a different definition is being proposed for the SA in this part.
The proposed definition of “Safety-critical,” as applied to a function, a system, or any portion thereof, would mean an aspect of the locomotive electronic control system that requires correct performance to provide for the safety of personnel, equipment, environment, or any combination of the three; or the incorrect performance of which could cause a hazardous condition, or allow a hazardous condition which was intended to be prevented by the function or system to exist. This definition is substantially similar to that found in 49 CFR part 236 subparts H and I. FRA recognizes that functionality differs between locomotive control systems and signal and train control systems, and further recognizes that the failure modes, the probabilities of failure, and the specific consequences of a failure differ. Despite these differences, the result is the same: creation of a hazardous condition that could affect the safety of the personnel, equipment, or the environment. The same is also true for systems designed to prevent adverse hazards in either domain: locomotive control systems, signal and train control systems, or both. The failure of these types of systems would either create a new hazard, or allow a system intended to prevent a hazard to occur, regardless of domain.
Section 229.307 Safety Analysis
The proposed SA would serve as the principal safety documentation for a safety-critical locomotive control system product. Engineering best practice today recognizes that elimination of all risk is impossible. It recognizes that the traditional design philosophy adversely affects a product's cost and performance. Consequently, designers have adopted a philosophy of risk management. Under this philosophy, designers consider both the consequences of a failure and the probability of a failure. Designers then select the appropriate risk mitigation technique. The risk mitigation philosophy reduces the impact of risk mitigation on cost and performance compared to risk avoidance.
Fundamental to the execution of the risk management philosophy is the development and documentation of a SA that closely examines the relationship between consequences of a failure, probability of occurrence, failure modes, and their mitigation strategies. Proposed paragraph (a) of this section clearly recognizes this, and would address this need by requiring the development of the SA documentation. It also recognizes that some developers of SAs may have little experience in risk-based design. Appendix F, also being proposed in this proceeding, would offer one approach. There are a number of equally effective or better approaches. FRA encourages railroads and OEMs to select an approach best suited to their business model. FRA would consider as acceptable any approach that would be equal to, or more effective than, the one outlined in proposed Appendix F.
Proposed paragraph (b), along with proposed paragraph (a) of this section, would further establish a regulatory mandate for risk management design. FRA would require a railroad electing to allow a locomotive control system to be placed in use on its property to ensure that an appropriate SA is completed first.
Generally, only a single SA would be required for a product. Therefore, FRA would recognize as acceptable any appropriate SA done under the auspices of one railroad, or a consortium of railroads. FRA also recognizes that railroads may lack the necessary product familiarity or technical expertise to prepare the SA. FRA anticipates that vendors will accomplish the bulk of preparing the SA in the course of the product development.
FRA also recognizes that product vendors may develop a product prior to its procurement by a railroad. In this situation, FRA would provide review and comment as requested by the vendor. This review by FRA would not represent an endorsement of the product. FRA expects that the vendor would work with a railroad, or a consortium of railroads, for final review and approval of the SA. FRA also wishes to make clear that the safety analysis would only be required for new or next generation locomotive control systems, as defined in § 229.305, or for substantive changes to an existing product. A SA would only be required when safety critical functionality is added or deleted from the product, or if there has been a significant paradigm shift in the underlying systems' architecture or implementation technologies, or a significant departure from widely accepted and service proven industry best past practices. The half-life of microprocessor-based hardware is relatively short, and the associated software is subject to change as technical issues are discovered with existing functionality. FRA anticipates that there will be maintenance-related changes of software, as well as replacement of functionally identical hardware components as existing hardware undergoes repair or reaches the end of its useful service life. FRA emphasizes that the latter type of changes to safety critical products, and changes to non-safety critical products, would not require a SA. The railroads and vendors have generally demonstrated, with a high degree of confidence, that existing systems can safely operate. In response to potential liability issues, railroads have shown they carefully examine the safety of a product prior to placing it in use. FRA fully expects that the railroads would continue to apply the same due diligence to new or next generation systems as they review the SA for these more complex products. Proposed paragraph (b) is intended to limit FRA's review of the SAs.
This, of course, would not restrict FRA where it appears that due diligence has not been exercised, there are indications of fraud and malfeasance, or the underlying technology and/or architecture represent significant departures from existing practice.
In paragraph (b), FRA proposes that the SA would be required to establish with a high degree of confidence that safety-critical functions of the product will operate in a fail-safe manner in the operating environment in which it will be used. FRA anticipates that the railroad and vendor community would exercise due diligence in the design and review process prior to placing the product in use. Due diligence would typically be demonstrated by the completion, review and internal approval of the SA. The railroad would be required to determine that this standard has been met, prior to a product change, or placing a new or next generation product in use.
Paragraph (b) also proposes that the railroads identify appropriate procedures to immediately repair safety-critical functions when they fail. If the procedures are not followed, it would result in a violation for failing to comply with the SA.
Section 229.309 Safety Critical Changes and Failures
Safety critical microprocessors, like any electronics available today, are subject to significant change. To ensure that safe system operations continue in the event of planned changes to the software or hardware, maintenance of hardware and software configurations is necessary. Failure to maintain hardware and software configurations increases the probability that unintended consequences will occur during system operation. These unintended consequences do not necessarily reveal themselves on initial installation and operation, but may occur much later.
Not all railroads may experience the same software or hardware faults. The SA developer's software and hardware development, configuration management, and fault tracking play an important role in ensuring system safety. Without an effective configuration management and fault reporting system, it is difficult, if not impossible to evaluate the associated risks. The number of failures experienced by one railroad may not exceed the number of failures identified in the SA, but the aggregate from multiple railroads may. The vendor is best positioned to aggregate identified faults, and is best able to determine that the design and failure assumptions exceed those predicted by the safety analysis. An ongoing relationship between a railroad and its vendor is therefore essential to ensure that problems encountered by the railroad are promptly reported to the vendor for correction, and that problems encountered and reported by other railroads to the vendor are shared with other railroads. Furthermore, changes to the system developed by the vendor must be promptly provided to all railroads in order to eliminate the reported hazard. A formal, contractual relationship would provide the best vehicle for ensuring this relationship. This section proposes to clearly identify the responsibility of railroads, and car owners, to establish such a relationship for both reporting hazards.
In order to accomplish their responsibilities, FRA expects that each railroad would have a configuration tracking system that will allow for the identification and reporting of hardware and software issues, as well as promptly implementing changes to the safety critical systems provided by the vendor regardless of the original reporting source of the problem. This section proposes to require railroads to identify, and create such a system if they have not already done so.
Proposed paragraph (b) would require immediate notification to a railroad of real or potential safety hazards identified by the private car suppliers and private car owners. This would allow affected railroads to take appropriate actions to ensure the safety of rail operations.
In proposed paragraph (c) the private car owner's configuration/revision control measures should be accepted by the railroad that would be using the car and implementing the system. The private car owner may have placed safety critical equipment on their car that is unfamiliar to the railroad using that car. And the necessary contractual relationship that would be required in proposed paragraph (a)(3) of this section may not exist because the equipment in question is not part of the railroad's inventory. The private car owner would be expected to communicate with the railroad. This proposed requirement is intended to ensure that the safety-functional and safety-critical hazard mitigation processes are not compromised by changes to software or hardware. Reporting responsibilities, as well as the configuration management and tracking responsibilities would also extend to private car owners.
Section 229.311 Review of SAs
In proposed paragraph (a), FRA would require railroads to notify FRA before these locomotive electronic products are placed in use. As discussed above, FRA anticipates that review of the SA and amendments would be the exception, rather than the normal practice. However, FRA believes it would be appropriate to have the opportunity to review products and product changes to ensure safety. FRA would require the opportunity to have products and product changes identified to it, and the opportunity to elect a review. FRA also realizes that development of these products represents a significant financial investment, and that the railroad would like to utilize the products in order to recover its investment.
Proposed paragraph (b) reflects the expectation that FRA would decide whether to review an SA within 60 days after receipt of the requested information. Based on the information provided to FRA, the Associate Administrator for Safety would evaluate the need and scope of any review. Within 60 days of receipt of the notification required in paragraph (a), FRA will either decline to review or request to review. Examples of causes for a review or audit prior to placing the product in use would include products: With unique architectural concepts; that use design or safety assurance concepts considered outside existing accepted practices; and, products that appear to commingle the locomotive control function with a safety-critical train control processing function. FRA may convene technical consultations as necessary to discuss issues related to the design and planned development of the product. Causes for an audit of the SA would include, but are not limited to, such circumstances as a credible allegation of error or fraud, SA assumptions determined to be invalid as a result of in-service experience, one or more unsafe events calling into question the safety analysis, or changes to the product.
The following are some common reasons that FRA would likely need to review a product after it is placed in use: There is a credible allegation of error or fraud; SA assumptions are determined to be invalid as a result of in-service experience; or, the occurrence of one or more unsafe events related to that product.
If FRA elects not to review a product's SA, railroads would be able to put the product immediately in use after notification that FRA elects not to review. In the event that FRA would elect to review, FRA would attempt to complete the review within 120 days. FRA's ability to complete the review within 120 days would depend upon various factors such as: The complexity of the new product or product change, its deviation from current practice, the functionality, the architecture, the extent of interfacing with other systems, and the number of technical consultations required. Products reviewed by FRA under these circumstances may not be placed in use until FRA's review is complete.
Section 229.313 Product Testing Results and Records
This section would require that records of product testing conducted in accordance with this subpart be maintained. To effectively evaluate the degree to which the SA reflects real, as opposed to predicted performance, it is necessary to keep accurate records of performance for the product. In addition to collecting these records, it is also essential for regular comparison of the real performance results with the predicted performance. Thus, in this section FRA proposes that such records be maintained. Where the real performance, as measured by the collected data, exceeds the predicted performance of the SA, FRA proposes that no action would be required. If the real performance is worse than the predicted performance, this section proposes that the railroad take immediate action to improve performance to satisfy the predicted standard. Prompt and effective action would be required to bring the non-compliant system into compliance.
FRA would not expect a railroad to proactively evaluate their systems, and take corrective action prior to the system becoming non-compliant with the predicted performance standard. If an unpredicted hazard would occur the system would be required to be immediately evaluated, and the appropriate corrective action would need to be taken. FRA would not expect a railroad to defer any corrective action. In addition, FRA would not expect a railroad to proactively evaluate their systems, and take corrective action prior to the system becoming non-compliant with the designed performance specifications.
This section proposes to establish a requirement for a railroad to keep detailed records to evaluate the system. However, the railroad may elect to have the system supplier keep these records. There would be many advantages to the latter approach, primarily that the vendor would receive an aggregate of the technical issues, making them better positioned to analyze the system performance. Although a railroad may delegate record keeping, the railroad would retain the responsibility for keeping records of performance on their property. The railroads would be responsible for ensuring the safe operation of systems on their property, and would be required to have access to the performance data if they are to carry out their responsibilities under this proposed section.
This section also proposes detailed handling requirements for required records. Proposed paragraph (a) would require specific content in the record. FRA would accept paper records or electronic records. Electronic record keeping would be encouraged as it reduces storage costs, simplifies collection of information, and allows data mining of the collected information. However, to ensure that the electronic records would provide all required information, approval by the Associate Administrator for Safety would be required.
Signatures on paper records would be required to uniquely identify the person certifying the information contained in the record in such a manner that would enable detection of a forgery. Proposed paragraph (a) would also ensure that an electronic signature could be attributable to a single individual as reliably as paper records. It would be possible to meet the storage requirement in several different ways. Physical paper records would be expected to be kept at the physical location of the supervising official. Electronic records would be permitted to be either stored locally, or remotely. FRA would have no preference as long as the records are accessible for FRA review.
Proposed paragraph (b) would specify the required retention period for the records. FRA recognizes that retaining records involves a cost to railroads, and appreciates their desire to minimize both the number, and the required retention period. To this end, FRA has identified two different categories of records, and proposes differing retention periods for each. The first category involves records associated with installation or modification of a system and would contain data required for evaluating the product's performance and compliance to the safety case conditions throughout the life of the product. FRA would consider the life of the product to begin when the product is first placed in use and end with the permanent withdrawal of the product from service. In the event of permanent transfer of the product to another, the receiving railroad would become responsible for maintaining them. This responsibility would continue until the product is completely withdrawn from rail service. The second category of records would address periodic testing and would have a retention period of at least one year, or the periodicity of the subsequent test, whichever is greater. Results obtained by a subsequent test would supersede the earlier test. The earlier test results would be moot for evaluating the current condition.
Regrettably, in some cases, the use of electronic records may not meet the minimum standards required by FRA. Consequently, FRA is proposing procedures for withdrawing authorization to use electronic records in paragraph (c). If FRA finds it necessary to withdraw an authorization, FRA would explain the reason in writing.
Section 229.315 Operation Maintenance Manual
This section proposes to require that each railroad have a manual covering the requirements for the installation, periodic maintenance and testing, modification, and repair of its safety critical locomotive control systems. This manual could be kept in paper or electronic form. It is recommended that electronic copies of the manual be maintained in the same manner as other electronic records kept for this part and that it be included in the railroad's configuration management plan (with the master copy and dated amendments carefully maintained so that the status of instructions to the field as of any given date can be readily determined).
Proposed paragraph (a) would require that the manual be available to both persons required to perform such tasks and to FRA. Proposed paragraph (b) would require that plans necessary for proper maintenance and testing of products be correct, legible, and available where such systems are deployed or maintained. The paragraph also proposes that the manual identify the current version of software installed, revisions, and revision dates. Proposed paragraph (c) would require that the manual identify the hardware, software, and firmware revisions in accordance with the configuration management requirement. Proposed paragraph (d) would require the identification, replacement, handling, and repair of safety critical components in accordance with the configuration management requirements. Finally, proposed paragraph (e) would require the manual be ready for use prior to deployment of the product, and that it is available for FRA review.
Section 229.317 Training and Qualification Program
This section proposes specific parameters for training railroad employees and contractor employees to ensure they have the necessary knowledge and skills to complete their duties related to safety-critical products. Proposed paragraph (a) would require the training to be formally conducted and documented based on educational best practices. Paragraphs (b) and (c) propose that the employer identify employees that will be performing inspection, testing, maintenance, repairing, dispatching, and operating tasks related to the safety critical locomotive systems, and develop a written task analysis for the performance of duties. The employer would identify additional knowledge and skills above those required for basic job performance necessary to perform each task. Work situations often present unexpected challenges, and employees who understand the context within which the job is to be done would be better able to respond with actions that preserve safety. Further, the specific requirements of the job would be better understood; and requirements that are better understood are more likely to be adhered to. Well-informed employees would be less likely to conduct ad hoc troubleshooting; and therefore, should be of greater value in assisting with troubleshooting.
Proposed paragraph (d) would require the employer to develop a training curriculum that includes either classroom, hands-on, or other formally-structured training designed to impart the knowledge and skills necessary to perform each task.
Paragraph (e) proposes a requirement that all persons subject to training requirements and their direct supervisors must successfully complete the training curriculum and pass an examination for the tasks for which they are responsible. Generally, giving appropriate training to each of these employees prior to task assignment would be required. The exception would be when an employee, who has not received the appropriate training, is conducting the task under the direct, on-site supervision of a qualified person.
Proposed paragraph (f) would require periodic refresher training. This periodic training must include classroom, hands-on, computer-based training, or other formally structured training. The intent would be for personnel to maintain the knowledge and skills required to perform their assigned task safely.
Paragraph (g) proposes a requirement to compare and evaluate the effectiveness of training. The evaluation would first determine whether the training program materials and curriculum are imparting the specific skills, knowledge, and abilities to accomplish the stated goals of the training program; and second, determine whether the stated goals of the training program reflect the correct, and current, products and operations.
Paragraph (h) proposes that the railroad must maintain records that designate qualified persons. Records retention would be required until recording new qualifications, or for at least one year after such person(s) leave applicable service. The records would be required to be available for FRA inspection and copying.
Section 229.319 Operating Personnel Training
This section contains proposed minimum training requirements for locomotive engineers and other operating personnel who interact with safety critical locomotive control systems. “Other operating personnel” would refer to onboard train and engine crew members (i.e., conductors, brakemen, and assistant engineers).
Proposed paragraph (a) would require training to contain familiarization with the onboard equipment and the functioning of that equipment as part of and its relationship to other onboard systems under that person's control. The training program would be required to cover all notifications by the system (i.e., onboard displays) and actions or responses to such notifications required by onboard personnel. The training would also be required to address how each action or response ensures proper operation of the system and safe operation of the train.
During system operations emergent conditions could arise which would affect the safe operation of the system. This section would also require operating personnel to be informed as soon as practical after discovery of the condition, and any special actions required for safe train operations.
Paragraph (b) proposes that for certified locomotive engineers, the training requirements of this section would be required to be integrated into the training requirements of part 240. Although this requirement would only address engineers, in the event of certification of other operating personnel, the expectation is that these requirements would be included into their training requirements.
Appendix F—Recommended Practices for Design and Safety Analysis
Appendix F proposes a set of criteria for performing risk management design of locomotive control systems. FRA recognizes that not all safety risks associated with human error can be eliminated by designs, no matter how well trained and skilled the designers, implementers, and operators. The intention of the appendix would be to provide one set of safety guidelines distilled from proven design considerations. There are numerous other approaches to risk management-based design. The basic principles of this appendix capture the lessons learned from the research, design, and implementation of similar technology in other modes of transportation and other industries. The overriding goal of this appendix is to minimize the potential for design-induced error by ensuring that systems are suitable for operators, and their tasks and environment.
FRA believes that new locomotive systems will be in service for a long period. Over time, there will be system modifications from the original design. FRA is concerned subsequent modifications to a product might not conform to the product's original design philosophy. The original designers of products could likely be unavailable after several years of operation of the product. FRA believes mitigating this is most successful by fully explaining and documenting the original design decisions and their rationale. Further, FRA feels that assumption of long product life cycles during the design and analysis phase will force product designers and users to consider long-term effects of operation. Such a criterion would not be applicable if, for instance, the railroad limited the product's term of proposed use.
Translation of these guidelines into processes helps ensure the safe performance of the product and minimizes failures that would have the potential to affect the safety of railroad operations. Fault paths are essential to establishing failure modes and appropriate mitigations. Failing to identify a fault path can have the effect of making a system seem safer on paper than it actually is. When an unidentified fault path is discovered in service which leads to a previously unidentified safety-relevant hazard, the threshold in the safety analysis is automatically exceeded, and both the designer and the railroad must take mitigating measures. The frequency of such discoveries relates to the quality of the safety analysis efforts. Safety analyses of poor quality are more likely to lead to in-service discovery of unidentified fault paths. Some of those paths might lead to potential serious consequences, while others might have less serious consequences.
Given technology, cost, and other constraints there are limitations regarding the level of safety obtainable. FRA recognizes this. However, FRA also believes that there are well-established and proven design and analysis techniques that can successfully mitigate these design restrictions. The use of proven safety considerations and concepts is necessary for the development of products. Only by forcing conscious decisions by the designer on risk mitigation techniques adopted, and justifying those choices (and their decision that a mitigation technique is not applicable) does the designer fully consider the implications of those choices. FRA notes that in normal operation, the product design should preclude human errors that cause a safety hazard. In addition to documenting design decisions, describing system requirements within the context of the concept of operations further mitigates against the loss of individual designers. In summary, the recommended approach ensures retention of a body of corporate knowledge regarding the product, and influences on the safety of the design. It also promotes full disclosure of safety risks to minimize or eliminate elements of risk where practical.
C. Proposed Amendments to Part 238
Section 238.105 Train Electronic Hardware and Software Safety
This section proposes the incorporation of existing waivers and addresses certain operational realities. Since the implementation of the Passenger Equipment Safety Standards, FRA has granted one waiver from the requirements of § 238.105(d) (FRA-2004-19396) for 26 EMU bi-level passenger cars operated by Northeastern Illinois Regional Commuter Railroad Corporation (METRA). FRA is in receipt of a second waiver (FRA-2008-0139) for 14 new EMU bi-level passenger cars to be operated by Northern Indiana Commuter Transportation District. There are over 1000 EMU passenger cars (M-7) being operated by Long Island Railroad & Metro-North Commuter Railroad (MNCW) for the past five years that FRA has discovered will need a waiver to be in compliance with § 238.105(d). The MNCW has placed an order for additional 300 plus options, EMU passenger cars (M-8) that will also need a waiver from the requirements of existing § 238.105(d).
The portion of the requirements that these cars' brake systems cannot satisfy is the requirement for a full service brake in the event of hardware/software failure of the brake system or access to direct manual control of the primary braking system both service and emergency braking. The braking system on these cars does not have the full service function but does default to emergency brake application in the event of hardware/software failure of the brake system and the operator has the ability to apply the brake system at an emergency rate from the conductor's valve located in the cab. A slight change to the language in § 238.105 would alleviate the need for these waivers and would not reduce the braking rate of the equipment or the stop distances.
Section 238.309 Periodic Brake Equipment Maintenance
For convenience and clarity, FRA proposes to consolidate locomotive air brake maintenance for conventional locomotives into part 229. No substantive change to the regulation would result. Currently, because conventional locomotives are used in passenger service, certain air brake maintenance requirements are included in the Passenger Equipment Safety Standards contained in part 238. Placing all of the requirements for conventional locomotives in part 229 would make the standards easier to follow and avoid confusion.
The proposed brake maintenance in this section would also extend the intervals at which required brake maintenance is performed for several types of brake systems for non-conventional locomotives. The length of the proposed intervals reflects the results of studies and performance evaluations related to a series of waivers starting in 1981 and continuing to present day. Overall, the type of brake maintenance that would be required would remain the same.
VII. Regulatory Impact and Notices
Executive Order 12866 and DOT Regulatory Policies and Procedures
This proposed rule has been evaluated in accordance with existing policies and procedures, and determined to be non-significant under both Executive Order 12866 and DOT policies and procedures (44 FR 11034; February 26, 1979). FRA has prepared and placed in the docket a regulatory analysis addressing the economic impact of this proposed rule. Document inspection and copying facilities are available at Room W12-140 on the Ground level of the West Building, 1200 New Jersey Avenue, SE., Washington, DC 20590.
As part of the regulatory impact analysis FRA has assessed quantitative measurements of cost and benefit streams expected from the adoption of this proposed rule. This analysis includes qualitative discussions and quantitative measurements of costs and benefits of the proposed regulatory text in this rulemaking. The primary costs or burdens in this proposed rule are from the alerter and revised minimum (i.e., cold weather) cab temperature requirements. The savings will accrue from fewer train accidents, future waivers, and waiver renewals. In addition, savings would also accrue from a reduction in downtime for locomotives due to proposed changes to headlight and brake requirements. For the twenty year period the estimated quantified costs have a Present Value (PV) 7% of $7 million. For this period the estimated quantified benefits have a PV, 7% of $7.3 million.
Regulatory Flexibility Act and Executive Order 13272
The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) and Executive Order 13272 require a review of proposed and final rules to assess their impacts on small entities. An agency must prepare an initial regulatory flexibility analysis (IRFA) unless it determines and certifies that a rule, if promulgated, would not have a significant impact on a substantial number of small entities. FRA is confident that this proposed rule would not impose a significant economic impact on a substantial number of small entities. However, FRA is reserving the final decision on certification for the final rule. Hence, interested parties are invited to submit data and information regarding the potential economic impact that would result from adoption of the proposals in the NPRM. Comments and input that FRA receives during the comment period of this rulemaking will assist the agency in making its final decision. FRA estimates that only 12 percent of the total cost associated with implementing the proposed rule would be borne by small entities and most of that will be the cost for the proposed cab temperature change.
Below FRA provides the process it went through when assessing the potential impacts of this rule on small entities.
1. Reasons for Considering Agency Action
As discussed in earlier sections of the preamble to this rulemaking, in its efforts to update and re-evaluate its current regulations FRA formed an RSAC Working Group to review 49 CFR part 229 and recommend revisions as appropriate. Thus the proposed revisions in this rulemaking serve to update a regulation that was originally promulgated prior to 1980. It will clarify some existing requirements, and incorporate some existing industry standards. In addition it will incorporate some current waivers that some members of the industry have, and some engineering best practices. Most of these revisions add clarity to the rule, reduce industry burden to comply with some requirements, and in some cases streamline or consolidate the FRA requirements. Some revisions are intended to enhance railroad safety.
2. Objectives and Legal Basis for the Proposed Rule
(a) Legal Basis for the Proposed Rule
Railroad locomotive inspection requirements are one of the oldest areas of Federal safety regulations. The primary statutory authority, The Locomotive Inspection Act, was enacted in 1911. Pursuant to that authority, in the area of locomotive safety, FRA has issued regulations found at part 229 addressing topics such as inspections and tests, safety requirements for brake, draft, suspension, and electrical systems, and cabs and cab equipment.
FRA has broad statutory authority to regulate railroad safety. The Locomotive Inspection Act (formerly 45 U.S.C. 22-34, now 49 U.S.C. 20701-20703) prohibits the use of unsafe locomotives and authorizes FRA to issue standards for locomotive maintenance and testing. In order to further FRA's ability to respond effectively to contemporary safety problems and hazards as they arise in the railroad industry, Congress enacted the Federal Railroad Safety Act of 1970 (Safety Act) (formerly 45 U.S.C. 421, 431 et seq., now found primarily in chapter 201 of Title 49). The Safety Act grants the Secretary of Transportation rulemaking authority over all areas of railroad safety (49 U.S.C. 20103(a)) and confers all powers necessary to detect and penalize violations of any rail safety law. This authority was subsequently delegated to the FRA Administrator (49 CFR 1.49) (Until July 5, 1994, the Federal railroad safety statutes existed as separate acts found primarily in title 45 of the United States Code. On that date, all of the acts were repealed, and their provisions were recodified into title 49 of the United States Code).
(b) Objective of the Proposed Rule
This action is taken by FRA in an effort to enhance its safety regulatory program. The proposed revision would update, consolidate, and clarify existing rules, and incorporate existing industry and engineering best practices.
3. Description and Estimate of Small Entities Affected
The “universe” of the entities to be considered generally includes only those small entities that can reasonably be expected to be directly regulated by this action. Two types of small entities are potentially affected by this rulemaking: (1) Small railroads, and (2) governmental jurisdictions of small communities.
“Small entity” is defined in 5 U.S.C. 601. Section 601(3) defines a “small entity” as having the same meaning as “small business concern” under section 3 of the Small Business Act. This includes any small business concern that is independently owned and operated, and is not dominant in its field of operation. Section 601(4) includes not-for-profit enterprises that are independently owned and operated, and are not dominant in their field of operations within the definition of “small entities.” Additionally, section 601(5) defines as “small entities” governments of cities, counties, towns, townships, villages, school districts, or special districts with populations less than 50,000.
The U.S. Small Business Administration (SBA) stipulates “size standards” for small entities. It provides that the largest a for-profit railroad business firm may be (and still classify as a “small entity”) is 1,500 employees for “Line-Haul Operating” railroads, and 500 employees for “Short-Line Operating” railroads.
SBA size standards may be altered by Federal agencies in consultation with SBA, and in conjunction with public comment. Pursuant to the authority provided to it by SBA, FRA has published a final policy, which formally establishes small entities as railroads that meet the line haulage revenue requirements of a Class III railroad. Currently, the revenue requirements are $20 million or less in annual operating revenue, adjusted annually for inflation. The $20 million limit (adjusted annually for inflation) is based on the Surface Transportation Board's threshold of a Class III railroad carrier, which is adjusted by applying the railroad revenue deflator adjustment. The same dollar limit on revenues is established to determine whether a railroad shipper or contractor is a small entity. FRA is proposing to use this definition for this rulemaking.
There are approximately 685 small railroads meeting the definition of “small entity” as described above. FRA estimates that all of these small entities could potentially be impacted by one or more of the proposed changes in this rulemaking. Note, however, that approximately fifty of these railroads are subsidiaries of large short line holding companies with the technical multidisciplinary expertise and resources comparable to larger railroads. It is important to note that many of the changes or additions in this rulemaking will not impact all or many small railroads. The nature of some of the changes would dictate that the impacts primarily fall on large railroads that purchase new and/or electronically advanced locomotives. Small railroads generally do not purchase new locomotives; they tend to buy used locomotives from larger railroads. Also, two of the proposed requirements, i.e., requirements for alerters and RCL standards, would burden very few if any small railroads. The most burdensome requirement for small railroads would be the proposed revisions to cab temperature since older locomotives are less likely to meet the revised standards and small railroads tend to own older locomotives. It is also important to note that the proposed changes only apply to non-steam locomotives. There are some small railroads that own one or more steam locomotives which these changes will not impact. There are a few small railroads that own all or almost all steam locomotives. Most of these entities are either museum railroads or tourist railroads. For these entities these proposed regulations would have very little or no impact. FRA estimates that there are about five small railroads that only own steam locomotives.
(b) Governmental Jurisdictions of Small Communities
Small entities that are classified as governmental jurisdictions would also be affected by the proposals in this rulemaking. As stated above, and defined by SBA, this term refers to governments of cities, counties, towns, townships, villages, school districts, or special districts with populations of less than 50,000. FRA does not expect this group of entities to be impacted.
The rule would apply to governmental jurisdictions or transit authorities that provide commuter rail service—none of which is small as defined above (i.e., no entity serves a locality with a population less than 50,000). These entities also receive Federal transportation funds. Intercity rail service providers Amtrak and the Alaska Railroad Corporation would also be subject to this rule, but they are not small entities and likewise receive Federal transportation funds. While other railroads are subject to this final rule by the application of § 238.3, FRA is not aware of any railroad subject to this rule that is a small entity that will be impacted by this rule.
4. Description of Reporting, Recordkeeping, and Other Compliance Requirements and Impacts on Small Entities Resulting From Specific Requirements
The impacts to small railroads from this rulemaking would primarily result from proposed alerter requirements and cold weather cab temperature change. The rulemaking should result in regulatory relief for many railroads. The proposed rule clarifies some existing sections, adds some existing industry standards, and it incorporates some current waivers.
(a) Remote Control Locomotives § 229.15
FRA proposes to formally codify safety standards for remote control operated locomotives. Such standards should not impact any small railroads. FRA does not know of any small railroads that use RCL operations. In addition, RCL operations are not required to operate a railroad. The conduction of future RCL operations by small railroads would be a business decision that takes into consideration regulatory costs.
(b) Electronic Recordkeeping § 229.20
This proposed section permits the use of electronic recordkeeping systems related to the maintenance of records related to locomotives. This proposed section does not require electronic recordkeeping. FRA is not aware of any small railroads that would utilize this proposed provision. FRA also anticipates cost savings for any railroad that would utilize the provisions.
(c) Periodic Inspection: General § 229.23
This section would require railroads that choose to maintain and transfer records electronically as provided for in § 229.20, to print the name of the person who performed the inspections, repairs, or certified work on the Form FRA F 6180-49A that is displayed in the cab of each locomotive. As small railroads are not likely to maintain records electronically, the proposed changes to this section would not impact any small railroads.
(d) Test: Every Periodic Inspection § 229.25
Two additional paragraphs are proposed in this section to include inspection requirements for remote control locomotives and locomotive alerters during the 92-day Periodic Inspection. Since almost no small railroads utilize RCL or have locomotives and many small railroad operations would not require alerters, these new paragraphs are not expected to have a significant impact on small railroads. In general, older locomotives, which are less likely to be equipped with alerters, are used for lower speed operations. Small railroads commonly engage in such operations and thus a substantial number would probably not be impacted by the proposed alerter inspection requirement.
(e) Air Brake System Maintenance and Testing § 229.29
This section would be re-titled, and consolidate and better organize existing requirements to improve clarity. Because 49 CFR 229.29 concerns only brakes, it would be re-titled, “Air Brake System Maintenance and Testing” to more accurately reflect the section's content. In addition, the proposed changes to this section would fold the current waivers for air brakes into the regulation. Thus, these changes may seem to add more to the section, but they actually provide longer inspection periods for some air brake systems. This will produce two benefits. First it will produce a cost savings for future waivers and waiver renewals. Second, it will produce a benefit for other entities that happen to have one of these types of air brake systems, and do not currently have a waiver. The length of the proposed intervals reflects the results of studies and performance evaluations related to a series of waivers starting in 1981 and continuing to present day. The proposed changes for this section will not impact many, if any, small railroads. The air brake systems that the proposed provisions cover are systems used by newer locomotives. Since most small railroads do not own newer locomotives, the proposed changes to this section should have no impact on any small entities.
(f) Brakes General § 229.46
FRA proposes to clarify this section, and provide standards for the safe use of a locomotive with an inoperative or ineffective automatic or independent brake. The proposal would not require the automatic or independent brake to be repaired. However, the requirement to place a tag on the isolation switch would notify the crew that the locomotive could be used only according to § 229.46(b) until it is repaired. Basically under the current rule such a locomotive could only be moved under the requirements of § 229.9, until the next daily inspection or a location where repairs could be made. With the proposed requirement the locomotive can continue to be utilized in a non-lead position until repaired or until it receives a periodic inspection. This proposed change is expected to produce cost savings for railroads and therefore is not expected to impose any negative burdens on small railroads.
(g) Steam Generator Inspections and Tests § 229.4
This proposed section is being added to consolidate the steam generator requirements of part 229 into a single section. The proposal would not change the substance of the requirements. Therefore no small railroads will be negatively impacted by the proposed change.
(h) Locomotive Cab Temperature § 229.119
This rulemaking includes a revision to paragraph (d) of § 229.119, Cab Temperature. The proposed rule is increasing the minimum temperature that must be maintained in the locomotive cab from 50 degrees to 60 degrees. This proposed change is not one that the RSAC Working Group agreed to. It is based on an FRA recommendation.
FRA estimates that two percent of the locomotive fleet for the industry will need improved maintenance of their heaters. Also FRA estimates that one percent of the locomotive fleet for the industry will require additional heaters installed to meet the proposed requirement. This represents 530 and 265 locomotives, respectively. This requirement would likely affect many yard/switching locomotives of various size railroads. Such locomotives generally tend to be older than most road locomotives. Small railroads would also be impacted because they generally operate older locomotives as well. The cost of adding a heater to a locomotive is about $500. Annual maintenance cost to ensure heaters work as necessary to comply with the higher minimum temperature requirements is estimated at $100 per locomotive per year. The average life expectancy of a heater is about 10 years and many older locomotives could be retired before replacement is necessary. FRA estimates that approximately 60 percent of this cost would be borne by small railroads. This is the most significant cost that would burden small railroads.
(i) Pilots, Snowplows and End Plates; and Headlights §§ 229.123 through 229.125
The proposed rule includes changes to § 229.123 for snowplows and end plates and § 229.125 for headlights. The proposed changes for both sections are more permissive, increase the flexibility of the rule, and will serve to decrease the number of waiver requests that the railroad industry submits to FRA. FRA does not see any negative impact being imposed on small entities by the proposed changes in these sections.
(j) Alerters § 229.140
Alerters are common safety devices intended to verify that a locomotive engineer remains capable and vigilant to accomplish the tasks that he or she must perform. This proposed section would require locomotives that operate over 25 mph to be equipped with an alerter, and would require the alerter to perform certain functions. FRA is estimating that there will be a regulatory impact from this proposal. However, very few, if any, shortline railroads operate trains at speeds that exceed 25 mph. Therefore, this proposal is not expected to have an impact on small entities. FRA specifically requests comments regarding this estimate.
(k) Locomotive Electronics, Subpart E
FRA is proposing a new Subpart titled “locomotive electronics.” The purpose of this subpart is to promote the safe design, operation, and maintenance of safety-critical electronic locomotive systems, subsystems, and components. It is important to first note that these proposed requirements only apply to new locomotives. Second, the effective date for products in development is delayed by a few additional years. As a practical matter, there are no costs for the requirements of this proposed subpart because it is simply codifying good engineering practices. Because small railroads generally do not purchase new locomotives, this proposed new subpart is not expected to have an impact on any small railroads.
5. Identification of Relevant Duplicative, Overlapping, or Conflicting Federal Rules
There are no Federal rules that would duplicate, overlap, or conflict with this proposed rule.
6. Alternatives Considered
FRA has identified no significant alternative to the proposed rule which meets the agency's objective in promulgating this rule, and that would minimize the economic impact of the proposed rule on small entities. As in all aspects of this IRFA, FRA requests comments on this finding of no significant alternative related to small entities. The process by which this proposed rule was developed provided outreach to small entities. As noted earlier in sections I, II, and III of this preamble, this notice was developed in consultation with industry representatives via the RSAC, which includes small railroad representatives. On September 21, 2006, the full RSAC unanimously adopted the Working Group's recommendation on locomotive sanders as its recommendation to FRA. The next twelve Working Group meetings addressed a wide range of locomotive safety issues. Minutes of these meetings have been made part of the docket in this proceeding. On September 10, 2009, after a series of detailed discussions, the RSAC approved and provided recommendations on a wide range of locomotive safety issues including locomotive brake maintenance, pilot height, headlight operation, danger markings, and locomotive electronics.
Paperwork Reduction Act
The information collection requirements in this proposed rule have been submitted for approval to the Office of Management and Budget (OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. The sections that contain the new and current information collection requirements and the estimated time to fulfill each requirement are as follows:
| CFR Section | Respondent universe | Total annual responses | Average time per response | Total annual burden hours |
|---|---|---|---|---|
| 229.9-Movement of Non-Complying Locomotives | 44 Railroads | 21,000 tags | 1 minute | 350 |
| 229.15—Remote Control Locomotives (RCL)—(New Requirements). | | | | |
| —Tagging at Control Stand Throttle | 44 Railroads | 3,000 tags | 2 minutes | 100 |
| —Testing and Repair of Operational Control Unit (OCU) on RCL—Records | 44 Railroads | 200 testing/repair records | 5 minutes | 17 |
| 229.17—Accident Reports | 44 Railroads | 1 report | 15 minutes | .25 |
| 229.20—Electronic Recordkeeping—Electronic Record of Inspections and Maintenance and Automatic Notification to Railroad that Locomotive is Due for Inspection (New Requirement) | 44 Railroads | 21,000 notifications | 1 second | 6 |
| 229.21—Daily Inspection | 720 Railroads | 6,890,000 records | 16 or 18 min. | 1,911,780 |
| —MU Locomotives: Written Reports | 720 Railroads | 250 reports | 13 minutes | 54 |
| Form FRA F 6180.49A Locomotive Inspection/Repair Record | 720 Railroads | 4,000 forms | 2 minutes | 133 |
| 210.31—Main Reservoir Tests—Form FRA F 6180.49A | 720 Railroads | 19,000 tests/forms | 8 hours | 152,000 |
| 229.23/229.27/229.29/229.31—Periodic Inspection/Annual Biennial Tests/Main Res. Tests—Secondary Records of Information on Form FRA F 6180.49A | 720 Railroads | 19,000 records | 2 minutes | 633 |
| —List of Defects and Repairs on Each Locomotive and Copy to Employees Performing Insp. (New Requirement) | 720 Railroads | 4,000 lists + 4,000 copies | 2 minutes | 266 |
| Document to Employees Performing Inspections of All Tests Since Last Periodic Inspection (New Requirement) | 720 Railroads | 19,000 documents | 2 minutes | 633 |
| 229.33—Out-of Use Credit | 720 Railroads | 500 notations | 5 minutes | 42 |
| 229.25(1)—Test: Every Periodic Insp.—Written Copies of Instruction | 720 Railroads | 200 amendments | 15 minutes | 50 |
| 229.25(2)—Duty Verification Readout Record | 720 Railroads | 4,025 records | 90 minutes | 6,038 |
| 229.25(3)—Pre-Maintenance Test—Failures | 720 Railroads | 700 notations | 30 minutes | 350 |
| 229.135(A.)—Removal From Service | 720 Railroads | 1,000 tags | 1 minute | 17 |
| 229.135(B.)—Preserving Accident Data | 720 Railroads | 10,000 reports | 15 minutes | 2,500 |
| 229.27—Annual Tests | 720 Railroads | 700 test records | 90 minutes | 1,050 |
| 229.29—Air Brake System Maintenance and Testing (New Requirement)—Air Flow Meter Testing—Record | 720 Railroads | 88,000 tests/records | 15 seconds | 367 |
| 229.46—Brakes General—Tagging Isolation Switch of Locomotive That May Only Be Used in Trailing Position (New Requirement) | 720 Railroads | 2,100 tags | 2 minutes | 70 |
| 229.85—Danger Markings on All Doors, Cover Plates, or Barriers | 720 Railroads | 1,000 decals | 1 minute | 17 |
| 229.123—Pilots, Snowplows, End Plates—Markings—Stencilling (New Requirement) | 720 Railroads | 20 stencilling | 2 minutes | 1 |
| —Notation on Form FRA F 6180.49A for Pilot, Snowplows, or End Plate Clearance Above Six Inches (New Requirement) | 720 Railroads | 20 notations | 2 minutes | 1 |
| 229.135—Event Recorders 229.135(b)(5)—Equipment Requirements—Remanufactured Locomotives with Certified Crashworthy Memory Module | 720 Railroads | 1,000 Certified Memory Modules | 2 hours | 2,000 |
| NEW REQUIREMENTS—SUBPART E—LOCOMOTIVE ELECTRONICS | | | | |
| 229.303—Requests to FRA for Approval of On-Track Testing of Products Outside a Test Facility | 720 Railroads | 20 requests | 8 hours | 160 |
| —Identification to FRA of Products Under Development | 720 Railroads/3 Manufacturers | 20 products | 2 hours | 40 |
| 229.307—Safety Analysis by RR of Each Product Developed | 720 Railroads | 300 analyses | 240 hours | 72,000 |
| 229.309—Notification to FRA of Safety-Critical Change in Product | 720 Railroads | 10 notifications | 16 hours | 160 |
| Report to Railroad by Product Suppliers/Private Equipment Owners of Previously Unidentified Hazards of a Product | 3 Manufacturers | 10 reports | 8 hours | 80 |
| 229.311—Review of Safety Analyses (SA) | | | | |
| —Notification to FRA of Railroad Intent to Place Product In Service | 720 Railroads | 300 notifications | 2 hours | 600 |
| —RR Documents That Demonstrate Product Meets Safety Requirements of the SA for the Life-Cycle of Product | 720 Railroads | 300 documents | 2 hours | 600 |
| —RR Database of All Safety Relevant Hazards Encountered with Product Placed in Service | 720 Railroads | 300 databases | 4 hours | 1,200 |
| —Written Reports to FRA If Frequency of Safety-Relevant Hazards Exceeds Threshold | 720 Railroads | 10 reports | 2 hours | 20 |
| —Final Reports to FRA on Countermeasures to Reduce Frequency of Safety-Relevant Hazard(s) | 720 Railroads | 10 reports | 4 hours | 40 |
| 229.313—Product Testing Results—Records | 720 Railroads | 120,000 records | 5 minutes | 10,000 |
| 229.315—Operations and Maintenance Manual—All Product Documents | 720 Railroads | 300 manuals | 40 hours | 12,000 |
| —Configuration Management Control Plans | 720 Railroads | 300 plans | 8 hours | 2,400 |
| —Identification of Safety-Critical Components | 720 Railroads | 60,000 components | 5 minutes | 5,000 |
| 229.317—Product Training and Qualifications Program | 720 Railroads | 300 programs | 40 hours | 12,000 |
| —Product Training of Individuals | 720 Railroads | 10,000 trained employees | 30 minutes | 5,000 |
| —Refresher Training | 720 Railroads | 1,000 trained employees | 20 minutes | 333 |
| —RR Regular and Periodic Evaluation of Effectiveness of Training Program | 720 Railroads | 300 evaluations | 4 hours | 1,200 |
| —Records of Qualified Individuals | 727 Railroads | 10,000 records | 10 minutes | 1,667 |
| Appendix F—Guidance for Verification and Validation of Product—Third Party Assessment | 720 Railroads/3 Manufacturers | 1 assessment | 4,000 hours | 4,000 |
| —Reviewer Final Report | 720 Railroads/3 Manufacturers | 1 report | 80 hours | 80 |
All estimates include the time for reviewing instructions; searching existing data sources; gathering or maintaining the needed data; and reviewing the information. Pursuant to 44 U.S.C. 3506(c)(2)(B), FRA solicits comments concerning: Whether these information collection requirements are necessary for the proper performance of the functions of FRA, including whether the information has practical utility; the accuracy of FRA's estimates of the burden of the information collection requirements; the quality, utility, and clarity of the information to be collected; and whether the burden of collection of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology, may be minimized. For information or a copy of the paperwork package submitted to OMB, contact Mr. Robert Brogan, Office of Safety, Information Clearance Officer, at 202-493-6292, or Ms. Kimberly Toone, Office of Information Technology, at 202-493-6139.
Organizations and individuals desiring to submit comments on the collection of information requirements should direct them to Mr. Robert Brogan or Ms. Kimberly Toone, Federal Railroad Administration, 1200 New Jersey Avenue, SE., 3rd Floor, Washington, DC 20590. Comments may also be submitted via e-mail to Mr. Brogan or Ms. Toone at the following address: Robert.Brogan@dot.gov; Kimberly.Toone@dot.gov
OMB is required to make a decision concerning the collection of information requirements contained in this proposed rule between 30 and 60 days after publication of this document in the Federal Register. Therefore, a comment to OMB is best assured of having its full effect if OMB receives it within 30 days of publication. The final rule will respond to any OMB or public comments on the information collection requirements contained in this proposal.
FRA is not authorized to impose a penalty on persons for violating information collection requirements which do not display a current OMB control number, if required. FRA intends to obtain current OMB control numbers for any new information collection requirements resulting from this rulemaking action prior to the effective date of the final rule. The OMB control number, when assigned, will be announced by separate notice in the Federal Register.
FRA has analyzed this proposed rule in accordance with the principles and criteria contained in Executive Order 13132, issued on August 4, 1999, which directs Federal agencies to exercise great care in establishing policies that have federalism implications. See 64 FR 43255. This proposed rule will not have a substantial effect on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among various levels of government. This proposed rule will not have federalism implications that impose any direct compliance costs on State and local governments.
FRA notes that the RSAC, which endorsed and recommended the majority of this proposed rule to FRA, has as permanent members, two organizations representing State and local interests: AASHTO and the Association of State Rail Safety Managers (ASRSM). Both of these State organizations concurred with the RSAC recommendation endorsing this proposed rule. The RSAC regularly provides recommendations to the FRA Administrator for solutions to regulatory issues that reflect significant input from its State members. To date, FRA has received no indication of concerns about the Federalism implications of this rulemaking from these representatives or of any other representatives of State government. Consequently, FRA concludes that this proposed rule has no federalism implications, other than the preemption of state laws covering the subject matter of this proposed rule, which occurs by operation of law as discussed below.
This proposed rule could have preemptive effect by operation of law under certain provisions of the Federal railroad safety statutes, specifically the former Federal Railroad Safety Act of 1970 (former FRSA), repealed and recodified at 49 U.S.C. 20106, and the former Locomotive Boiler Inspection Act at 45 U.S.C. 22-34, repealed and recodified at 49 U.S.C. 20701-20703. The former FRSA provides that States may not adopt or continue in effect any law, regulation, or order related to railroad safety or security that covers the subject matter of a regulation prescribed or order issued by the Secretary of Transportation (with respect to railroad safety matters) or the Secretary of Homeland Security (with respect to railroad security matters), except when the State law, regulation, or order qualifies under the “local safety or security hazard” exception to section 20106. Moreover, the former LIA has been interpreted by the Supreme Court as preempting the field concerning locomotive safety. See Napier v. Atlantic Coast Line R.R., 272 U.S. 605 (1926).
FRA has evaluated this proposed regulation in accordance with its “Procedures for Considering Environmental Impacts” (FRA's Procedures) (64 FR 28545, May 26, 1999) as required by the National Environmental Policy Act (42 U.S.C. 4321 et seq.), other environmental statutes, Executive Orders, and related regulatory requirements. FRA has determined that this proposed regulation is not a major FRA action (requiring the preparation of an environmental impact statement or environmental assessment) because it is categorically excluded from detailed environmental review pursuant to section 4(c)(20) of FRA's Procedures. 64 FR 28547, May 26, 1999. Section 4(c)(20) reads as follows: (c) Actions categorically excluded. Certain classes of FRA actions have been determined to be categorically excluded from the requirements of these Procedures as they do not individually or cumulatively have a significant effect on the human environment. Promulgation of railroad safety rules and policy statements that do not result in significantly increased emissions or air or water pollutants or noise or increased traffic congestion in any mode of transportation are excluded.
In accordance with section 4(c) and (e) of FRA's Procedures, the agency has further concluded that no extraordinary circumstances exist with respect to this regulation that might trigger the need for a more detailed environmental review. As a result, FRA finds that this proposed regulation is not a major Federal action significantly affecting the quality of the human environment.
Unfunded Mandates Reform Act of 1995
Pursuant to Section 201 of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4, 2 U.S.C. 1531), each Federal agency “shall, unless otherwise prohibited by law, assess the effects of Federal regulatory actions on State, local, and tribal governments, and the private sector (other than to the extent that such regulations incorporate requirements specifically set forth in law).” Section 202 of the Act (2 U.S.C. 1532) further requires that “before promulgating any general notice of proposed rulemaking that is likely to result in the promulgation of any rule that includes any Federal mandate that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any 1 year, and before promulgating any final rule for which a general notice of proposed rulemaking was published, the agency shall prepare a written statement” detailing the effect on State, local, and tribal governments and the private sector. For the year 2010, this monetary amount of $100,000,000 has been adjusted to $140,800,000 to account for inflation. This proposed rule would not result in the expenditure of more than $140,800,000 by the public sector in any one year, and thus preparation of such a statement is not required.
FRA wishes to inform all potential commenters that anyone is able to search the electronic form of all comments received into any agency docket by the name of the individual submitting the comment (or signing the comment, if submitted on behalf of an association, business, labor union, etc.). You may review DOT's complete Privacy Act Statement in the Federal Register published on April 11, 2000 (Volume 65, Number 70; Pages 19477-78) or you may visit http://dms.dot.gov.
List of Subjects
The Proposed Rule
For the reasons discussed in the preamble, FRA proposes to amend parts 229 and 238 of chapter II, subtitle B of Title 49, Code of Federal Regulations, as follows:
1. The authority citation for part 229 continues to read as follows:
2. Section 229.5 is amended by adding in alphabetical order the following definitions to read as follows:
Alerter means a device or system installed in the locomotive cab to promote continuous, active locomotive engineer attentiveness by monitoring select locomotive engineer-induced control activities. If fluctuation of a monitored locomotive engineer-induced control activity is not detected within a predetermined time, a sequence of audible and visual alarms is activated so as to progressively prompt a response by the locomotive engineer. Failure by the locomotive engineer to institute a change of state in a monitored control, or acknowledge the alerter alarm activity through a manual reset provision, results in a penalty brake application that brings the locomotive or train to a stop.
Assignment Address means a unique identifier of the RCL that ensures that only the OCUs linked to a specific RCL can command that RCL.
Controlling locomotive means a locomotive from where the operator controls the traction and braking functions of the locomotive or locomotive consist, normally the lead locomotive.
Locomotive Control Unit (LCU) means a system onboard an RCL that communicates via a radio link which receives, processes, and confirms commands from the OCU, which directs the locomotive to execute them.
Operator Control Unit (OCU) means a mobile unit that communicates via a radio link the commands for movement (direction, speed, braking) or for operations (bell, horn, sand) to an RCL.
Remote Control Locomotive (RCL) means a remote control locomotive that, through use of a radio link can be operated by a person not physically within the confines of the locomotive cab. For purposes of this definition, the term RCL does not refer to a locomotive or group of locomotives remotely controlled from the lead locomotive of a train, as in a distributed power arrangement.
Remote Control Operator (RCO) means a person who utilizes an OCU in connection with operations involving a RCL with or without cars.
Remote Control Pullback Protection means a function of a RCL that enforces speeds and stops in the direction of pulling movement.
3. Section 229.7 is revised to read as follows:
(a) Federal Rail Safety Law (49 U.S.C. 20701-20703) makes it unlawful for any carrier to use or permit to be used on its line any locomotive unless the entire locomotive and its appurtenances—
(1) Are in proper condition and safe to operate in the service to which they are put, without unnecessary peril to life or limb; and
(2) Have been inspected and tested as required by this part.
(b) Any person (including but not limited to a railroad; any manager, supervisor, official, or other employee or agent of a railroad; any owner, manufacturer, lessor, or lessee of railroad equipment, track, or facilities; any employee of such owner, manufacturer, lessor, lessee, or independent contractor) who violates any requirement of this part or of the Federal Rail Safety Laws or causes the violation of any such requirement is subject to a civil penalty of at least $650, but not more than $25,000 per violation, except that: Penalties may be assessed against individuals only for willful violations, and, where a grossly negligent violation or a pattern of repeated violations has created an imminent hazard of death or injury to persons, or has caused death or injury, a penalty not to exceed $100,000 per violation may be assessed. Each day a violation continues shall constitute a separate offense. Appendix B of this part contains a statement of agency civil penalty policy.
(c) Any person who knowingly and willfully falsifies a record or report required by this part is subject to criminal penalties under 49 U.S.C. 21311.
4. Section 229.15 is added to read as follows:
(a) Design and operation. (1) Each locomotive equipped with a locomotive control unit (LCU) shall respond only to the operator control units (OCUs) assigned to that receiver.
(2) If one or more OCUs are assigned to a LCU, the LCU shall respond only to the OCU that is in primary command. If a subsequent OCU is assigned to a LCU, the previous assignment will be automatically cancelled.
(3) If more than one OCU is assigned to a LCU, the secondary OCUs' man down feature, bell, horn, and emergency brake application functions shall remain active.
The remote control system shall be designed so that if the signal from the OCU to the RCL is interrupted for a set period not to exceed five seconds, the remote control system shall cause:
(i) A full service application of the locomotive and train brakes; and
(ii) The elimination of locomotive tractive effort.
(4) Each OCU shall be designed to control only one RCL at a time. OCUs having the capability to control more than one RCL shall have a means to lock in one RCL “assignment address” to prevent simultaneous control over more than one locomotive.
(5) If an OCU is equipped with an “on” and “off” switch, when the switch is moved from the “on” to the “off” position, the remote control system shall cause:
(i) A full service application of the locomotive train brakes; and
(ii) The elimination of locomotive tractive effort.
(6) Each RCL shall have a distinct and unambiguous audible or visual warning device that indicates to nearby personnel that the locomotive is under active remote control operation.
(7) When the main reservoir pressure drops below 90 psi, a RCL shall initiate a full service application of the locomotive and train brakes, and eliminate locomotive tractive effort.
(8) When the air valves and the electrical selector switch on the RCL are moved from manual to remote control mode or from remote control to manual mode, an emergency application of the locomotive and train brakes shall be initiated.
(9) Operating control handles located in the RCL cab shall be removed, pinned in place, protected electronically, or otherwise rendered inoperable as necessary to prevent movement caused by the RCL's cab controls while the RCL is being operated by remote control.
(10) The RCL system (both the OCU and LCU), shall be designed to perform a self diagnostic test of the electronic components of the system. The system shall be designed to immediately effect a full service application of the locomotive and train brakes and the elimination of locomotive tractive effort in the event a failure is detected.
(11) Each RCL shall be tagged at the locomotive control stand throttle indicating the locomotive is being used in a remote control mode. The tag shall be removed when the locomotive is placed back in manual mode.
(12) Each OCU shall have the following controls and switches and shall be capable of performing the following functions:
(i) Directional control;
(ii) Throttle or speed control;
(iii) Locomotive independent air brake application and release;
(iv) Automatic train air brake application and release control;
(v) Audible warning device control (horn);
(vi) Audible bell control, if equipped;
(vii) Sand control (unless automatic);
(viii) Bi-directional headlight control;
(ix) Emergency air brake application switch;
(x) Generator field switch or equivalent to eliminate tractive effort to the locomotive;
(xi) Audio/visual indication of wheel slip/slide;
(xii) Audio indication of movement of the RCL; and
(xiv) Require at least two separate actions by the RCO to begin movement of the RCL.
(13) Each OCU shall be equipped with the following features:
(i) A harness with a breakaway safety feature;
(ii) An operator alertness device that requires manual resetting or its equivalent.
The alertness device shall incorporate a timing sequence not to exceed 60 seconds. Failure to reset the switch within the timing sequence shall cause an application of the locomotive and train brakes, and the elimination of locomotive tractive effort.
(iii) A tilt feature that, when tilted to a predetermined angle, shall cause:
(A) An emergency application of the locomotive and train brakes, and the elimination of locomotive tractive effort; and
(B) If the OCU is equipped with a tilt bypass system that permits the tilt protection feature to be temporarily disabled, this bypass feature shall deactivate within 15 seconds on the primary OCU and within 60 seconds for all secondary OCUs, unless reactivated by the RCO.
(14) Each OCU shall be equipped with one of the following control systems:
(A) An automatic speed control system with a maximum 15 mph speed limiter; or
(B) A graduated throttle and brake. A graduated throttle and brake control system built after (90 days after date of rule) shall be equipped with a speed limiter to a maximum of 15 mph.
(15) RCL systems built after (DATE 90 DAYS AFTER EFFECTIVE DATE OF THE FINAL RULE) shall be equipped to automatically notify the railroad in the event the RCO becomes incapacitated or OCU tilt feature is activated.
(16) RCL systems built prior to (DATE 90 DAYS AFTER EFFECTIVE DATE OF THE FINAL RULE) not equipped with automatic notification of operator incapacitated feature may not be utilized in one-person operation.
(b) Inspection, testing, and repair. (1) Each time an OCU is linked to a RCL, and at the start of each shift, a railroad shall test:
(i) The air brakes and the OCU's safety features, including the tilt switch and alerter device; and
(ii) The man down/tilt feature automatic notification.
(2) An OCU shall not continue in use with any defective safety feature identified in paragraph (b)(1) of this section.
(3) A defective OCU shall be tracked under its own identification number assigned by the railroad. Records of repairs shall be maintained by the railroad and made available to FRA upon request.
(4) Each time an RCL is placed in service and at the start of each shift, locomotives that utilize a positive train stop system shall perform a conditioning run over the tracks on which the positive train stop system is being utilized to ensure that the system functions as intended.
5. Section 229.19 is revised to read as follows:
Waivers from any requirement of this part, issued prior to January 12, 2011, shall terminate on the date specified in the letter granting the waiver. If no date is specified, then the waiver shall automatically terminate on January 12, 2016.
6. Section 229.20 is added to subpart A to read as follows:
(a) General. For purposes of compliance with the recordkeeping requirements of this part, except for the daily inspection record maintained on the locomotive required by § 229.21, the cab copy of Form FRA F 6180-49-A required by § 229.23, the fragmented air brake maintenance record required by § 229.27, and records required under § 229.9, a railroad may create, maintain, and transfer any of the records required by this part through electronic transmission, storage, and retrieval provided that all of the requirements contained in this section are met.
(b) Design requirements. Any electronic record system used to create, maintain, or transfer a record required to be maintained by this part shall meet the following design requirements:
(1) The electronic record system shall be designed such that the integrity of each record is maintained through appropriate levels of security such as recognition of an electronic signature, or other means, which uniquely identify the initiating person as the author of that record. No two persons shall have the same electronic identity;
(2) The electronic system shall ensure that each record cannot be modified, or replaced, once the record is transmitted;
(3) Any amendment to a record shall be electronically stored apart from the record which it amends. Each amendment to a record shall uniquely identify the person making the amendment;
(4) The electronic system shall provide for the maintenance of inspection records as originally submitted without corruption or loss of data; and
(5) Policies and procedures shall be in place to prevent persons from altering electronic records, or otherwise interfering with the electronic system.
(c) Operational requirements. Any electronic record system used to create, maintain, or transfer a record required to be maintained by this part shall meet the following operating requirements:
(1) The electronic storage of any record required by this part shall be initiated by the person performing the activity to which the record pertains within 24 hours following the completion of the activity; and
(2) For each locomotive for which records of inspection or maintenance required by this part are maintained electronically, the electronic record system shall automatically notify the railroad each time the locomotive is due for an inspection, or maintenance that the electronic system is tracking. The automatic notification tracking requirement does not apply to daily inspections.
(d) Accessibility and availability requirements. Any electronic record system used to create, maintain, or transfer a record required to be maintained by this part shall meet the following access and availability requirements:
(1) The carrier shall provide FRA with all electronic records maintained for compliance with this part for any specific locomotives at any mechanical department terminal upon request;
(2) Paper copies of electronic records and amendments to those records that may be necessary to document compliance with this part, shall be provided to FRA for inspection and copying upon request. Paper copies shall be provided to FRA no later than 15 days from the date the request is made;
(3) Inspection records required by this part shall be available to persons who performed the inspection and to persons performing subsequent inspections on the same locomotive.
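As an added illustration of the design requirements in proposed § 229.20(b)(1) through (4) and the 24-hour entry requirement in paragraph (c)(1), the following Python code shows one way a record store could enforce unique identities, write-once records, separately stored amendments, and corruption checks. It is not part of the proposed rule text or of any FRA or railroad system; the names RecordStore, sign, and the record fields are hypothetical, and HMAC-SHA256 with a per-person key is assumed as a stand-in for the electronic signature.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_ENTRY_DELAY = timedelta(hours=24)  # paragraph (c)(1)


class RecordError(Exception):
    """A submission that would violate one of the design requirements."""


def canonical(body: dict) -> bytes:
    """Stable byte encoding, so a record always signs to the same value."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 standing in for an electronic signature (assumption)."""
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


class RecordStore:
    """Hypothetical write-once store; not an FRA or railroad system."""

    def __init__(self):
        self._keys = {}        # person id -> signing key
        self._records = {}     # record id -> (sealed bytes, signature)
        self._amendments = []  # kept apart from the records they amend

    def enroll(self, person_id: str, key: bytes) -> None:
        # (b)(1): no two persons may share an electronic identity.
        if person_id in self._keys:
            raise RecordError(f"identity {person_id!r} is already enrolled")
        self._keys[person_id] = key

    def _authenticate(self, body: dict, signature: str) -> None:
        # (b)(1): the signature must identify the initiating person.
        key = self._keys.get(body.get("author"))
        if key is None or not hmac.compare_digest(sign(key, body), signature):
            raise RecordError("signature does not match an enrolled author")

    def submit(self, body: dict, signature: str, now: datetime) -> None:
        self._authenticate(body, signature)
        # (b)(2): once transmitted, a record is never modified or replaced.
        if body["record_id"] in self._records:
            raise RecordError("record already transmitted; file an amendment")
        # (c)(1): entry must start within 24 hours of completing the activity.
        if now - datetime.fromisoformat(body["completed"]) > MAX_ENTRY_DELAY:
            raise RecordError("entry started more than 24 hours after activity")
        self._records[body["record_id"]] = (canonical(body), signature)

    def amend(self, body: dict, signature: str) -> None:
        # (b)(3): amendments are signed by their own author and stored apart.
        self._authenticate(body, signature)
        if body["amends"] not in self._records:
            raise RecordError("amendment refers to an unknown record")
        self._amendments.append((canonical(body), signature))

    def read(self, record_id: str) -> dict:
        return json.loads(self._records[record_id][0])

    def amendments_for(self, record_id: str) -> list:
        found = [json.loads(raw) for raw, _ in self._amendments]
        return [a for a in found if a["amends"] == record_id]

    def verify(self, record_id: str) -> bool:
        # (b)(4): detect corruption of the record as originally submitted.
        raw, signature = self._records[record_id]
        key = self._keys[json.loads(raw)["author"]]
        expected = hmac.new(key, raw, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


def demo() -> dict:
    """Run the store over constructed sample records and report outcomes."""
    store = RecordStore()
    store.enroll("insp-017", b"constructed-key-A")
    store.enroll("supv-004", b"constructed-key-B")
    done = datetime(2011, 1, 12, 8, 0, tzinfo=timezone.utc)
    record = {"record_id": "R-1", "author": "insp-017", "locomotive": "4021",
              "completed": done.isoformat(), "result": "pass"}
    store.submit(record, sign(b"constructed-key-A", record), done + timedelta(hours=2))
    note = {"amends": "R-1", "author": "supv-004", "text": "corrected unit number"}
    store.amend(note, sign(b"constructed-key-B", note))
    try:
        changed = dict(record, result="fail")
        store.submit(changed, sign(b"constructed-key-A", changed), done + timedelta(hours=3))
        overwrite = "accepted"
    except RecordError:
        overwrite = "rejected"
    return {"overwrite": overwrite, "original": store.read("R-1")["result"],
            "amendments": len(store.amendments_for("R-1")), "intact": store.verify("R-1")}
```

Because an HMAC key is shared between the signer and the store, a system that must resist alteration by its own operators would use asymmetric signatures in place of the stand-in shown here.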
7. Section 229.23 is revised to read as follows:
(a) Each locomotive shall be inspected at each periodic inspection to determine whether it complies with this part. Except as provided in § 229.9, all non-complying conditions shall be repaired before the locomotive is used. Except as provided in § 229.33, the interval between any two periodic inspections may not exceed 92 days. Periodic inspections shall only be made where adequate facilities are available. At each periodic inspection, a locomotive shall be positioned so that a person may safely inspect the entire underneath portion of the locomotive.
(b) Each new locomotive shall receive an initial periodic inspection before it is used. Except as provided in § 229.33, each locomotive shall receive an initial periodic inspection within 92 days of the last 30-day inspection performed under the prior rules (49 CFR 230.331 and 230.451). At the initial periodic inspection, the date and place of the last tests performed that are the equivalent of the tests required by §§ 229.27, 229.29, and 229.31 shall be entered on Form FRA F 6180-49A. These dates shall determine when the tests first become due under §§ 229.27, 229.29, and 229.31. Out of use credit may be carried over from Form FRA F 6180-49 and entered on Form FRA F 6180-49A.
(c) Each periodic inspection shall be recorded on Form FRA F 6180-49A. The form shall be signed by the person conducting the inspection and certified by that person's supervisor that the work was done. The form shall be displayed under a transparent cover in a conspicuous place in the cab of each locomotive. A railroad maintaining and transferring records as provided for in § 229.20 shall print the name of the person who performed the inspections, repairs, or certified work on the Form FRA F 6180-49A that is displayed in the cab of each locomotive.
(d) At the first periodic inspection in each calendar year the carrier shall remove from each locomotive Form FRA F 6180-49A covering the previous calendar year. If a locomotive does not receive its first periodic inspection in a calendar year before April 2 because it is out of use, the form shall be promptly replaced. The Form FRA F 6180-49A covering the preceding year for each locomotive, in or out of use, shall be signed by the railroad official responsible for the locomotive and filed as required in § 229.23(f). The date and place of the last periodic inspection and the date and place of the last tests performed under §§ 229.27, 229.29, and 229.31 shall be transferred to the replacement Form FRA F 6180-49A.
(e) The railroad mechanical officer who is in charge of a locomotive shall maintain in his office a secondary record of the information reported on Form FRA F 6180-49A. The secondary record shall be retained until Form FRA F 6180-49A has been removed from the locomotive and filed in the railroad office of the mechanical officer in charge of the locomotive. If the Form FRA F 6180-49A removed from the locomotive is not clearly legible, the secondary record shall be retained until the Form FRA F 6180-49A for the succeeding year is filed. The Form F 6180-49A removed from a locomotive shall be retained until the Form FRA F 6180-49A for the succeeding year is filed.
(f) The railroad shall maintain, and provide employees performing inspections under this section with, a list of the defects and repairs made on each locomotive over the last ninety-two days;
(g) The railroad shall provide employees performing inspections under this section with a document containing all tests conducted since the last periodic inspection, and procedures needed to perform the inspection.
8. Section 229.25 is amended by revising paragraphs (d) and (e), and adding paragraph (f) to read as follows:
(d) Event recorder. A microprocessor-based self-monitoring event recorder, if installed, is exempt from periodic inspection under paragraphs (d)(1) through (5) of this section and shall be inspected annually as required by § 229.27(c). Other types of event recorders, if installed, shall be inspected, maintained, and tested in accordance with instructions of the manufacturer, supplier, or owner thereof and in accordance with the following criteria:
(1) A written or electronic copy of the instructions in use shall be kept at the point where the work is performed and a hard-copy version, written in the English language, shall be made available upon request to FRA.
(2) The event recorder shall be tested before any maintenance work is performed on it. At a minimum, the event recorder test shall include cycling, as practicable, all required recording elements and determining the full range of each element by reading out recorded data.
(3) If the pre-maintenance test reveals that the device is not recording all the specified data and that all recordings are within the designed recording elements, this fact shall be noted, and maintenance and testing shall be performed as necessary until a subsequent test is successful.
(4) When a successful test is accomplished, a copy of the data-verification results shall be maintained in any medium with the maintenance records for the locomotive until the next one is filed.
(5) A railroad's event recorder periodic maintenance shall be considered effective if 90 percent of the recorders on locomotives inbound for periodic inspection in any given calendar month are still fully functional; maintenance practices and test intervals shall be adjusted as necessary to yield effective periodic maintenance.
(e) Remote control locomotive. Remote control locomotive system components that interface with the mechanical devices of the locomotive shall be tested including, but not limited to, air pressure monitoring devices, pressure switches, and speed sensors.
(f) Alerters. The alerter shall be tested, and all automatic timing resets shall function as intended.
9. Section 229.27 is revised to read as follows:
(a) All testing under this section shall be performed at intervals that do not exceed 368 calendar days.
(b) Load meters that indicate current (amperage) being applied to traction motors shall be tested. Each device used by the engineer to aid in the control or braking of the train or locomotive that provides an indication of air pressure electronically shall be tested by comparison with a test gauge or self-test designed for this purpose. An error greater than five percent or greater than three pounds per square inch shall be corrected. The date and place of the test shall be recorded on Form FRA F 6180-49A, and the person conducting the test and that person's supervisor shall sign the form.
(c) A microprocessor-based event recorder with a self-monitoring feature equipped to verify that all data elements required by this part are recorded, requires further maintenance and testing only if either or both of the following conditions exist:
(1) The self-monitoring feature displays an indication of a failure. If a failure is displayed, further maintenance and testing must be performed until a subsequent test is successful. When a successful test is accomplished, a record, in any medium, shall be made of that fact and of any maintenance work necessary to achieve the successful result. This record shall be available at the location where the locomotive is maintained until a record of a subsequent successful test is filed; or,
(2) A download of the event recorder, taken within the preceding 30 days and reviewed for the previous 48 hours of locomotive operation, reveals a failure to record a regularly recurring data element or reveals that any required data element is not representative of the actual operations of the locomotive during this time period. If the review is not successful, further maintenance and testing shall be performed until a subsequent test is successful. When a successful test is accomplished, a record, in any medium, shall be made of that fact and of any maintenance work necessary to achieve the successful result. This record shall be kept at the location where the locomotive is maintained until a record of a subsequent successful test is filed. The download shall be taken from information stored in the certified crashworthy crash hardened event recorder memory module if the locomotive is so equipped.
10. Section 229.29 is revised to read as follows:
(a) A locomotive's air brake system shall receive the calibration, maintenance, and testing as prescribed in this section. The level of maintenance and testing and the intervals for receiving such maintenance and testing of locomotives with various types of air brake systems shall be conducted in accordance with paragraphs (d) through (f) of this section. Records of the maintenance and testing required in this section shall be maintained in accordance with paragraph (g) of this section.
(b) Except for DMU or MU locomotives covered under § 238.309 of this chapter, the air flow method (AFM) indicator shall be calibrated in accordance with section 232.205(c)(1)(iii) at intervals not to exceed 92 days, and records shall be maintained as prescribed in paragraph (g)(1) of this section.
(c) Except for DMU or MU locomotives covered under § 238.309 of this chapter, the extent of air brake system maintenance and testing that is required on a locomotive shall be in accordance with the following levels:
(1) Level one: Locomotives shall have the filtering devices or dirt collectors located in the main reservoir supply line to the air brake system cleaned, repaired, or replaced.
(2) Level two: Locomotives shall have the following components cleaned, repaired, and tested: Brake cylinder relay valve portions; main reservoir safety valves; brake pipe vent valve portions; and, feed and reducing valve portions in the air brake system (including related dirt collectors and filters).
(3) Level three: Locomotives shall have the components identified in this paragraph removed from the locomotive and disassembled, cleaned and lubricated (if necessary), and tested. In addition, all parts of such components that can deteriorate within the inspection interval as defined in paragraphs (d) through (f) of this section shall be replaced and tested. The components include: All pneumatic components of the locomotive equipment's brake system that contain moving parts, and are sealed against air leaks; all valves and valve portions; electric-pneumatic master controllers in the air brake system; and all air brake related filters and dirt collectors.
(d) Except for MU locomotives covered under § 238.309 of this chapter, all locomotives shall receive level one air brake maintenance and testing as described in this section at intervals that do not exceed 368 days.
(e) Locomotives equipped with an air brake system not specifically identified in paragraphs (f)(1) through (3) of this section shall receive level two air brake maintenance and testing as described in this section at intervals that do not exceed 368 days and level three air brake maintenance and testing at intervals that do not exceed 736 days.
(f) Level two and level three air brake maintenance and testing shall be performed on each locomotive identified in this paragraph at the following intervals:
(1) At intervals that do not exceed 1,104 days for a locomotive equipped with a 26-L or equivalent brake system;
(2) At intervals that do not exceed 1,472 days for locomotives equipped with an air dryer and a 26-L or equivalent brake system and for locomotives not equipped with an air compressor and that are semi-permanently coupled and dedicated to locomotives with an air dryer; or
(3) At intervals that do not exceed 1,840 days for locomotives equipped with CCB-1, CCB-2, CCB-26, EPIC 1 (formerly EPIC 3102), EPIC 3102D2, EPIC 2, KB-HS1, or Fastbrake brake systems.
(g) Records of the air brake system maintenance and testing required by this section shall be generated and maintained in accordance with the following:
(1) The date of AFM indicator calibration shall be recorded and certified in the remarks section of Form F6180-49A.
(2) The date and place of the cleaning, repairing and testing required by this section shall be recorded on Form FRA F6180-49A, and the work shall be certified. A record of the parts of the air brake system that are cleaned, repaired, and tested shall be kept in the railroad's files or in the cab of the locomotive.
(3) At its option, a railroad may fragment the work required by this section. In that event, a separate record shall be maintained under a transparent cover in the cab. The air record shall include: The locomotive number; a list of the air brake components; and the date and place of the inspection and testing of each component. The signature of the person performing the work and the signature of that person's supervisor shall be included for each component. A duplicate record shall be maintained in the railroad's files.
11. Section 229.46 is revised to read as follows:
(a) Before each trip, the railroad shall know the following:
(1) The locomotive brakes and devices for regulating pressures, including but not limited to the automatic and independent brake control systems, operate as intended; and
(2) The water and oil have been drained from the air brake system of all locomotives in the consist.
(b) A locomotive with an inoperative or ineffective automatic or independent brake control system will be considered to be operating as intended for purposes of paragraph (a) of this section, if all of the following conditions are met:
(1) The locomotive is in a trailing position and is not the controlling locomotive in a distributed power train consist;
(2) The railroad has previously determined, in conjunction with the locomotive and/or air brake manufacturer, that placing such a locomotive in trailing position adequately isolates the non-functional valves so as to allow safe operation of the brake systems from the controlling locomotive;
(3) If deactivation of the circuit breaker for the air brake system is required, it shall be specified in the railroad's operating rules;
(4) A tag shall immediately be placed on the isolation switch of the locomotive giving the date and location and stating that the unit may only be used in a trailing position and may not be used as a lead or controlling locomotive;
(5) The tag required in paragraph (b)(4) of this section remains attached to the isolation switch of the locomotive until repairs are made; and
(6) The inoperative or ineffective brake control system is repaired prior to or at the next periodic inspection.
12. Section 229.85 is revised to read as follows:
All doors, cover plates, or barriers providing direct access to high voltage equipment shall be marked “Danger—High Voltage” or with the word “Danger” and the normal voltage carried by the parts so protected.
13. Section 229.114 is added to read as follows:
(a) Periodic steam generator inspection. Except as provided in § 229.33, each steam generator shall be inspected and tested in accordance with paragraph (d) of this section at intervals not to exceed 92 days, unless the steam generator is isolated in accordance with paragraph (b) of this section. All non-complying conditions shall be repaired or the steam generator shall be isolated as prescribed in paragraph (b) of this section before the locomotive is used.
(b) Isolation of a steam generator. A steam generator will be considered isolated if the water suction pipe to the water pump and the leads to the main switch (steam generator switch) are disconnected, and the train line shut-off-valve is wired closed or a blind gasket is applied. Before an isolated steam generator is returned to use, it shall be inspected and tested pursuant to paragraph (d) of this section.
(c) Each periodic steam generator inspection and test shall be recorded on Form FRA F6180-49A required by paragraph § 229.23. When Form FRA F6180-49A for the locomotive is replaced, data for the steam generator inspections shall be transferred to the new Form FRA F6180-49A.
(d) Each periodic steam generator inspection and test shall include the following tests and requirements:
(1) All electrical devices and visible insulation shall be inspected.
(2) All automatic controls, alarms and protective devices shall be inspected and tested.
(3) Steam pressure gauges shall be tested by comparison with a dead-weight tester or a test gauge designed for this purpose. The siphons to the steam gauges shall be removed and their connections examined to determine that they are open.
(4) Safety valves shall be set and tested under steam after the steam pressure gauge is tested.
(e) Annual steam generator tests. Each steam generator that is not isolated in accordance with paragraph (b) of this section, shall be subjected to a hydrostatic pressure at least 25 percent above the working pressure and the visual return water-flow indicator shall be removed and inspected. The testing under this paragraph shall be performed at intervals that do not exceed 368 calendar days.
14. Section 229.119 is amended by revising paragraph (d) to read as follows:
(d) Any occupied locomotive cab shall be provided with proper ventilation and with a heating arrangement that maintains a temperature of at least 60 degrees Fahrenheit 6 inches above the center of each seat in the cab compartment.
15. Section 229.123 is revised to read as follows:
(a) Each lead locomotive shall be equipped with a pilot, snowplow, or end plate that extends across both rails. The minimum clearance above the rail of the pilot, snowplow or end plate shall be 3 inches. Except as provided in paragraph (b) of this section, the maximum clearance shall be 6 inches. When the locomotive is equipped with a combination of the equipment listed in this paragraph, each extending across both rails, only the lowest piece of that equipment must satisfy clearance requirements of this section.
(b) To provide clearance for passing over retarders, locomotives utilized in hump yard or switching service at hump yard locations may have pilot, snowplow, or end plate maximum height of 9 inches.
(1) Each locomotive equipped with a pilot, snowplow, or end plate with clearance above 6 inches shall be prominently stenciled at each end of the locomotive with the words “9-inch Maximum End Plate Height, Yard or Trail Service Only.”
(2) When operated in switching service in a leading position, locomotives with a pilot, snowplow, or end plate clearance above 6 inches shall be limited to 10 miles per hour over grade crossings.
(3) Train crews shall be notified in writing of the restrictions on the locomotive, by label or stencil in the cab, or by written operating instruction given to the crew and maintained in the cab of the locomotive.
(4) Pilot, snowplow, or end plate clearance above 6 inches shall be noted in the remarks section of Form FRA 6180-49a.
(5) Locomotives with a pilot, snowplow, or end plate clearance above 6 inches shall not be placed in the lead position when being moved under section § 229.9.
16. Section 229.125 is amended by revising paragraphs (a) and (d)(2) and (3) to read as follows:
(a) Each lead locomotive used in road service shall illuminate its headlight while the locomotive is in use. When illuminated, the headlight shall produce a peak intensity of at least 200,000 candela and produce at least 3,000 candela at an angle of 7.5 degrees and at least 400 candela at an angle of 20 degrees from the centerline of the locomotive when the light is aimed parallel to the tracks. If a locomotive or locomotive consist in road service is regularly required to run backward for any portion of its trip other than to pick up a detached portion of its train or to make terminal movements, it shall also have on its rear a headlight that meets the intensity requirements above. Each headlight shall be aimed to illuminate a person at least 800 feet ahead and in front of the headlight. For purposes of this section, a headlight shall be comprised of either one or two lamps.
(1) If a locomotive is equipped with a single-lamp headlight, the single lamp shall produce a peak intensity of at least 200,000 candela and shall produce at least 3,000 candela at an angle of 7.5 degrees and at least 400 candela at an angle of 20 degrees from the centerline of the locomotive when the light is aimed parallel to the tracks. The following operative lamps meet the standard set forth in this paragraph: A single incandescent PAR-56, 200-watt, 30-volt lamp; a single halogen PAR-56, 200-watt, 30-volt lamp; a single halogen PAR-56, 350-watt, 75-volt lamp, or a single lamp meeting the intensity requirements given above.
(2) If a locomotive is equipped with a dual-lamp headlight, a peak intensity of at least 200,000 candela and at least 3,000 candela at an angle of 7.5 degrees and at least 400 candela at an angle of 20 degrees from the centerline of the locomotive when the light is aimed parallel to the tracks shall be produced by the headlight based either on a single lamp capable of individually producing the required peak intensity or on the candela produced by the headlight with both lamps illuminated. If both lamps are needed to produce the required peak intensity, then both lamps in the headlight shall be operational. The following operative lamps meet the standard set forth in this paragraph (a)(2): A single incandescent PAR-56, 200-watt, 30-volt lamp; a single halogen PAR-56, 200-watt, 30-volt lamp; a single halogen PAR-56, 350-watt, 75-volt lamp; two incandescent PAR-56, 350-watt, 75-volt lamps; or lamp(s) meeting the intensity requirements given above.
(i) A locomotive equipped with the two incandescent PAR-56, 350-watt, 75 volt lamps which has an en route failure of one lamp in the headlight fixture, may continue in service as a lead locomotive until its next daily inspection required by § 229.21 only if:
(A) Auxiliary lights burn steadily;
(B) Auxiliary lights are aimed horizontally parallel to the longitudinal centerline of the locomotive or aimed to cross no less than 400 feet in front of the locomotive.
(C) Second headlight lamp and both auxiliary lights continue to operate.
(d) * * *
(2) Each auxiliary light shall produce a peak intensity of at least 200,000 candela or shall produce at least 3,000 candela at an angle of 7.5 degrees and at least 400 candela at an angle of 20 degrees from the centerline of the locomotive when the light is aimed parallel to the tracks. Any of the following operative lamps meet the standard set forth in this paragraph: An incandescent PAR-56, 200-watt, 30-volt lamp; a halogen PAR-56, 200-watt, 30-volt lamp; a halogen PAR-56, 350-watt, 75-volt lamp; an incandescent PAR-56, 350-watt, 75-volt lamp; or a single lamp having equivalent intensities at the specified angles.
(3) The auxiliary lights shall be aimed horizontally within 15 degrees of the longitudinal centerline of the locomotive.
17. Section 229.133 is amended by revising paragraphs (b) introductory text, (b)(1) and (2), and (c) to read as follows:
(b) Each qualifying arrangement of auxiliary external lights shall conform to one of the following descriptions:
(1) Strobe lights. (i) Strobe lights shall consist of two white stroboscopic lights, each with “effective intensity,” as defined by the Illuminating Engineering Society's Guide for Calculating the Effective Intensity of Flashing Signal Lights (November 1964), of at least 500 candela.
(ii) The flash rate of strobe lights shall be at least 40 flashes per minute and at most 180 flashes per minute.
(iii) Strobe lights shall be placed at the front of the locomotive, at least 48 inches apart, and at least 36 inches above the top of the rail.
(2) Oscillating light. (i) An oscillating light shall consist of:
(A) One steadily burning white light producing at least 200,000 candela in a moving beam that depicts a circle or a horizontal figure “8” to the front, about the longitudinal centerline of the locomotive; or
(B) Two or more white lights producing at least 200,000 candela each, at one location on the front of the locomotive, that flash alternately with beams within five degrees horizontally to either side of the longitudinal centerline of the locomotive.
(ii) An oscillating light may incorporate a device that automatically extinguishes the white light if display of a light of another color is required to protect the safety of railroad operations.
(c)(1) Any lead locomotive equipped with oscillating lights as described in paragraph (b)(2) that were ordered for installation on that locomotive prior to January 1, 1996, is considered in compliance with § 229.125(d) (1) through (3).
(2) Any lead locomotive equipped with strobe lights as described in paragraph (b)(1) of this section and operated at speeds no greater than 40 miles per hour, is considered in compliance with § 229.125(d) (1) through (3) until the locomotive is retired or rebuilt, whichever comes first.
18. Section 229.140 is added to subpart C to read as follows:
(a) Except for locomotives covered by part 238 of this chapter, each of the following locomotives shall be equipped with a functioning alerter as described in paragraphs (b) through (d) of this section:
(1) A new locomotive that is placed in service for the first time on or after [DATE 90 DAYS AFTER THE EFFECTIVE DATE OF THE FINAL RULE] when used as a controlling locomotive and operated at speeds in excess of 25 mph.
(2) All controlling locomotives operated at speeds in excess of 25 mph on or after January 1, 2016.
(b) The alerter on locomotives subject to paragraph (a) of this section shall be equipped with a manual reset and the alerter warning timing cycle shall automatically reset as the result of any of the following operations, and at least three of the following automatic resets shall be functional at any given time:
(1) Movement of the throttle handle;
(2) Movement of the dynamic brake control handle;
(3) Movement of the operator's horn activation handle;
(4) Movement of the operator's bell activation switch;
(5) Movement of the automatic brake valve handle; or
(6) Bailing the independent brake by depressing the independent brake valve handle.
(c) All alerters shall provide an audio alarm upon expiration of the timing cycle interval. An alerter on a locomotive that is placed in service on or after [DATE 90 DAYS AFTER THE EFFECTIVE DATE OF THE FINAL RULE] shall display a visual indication to the operator at least five seconds prior to an audio alarm. The visual indication on an alerter so equipped shall be visible to the operator from their normal position in the cab.
(d) Alerter warning timing cycle interval shall be within 10 seconds of the calculated setting utilizing the formula (timing cycle specified in seconds = 2400 ÷ track speed specified in miles per hour).
(e) Any locomotive that is equipped with an alerter shall have the alerter functioning and operating as intended when the locomotive is used as a controlling locomotive.
(f) A controlling locomotive equipped with an alerter shall be tested prior to departure from each initial terminal, or prior to being coupled as the lead locomotive in a locomotive consist by allowing the warning timing cycle to expire that results in an application of the locomotive brakes at a penalty rate.
19. Part 229 is amended by adding a new subpart E to read as follows:
Subpart E—Locomotive Electronics
(a) The purpose of this subpart is to promote the safe design, operation, and maintenance of safety-critical, as defined in § 229.305, electronic locomotive control systems, subsystems, and components.
(b) Locomotive control systems or their functions that commingle or interface with safety critical processor based signal and train control systems are regulated under part 236 subparts H and I of this chapter.
(a) The requirements of this subpart apply to all safety-critical electronic locomotive control systems, subsystems, and components (i.e., “products” as defined in § 229.305), except for the following:
(1) Products that are in service prior to January 12, 2011.
(2) Products that are under development as of July 12, 2011, and are placed in service prior to July 14, 2014.
(3) Products that commingle or interface with safety critical processor based signal and train control systems;
(4) Products that are used during on-track testing within a test facility; and
(5) Products that are used during on-track testing outside a test facility, if approved by FRA. To obtain FRA approval of on-track testing outside of a test facility, a railroad shall submit a request to FRA that provides:
(i) Adequate information regarding the function and history of the product that it intends to use;
(ii) The proposed tests;
(iii) The date, time and location of the tests; and
(iv) The potential safety consequences that will result from operating the product for purposes of testing.
(b) Railroads and vendors shall identify all products that are under development to FRA by [DATE 6 MONTHS FROM PUBLICATION OF THE FINAL RULE].
(c) The exceptions provided in paragraph (a) of this section do not apply to products or product changes that result in degradation of safety, or a material increase in safety-critical functionality.
As used in this subpart—
Component means an electronic element, device, or appliance (including hardware or software) that is part of a system or subsystem.
Configuration management control plan means a plan designed to ensure that the proper and intended product configuration, including the electronic hardware components and software version, is documented and maintained through the life-cycle of the products in use.
Executive software means software common to all installations of a given electronic product. It generally is used to schedule the execution of the site-specific application programs, run timers, read inputs, drive outputs, perform self-diagnostics, access and check memory, and monitor the execution of the application software to detect unsolicited changes in outputs.
Initialization refers to the startup process when it is determined that a product has all required data input and the product is prepared to function as intended.
Materials handling refers to explicit instructions for handling safety-critical components established to comply with procedures specified by the railroad.
New or next-generation locomotive control system means a locomotive control system using technologies or combinations of technologies not in use in revenue service as of January 12, 2011, or without established histories of safe practice.
Product means any safety critical electronic locomotive control system, subsystem, or component.
Revision control means a chain of custody regimen designed to positively identify safety-critical components and spare equipment availability, including repair/replacement tracking.
Safety Analysis refers to a formal set of documentation which describes in detail all of the safety aspects of the product, including but not limited to procedures for its development, installation, implementation, operation, maintenance, repair, inspection, testing and modification, as well as analyses supporting its safety claims.
Safety-critical, as applied to a function, a system, or any portion thereof, means the correct performance of which is essential to safety of personnel or equipment, or both; or the incorrect performance of which could cause a hazardous condition, or allow a hazardous condition which was intended to be prevented by the function or system to exist.
Subsystem means a defined portion of a system.
System refers to any electronic locomotive control system and includes all subsystems and components thereof, as the context requires.
Test facility means a track that is not part of the general railroad system of transportation and is being used exclusively for the purpose of testing equipment and has all of its public grade crossings protected.
(a) A railroad shall develop a Safety Analysis (SA) for each product subject to this subpart prior to the initial use of such product on their railroad.
(b) The SA shall:
(1) Establish and document the minimum requirements that will govern the development and implementation of all products subject to this subpart, and be based on good engineering practice and should be consistent with the guidance contained in Appendix F of this part in order to establish that a product's safety-critical functions will operate with a high degree of confidence in a fail-safe manner;
(2) Include procedures for immediate repair of safety-critical functions; and
(3) Be made available to FRA upon request.
(c) Each railroad shall comply with the SA requirements and procedures related to the development, implementation, and repair of a product subject to this subpart.
(a) Whenever a planned safety-critical design change is made to a product subject to this subpart, the railroad shall:
(1) Notify FRA's Associate Administrator for Safety of the design changes;
(2) Update the SA as required;
(3) Conduct all safety critical changes in a manner that allows the change to be audited;
(4) Specify all contractual arrangements with suppliers and private equipment owners for notification of any and all electronic safety critical changes as well as safety critical failures in their system, subsystem, or components, and the reasons from the suppliers or equipment owners, whether or not the railroad has experienced a failure of that safety critical system, sub-system, or component;
(5) Specify the railroad's procedures for action upon receipt of notification of a safety-critical change or failure of an electronic system, sub-system, or component, and until the upgrade, patch, or revision has been installed; and
(6) Identify all configuration/revision control measures designed to ensure that safety-functional requirements and safety-critical hazard mitigation processes are not compromised as a result of any such change, and that any such change can be audited.
(b) Product suppliers and private equipment owners shall report any safety critical changes and previously unidentified hazards to each railroad using the product.
(c) Private equipment owners shall establish configuration/revision control measures for control of safety critical changes and identification of previously unidentified hazards.
(a) Prior to the initial planned use of a product subject to this subpart, a railroad shall inform the Associate Administrator for Safety, FRA, 1200 New Jersey Avenue, SE., Mail Stop 25, Washington, DC 20590 of the intent to place this product in service. The notification shall provide a description of the product, and identify the location where the complete SA documentation described in § 229.307 and the training and qualification program described in § 229.319 is maintained.
(b) FRA may review and/or audit the SA within 60 days of receipt of the notification or anytime after the product is placed in use.
(c) A railroad shall maintain and make available to FRA upon request all documentation used to demonstrate that the product meets the safety requirements of the SA for the life-cycle of the product.
(d) After a product is placed in service, the railroad shall maintain a database of all safety relevant hazards encountered with the product. The database shall include all hazards identified in the SA and those that had not been previously identified in the SA. If the frequency of the safety-relevant hazards exceeds the threshold set forth in the SA, then the railroad shall:
(1) Report the inconsistency by mail, facsimile, e-mail, or hand delivery to the Director, Office of Safety Assurance and Compliance, FRA, 1200 New Jersey Ave., SE., Mail Stop 25, Washington, DC 20590, within 15 days of discovery;
(2) Take immediate countermeasures to reduce the frequency of the safety relevant hazard(s) below the threshold set forth in the SA; and
(3) Provide a final report to the FRA, Director, Office of Safety Assurance and Compliance, on the results of the analysis and countermeasures taken to reduce the frequency of the safety relevant hazard(s) below the calculated probability of failure threshold set forth in the SA when the problem is resolved. For hazards not identified in the SA the threshold shall be exceeded at one occurrence.
(a) Results of product testing conducted in accordance with this subpart shall be recorded on preprinted forms provided by the railroad, or stored electronically. Electronic record keeping or automated tracking systems, subject to the provisions contained in paragraph (e) of this section, may be utilized to store and maintain any testing or training record required by this subpart.
(b) The testing records shall contain all of the following:
(1) The name of the railroad;
(2) The location and date that the test was conducted;
(3) The equipment tested;
(4) The results of tests;
(5) The repairs or replacement of equipment;
(6) Any preventative adjustments made; and
(7) The condition in which the equipment is left.
(c) Each record shall be:
(1) Signed by the employee conducting the test, or electronically coded, or identified by the automated test equipment number;
(2) Filed in the office of a supervisory official having jurisdiction, unless otherwise noted; and
(3) Available for inspection and copying by FRA.
(d) The results of the testing conducted in accordance with this subpart shall be retained as follows:
(1) The results of tests that pertain to installation or modification of a product shall be retained for the life-cycle of the product tested and may be kept in any office designated by the railroad;
(2) The results of periodic tests required for the maintenance or repair of the product tested shall be retained until the next record is filed and in no case less than one year; and
(3) The results of all other tests and training shall be retained until the next record is filed and in no case less than one year.
(e) Electronic or automated tracking systems used to meet the requirements contained in paragraph (a) of this section shall be capable of being reviewed and monitored by FRA at any time to ensure the integrity of the system. FRA's Associate Administrator for Safety may prohibit or revoke a railroad's authority to utilize an electronic or automated tracking system in lieu of preprinted forms if FRA finds that the electronic or automated tracking system is not properly secured, is inaccessible to FRA, or railroad employees requiring access to discharge their assigned duties, or fails to adequately track and monitor the equipment. The Associate Administrator for Safety will provide the affected railroad with a written statement of the basis for the decision prohibiting or revoking the railroad from utilizing an electronic or automated tracking system.
(a) The railroad shall maintain all documents pertaining to the installation, maintenance, repair, modification, inspection, and testing of a product subject to this part in one Operations and Maintenance Manual (OMM).
(1) The OMM shall be legible and shall be readily available to persons who conduct the installation, maintenance, repair, modification, inspection, and testing, and for inspection by FRA.
(2) At a minimum, the OMM shall contain all product vendor operation and maintenance guidance.
(b) The OMM shall contain the plans and detailed information necessary for the proper maintenance, repair, inspection, and testing of products subject to this subpart. The plans shall identify all software versions, revisions, and revision dates.
(c) Hardware, software, and firmware revisions shall be documented in the OMM according to the railroad's configuration management control plan.
(d) Safety-critical components, including spare products, shall be positively identified, handled, replaced, and repaired in accordance with the procedures specified in the railroad's configuration management control plan.
(e) A railroad shall determine that the requirements of this section have been met prior to placing a product subject to this subpart in use on their property.
(a) A railroad shall establish and implement a training and qualification program for products subject to this subpart. These programs shall meet the requirements set forth in this section and in § 229.319.
(b) The program shall provide training for the individuals identified in this paragraph to ensure that they possess the necessary knowledge and skills to effectively complete their duties related to the product. These include:
(1) Individuals whose duties include installing, maintaining, repairing, modifying, inspecting, and testing safety-critical elements of the product;
(2) Individuals who operate trains or serve as a train or engine crew member subject to instruction and testing under part 217 of this chapter;
(3) Roadway and maintenance-of-way workers whose duties require them to know and understand how the product affects their safety and how to avoid interfering with its proper functioning; and
(4) Direct supervisors of the individuals identified in paragraphs (b)(1) through (3) of this section.
(c) When developing the training and qualification program required in this section, a railroad shall conduct a formal task analysis. The task analysis shall:
(1) Identify the specific goals of the program for each target population (craft, experience level, scope of work, etc.), task(s), and desired success rate;
(2) Identify the installation, maintenance, repair, modification, inspection, testing, and operating tasks that will be performed on the railroad's products, including but not limited to the development of failure scenarios and the actions expected under such scenarios;
(3) Develop written procedures for the performance of the tasks identified; and
(4) Identify any additional knowledge, skills, and abilities above those required for basic job performance necessary to perform each task.
(d) Based on the task analysis, a railroad shall develop a training curriculum that includes formally structured training designed to impart the knowledge, skills, and abilities identified as necessary to perform each task;
(e) All individuals identified in paragraph (b) of this section shall successfully complete a training curriculum and pass an examination that covers the product and appropriate rules and tasks for which they are responsible (however, such persons may perform such tasks under the direct onsite supervision of a qualified person prior to completing such training and passing the examination);
(f) A railroad shall conduct periodic refresher training at intervals to be formally specified in the program, except with respect to basic skills for which proficiency is known to remain high as a result of frequent repetition of the task.
(g) A railroad shall conduct regular and periodic evaluations of the effectiveness of the training program, verifying the adequacy of the training material and its validity with respect to the railroad's products and operations.
(h) A railroad shall maintain records that designate individuals who are qualified under this section until new designations are recorded or for at least one year after such persons leave applicable service. These records shall be maintained in a designated location and be available for inspection and replication by FRA and FRA-certified State inspectors.
(a) The training required under § 229.317 for any locomotive engineer or other person who participates in the operation of a train using an onboard electronic locomotive control system shall address all of the following elements and shall be specified in the training program.
(1) Familiarization with the electronic control system equipment onboard the locomotive and the functioning of that equipment as part of the system and in relation to other onboard systems under that person's control;
(2) Any actions required of the operating personnel to enable or enter data into the system and the role of that function in the safe operation of the train;
(3) Sequencing of interventions by the system, including notification, enforcement, penalty initiation and post penalty application procedures as applicable;
(4) Railroad operating rules applicable to control systems, including provisions for movement and protection of any unequipped trains, or trains with failed or cut-out controls;
(5) Means to detect deviations from proper functioning of onboard electronic control system equipment and instructions explaining the proper response to be taken regarding control of the train and notification of designated railroad personnel; and,
(6) Information needed to prevent unintentional interference with the proper functioning of onboard electronic control equipment.
(b) The training required under this subpart for a locomotive engineer, together with required records, shall be integrated into the program of training required by part 240 of this chapter.
20. Part 229 is amended by adding Appendix F to read as follows:
Appendix F to Part 229—Recommended Practices for Design and Safety Analysis
The purpose of this appendix is to provide recommended criteria for design and safety analysis that will maximize the safety of electronic locomotive control systems and mitigate potential negative safety effects. It seeks to promote full disclosure of potential safety risks to facilitate minimizing or eliminating elements of risk where practicable. It discusses critical elements of good engineering practice that the designer should consider when developing safety critical electronic locomotive control systems to accomplish this objective. The criteria and processes specified in this appendix are intended to minimize the probability of failure to an acceptable level within the limitations of the available engineering science, cost, and other constraints. Railroads procuring safety critical electronic locomotive controls are encouraged to ensure that their vendor addresses each of the elements of this appendix in the design of the product being procured. FRA uses the criteria and processes set forth in this appendix (or other technically equivalent criteria and processes that may be recommended by industry) when evaluating analyses, assumptions, and conclusions provided in the SA documents.
In addition to the definitions contained in § 229.305, the following definitions are applicable to this Appendix:
Hazard means an existing or potential condition that can result in an accident.
High degree of confidence, as applied to the highest level of aggregation, means there exists credible safety analysis supporting the conclusion that the risks associated with the product have been adequately mitigated.
Human factors refers to a body of knowledge about human limitations, human abilities, and other human characteristics, such as behavior and motivation, that shall be considered in product design.
Human-machine interface (HMI) means the interrelated set of controls and displays that allows humans to interact with the machine.
Risk means the expected probability of occurrence for an individual accident event (probability) multiplied by the severity of the expected consequences associated with the accident (severity).
Risk assessment means the process of determining, either quantitatively or qualitatively, the measure of risk associated with use of the product under all intended operating conditions.
System Safety Precedence means the order of precedence in which methods used to eliminate or control identified hazards within a system are implemented.
Validation means the process of determining whether a product's design requirements fulfill its intended design objectives during its development and life-cycle. The goal of the validation process is to determine “whether the correct product was built.”
Verification means the process of determining whether the results of a given phase of the development cycle fulfill the validated requirements established at the start of that phase. The goal of the verification process is to determine “whether the product was built correctly.”
Safety Assessments—Recommended Contents
The safety-critical assessment of each product should include all of its interconnected subsystems and components and, where applicable, the interaction between such subsystems. FRA recommends that such assessments contain the following:
(a) A complete description of the product, including a list of all product components and their physical relationship in the subsystem or system;
(b) A description of the railroad operation or categories of operations on which the product is designed to be used;
(c) An operational concepts document, including a complete description of the product functionality and information flows;
(d) A safety requirements document, including a list with complete descriptions of all functions, which the product performs to enhance or preserve safety, and that describes the manner in which product architecture satisfies safety requirements;
(e) A hazard log consisting of a comprehensive description of all safety relevant hazards addressed during the life cycle of the product, including maximum threshold limits for each hazard (for unidentified hazards, the threshold shall be exceeded at one occurrence);
(1) The analysis should document any assumptions regarding the reliability or availability of mechanical, electric, or electronic components. Such assumptions include MTTF projections, as well as Mean Time To Repair (MTTR) projections, unless the risk assessment specifically explains why these assumptions are not relevant to the risk assessment. The analysis should document these assumptions in such a form as to permit later automated comparisons with in-service experience (e.g., a spreadsheet). The analysis should also document any assumptions regarding human performance. The documentation should be in a form that facilitates later comparisons with in-service experience.
(2) The analysis should also document any assumptions regarding software defects. These assumptions should be in a form which permits the railroad to project the likelihood of detecting an in-service software defect and later automated comparisons with in-service experience.
(3) The analysis should document all of the identified safety-critical fault paths. The documentation should be in a form that facilitates later comparisons with in-service faults.
(f) A risk assessment.
(1) The risk metric for the proposed product should describe with a high degree of confidence the accumulated risk of a locomotive control system that operates over a life-cycle of 25 years or greater. Each risk metric for the proposed product should be expressed with an upper bound, as estimated with a sensitivity analysis, and the risk value selected is demonstrated to have a high degree of confidence.
(2) Each risk calculation should consider the totality of the locomotive control system and its method of operation. The failure modes of each subsystem or component, or both, should be determined for the integrated hardware/software (where applicable) as a function of the Mean Time to Hazardous Events (MTTHE), failure restoration rates, and the integrated hardware/software coverage of all processor based subsystems or components, or both. Train operating and movement rules, along with components that are layered in order to enhance safety-critical behavior, should also be considered.
(3) An MTTHE value should be calculated for each subsystem or component, or both, indicating the safety-critical behavior of the integrated hardware/software subsystem or component, or both. The human factor impact should be included in the assessment, whenever applicable, to provide an integrated MTTHE value. The MTTHE calculation should consider the rates of failures caused by permanent, transient, and intermittent faults accounting for the fault coverage of the integrated hardware/software subsystem or component, phased-interval maintenance, and restoration of the detected failures.
(4) MTTHE compliance verification and validation should be based on the assessment of the design for verification and validation process, historical performance data, analytical methods and experimental safety critical performance testing performed on the subsystem or component. The compliance process shall be demonstrated to be compliant and consistent with the MTTHE metric and demonstrated to have a high degree of confidence.
(5) The safety-critical behavior of all non-processor based components, which are part of a processor-based system or subsystem, should be quantified with an MTTHE metric. The MTTHE assessment methodology should consider failures caused by permanent, transient, and intermittent faults, phase interval maintenance and restoration of failures and the effect of fault coverage of each non-processor-based subsystem or component. The MTTHE compliance verification and validation should be based on the assessment of the design for verification and validation process, historical performance data, analytical methods and experimental safety critical performance testing performed on the subsystem or component. The non-processor based quantification compliance should also be demonstrated to have a high degree of confidence.
(g) A hazard mitigation analysis, including a complete and comprehensive description of all hazards to be addressed in the system design and development, mitigation techniques used, and system safety precedence followed;
(h) A complete description of the safety assessment and verification and validation processes applied to the product and the results of these processes;
(i) A complete description of the safety assurance concepts used in the product design, including an explanation of the design principles and assumptions; the designer should address each of the following safety considerations when designing and demonstrating the safety of products covered by this part. In the event that any of these principles are not followed, the analysis should describe both the reason(s) for departure and the alternative(s) utilized to mitigate or eliminate the hazards associated with the design principle not followed.
(1) Normal operation. The system (including all hardware and software) should demonstrate safe operation with no hardware failures under normal anticipated operating conditions with proper inputs and within the expected range of environmental conditions. All safety-critical functions should be performed properly under these normal conditions. Absence of specific operator actions or procedures will not prevent the system from operating safely. There should be no hazards that are categorized as unacceptable or undesirable. Hazards categorized as unacceptable should be eliminated by design.
(2) Systematic failure. It should be shown how the product is designed to mitigate or eliminate unsafe systematic failures—those conditions which can be attributed to human error that could occur at various stages throughout product development. This includes unsafe errors in the software due to human error in the software specification, design or coding phases, or both; human errors that could impact hardware design; unsafe conditions that could occur because of an improperly designed human-machine interface; installation and maintenance errors; and errors associated with making modifications.
(3) Random failure. The product should be shown to operate safely under conditions of random hardware failure. This includes single as well as multiple hardware failures, particularly in instances where one or more failures could occur, remain undetected (latent) and react in combination with a subsequent failure at a later time to cause an unsafe operating situation. In instances involving a latent failure, a subsequent failure is similar to there being a single failure. In the event of a transient failure, and if so designed, the system should restart itself if it is safe to do so. Frequency of attempted restarts should be considered in the hazard analysis. There should be no single point failures in the product that can result in hazards categorized as unacceptable or undesirable. Occurrence of credible single point failures that can result in hazards shall be detected and the product should achieve a known safe state before falsely activating any physical appliance. If one non-self-revealing failure combined with a second failure can cause a hazard that is categorized as unacceptable or undesirable, then the second failure should be detected and the product should achieve a known safe state before falsely activating any physical appliance.
(4) Common Mode failure. Another concern of multiple failures involves common mode failure in which two or more subsystems or components intended to compensate one another to perform the same function all fail by the same mode and result in unsafe conditions. This is of particular concern in instances in which two or more elements (hardware or software, or both) are used in combination to ensure safety. If a common mode failure exists, then any analysis cannot rely on the assumption that failures are independent. Examples include: the use of redundancy in which two or more elements perform a given function in parallel and when one (hardware or software) element checks/monitors another element (of hardware or software) to help ensure its safe operation. Common mode failure relates to independence, which shall be ensured in these instances. When dealing with the effects of hardware failure, the designer should address the effects of the failure not only on other hardware, but also on the execution of the software, since hardware failures can greatly affect how the software operates.
(5) External influences. The product should operate safely when subjected to different external influences, including:
(i) Electrical influences such as power supply anomalies/transients, abnormal/improper input conditions (e.g., outside of normal range inputs relative to amplitude and frequency, unusual combinations of inputs) including those related to a human operator, and others such as electromagnetic interference or electrostatic discharges, or both;
(ii) Mechanical influences such as vibration and shock; and climatic conditions such as temperature and humidity.
(6) Modifications. Safety must be ensured following modifications to the hardware or software, or both. All or some of the concerns previously identified may be applicable depending upon the nature and extent of the modifications.
(7) Software. Software faults should not cause hazards categorized as unacceptable or undesirable.
(8) Closed Loop Principle. The product design should require positive action to be taken in a prescribed manner to either begin product operation or continue product operation.
(j) A human factors analysis, including a complete description of all human-machine interfaces, a complete description of all functions performed by humans in connection with the product to enhance or preserve safety, and an analysis of the physical ergonomics of the product on the operators and the safe operation of the system;
(k) A complete description of the specific training of railroad and contractor employees and supervisors necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the product;
(l) A complete description of the specific procedures and test equipment necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, test, and modification of the product. These procedures, including calibration requirements, should be consistent with or explain deviations from the equipment manufacturer's recommendations;
(m) A complete description of the necessary security measures for the product over its life-cycle;
(n) A complete description of each warning to be placed in the Operations and Maintenance Manual and of all warning labels required to be placed on equipment as necessary to ensure safety;
(o) A complete description of all initial implementation testing procedures necessary to establish that safety-functional requirements are met and safety-critical hazards are appropriately mitigated;
(p) A complete description of all post-implementation testing (validation) and monitoring procedures, including the intervals necessary to establish that safety-functional requirements, safety-critical hazard mitigation processes, and safety-critical tolerances are not compromised over time, through use, or after maintenance (repair, replacement, adjustment) is performed; and
(q) A complete description of each record necessary to ensure the safety of the system that is associated with periodic maintenance, inspections, tests, repairs, replacements, adjustments, and the system's resulting conditions, including records of component failures resulting in safety relevant hazards;
(r) A complete description of any safety-critical assumptions regarding availability of the product, and a complete description of all backup methods of operation; and
(s) The configuration/revision control measures designed to ensure that safety-functional requirements and safety-critical hazard mitigation processes are not compromised as a result of any change. Changes classified as maintenance require validation.
Guidance Regarding the Application of Human Factors in the Design of Products
The product design should sufficiently incorporate human factors engineering that is appropriate to the complexity of the product; the gender, educational, mental, and physical capabilities of the intended operators and maintainers; the degree of required human interaction with the component; and the environment in which the product will be used. HMI design criteria minimize negative safety effects by causing designers to consider human factors in the development of HMIs. As used in this discussion, “designer” means anyone who specifies requirements for—or designs a system or subsystem, or both, for—a product subject to this part, and “operator” means any human who is intended to receive information from, provide information to, or perform repairs or maintenance on a safety critical locomotive control product subject to this part.
I. FRA recommends that system designers should:
(a) Design systems that anticipate possible user errors and include capabilities to catch errors before they propagate through the system;
(b) Conduct cognitive task analyses prior to designing the system to better understand the information processing requirements of operators when making critical decisions;
(c) Present information that accurately represents or predicts system states; and
(d) Ensure that electronics equipment radio frequency emissions are compliant with appropriate Federal Communications Commission (FCC) regulations. The FCC rules and regulations are codified in Title 47 of the Code of Federal Regulations (CFR). The following documentation is applicable to obtaining FCC Equipment Authorization:
(1) OET Bulletin Number 61 (October, 1992 Supersedes May, 1987 issue) FCC Equipment Authorization Program for Radio Frequency Devices. This document provides an overview of the equipment authorization program to control radio interference from radio transmitters and certain other electronic products and how to obtain an equipment authorization.
(2) OET Bulletin 63: (October 1993) Understanding The FCC Part 15 Regulations for Low Power, Non-Licensed Transmitters. This document provides a basic understanding of the FCC regulations for low power, unlicensed transmitters, and includes answers to some commonly-asked questions. This edition of the bulletin does not contain information concerning personal communication services (PCS) transmitters operating under Part 15, Subpart D of the rules.
(3) Title 47 Code of Federal Regulations Parts 0 to 19. The FCC rules and regulations governing PCS transmitters may be found in 47 CFR, Parts 0 to 19.
(4) OET Bulletin 62 (December 1993) Understanding The FCC Regulations for Computers and other Digital Devices. This document has been prepared to provide a basic understanding of the FCC regulations for digital (computing) devices, and includes answers to some commonly-asked questions.
II. Human factors issues designers should consider with regard to the general functioning of a system include:
(a) Reduced situational awareness and over-reliance. HMI design shall give an operator active functions to perform, feedback on the results of the operator's actions, and information on the automatic functions of the system as well as its performance. The operator shall be “in-the-loop.” Designers should consider at minimum the following methods of maintaining an active role for human operators:
(1) The system should require an operator to initiate action to operate the train and require an operator to remain “in-the-loop” for at least 30 minutes at a time;
(2) The system should provide timely feedback to an operator regarding the system's automated actions, the reasons for such actions, and the effects of the operator's manual actions on the system;
(3) The system should warn operators in advance when it requires an operator to take action;
(4) HMI design should equalize an operator's workload; and
(5) HMI design should not distract from the operator's safety related duties.
(b) Expectation of predictability and consistency in product behavior and communications. HMI design should accommodate an operator's expectation of logical and consistent relationships between actions and results. Similar objects should behave consistently when an operator performs the same action upon them. End users have a limited memory and ability to process information. Therefore, HMI design should also minimize an operator's information processing load.
(1) To minimize information processing load, the designer should:
(i) Present integrated information that directly supports the variety and types of decisions that an operator makes;
(ii) Provide information in a format or representation that minimizes the time required to understand and act; and
(iii) Conduct utility tests of decision aids to establish clear benefits such as processing time saved or improved quality of decisions.
(2) To minimize short-term memory load, the designer should integrate data or information from multiple sources into a single format or representation (“chunking”) and design so that three or fewer “chunks” of information need to be remembered at any one time. To minimize long-term memory load, the designer should design to support recognition memory, design memory aids to minimize the amount of information that should be recalled from unaided memory when making critical decisions, and promote active processing of the information.
(3) When creating displays and controls, the designer shall consider user ergonomics and should:
(i) Locate displays as close as possible to the controls that affect them;
(ii) Locate displays and controls based on an operator's position;
(iii) Arrange controls to minimize the need for the operator to change position;
(iv) Arrange controls according to their expected order of use;
(v) Group similar controls together;
(vi) Design for high stimulus-response compatibility (geometric and conceptual);
(vii) Design safety-critical controls to require more than one positive action to activate (e.g., auto stick shift requires two movements to go into reverse);
(viii) Design controls to allow easy recovery from error; and
(ix) Design display and controls to reflect specific gender and physical limitations of the intended operators.
(4) Detailed locomotive ergonomics human machine interface guidance may be found in “Human Factors Guidelines for Locomotive Cabs” (FRA/ORD-98/03 or DOT-VNTSC-FRA-98-8).
(5) The designer should also address information management. To that end, HMI design should:
(i) Display information in a manner which emphasizes its relative importance;
(ii) Comply with the ANSI/HFS 100-1988 standard;
(iii) Utilize a display luminance that has a difference of at least 35 cd/m² between the foreground and background (the displays should be capable of a minimum contrast 3:1 with 7:1 preferred, and controls should be provided to adjust the brightness level and contrast level);
(iv) Display only the information necessary to the user;
(v) Where text is needed, use short, simple sentences or phrases with wording that an operator will understand and appropriate to the educational and cognitive capabilities of the intended operator;
(vi) Use complete words where possible; where abbreviations are necessary, choose a commonly accepted abbreviation or consistent method and select commonly used terms and words that the operator will understand;
(vii) Adopt a consistent format for all display screens by placing each design element in a consistent and specified location;
(viii) Display critical information in the center of the operator's field of view by placing items that need to be found quickly in the upper left hand corner and items which are not time-critical in the lower right hand corner of the field of view;
(ix) Group items that belong together;
(x) Design all visual displays to meet human performance criteria under monochrome conditions and add color only if it will help the user in performing a task, and use color coding as a redundant coding technique;
(xi) Limit the number of colors over a group of displays to no more than seven;
(xii) Design warnings to match the level of risk or danger with the alerting nature of the signal; and
(xiii) With respect to information entry, avoid full QWERTY keyboards for data entry.
(6) With respect to problem management, the HMI designer should ensure that the HMI design:
(i) Enhances an operator's situation awareness;
(ii) Supports response selection and scheduling; and
(iii) Supports contingency planning.
(7) Designers should comply with FCC requirements for Maximum Permissible Exposure limits for field strength and power density for the transmitters operating at frequencies of 300 kHz to 100 GHz and specific absorption rate (SAR) limits for devices operating within close proximity to the body. The Commission's requirements are detailed in Parts 1 and 2 of the FCC's Rules and Regulations [47 CFR 1.1307(b), 1.1310, 2.1091, 2.1093]. The FCC has a number of bulletins and supplements that offer guidelines and suggestions for evaluating compliance. These documents are not intended to establish mandatory procedures; other methods and procedures may be acceptable if based on sound engineering practice.
(i) OET Bulletin No. 65 (Edition 97-01, August 1997), “Evaluating Compliance With FCC Guidelines For Human Exposure To Radio Frequency Electromagnetic Fields”;
(ii) OET Bulletin No 65 Supplement A, (Edition 97-01, August 1997), OET Bulletin No 65 Supplement B (Edition 97-01, August 1997); and
(iii) OET Bulletin No 65 Supplement C (Edition 01-01, June 2001). This bulletin provides assistance in determining whether proposed or existing transmitting facilities, operations, or devices comply with limits for human exposure to radio frequency RF fields adopted by the FCC.
Guidance for Verification and Validation of Products
The goal of this assessment is to provide an evaluation of the product manufacturer's utilization of safety design practices during the product's development and testing phases, as required by the applicable railroad's requirements, the requirements of this part, and any other previously agreed-upon controlling documents or standards. The standards employed for verification or validation, or both, of products shall be sufficient to support achievement of the applicable requirements of this part.
(a) The latest versions of the following standards have been recognized by FRA as providing appropriate risk analysis processes for incorporation into verification and validation standards.
(1) U.S. Department of Defense Military Standard (MIL-STD) 882C, “System Safety Program Requirements” (January 19, 1993);
(2) CENELEC Standards as follows:
(i) EN50126: 1999, Railway Applications: Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS);
(ii) EN50128 (May 2001), Railway Applications: Software for Railway Control and Protection Systems;
(iii) EN50129: 2003, Railway Applications: Communications, Signaling, and Processing Systems-Safety Related Electronic Systems for Signaling; and
(iv) EN50155:2001/A1:2002, Railway Applications: Electronic Equipment Used in Rolling Stock.
(3) ATCS Specification 140, Recommended Practices for Safety and Systems Assurance.
(4) ATCS Specification 130, Software Quality Assurance.
(5) Safety of High Speed Ground Transportation Systems. Analytical Methodology for Safety Validation of Computer Controlled Subsystems. Volume II: Development of a Safety Validation Methodology. Final Report September 1995. Author: Jonathan F. Luedeke, Battelle. DOT/FRA/ORD-95/10.2.
(6) IEC 61508 (International Electro-technical Commission), Functional Safety of Electrical/Electronic/Programmable/Electronic Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
(i) IEC 61508-1 (1998-12) Part 1: General requirements and IEC 61508-1 Corr. (1999-05) Corrigendum 1-Part 1: General Requirements;
(ii) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems;
(iii) IEC 61508-3 (1998-12) Part 3: Software requirements and IEC 61508-3 Corr.1 (1999-04) Corrigendum 1-Part 3: Software requirements;
(iv) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations and IEC 61508-4 Corr.1 (1999-04) Corrigendum 1-Part 4: Definitions and abbreviations;
(v) IEC 61508-5 (1998-12) Part 5: Examples of methods for the determination of safety integrity levels and IEC 61508-5 Corr.1 (1999-04) Corrigendum 1-Part 5: Examples of methods for determination of safety integrity levels;
(vi) IEC 61508-6 (2000-04) Part 6: Guidelines on the applications of IEC 61508-2 and -3; and
(vii) IEC 61508-7 (2000-03) Part 7: Overview of techniques and measures.
(b) When using unpublished standards, including proprietary standards, the standards should be available for inspection and replication by the railroad and FRA and should be available for public examination.
(c) Third party assessments. The railroad, the supplier, or FRA may conclude it is necessary for a third party assessment of the system. A third party assessor should be “independent”. An “independent third party” means a technically competent entity responsible to and compensated by the railroad (or an association on behalf of one or more railroads) that is independent of the supplier of the product. An entity that is owned or controlled by the supplier, that is under common ownership or control with the supplier, or that is otherwise involved in the development of the product would not be considered “independent”.
(1) The reviewer should not engage in design efforts, in order to preserve the reviewer's independence and maintain the supplier's proprietary right to the product. The supplier should provide the reviewer access to any, and all, documentation that the reviewer requests and attendance at any design review or walk through that the reviewer determines as necessary to complete and accomplish the third party assessment. Representatives from FRA or the railroad might accompany the reviewer.
(2) Third party reviews can occur at a preliminary level, a functional level, or implementation level. At the preliminary level, the reviewer should evaluate with respect to safety and comment on the adequacy of the processes, which the supplier applies to the design, and development of the product. At a minimum, the reviewer should compare the supplier processes with industry best practices to determine if the vendor methodology is acceptable and employ any other such tests or comparisons if they have been agreed to previously with the railroad or FRA. Based on these analyses, the reviewer shall identify and document any significant safety vulnerabilities that are not adequately mitigated by the supplier's (or user's) processes. At the functional level, the reviewer evaluates the adequacy, and comprehensiveness, of the safety analysis, and any other documents pertinent to the product being assessed for completeness, correctness, and compliance with applicable standards. This includes, but is not limited to the Preliminary Hazard Analysis (PHA), all Fault Tree Analyses (FTA), all Failure Mode and Effects Criticality Analysis (FMECA), and other hazard analyses. At the implementation level the reviewer randomly selects various safety-critical software modules for audit to verify whether the system process and design requirements were followed. The number of modules audited shall be determined as a representative number sufficient to provide confidence that all un-audited modules were developed in similar manner as the audited module. During this phase the reviewer would also evaluate and comment on the adequacy of the plan for installation and test of the product for revenue service.
(d) Reviewer Report. Upon completion of an assessment, the reviewer prepares a final report of the assessment. The report should contain the following information:
(1) The reviewer's evaluation of the adequacy of the risk analysis, including the supplier's MTTHE and risk estimates for the product, and the supplier's confidence interval in these estimates;
(2) Product vulnerabilities which the reviewer felt were not adequately mitigated, including the method by which the railroad would assure product safety in the event of a hardware or software failure (i.e., how does the railroad or vendor assure that all potentially hazardous failure modes are identified?) and the method by which the railroad or vendor addresses comprehensiveness of the product design for the requirements of the operations it will govern (i.e., how does the railroad and/or vendor assure that all potentially hazardous operating circumstances are identified? Who records any deficiencies identified in the design process? Who tracks the correction of these deficiencies and confirms that they are corrected?);
(3) A clear statement of position for all parties involved for each product vulnerability cited by the reviewer;
(4) Identification of any documentation or information sought by the reviewer that was denied, incomplete, or inadequate;
(5) A listing of each design procedure or process which was not properly followed;
(6) Identification of the software verification and validation procedures for the product's safety-critical applications, and the reviewer's evaluation of the adequacy of these procedures;
(7) Methods employed by the product manufacturer to develop safety-critical software, such as use of structured language, code checks, modularity, or other similar generally acceptable techniques; and
(8) Methods by which the supplier or railroad addresses comprehensiveness of the product design which considers the safety elements.
21. The authority citation for part 238 continues to read as follows:
22. Section 238.105 is amended by revising paragraph (d)(1) to read as follows:
(d) * * *
(1) Hardware and software that controls or monitors a train's primary braking system shall either:
(i) Fail safely by initiating a full service or emergency brake application in the event of a hardware or software failure that could impair the ability of the engineer to apply or release the brakes; or
(ii) Provide the engineer access to direct manual control of the primary braking system (service or emergency braking).
23. Section 238.309 is amended by revising paragraphs (b), (c), and (e) to read as follows:
(b) DMU and MU locomotives. The brake equipment and brake cylinders of each DMU or MU locomotive shall be cleaned, repaired, and tested, and the filtering devices or dirt collectors located in the main reservoir supply line to the air brake system cleaned, repaired, or replaced at intervals in accordance with the following schedule:
(1) Every 736 days if the DMU or MU locomotive is part of a fleet that is not 100 percent equipped with air dryers;
(2) Every 1,104 days if the DMU or MU locomotive is part of a fleet that is 100 percent equipped with air dryers and is equipped with PS-68, 26-C, 26-L, PS-90, CS-1, RT-2, RT-5A, GRB-1, CS-2, or 26-R brake systems. (This listing of brake system types is intended to subsume all brake systems using 26 type, ABD, or ABDW control valves and PS68, PS-90, 26B-1, 26C, 26CE, 26-B1, 30CDW, or 30ECDW engineer's brake valves.);
(3) Every 1,840 days if the DMU or MU locomotive is part of a fleet that is 100 percent equipped with air dryers and is equipped with KB-HL1, KB-HS1, or KBCT1; and,
(4) Every 736 days for all other DMU or MU locomotives.
(c) Conventional locomotives. The brake equipment of each conventional locomotive shall be cleaned, repaired, and tested in accordance with the schedule provided in § 229.29 of this chapter.
(e) Cab cars. The brake equipment of each cab car shall be cleaned, repaired, and tested at intervals in accordance with the following schedule:
(1) Every 1,840 days for locomotives equipped with CCB-1, CCB-2, CCB-26, EPIC 1 (formerly EPIC 3102), EPIC 3102D2, EPIC 2, KB-HS1, or Fastbrake brake systems.
(2) Every 1,476 days for that portion of the cab car brake system using brake valves that are identical to the passenger coach 26-C brake system;
(3) Every 1,104 days for that portion of the cab car brake system using brake valves that are identical to the locomotive 26-L brake system; and
(4) Every 736 days for all other types of cab car brake valves.
Issued in Washington, DC, on December 29, 2010.
Karen J. Rae,
1. “Table of Size Standards,” U.S. Small Business Administration, January 31, 1996, 13 CFR part 121. See also NAICS Codes 482111 and 482112.
[FR Doc. 2010-33244 Filed 1-11-11; 8:45 am]
BILLING CODE 4910-06-P