[Federal Register Volume 66, Number 155 (Friday, August 10, 2001)]
[Proposed Rules]
[Pages 42352-42396]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-19428]



[[Page 42351]]

-----------------------------------------------------------------------

Part V





Department of Transportation





-----------------------------------------------------------------------



Federal Railroad Administration



-----------------------------------------------------------------------



49 CFR Part 209 et al.



Standards for Development and Use of Processor-Based Signal and Train 
Control Systems; Proposed Rule

  Federal Register / Vol. 66, No. 155 / Friday, August 10, 2001 / 
Proposed Rules  

[[Page 42352]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Railroad Administration

49 CFR Parts 209, 234, and 236

[Docket No. FRA-2001-10160]
RIN 2130-AA94


Standards for Development and Use of Processor-Based Signal and 
Train Control Systems

AGENCY: Federal Railroad Administration (FRA), Department of 
Transportation (DOT).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: FRA is proposing a performance standard for the development 
and use of processor-based signal and train control systems. The 
proposed rule also covers systems which interact with highway-rail 
grade-crossing systems, requirements for notifying FRA prior to 
installation, and requirements for training and recordkeeping. FRA is 
proposing these standards to ensure the safe operation of trains on 
railroads using processor-based signal and train control equipment.

DATES: Written Comments. Comments must be received by October 9, 2001. 
Comments received after that date will be considered to the extent 
possible without incurring additional expense or delay.
    Public Hearings: Upon specific request, FRA will hold public 
hearings as appropriate to receive oral comments from any interested 
party.

ADDRESSES: Comments should be sent to the Docket Clerk, Docket 
Management System, U.S. Department of Transportation Room PL 401, 400 
Seventh Street, SW., Washington, DC 20590-0001. If you wish to receive 
confirmation of receipt of your written comments, please include a 
self-addressed, stamped postcard.
    The docket management system is located on the Plaza level of the 
Nassif Building at the Department of Transportation at the above 
address. You can review public dockets there between the hours of 9 
a.m. and 5 p.m., Monday through Friday, except federal holidays. You 
can also review comments on-line at the DOT Docket Management System 
web site at http://dms.dot.gov.
    You may submit comments electronically by accessing the Docket 
Management System web site at http://dms.dot.gov and following the 
instructions for submitting a document electronically.

FOR FURTHER INFORMATION CONTACT: William H. Goodman, Staff Director, 
Railroad Signal Program, Office of Safety, FRA, 1120 Vermont Avenue, 
NW, Washington, DC 20590 (telephone: 202-493-6325); Grady C. Cothen, 
Jr., Deputy Associate Administrator for Safety Standards, FRA, 1120 
Vermont Avenue, NW, Mail Stop 25, Washington, D.C. 20590 (telephone: 
202-493-6302); Cynthia B. Walters, Office of Chief Counsel, FRA 1120 
Vermont Avenue, NW, Mail Stop 10, Washington, DC 20590 (telephone: 202-
493-6064); or David T. Matsuda, Office of Chief Counsel, FRA, 1120 
Vermont Avenue, NW, Mail Stop 10, Washington, DC 20590 (telephone: 202-
493-6046).

SUPPLEMENTARY INFORMATION:

I. Statutory Background

    The Federal Railroad Administration (FRA) has broad statutory 
authority to regulate all areas of railroad safety. 49 U.S.C. 20103(a); 
49 CFR 1.49. Until July 5, 1994, the Federal railroad safety statutes 
existed as separate acts found primarily in Title 45 of the United 
States Code. On that date all of the acts were repealed and their 
provisions were recodified into Title 49. The older safety laws had 
been enacted in a piecemeal approach and addressed specific fields of 
railroad safety. For instance, the Signal Inspection Act, 49 U.S.C. 26 
(recodified at 49 U.S.C. 20502 et seq. (1994)), has in large part 
governed the installation and removal of signal equipment for most of 
the previous century.
    Pursuant to its general statutory rulemaking authority, FRA 
promulgates and enforces rules as part of a comprehensive regulatory 
program to address the safety of railroad track, signal systems, 
railroad communications, rolling stock, operating practices, passenger 
train emergency preparedness, alcohol and drug testing, locomotive 
engineer certification, and workplace safety. For example, in the area 
of railroad signal and train control systems, FRA has issued 
regulations, found at 49 CFR part 236 (``Part 236''), addressing the 
security of signal apparatus housings (49 CFR 236.3), location of 
roadway signals (49 CFR 236.21), and the testing of relays (49 CFR 
236.106). Hereafter all references to parts shall be parts located in 
Title 49 of the Code of Federal Regulations.

II. Regulatory Background

    Part 236 was last amended in 1984. At that time, signal and train 
control functions were performed principally through use of electrical 
circuits employing relays as the means of effecting system logic. This 
approach had proven itself capable of supporting a very high level of 
safety for over half a century. However, electronic controls were 
emerging on the scene, and several sections of the regulations were 
amended to take a more technology-neutral approach to the required 
functions (see Secs. 236.8, 236.51, 236.101, 236.205, 236.311, 
236.813a). This approach has fostered introduction of new, more cost 
effective technology while providing FRA with strong enforcement powers 
over systems that fail to work as intended in the field.
    Since that time, FRA has worked with railroads and suppliers to 
apply the principles embodied in the regulations to emerging technology 
and to identify and remedy initial weaknesses in some of the new 
products. As a result, thousands of interlocking controllers and other 
electronic applications are embedded in traditional signal systems. 
Further technological advances may provide additional opportunities to 
increase safety levels and achieve economic benefits as well. For 
instance, implementation of innovative positive train control (PTC) 
systems may employ new ways of detecting trains, establishing secure 
routes, and processing information. This presents a far greater 
challenge to both signal and train control system developers and FRA. 
This challenge involves retaining a corporate memory of the intricate 
logic associated with railway signaling, while daring to use whole new 
approaches to implement that logic--at the same time stretching the 
technology to address risk reduction opportunities that previously were 
not available. For FRA, the challenge is to continue to be prepared to 
make safety-based decisions regarding this new technology, without 
impairing the development of this field. Providing general standards 
for the development and implementation of products utilizing this new 
technology is needed to facilitate realization of the potential of 
electronic control systems and for safety and efficiency.
    FRA has already used its authority to grant waivers and issue 
orders to support innovation in the field of train control technology. 
FRA has granted test waivers for the Union Pacific (UP)/Burlington 
Northern Santa Fe (BNSF) Positive Train Separation (PTS) project in the 
Pacific Northwest, the National Railroad Passenger Corporation 
(``Amtrak'') Incremental Train Control System (ITCS) in the State of 
Michigan, the CSX Transportation Inc. (CSX) Communication-Based Train 
Management (CBTM) project in Georgia, and the Alaska Railroad PTC 
project. FRA recently granted conditional

[[Page 42353]]

revenue demonstration authority for ITCS. In 1998, FRA issued a final 
order for the installation of the Advanced Civil Speed Enforcement 
System (ACSES) on the Northeast Corridor (63 FR 39343, Aug. 21, 1998). 
See also 64 FR 54410, Oct. 6, 1999 (delaying effective date of such 
order).
    Although FRA expects to continue its support for responsible tests, 
demonstrations, and implementations, the need for controlling 
principles in this area is becoming increasingly obvious. This 
rulemaking provides the forum for identifying and codifying those 
principles.
    FRA's need to review its regulatory scheme with respect to emerging 
technology in the signal and train control arena was acknowledged by 
Congress in Section 11 of the Rail Safety Enforcement and Review Act 
(RSERA) (Pub. L. 102-365, Sep. 3, 1992), entitled ``Railroad Radio 
Communications.'' The RSERA mandated that the Secretary conduct a 
safety inquiry to assess, among other areas, the status of advanced 
train control systems and the need for federal standards to ensure that 
such systems provide for positive train separation and are compatible 
nationwide. FRA conducted such an inquiry and submitted a comprehensive 
Report to Congress on July 8, 1994.
    As part of this Report, FRA called for implementation of an action 
plan to deploy PTC systems (``Railroad communications and Train 
Control,'' FRA, July 1994). The report forecast substantial benefits of 
advanced train control technology to support a variety of business and 
safety purposes, but noted that an immediate regulatory mandate for PTC 
could not be currently justified based upon normal cost-benefit 
principles relying on direct safety benefits. The report outlined an 
aggressive Action Plan implementing a public/private sector partnership 
to explore technology potential, deploy systems for demonstration, and 
structure a regulatory framework to support emerging PTC initiatives.
    Following through on the Report, the FRA committed approximately 
$40 million through the Next Generation High Speed Rail Program and the 
Research and Development Program to support development, testing and 
deployment of PTC prototype systems in the Pacific Northwest, Michigan, 
Illinois, Alaska, and the Eastern railroads' on-board electronic 
platforms. As called for in the Action Plan, the FRA also launched an 
effort to structure an appropriate regulatory framework for 
facilitating implementation of PTC technology and for evaluating future 
safety needs and opportunities. For such a task, FRA desired input from 
the developers, prospective purchasers and operators of this new 
technology. Thus, in September of 1997, the Federal Railroad 
Administrator (``Administrator'') asked the Railroad Safety Advisory 
Committee to address several issues involving PTC.

III. Railroad Safety Advisory Committee (RSAC)

A. RSAC

    Since 1993, FRA has been taking action to promote earlier and more 
extensive participation by all interested parties in the agency's 
regulatory processes. That year, the Administrator conducted a series 
of roundtables on all aspects of FRA's safety program. FRA initiated 
its first formal negotiated rulemaking in 1994 on the topic of roadway 
worker safety.
    FRA also conducted outreach and a review of its regulatory program 
under the President's Regulatory Reinvention Initiative and the 
National Performance Review. FRA concluded that railroad safety would 
be best served if the agency varied its traditional ``hear and decide'' 
regulatory style to a new one founded on consensus among those who are 
benefitted and burdened by the agency's regulations. Implicit in this 
change is the concept that decisions regarding the best approach to 
resolution of safety issues should be made with the full participation 
of all affected parties.
    In March 1996, FRA established the RSAC, which provides a forum for 
consensual rulemaking and program development. The Committee includes 
representation from all of the agency's major customer groups, 
including railroads, labor organizations, suppliers and manufacturers, 
and other interested parties. A list of member groups follows:

American Association of Private Railroad Car Owners (AARPCO)
American Association of State Highway & Transportation Officials 
(AASHTO)
American Public Transit Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
American Train Dispatchers Department/BLE (ATDD/BLE)
Association of American Railroads (AAR)
Association of Railway Museums (ARM)
Association of State Rail Safety Managers (ASRSM)
Brotherhood of Locomotive Engineers (BLE)
Brotherhood of Maintenance of Way Employes (BMWE)
Brotherhood of Railroad Signalmen (BRS)
High Speed Ground Transportation Association
Hotel Employees & Restaurant Employees International Union
International Association of Machinists and Aerospace Workers
International Brotherhood of Boilermakers and Blacksmiths
International Brotherhood of Electrical Workers (IBEW)
Labor Council for Latin American Advancement (LCLAA) (non-voting)
League of Railway Industry Women (non-voting)
National Association of Railroad Passengers (NARP)
National Association of Railway Business Women (non-voting)
National Conference of Firemen & Oilers
National Railroad Construction and Maintenance Association
Amtrak
Railway Progress Institute (RPI)
Safe Travel America
Secretaria de Communicaciones y Transporte (non-voting)
Sheet Metal Workers International Association
Tourist Railway Association Inc.
Transport Canada (non-voting)
Transport Workers Union of America (TWUA)
Transportation Communications International Union/BRC (TCIU/BRC)
United Transportation Union (UTU)
National Transportation Safety Board (NTSB) (non-voting)
Federal Transit Administration (FTA) (non-voting)

When appropriate, FRA assigns a task to RSAC, and after consideration 
and debate, RSAC may accept or reject the task. If accepted, RSAC 
establishes a working group that possesses the appropriate expertise 
and representation of interests to develop recommendations to FRA for 
action on the task. These recommendations are developed by consensus. 
If a working group comes to consensus on recommendations for action, 
the package is presented to the RSAC for a vote. If the proposal is 
accepted by a simple majority of the RSAC, the proposal is formally 
recommended to FRA. If the working group is unable to reach consensus 
on recommendations for action, FRA moves ahead to resolve the issue 
through traditional rulemaking proceedings.
    Recommendations from RSAC come in all varieties. RSAC may recommend 
continued implementation of existing measures, voluntary initiatives by 
individual parties, concerted voluntary initiatives by several parties, 
amendment of existing regulations, new regulatory requirements, or 
enactment

[[Page 42354]]

of legislation, as appropriate. The advice and recommendations of RSAC 
form the basis for this proposed rule.
    On September 30, 1997, the RSAC accepted a task (No. 97-6) entitled 
``Standards for New Train Control Systems.'' The purpose of this task 
was defined as follows: ``To facilitate the implementation of software 
based signal and operating systems by discussing potential revisions to 
the Rules, Standards and Instructions (Part 236) to address processor-
based technology and communication-based operating architectures.'' The 
task called for the formation of a working group to include 
consideration of the following:
     Disarrangement of microprocessor-based interlockings;
     Performance standards for PTC systems at various levels of 
functionalities (safety-related capabilities); and
     Procedures for introduction and validation of new systems.

RSAC also accepted two other tasks related to PTC, task Nos. 97-4 and 
97-5. These tasks dealt primarily with issues related to the 
feasibility of implementation of PTC technology.

B. The PTC Working Group

    FRA gratefully acknowledges the participation and leadership of 
representatives of the following organizations who served on the PTC 
Working Group:
    AAR, including members from

BNSF
Canadian National
Conrail
CSX
Metra
Norfolk Southern Railway Company
UP
Amtrak
AASHTO
APTA
ASLRRA
ATDD/BLE
BLE
BMWE
BRS
FRA
FTA (non-voting)
HSR/MAG LEV
IBEW
NTSB (non-voting)
RPI
UTU

    In order to efficiently accomplish the three tasks assigned to it 
involving PTC issues, the PTC Working Group empowered two task forces 
to work concurrently: the Data and Implementation Task Force, which 
handled tasks 97-4 and 97-5, and the Standards Task Force, which 
handled task 97-6.
    The Data and Implementation Task Force finalized a report on the 
future of PTC systems and presented it, with the approval of RSAC, to 
the Administrator on September 8, 1999. Report of the Railroad Safety 
Advisory Committee to the Federal Railroad Administrator, 
``Implementation of Positive Train Control Systems,'' (September 8, 
1999). The Data and Implementation Task Force will be involved in 
monitoring implementation of PTC technology on the joint Illinois/AAR/
UP/FRA project.
    The Working Group also employed several teams, comprised of 
representatives from RSAC member organizations, who provided invaluable 
assistance. An Operating Rules Team was charged with working to ensure 
that appropriate railroad operating rules are part of any PTC 
implementation process, and a Human Factors Team was charged with 
evaluating human factor aspects of PTC systems. Members of these teams 
serve on both the PTC Standards Task Force and the Data and 
Implementation Task Force, and additional team members were drawn from 
the railroad community.
    In addition to providing assistance from FRA staff and staff from 
the Volpe National Transportation Safety Center, FRA responded to a 
consensus request from the Standards Task Force by contracting for 
assistance from the Center for Safety-Critical Systems at the 
University of Virginia.

C. The Standards Task Force

    The Working Group, consisting of both the Data and Implementation 
Task Force and the Standards Task Force, held a meeting at Ponte Vedra 
Beach, Florida in November 1997 to set the direction of the Standards 
Task Force. An informal first meeting of the Standards Task Force was 
held in Washington DC on December 18, 1997, followed by the first 
formal meeting on February 25, 1998, in Fort Worth, Texas. The 
Standards Task Force is primarily responsible, with the FRA Office of 
Chief Counsel and Office of Safety, for drafting this proposed rule.
    After the initial informal meeting, the Standards Task Force met 
almost every month until the last meeting in New Orleans, LA on June 
28-29 of 2000. Much documentation was produced at these meetings, due 
to extensive discussions, presentations and tutorials. This 
documentation has been placed in the docket for this rulemaking.
    The primary mission of the Standards Task Force was to develop 
regulations that would address the new PTC systems, as well as 
subsystems and components thereof. PTC systems were described as 
achieving three core functions: (1) Preventing train-to-train 
collisions (positive train separation); (2) enforcing speed 
restrictions, including civil engineering restrictions and temporary 
slow orders; and (3) providing protection for roadway workers and their 
equipment operating under specific authorities.
    At each meeting, proposed standards were continually developed and 
modified. The text of the proposed regulation became known as the 
``Master Draft.'' Four primary stakeholder groups worked on the Master 
Draft and presented their own views and opinions as to what should be 
included in the regulations. As such, consensus was very difficult to 
obtain. The four stakeholder groups involved were: (1) The federal 
government, (2) railroad management, (3) railroad labor, and (4) 
railroad signal and train control system suppliers. The first three 
groups had voting powers. The supplier group did not have voting 
powers, but their input was essential and valuable to the other 
interest groups, especially railroad management, their primary 
customers. All Standards Task Force meetings were open to all 
interested parties, and on the average, 30 to 35 people attended. The 
final two meetings recorded over 50 attendees each. Any attendee was 
considered a member of the Standards Task Force and had the right to 
express an opinion at the meeting. However, when consensus was called 
for, only actual voting members from the PTC Working Group were 
counted.
    In December 1999, the Standards Task Force reached consensus on 
most outstanding issues. Chiefly, these included the adoption of risk 
assessment criteria, requirements for independent third party review of 
validation and verification, applicability of the proposed rule to 
existing systems, life cycle recordkeeping and reporting, and related 
matters.
    On June 29, 2000, the Standards Task Force presented its consensus 
recommendation to the entire working group. The PTC Working Group 
accepted the recommendation with minor changes and forwarded its 
consensus recommendation to RSAC, which approved it on September 14, 
2000.

IV. Major Issues

A. Why a Performance-Based Approach?

What is a Performance Standard?
    During the Standards Task Force discussion, FRA noted that the 
existing ``Rules, Standards and Instructions'' (Part 236) take a 
performance-oriented approach at the functional level,

[[Page 42355]]

although--by virtue of the historical context in which they were 
initially prepared--they most often reference older technology. During 
the last decade and a half, this performance-oriented approach to 
specified functions has permitted the growth of electronic systems 
within signal and train control systems without substantial regulatory 
change (albeit with growing ambiguity concerning the application of 
individual provisions to novel technical approaches). Wishing to 
maintain historical continuity and hasten preparation of a proposed 
rule, FRA offered for consideration an initial redraft of Part 236 that 
attempted a more technology-neutral approach to performance at the 
functional level, while also addressing PTC functions, as a possible 
starting point for the group's work.
    Carrier representatives found the FRA draft to be unduly 
constricting, and asked that the group pursue higher-level performance 
standards. Supplier and labor representatives agreed to this approach, 
and FRA has endeavored to support the Standards Task Force in pursuing 
it.
    Early in the deliberations of the Standards Task Force, carrier 
representatives requested that FRA arrange presentations on the use of 
performance standards in lieu of prescriptive regulations. The group 
heard from representatives of the Research and Special Programs 
Administration (RSPA), Federal Highway Administration's Office of Motor 
Carrier Safety (now Federal Motor Carrier Safety Administration 
(FMCSA)), and APTA. FRA distributed a guidance document entitled 
``Performance Standards: A Practical Guide to the Use of Performance 
Standards as a Regulatory Alternative,'' (Project on Alternative 
Regulatory Approaches, September 1981), a copy of which has been placed 
in the docket of this rulemaking.
    In brief overview, the term ``performance standard'' has been 
variously applied to describe many different forms of regulatory 
approaches that avoid design specifications and other prescriptive 
requirements, such as mandates that actions be taken in a particular 
sequence, or in a particular manner, by the regulated entity. At the 
most permissive extreme, a performance standard for a railroad 
operating system might specify an ``acceptable'' level of safety 
performance (e.g., number of fatalities per million train miles) and 
avoid any intervening action unless and until the performance of the 
regulated entity fell below that level. FRA believes that this type of 
approach would represent an abandonment of the agency's responsibility 
to promote safety, since it would necessarily assume optimum 
performance by the regulated entity (a condition not realized in 
practice) and would prevent helpful intervention until unacceptable 
consequences had already occurred. The Working Group has not sought to 
pursue this approach.
    The least permissive performance standards include such approaches 
as requiring that a metal skin on the front of a locomotive have 
penetration resistance equivalent to that of a given thickness of a 
specified steel. In this example, the choice of material is left to the 
designer, but the options are not extensive. See, e.g., 49 CFR 238.209.
    In the middle range of permissiveness, a performance standard might 
address acceptable performance parameters for a particular, mandated 
device, in lieu of a fixed physical description. For instance, FRA 
requirements for railroad tank cars carrying flammable compressed gas 
require the application of high temperature thermal protection that can 
be accomplished using a variety of materials, together with pressure 
relief valve capacity requirements adequate to permit safe evacuation 
and burn-off of the car's contents prior to catastrophic failure of the 
vessel in a fire environment (part 179, appendix B (qualification test 
procedure)). This combination of regulatory requirements has been 
highly effective in preventing loss of life from violent detonation of 
tank cars involved in derailments (although compliance issues have been 
presented by disintegration of insulation blankets that could not be 
readily detected under the outer jacket of a car).
    Some of the safety statutes administered by FRA contain 
performance-related criteria. For instance, the Signal Inspection Act, 
as codified at 49 U.S.C. 20502(b), states:

    A railroad carrier may allow a signal system to be used on its 
railroad line only when the system, including its controlling and 
operating appurtenances . . . may be operated safely without 
unnecessary risk of personal injury.

However, recognizing the need to make a practical application of this 
broad statement, the law also requires that the system ``has been 
inspected and can meet any test prescribed under this chapter.'' What 
could otherwise be deemed a very broad performance standard is thus 
made more specific in practice (though just how specific the 
requirements should remain is one of the subjects of this proceeding).

Criteria for Evaluation of Performance-Related Approach

    The discussion that follows identifies some of the general 
considerations that apply to use of performance standards and some of 
the practical factors that come into play with respect to the safety of 
processor-based signal and train control technologies.
    In response to the report of the Vice President's Commission on 
Aviation Safety and Security, the Federal Aviation Administration (FAA) 
published a brief ``Performance-Based Regulations Guide'' (October 31, 
1997). That guide notes four ``substantive criteria'' that can be used 
to determine whether regulations can be written in a performance-based 
manner:
    1. Can the regulatory requirement be stated in terms of a practical 
goal that can be understood by an individual or company (e.g., meeting 
a prescribed climb gradient with one engine inoperative)?
    2. Will a regulation stated in performance terms be enforceable?
    3. Will a performance-based regulation discriminate against smaller 
companies?
    4. Is it possible to establish an equivalency rule that will itself 
be considered a performance-based regulation? (In FAA terminology, ``an 
equivalency rule'' is one that is based upon a command-and-control 
requirement but allows the regulated party to demonstrate that an 
alternative approach provides an equivalent level of safety.)

The FAA guide noted performance-based regulations should not be used 
if:
    1. Congress has mandated a specific outcome (e.g., ``no smoking'' 
on domestic flights).
    2. The standard would be so vague as to be unenforceable (e.g., 
``fly safely'').
    3. The FAA cannot agree on an acceptable alternative to a command-
and-control standard (e.g., the age 60 rule [for air transport pilots] 
could be eliminated only if the FAA could prescribe medical and flight 
testing standards that would provide an equivalent level of safety).

These criteria are generally applicable to the issue presented by this 
proposal, and other possible concerns can be added. For instance, what 
if administration of a performance standard would involve too much cost 
to all regulated entities, small entities only, or the government? What 
if the performance standard is clear, but verifiable only after the 
fact and thus enforceable only in a reactive sense? What if the 
standard is very clear, but the analytical techniques needed to

[[Page 42356]]

verify compliance are poorly developed or are not validated?
    FRA has identified several criteria of its own with respect to 
promulgating a performance standard for this area of regulation: 
simplicity, relevancy, reliability, cost, and objectivity.
    First, FRA feels the standard should be simple, because it will 
apply to many regulated entities. If the standard requires complex 
mathematics, there may be no way for many of the entities to comply, 
and if complicated enough, the standard may be beyond FRA's capacity to 
enforce. For instance, the Standards Task Force has been exposed to 
many briefings on mathematical techniques used to measure product 
safety. Often, the mathematics were extremely complicated, the issues 
surrounding selection of a model so esoteric that only a small fraction 
of the expert population present fully understood the issues, and at no 
point was there a consensus that any particular technique was 
technically superior.
    Second, FRA feels the standard should be relevant with respect to 
safety. There may be many convenient measurable qualities of processor-
based systems which are not relevant to safety. For example, the mean 
time to repair a product subsystem may or may not necessarily be 
relevant to safety, depending upon the backup method of operation in 
place.
    Third, FRA believes the standard should be reliable in that the 
test applied should yield similar results each time it is applied.
    Fourth, FRA believes demonstrating compliance with the standard 
should not be unduly expensive. Train control systems have a very good 
safety record. The cost of proving compliance with the standard should 
not cost more than the benefits it will bring. Furthermore, a standard 
could be so exacting that it would prevent the deployment of systems 
which would very likely improve safety, but which do not meet some 
extremely difficult or expensive test. Thus a purported safety standard 
might actually impose safety costs.
    Fifth, FRA feels the standard should be objective. A completely 
objective standard would allow for compliance to be determined through 
scientific study or investigation. This is critical from a regulatory 
perspective, because FRA feels it would not be fulfilling its safety 
mission if it could not verify compliance with the performance 
standard. Also, an objective standard would allow for sound business 
planning with respect to budgeting for and development of processor-
based systems. Thus, FRA can realize additional safety benefits from 
this standpoint.

Development of the Proposed Standard

    The Standards Task Force considered only two different performance 
standards, yet determining an adequate method for demonstrating 
compliance was the key factor in the Standards Task Force's final 
decision.
    The first standard proposed for discussion by the Standards Task 
Force was a standard which would have required that the implementation 
of proposed systems lead to safety improvements of 33% to 50%. This 
standard was proposed in order to address the uncertainties involved in 
the safety determinations. The theory behind the proposal was that an 
actual increase in safety by a discrete relative amount would overcome 
any uncertainties involved in the safety assessment process. In 
addition to the objectivity problems involved in not necessarily 
requiring a certain level of confidence in the safety measurements, the 
most disconcerting issue to the group was the cost of such a standard. 
It would impose burdensome safety and operational costs. The safety 
costs would result primarily from railroads not being able to replace 
products with those which would improve safety by less than the desired 
margin. The operational costs would result from not being able to 
replace a product with one that was equally as safe, but less costly. 
These shortcomings were too severe for the Standards Task Force to 
warrant further consideration of this option.
    The only other performance standard considered by the Standards 
Task Force was the one which led to the proposed rule: that new 
products must not degrade safety. This standard was not formally agreed 
to by the Standards Task Force until a means for demonstrating 
compliance could be agreed upon. The remainder of the discussions 
focused on the various ways in which compliance with this standard 
could be determined, and which of them is the most appropriate.
    The first proposal under this standard would have required a 
comparison of the sample means of the distributions of risk for the 
proposed product and the current system. This proposal would require 
demonstration with a minimum ninety-five percent confidence level that 
the likelihood that the distribution of risk for the proposed system is 
not less than the sample mean for the current system. The Standards 
Task Force found cost to be the most serious concern with this 
proposal. For relatively simple products this approach may be cost-
effective. It would be moderately expensive, as it requires some 
modeling of the risk, but the cost of modeling might still be less than 
the costs of complying with a specification standard. The most 
significant costs would be incurred when a proposed system takes 
advantage of current-generation, high-capability processors. The 
expense of computing time required to generate statistically 
significant modeling results would be prohibitive.
    A slightly different approach would be to test the standard 
deviations of the differences in sample means. This approach is not 
much more complicated than simply testing against the standard 
deviations. The cost would be roughly the same, however, this approach 
would pose reliability problems. If the number of simulation cycles 
were held to a fixed ratio between cycles for the current system and 
cycles for the proposed product, the standard deviation of the sample 
mean would decrease in proportion to the square root of the number of 
simulation cycles. Furthermore, the looseness of the assumptions would 
affect reliability of this approach as a measurement tool. There could 
also be significant problems with non-random re-selection of paths in 
simulations.
    The next approach proposed was to weight each risk calculation by a 
factor of uncertainty, and then run the simulation to see what the 
relationship is between current risk levels and levels of risk 
associated with use of the proposed product. This approach would 
require a higher level of confidence for a lower subjective confidence 
in the underlying assumptions. This option is more complex than any yet 
discussed by the Standards Task Force, and does not appear to be either 
reliable or objective. The Standards Task Force ultimately concluded 
that this test is too subjective for their purpose.
    Also suggested was an approach utilizing statistics of extremes, or 
extreme value theory. This objective technique is favored for risk 
analysis in civil engineering and environmental science applications 
and is designed to overcome the problems which arise when using 
traditional distribution models to analyze low probability, high 
consequence events. It is sufficiently complex that there was no 
consensus in the group as to its effectiveness for train control 
applications, although the University of Virginia continues to provide 
the group with more information on this technique. An informal survey 
of group members revealed that fewer than one tenth of an expert group 
claimed to be familiar with extreme value analysis. Thus, the Standards 
Task Force concluded

[[Page 42357]]

unfamiliarity with this approach within the industry would probably 
make it expensive to require.
    The final mathematical approach suggested was described as a 
Bayesian belief network. This is also a complicated test, which appears 
not totally objective. This approach would require the railroad to show 
by some high evidentiary standard, such as ``demonstrating to a high 
degree of confidence,'' that the proposed product would result in no 
loss of safety. It is this final test which FRA proposes. The Standards 
Task Force has developed more specific criteria for satisfying the 
performance standard under this approach using current safety 
engineering practices and principles within the industry.
    Although advantages of and concerns with the proposed standard are 
addressed in the sections which follow, FRA seeks comments addressing 
the decisions reached by the Standards Task Force concerning the 
various standards and compliance methodologies considered and rejected.

Advantages of a Performance-Based Standard

    This NPRM presents the highest level performance requirements ever 
attempted by FRA. To informed advocates of performance-based 
regulations, the reasons for taking this course are obvious. The 
emerging technologies documented in the RSAC's Report to the 
Administrator (``Implementation of Positive Train Control Systems,'' 
September 8, 1999), reflect an extensive array of electronic 
applications, including short-range radio frequency (RF) data links 
(transponders), medium-range RF data links, train location systems 
employing GPS/DGPS positioning supported by inertial guidance and track 
database analysis, and logic controllers placed at central office 
locations, on the wayside and onboard trains. Inputs may be derived 
from a variety of on-board systems, automatic equipment identification 
systems, two-way end-of-train telemetry, existing signal and train 
control systems, and other sources. Additional technologies are on the 
horizon, and others will no doubt emerge between the date of 
publication of a final rule in this proceeding and the next revision of 
the regulations by FRA.
    While some new train control systems may not yield all of the same 
safety benefits that are supported by traditional track circuits (e.g., 
detection of some broken rails), they may be capable of very nearly 
eliminating train-to-train collisions and addressing the other PTC core 
functions. Data derived from train control applications may be used for 
improved train management, crew management, and other business 
purposes. Ultimately, PTC technology may permit the transfer of train 
movement information for use in providing warning at highway-rail grade 
crossings under conditions that are, today, prohibitively expensive.
    In short, the future benefits of emerging railway electronic 
systems will be substantial, and suppliers and carriers will need a 
great deal of flexibility to avoid inadvertent limitations on the 
growth of important safety systems. This rulemaking was commenced to 
facilitate introduction of these new technologies. A performance-based 
approach should be the most powerful means of accomplishing that 
objective because it would:
     Provide the maximum flexibility to design capable systems, 
increasing the likelihood that all possibilities will be carefully 
explored;
     Permit designers to optimize systems to address safety and 
other needs, making systems more attractive to those making capital 
allocation decisions; and
     Avoid inappropriate requirements that could drive up costs 
and put the technology out of reach for years to come.

Concerns With a Performance-Based Standard

    This notice embodies a very high-level approach to performance 
standards that would offer unprecedented flexibility for carriers to 
design and deploy new signal and train control technologies. At the 
same time, it would require extensive documentation of the safety of 
the system prior to its introduction in revenue service. This approach 
has many profound advantages, and notable disadvantages, that deserve 
scrutiny in this rulemaking.
    FRA has also noted significant obstacles to successful 
implementation of performance standards in this context, as well as 
reservations with respect to the utility of such standards. These 
concerns are sufficient to warrant caution and a vigorous public 
debate.
    The first concern that has arisen is the static nature of a fixed 
performance standard grounded in current safety performance levels. As 
noted above, this proceeding is intended to facilitate safety 
improvement through accelerated introduction of new technology. The 
proposed performance standard described below, which basically provides 
that the safety of a new system may not fall below the base condition 
(existing technology, with certain adjustments), sets a modest 
objective for suppliers and railroads. However, progress is not the 
inevitable result of technological innovation. It is at least 
theoretically possible for a railroad to claim greater efficiencies 
associated with new technology, add modest safety enhancements that go 
beyond the capabilities of existing signal technology, but delete 
certain functionalities associated with the existing system or 
implement the system in a manner that includes significant safety 
vulnerabilities. The net result could be cost savings with no advance 
in safety. Yet, unlike today, FRA would lack leverage under the 
regulations to insist that known vulnerabilities in the system be 
corrected, even if that could be done on a highly cost effective basis. 
(FRA would retain its general authority under the Signal Inspection 
Act, but the extent to which that authority might be impaired could 
only be determined after extensive litigation, should its exercise be 
challenged.)
    The thought that a performance standard might stagnate safety 
improvements is not a fanciful concern. Since economic deregulation of 
the railroad industry (signified most notably by enactment of the 
Staggers Rail Act of 1980), railroads have progressed toward 
profitability principally by cutting costs. Strong intermodal 
competition has caused the railroads to turn much of the resulting 
savings back to shippers in the form of reduced contract rates. 
Particularly in the wake of major mergers and consolidations (a 
condition applicable to each of the four largest railroads today), the 
pressure from the financial community for cost reduction is 
particularly strong. This has sometimes led to management decisions 
based on short-term considerations. FRA regularly deals with the 
effects of this phenomenon in the context of Safety Assurance and 
Compliance Programs on the various properties.
    Clearly, the railroads have managed to improve their overall safety 
performance during the past 20 years while also cutting costs, in part 
by using technology to good advantage. However, the low-hanging fruit 
is largely gone. Managers and employees are increasingly asked to do 
more with less, which is a confining business practice. Properly 
implemented, new signal and train control technology can help reduce 
workload requirements while also improving asset utilization. 
Improperly implemented, the technology could stagnate safety 
improvements.
    Second, doubt remains whether the relevant technical, scientific, 
and railroad signaling communities are fully

[[Page 42358]]

prepared to support implementation of this rule. FRA has funded 
significant research into the safety of processor-based systems. See, 
e.g., ``Analytical Methodology for Safety Validation of Computer 
Controlled Subsystems,'' (Luedeke, John, (Battelle) for Volpe National 
Transportation Systems Center; DOT-VNTSC-FRA-95-8 (April 1994)). 
Administration of existing regulations, including consideration of 
waivers associated with novel train control proposals, has provided FRA 
with the opportunity to become familiar with strengths and limitations 
of the safety programs of major signal suppliers. Field compliance 
efforts have provided a reasonably good view of railroads' efforts to 
implement processor-based technologies. FRA's observations from this 
experience follow.
    The field of system safety for safety-critical control systems is 
relatively young and remains in flux. Military Standard 882C, ``System 
Safety Program Requirements'' (U.S. Department of Defense; January 18, 
1993), provides an overall framework for safety planning and analysis. 
A growing body of literature documents good practice in the field. See, 
e.g., Leveson, Nancy G., ``Safeware: System Safety and Computers,'' 
Addison Wesley Publishing Company, Inc., 1995. FRA purchased and 
distributed to Standards Task Force members copies of ``Safety-Critical 
Computer Systems'' (Storey, Neil; Addison-Wesley Longman (Harlow, 
England 1996)), a text addressing the subject matter in a way 
characterized as suitable for a final-year undergraduate or masters-
level program in engineering. The FAA, the Nuclear Regulatory 
Commission, and other Federal agencies have addressed this issue in 
various ways and continue to conduct relevant research. Parallel 
efforts internationally include the European Committee for Electrical 
Standardization (CENELEC) standard prEN50129 ``Railway Applications--
Safety-Related Electronic Systems for Signaling,'' (May 18, 1998).
    Railroad signal suppliers maintain a strong emphasis on the safety 
of their systems. However, formal processes to conduct and document 
safety analyses for new products are not uniform in their content; and 
FRA is aware of departures from what might be deemed acceptable within 
the framework of a rule implementing the proposals set forth below. In 
general, suppliers employ varying safety assurance concepts for their 
products and are not currently able to provide quantitative information 
concerning the projected life-cycle safety performance of new products. 
The vigorous emphasis on more formal methods of safety assurance in the 
supply community is exemplified by the recent adoption by the Institute 
of Electrical and Electronic Engineers, Inc. (IEEE), of the new 
``Standard for the Verification of Safety for Processor-based Systems 
Used in Rail Transit Control'' (No. 1483). The lack of complete 
consensus on the issue of proofs of safety is perhaps best exemplified 
by the fact that the IEEE standard just referenced does not address 
validation of these systems.
    Recognizing that any performance standard must provide a level 
playing field for the supply community and clear decisional criteria 
for FRA's review of safety documentation, FRA asked the Standards Task 
Force to focus specifically on the requirements for verification and 
validation and the associated quantization of safety (further discussed 
below). Although the supply community representatives were able to 
agree with other Standards Task Force members on general principles 
that should apply to these safety processes and the metric of Mean Time 
to Hazardous Event (MTTHE), suppliers were not able to agree to provide 
estimates of MTTHE based on fully quantitative inputs derived from 
uniform analytical methods. The possibility remains, therefore, that 
estimates of residual risk from different suppliers might have 
different meanings and be based on differing levels of confidence. As 
public comment is received and considered, FRA will continue to work 
with the parties to ensure that information provided in support of 
various products is reasonably comparable.
    FRA has also funded research into the application of risk 
assessment techniques to railroad operations and has made use of risk 
studies in the development of its own rules and in the evaluation of 
system safety estimates presented by various parties. Although FRA 
decision-making with respect to safety has always been founded on a 
keen appreciation for the elements of risk (event likelihood, severity, 
and an appropriate means for normalizing exposure), FRA recognizes that 
future advances in safety and transportation efficiency will 
necessitate a heavier reliance on often complex risk assessment 
techniques, as well as system safety principles. Quantitative risk 
assessments can enlighten decision making by taking into consideration 
a variety of relevant factors, providing a means of testing the 
sensitivity of key assumptions, and projecting the risk environment 
into the future. In an ideal circumstance, risk assessment may help 
identify critical system safety decisions and shed light on their 
mitigation well before the potential for hazardous events is realized 
in the field.
    However, at the outset it must be said that use of risk assessment 
to determine compliance with performance criteria embodied in a 
regulation presents an awkward problem. Practitioners of risk 
assessment are the first to point out that they do not purport to 
provide information that will predict actual levels of performance. 
Rather, they provide analysis that suggests the ``relative safety'' of 
the projected system in relation to a base case construct against which 
it is evaluated. This is a particularly powerful technique to improve 
the safety of a system, if properly executed. But the results do not 
constitute direct proof that a particular level of safety will be 
achieved.
    Obviously, this problem could be ``solved'' by simply requiring 
that an analysis meeting certain criteria show an improvement in 
safety. However, FRA believes that this approach would ask the wrong 
question and result in an increasingly parochial focus on the 
techniques of risk assessment and their proper execution, to the 
exclusion of the concrete safety issues presented by particular 
systems. FRA was not established to regulate risk assessment 
techniques, and attempting to do so would only inhibit the growth of 
the discipline. Accordingly, FRA has insisted that the proposed 
performance criterion be stated in absolute terms, with latitude 
afforded to scale the analytical effort to the problem at hand. 
Obviously, in the end FRA would have to be convinced that the 
particular showing was persuasive with respect to the likelihood that 
the new system would meet or exceed the safety performance of the 
existing system.
    Further, quantitative risk assessment as applied to the safety of 
railroad operations is best viewed as an art, rather than a science. A 
proper analysis must correctly describe salient elements of the 
operating system, correctly assess the contribution of the risk 
dimension under review to key scenarios, accurately estimate the 
frequency with which the risk will arise, accurately describe the 
severity of hazardous events that may occur, and fairly evaluate the 
impact of mitigating measures on the prevention, or reduction in 
severity, of the hazardous event. This requires that the analyst(s) be 
fully conversant with the railroad operating system, that input data be 
available (and be properly selected if various data are available), 
that the analysis be structured to produce a credible result, and that 
the result be

[[Page 42359]]

appropriately characterized. There are challenges associated with each 
of these steps.
    FRA is also concerned that a requirement for a risk assessment 
based on probability or likelihood will refocus safety efforts during 
development from optimization to post-design justification. That is, 
FRA fears that the focus will shift to proving that the product is safe 
enough after it has been designed. This concern is fueled by such facts 
as: (1) Subsystems and components involving software and/or human 
factors do not readily lend themselves to risk quantization as electro-
mechanical ones do, (2) risk calculations for current operations will 
most likely be limited in precision, and (3) early FRA involvement in 
the product development process is not mandated. As William D. 
Ruckelshaus, former two-time Director of the U.S. Environmental 
Protection Agency (EPA), has pointed out, ``risk assessment data can be 
like the captured spy; if you torture it long enough, it will tell you 
anything you want to know.'' Leveson at 60.
    In practice, FRA has had occasion to substantially discount the 
value of risk assessments in some cases, while relying heavily on the 
results (together with other information) in other cases. FRA expects 
that the quality of risk assessment practice will improve over time, as 
experience is gained and as peer review strengthens the quality of 
analysis.
    Recognizing the need to advance the state of the art with respect 
to analysis of risk specifically associated with various methods of 
operations and train control technologies, the Standards Task Force 
established a team to support development of an ``Axiomatic Safety-
Critical Assessment Process'' (ASCAP). At the request of the Standards 
Task Force, FRA engaged the University of Virginia to develop the ASCAP 
model as a risk assessment ``toolkit'' for use in implementing this 
proposed rule. The initial challenge for the ASCAP team and contractor 
has been to describe the relative safety of the current method of 
operation on a CSXT line which is operated without a signal system 
using direct traffic control system rules (the ``base case''). The 
first comparison case will be the safety of operations on the same line 
should a traffic control system be installed. The second comparison 
case will be implementation of the proposed CBTM system, an innovative 
technology that addresses the PTC core functions.
    As this proposed rule was being finalized for review and 
publication, the ASCAP effort was progressing toward generation of the 
base case and an initial comparison case. The University of Virginia 
principal researcher continued to meet with the ASCAP team providing 
peer review and support for the project. Data was being assembled and 
reviewed for suitability. A Human Factors Team had been established to 
assist in formulating input assumptions with respect to the anticipated 
actions of employees under various conditions associated with the three 
methods of operations.
    FRA believes that the ASCAP model (more fully described below) will 
represent a significant step forward in the quality of risk assessment 
methodologies related to train control. If successful, the technique 
may provide a level of analytical refinement significantly exceeding 
other known techniques. However, the success of this effort is not 
inevitable, given the degree of technical difficulty, the relative 
paucity of detailed data available for use within the model, and the 
uncertainties with respect to the role of human factors under the three 
cases. (For instance, CSXT and it employees who will be responsible for 
maintenance of various aspects of the system have not had experience 
with respect to maintenance of CBTM in the field. It may be difficult 
to project all failure modes that could be associated with routine 
maintenance and with modification of the system over its life cycle.) 
While it should be possible to benchmark the estimated risk for the 
base case and the traffic control system against experience on the CSXT 
line and for similar operations nationally, being certain of the 
validity for the CBTM case would require extensive, long-term 
experience in revenue service.
    Indeed, for many risk assessment problems, the base case will not 
be ``known'' in a statistical sense before the work begins because 
there will not have been sufficient exposure in the specific territory 
affected, under current or projected conditions, to make collision and 
other data representative of actual long-term performance. This will 
require somewhat elaborate construction of a base case scenario (as in 
the current CSXT ``dark territory'' case mentioned immediately above) 
to permit consideration of the extent to which local conditions may 
affect national statistics that could otherwise be applied to the 
problem.
    The Standards Task Force has discussed the fact that some margin of 
error will be associated with both base and comparison cases in any 
risk assessment. The group has discussed the need to employ sensitivity 
analysis to determine the effect of key assumptions and the 
desirability of putting a value on the extent to which the underlying 
analysis supports confidence in estimated risk, expressed as a point 
value or range. After examining several options, the group agreed to a 
standard fairly characterized as one of reasonableness, with respect to 
the current state of the art.
    Whatever formal risk values emerge from an assessment conducted in 
conformity with the proposed rule, some statistical variability would 
apply to post-implementation review of systems. This is true both 
because risk assessments will provide an imperfect view of a very 
complex reality, but also because the wide dispersion of the pertinent 
risk and the seemingly random nature of potentiating events (e.g., a 
maintenance of way employee leaving a switch open on the main line) 
make precise predictions impossible. For instance, take the case of 
removal of an existing automatic block system (ABS) and its replacement 
by a non-vital communication-based train control system overlaid on 
track warrant control. The safety documentation for this ``product,'' 
as reviewed under this proposed rule (including part 235), might show 
an actual accident history of 2 severe events in the last 20 years, an 
estimated base risk level of 2.5 such events, and a predicted accident 
frequency for the new system of one severe event over 20 years into the 
future. Should the actual experience under the new system (with no 
change in traffic levels) be one severe event and one moderate event in 
the first five years, this could indicate the emergence of risk factors 
not foreseen when the analysis was conducted or simply the occurrence 
of events well within the range of expected outcomes.
    FRA is particularly concerned that, under these circumstances, the 
dialogue between the FRA and the railroad not proceed based only upon 
the narrow technical details of risk assessment. Instead, the dialogue 
should center around the extent to which the events that occurred 
involved unnecessary harm to employees or the public and require 
remedial action that is practical and cost effective. If the public is 
to be served, FRA should not be shackled by its own performance 
criteria, and pro forma compliance with risk assessment should not bar 
inquiry into whether, as a practical matter, systems ``may be operated 
safely without unnecessary risk of personal injury.'' No amount of 
research is likely to make risk assessment a pure science, and no 
amount of litigation over it will protect employees and the public from 
patent hazards identified after the fact. FRA is not reassured by the 
discussion that led

[[Page 42360]]

to this proposal that this concern is frivolous, and FRA will not 
proceed with a final rule in this proceeding until a way has been found 
to resolve it.
    FRA invites comments specifically addressing any of the agency's 
concerns detailed in this proposal.

Application to Part 235: Risk Assessments and Material Modification 
of Systems

    This set of regulatory proposals includes performance-based rules 
for new signal and train control systems (including subsystems and 
components) but does not alter part 235, which governs applications for 
discontinuance or material modification of a signal system. FRA 
believes that risk assessment techniques can be helpful in evaluating 
applications for modification or discontinuance of existing signal 
systems. However, FRA is not prepared at this time to be bound by risk 
assessment outcomes in evaluating these applications.
    In enacting the Signal Inspection Act, the Congress both authorized 
FRA to require installation of signal systems and required that FRA 
review their removal or any reduction in their effectiveness. FRA has 
been reluctant to order new signal system installations, because it 
appears that the market functions reasonably well due to the natural 
constraints associated with the growth of rail traffic. Railroads 
continue to install traffic control systems where capacity requires it, 
and those investments provide efficiencies that benefit the health of 
the railroads while also enhancing safety over the long term, both 
directly and indirectly.
    FRA has also been reluctant, however, to allow removal of signal 
systems where current travel levels benefit from the safety that they 
provide, even if the agency would not order installation of a new 
system under the same circumstances. Tools such as the CRAM II model 
and the ASCAP model should assist FRA in determining the circumstances 
under which signalization is helpful. However, FRA is not convinced 
that the precision those tools can provide will always exceed in 
quality the judgment of railroad safety professionals who are 
intimately familiar with the territory and operations, particularly as 
applied to matters of limited scale.
    FRA has also been reluctant to allow, and in recent years has been 
steadfastly opposed to allowing, elimination of automatic cab signal 
(ACS) and automatic train control (ATC) functions--functions that 
directly address, to a considerable degree, the issues of collision 
avoidance and protection of roadway workers. Certainly risk assessment 
techniques will be useful in the future to analyze proposals to replace 
ACS/ATC systems with communication-based PTC alternatives. However, FRA 
would not expect to seriously entertain arguments, based upon elaborate 
risk analysis, that less certain safety strategies or modest declines 
in traffic would support removal of ACS/ATC systems.

B. How Does This Proposal Affect Locomotive Electronics and Train 
Control?

    This rule is prepared against a background of rapid and significant 
change in locomotive design. This change has direct implications for 
the future of train control systems onboard locomotives.
    In the past, train control functions and systems for control of 
normal locomotive operating functions have been kept separate. Train 
control apparatus has applied independent of the normal throttle and 
braking functions, which were traditionally accomplished by mechanical 
and pneumatic controls used by the locomotive engineer. Cab signals and 
ATC/ATS appliances have included a separate antenna for interfacing 
with the track circuit or inductive devices on the wayside. The power 
supply and control logic for train control have been separate from 
other locomotive functions, and cab signals have been displayed from a 
special-purpose unit. Penalty brake applications have been accomplished 
by direct operation of a valve that accomplishes a service reduction of 
brake pipe pressure, and the train control system also functions to 
``knock down'' the locomotive's tractive power. In keeping with this 
physical and functional separation, train control systems on board a 
locomotive have been considered exclusively within Part 236, rather 
than the locomotive inspection requirements of part 229.
    Onboard locomotives, braking and throttle functions have 
traditionally worked independently, with discrete mechanical and 
pneumatic controls. As electronic systems were initially introduced, 
controls remained separate and distinct. Until recently, electronic 
controls have been packaged incrementally by various vendors (e.g., 
speed sensor vendor, brake system vendor, locomotive manufacturer). In 
locomotives that employ this arrangement, control functions may be 
distributed among several processors using proprietary software.
    During the 1990's locomotive manufacturers (``original equipment 
manufacturers'' or ``OEMs'') began to integrate discrete functions, 
tapping certain inputs or outputs of the proprietary systems for 
informational or control purposes. Most new locomotives are controlled 
by microprocessors that respond to operator commands while making 
numerous automatic adjustments to locomotive systems to ensure 
efficient operation. In lieu of individual gages, operating parameters 
(such as speed, brake pipe pressure, and amperage) are displayed to the 
engineer on a single electronic display. The AAR has established 
Locomotive System Integration (LSI) criteria to promote compatibility 
among systems and uniformity in the information displayed to the 
locomotive engineer.
    Currently, manufacturers are deploying central processors that may 
``run'' a variety of systems simultaneously in a multi-tasking 
environment. While ``integration'' has been largely functional in the 
past, including the common display, the control systems themselves may 
be unified in the future.
    Locomotive manufacturers are preparing more capable electronic 
platforms to support locomotive and train control functions, but to 
date FRA has taken the position that train control functions should 
remain separate. Historically, and within the context of existing ACS/
ATC systems, train control functions have been required to be carried 
out in a failsafe manner by ``vital'' systems. Locomotive electronic 
controls, while designed with a high degree of attention to safety, 
have thus far not been demonstrated to fail safely with a high degree 
of reliability, and in individual cases unsafe failures have occurred. 
In effect, electronic control of locomotive functions has arisen in 
recent years without regulation, and in some cases products have been 
deployed prior to adequate analysis and testing. As a result, 
locomotive engineers have expressed concern regarding the safety 
characteristics of certain electronic features. Despite the best 
efforts of OEMs and suppliers, in some cases engineers have been 
relegated to use of emergency brake valves in the face of blank screens 
and uncertain availability of normal control functions.
    Very clearly, certain locomotive controls are highly safety-
critical, and FRA is working with the OEMs to encourage adoption of 
formal safety methods in the design, verification and validation of 
locomotive systems. FRA is confident that, over the next few years, 
OEMs and their suppliers will succeed in improving the quality of 
safety-relevant locomotive electronic

[[Page 42361]]

systems. As that occurs, integration of train control functions with 
other on-board functions will be appropriate. Until that time, FRA 
believes that cab signal and train control functions, including 
innovative PTC technologies, should continue to operate independent of 
locomotive information and control systems. In the context of 
developing PTC projects, and with respect to application of required 
ACS/ATC systems on new locomotives, FRA will for the time being 
continue to insist upon separation of locomotive and train control 
functions (absent an affirmative showing by the OEM that essential 
functions are effectively isolated and implemented in a failsafe manner 
as required in part 236). However, both for today and the future, FRA 
sees value in use of the electronic display for cab signal and train 
control functions, if the generation of the relevant attributes of the 
display can be made failsafe (with the exception of the very low-
probability possibility of a transient fault in the display itself).
    FRA seeks comment on this issue and the circumstances under which 
the final rule should authorize or prohibit integration of locomotive 
control and train control functions. Should integration of these 
functions be allowed? If they are integrated, how should in-service 
failures of various kinds be handled (e.g., failure of one of two 
displays available to the engineer or failure of the conductor's 
display). If these functions are integrated, should the entire 
locomotive electronic system be subject to verification and validation 
under the new performance standards? If so, to what extent might train 
control functions be partitioned from other applications to simplify 
the problem, and in what way?

C. What Risk Assessment Methods Will Be Considered Adequate?

    One of FRA's greater challenges concerning this proposed rule will 
be verification of compliance with the performance-based standard. The 
Standards Task Force has recommended an enforcement scheme under which 
railroads would conduct, when required, a risk assessment to show that 
the performance standard is met. In most cases, FRA envisions that the 
risk assessment will identify the assigned risk classes for the system, 
assign a numerical expression for each safety integrity level, specify 
a target failure rate, and identify the standards upon which the 
assessment and calculations were made. This information can be used as 
a basis to measure and identify the likelihood of a hazardous event and 
the potential for the system to function as intended. With this 
information, the railroad and FRA can confirm compliance with the 
performance standard.
    The primary goal of the risk assessment required by this proposed 
rule is to give an objective measure of the levels of safety risk 
involved for comparison purposes. As such, FRA believes the focus of 
the risk assessment ought to be the determination of relative risk 
levels, rather than absolute risk levels. Most of the analytical 
techniques explored by the Standards Task Force analyzed relative risk 
levels much more effectively than they analyzed absolute risk levels. 
Thus, the proposed rule attempts to emphasize the determination of 
relative risk.
    The Standards Task Force realized that risk assessments may be 
performed using a variety of methods, so they proposed creation of 
certain guidelines to be followed when conducting risk assessments. FRA 
feels these guidelines, captured in Sec. 236.909(e) and Appendix B, 
adequately state the objectives and major considerations of any risk 
assessment it would expect to see submitted per subpart H. FRA also 
feels these guidelines allow sufficient flexibility in the conduct of 
risk assessments, yet provide sufficient uniformity by helping to 
ensure final results are presented in familiar units of measurement.
    One of the major characteristics of a risk assessment is whether it 
is performed using qualitative methods or quantitative methods. The 
proposed rule would allow both quantitative and qualitative risk 
assessment methods to be used, as well as combinations of the two. FRA 
expects that qualitative methods should be used only where appropriate, 
and only when accompanied by an explanation as to why the particular 
risk cannot be fairly quantified. Initially, the Standards Task Force 
considered allowing only quantitative risk assessment methods to 
facilitate relative risk comparison. However, suppliers noted that 
certain risks, such as software coding errors, cannot be fairly or 
easily quantified, and that the industry practice is to assess such 
risks qualitatively. FRA invites comments addressing the extent to 
which qualitative risk assessment methods ought to be considered 
sufficient.
    The Standards Task Force further recommended that railroads/
suppliers not be limited in the type of risk assessments they should be 
allowed to perform to demonstrate compliance with the minimum 
performance standard. FRA feels that state of the art of risk 
assessment methods could potentially change more quickly than the 
regulatory process will allow, and not taking advantage of these 
innovations could slow the progress of implementation of safer signal 
and train control systems. Thus, FRA proposes that risk assessment 
methods not meeting the guidelines of this proposed rule be allowed, so 
long as it could be demonstrated to the FRA Associate Administrator for 
Safety that the risk assessment method used is suitable in the context 
of the particular product. FRA believes this determination is best left 
to the FRA Associate Administrator for Safety because the FRA would 
retain authority to ultimately prevent implementation of a system whose 
Product Safety Plan does not adequately demonstrate compliance with the 
performance standard under the proposed rule.
    Regardless of the risk assessment method used, FRA prefers the same 
method to be used for both previous condition (base case) calculations 
and calculations of risk associated with the proposed product. FRA 
prefers similar if not identical methods to be used so that meaningful 
comparisons can be made.
    However, the proposed rule does not mandate that identical methods 
be used in every case. FRA is aware that some types of risk are more 
amenable to measurement by using certain methods rather than others 
because of the type and amount of data available. For example, in 
almost all situations where advanced train control technology will be 
economically viable, safety risk data and accident histories will often 
be more abundant for the previous condition than for operation with the 
proposed product. The latter calculation will normally be based on 
supplier data about the product and modeling of how it is intended to 
be used on the railroad. Because FRA is interested in ensuring that 
each relative risk determination is accurate, the proposed rule does 
not outright mandate that the same assessment method be used. If a 
railroad does elect to use two different risk assessment methods, FRA 
will consider this as a factor for PSP approval (see Sec. 236.915(g)). 
Also, in such cases, FRA will be more likely to require an independent 
third party review and assessment (see Sec. 236.915(h)).

Section-by-Section Analysis

Section 209.11  Request for Confidential Treatment

    FRA proposes an amendment to this section, as recommended by the 
Standards Task Force, to clarify existing procedures for requesting 
confidential treatment for documents provided to the

[[Page 42362]]

FRA in connection with the agency's enforcement activities. First, the 
section would be amended to indicate that the procedures governing 
requests for confidential treatment apply to documents provided to the 
FRA in connection with the agency's enforcement of both the railroad 
safety statutes and the railroad safety implementing regulations. 
Second, the section would be amended to clarify the definition of what 
activities constitute FRA enforcement activities. Under the revised 
definition, enforcement would include receipt by the FRA of documents 
required to be submitted by FRA regulations, and all documents received 
by the FRA in connection with FRA's investigative and compliance 
activities, in addition to the development of violation reports and 
recommendations for prosecution.

Section 234.275  Processor-Based Systems

    Section 234.275 proposes standards for highway-rail grade crossing 
warning systems using new or novel technology or providing safety-
critical data to any product governed by subpart H of part 236. 
Currently part 234 provides requirements for the maintenance, 
inspection, and testing of highway-rail grade crossing warning systems. 
In September 1994, FRA issued a final rule on part 234 (Grade Crossing 
Signal System Safety, 59 FR 50,086, Sep. 30, 1994), but the final rule 
did not address processor-based warning systems which are integrated 
with signal and train control systems. FRA feels it is necessary for 
these types of systems to be addressed in subpart H because of the 
potential for their integration or interaction with processor-based 
signal and train control systems. With the large number of processor-
based warning systems currently installed at the nation's highway-rail 
grade crossings, however, it would be unrealistic to attempt to bring 
all of those within the scope of subpart H. The processor-based warning 
systems currently in use and meeting the maintenance, inspection, and 
testing requirements of part 234 do an admirable job of warning highway 
users. The Standards Task Force formed a team of its members to 
identify such items as PTC system data to be transmitted to and 
integrated with highway traffic control/information systems (future 
capability). See ``Implementation of Positive Train Control Systems,'' 
page viii (September 8, 1999). This focus captured the potential uses 
of Intelligent Transportation System (ITS) technology at highway-rail 
grade crossings. This proposed requirement identifies which processor-
based highway-rail grade crossing warning systems are subject to the 
requirements of subpart H of part 236.
    Paragraph (a) provides that relevant definitions of part 236, 
subpart H, apply to this section.
    Paragraph (b) proposes a standard for whether a highway-rail grade 
crossing warning system must meet the requirements of subpart H. ``New 
or novel technology'' is defined in the third sentence of the 
paragraph. FRA envisions new or novel technology to include such 
technology as that incorporated in new designs which do not use 
conventional track circuits or that used in ITS, which utilize data 
provided through advanced signal and train control systems to warn 
motor vehicle drivers of approaching trains. FRA does not intend for 
new or novel technology to include any technology used in current 
systems (as of the effective date of this rule). FRA is considering 
tailoring this definition to more accurately reflect the intent of the 
Standards Task Force, which was to include only technology not 
previously recognized for use in applications subject to part 234.
    Paragraph (c) proposes requirements for equipment subject to this 
section. These are additional requirements which must be included in 
the PSP.
    Paragraph (d)(1) is proposed to confirm that this section in no way 
authorizes deviation from the requirements of the Manual for Uniform 
Traffic Control Devices (MUTCD). Current ``wayside'' warning devices 
are standardized by the MUTCD. The MUTCD sets forth the basic 
principles that govern the design and usage of traffic control devices 
for all streets and highways open to public travel regardless of type 
of class or the governmental agency having jurisdiction. Part VIII of 
the MUTCD applies to traffic control systems for highway-rail grade 
crossings. Traffic control systems for such crossings include all 
signs, signals, markings and illumination devices along highways 
approaching and at crossings. Traffic control systems are required to 
be consistent with the design and application of the standards 
contained within the MUTCD.

Section 236.0  Application

    As a general matter, this proposed rule would apply to all 
railroads, with two exceptions. First, railroads which operate on track 
wholly separate from the general railroad system of transportation are 
excepted from all requirements of part 236. Second, rapid transit 
operations in an urban area which are not connected to the general 
railroad system of transportation would be unaffected by the 
requirements of part 236. FRA proposes this change in language solely 
to standardize the application of all of the federal regulations 
related to railroad safety. For additional information on the extent 
and exercise of FRA's safety jurisdiction, see 49 CFR part 209 appendix 
A as amended on July 10, 2000 (65 FR 42544).

Section 236.18  Software Management Control Plan

    This section proposes a requirement for all railroads to adopt a 
software management control plan to assure that software used in 
processor-based signal and train control equipment in service is the 
version intended by the railroad to be in service at each location. 
Simply put, a software management control plan is an inventory of 
software at each equipment location. As a processor-based signal and 
train control system ages and experiences modifications (i.e., changing 
operating conditions or upgrades in hardware and software), the 
software management control plan should be updated accordingly, 
providing traceability to previous versions of software. One should 
always be able to determine from the software management control plan 
precisely what software is installed at each equipment location in the 
field. This proposed requirement would provide an audit trail to 
determine if the correct software is installed at the correct locations 
for all processor-based signal and train control systems on a railroad.
    FRA proposes this requirement because for a considerable time after 
the introduction of processor-based equipment into signaling systems, 
components of such systems were not always handled responsibly. It was 
not unusual for railroad employees to carry in their clothing pockets 
printed circuit (PC) boards and the programmable memory devices (PROMs) 
which plug into those boards. When driving to equipment locations, 
sometimes remote, these employees would even recklessly place PC boards 
and PROMs in tool bins and tool boxes. When troubleshooting a piece of 
equipment, it was common practice to simply exchange the failed PC 
board with ones from the selection the employee had on hand until the 
device appeared to function as intended. The pulled board was often 
saved for the purpose that it might work in another device. For this 
and other reasons, in the Orders of Particular Applicability for 
processor-based train control systems on the Northeast Corridor (63 FR 
39343, 52 FR 44510),

[[Page 42363]]

PROMs were required to be soldered in place in order to assure proper 
software versions were installed on locomotives.
    With the proliferation of processor-based equipment and use of 
PROMs with both erasable and non-erasable memory, it is no longer 
practical to require the soldering of PROMs on PC boards. A software 
management plan will track the version of software which should be and 
is in use at all equipment locations on a signal and train control 
system. Therefore, a requirement for software management control plans 
would provide adequate assurance that processor-based equipment is 
programmed with the correct software version.
    The inventory should identify, among other things, the software by 
version number. FRA would expect the software management control plan 
identify and document for each equipment location the executive or 
application software name, software version number, software revision 
number, date of software revision, and a description of cyclic 
redundancy check for verifying PROM contents. The Task Force had 
initially considered a requirement that railroads adopt configuration 
management plans, which would cover both software and hardware dealing 
with safety-critical aspects of processor-based signal and train 
control systems. Railroads expressed concern that such a requirement 
would be unduly burdensome since there is no current configuration 
management requirement in place, and that certainly simple one-for-one 
hardware changes need not be tracked. As a practical matter, FRA 
envisions a limited amount of hardware tracking as a necessary element 
of software management, since software can reside in portable hardware 
elements. FRA invites comments specifically addressing this issue.
    There is currently no recognized industry standard for software 
management; however FRA is aware that other computerized systems on 
railroads such as accounting and communications systems use 
configuration management control principles. FRA believes that a 
requirement for software management control plans on signal and train 
control equipment will enhance the safety of these systems and 
ultimately provide other benefits to the railroad as well.
    This proposed requirement holds railroads responsible for all 
changes to the software configuration of their products in use, 
including both changes resulting from maintenance and engineering 
control changes, which result from manufacturer modifications to the 
product. In FRA's view, both of these types of changes carry 
significant safety implications, and should be tracked by the railroad. 
FRA is aware that most maintenance changes involve replacement of PC 
boards or software on PROMs, and that changes such as replacement of 
resistors on PC boards are not normally made by the railroad, but 
rather the product manufacturer. FRA feels that it would be appropriate 
for the railroad to track changes no deeper than at the PROM software 
levels; however, it would be unrealistic and cumbersome to expect the 
railroad to document changes such as replacement of resistors on PC 
boards. FRA invites comments specifically addressing this issue.
    It is also recognized that this requirement may unduly burden the 
railroads in situations where they receive inaccurate information from 
the product manufacturer concerning manufacturer modifications. This 
poses safety risks because a railroad relying on a manufacturer's 
statement certifying compatibility, for example, with another 
manufacturer's system may create a dangerous situation if in fact the 
two products are not compatible. FRA feels that the railroads should be 
entitled to rely on the manufacturers' product information since 
manufacturers obviously know much more about the specifics of their 
products. In essence, the proposed requirement would impose a strict 
liability standard on the railroads regardless of culpability. FRA 
invites comments addressing the issue of whether railroads and 
suppliers ought to share responsibility for the duty of maintaining 
proper software configuration, and if so, how such responsibility can 
be effectively delineated. FRA further invites comments concerning the 
scope of a product manufacturer's duty to provide accurate information 
concerning initial software configuration of its products and any 
engineering control changes.
    Paragraph (a) discusses the proposed application of this 
requirement to all railroads and how it applies to railroads not in 
operation as of the effective date of this rule. The Standards Task 
Force intended for this requirement to apply to all systems which would 
be specifically excluded by the Sec. 236.911 in subpart H. For subpart 
H products, configuration management for each product must be specified 
in the PSP and the Operations and Maintenance Manual, as required by 
Secs. 236.907(a)(13) and 236.919(b). These specifications must comply 
with the railroad's RSPP.
    Although the issue of allowance time for compliance was not covered 
by the Standards Task Force, FRA proposes a 24-month time period as 
sufficient. FRA welcomes comments specifically addressing this issue.
    Paragraph (b) proposes a requirement for software management 
control plans, and further would require that the plan identify tests 
required by the system developer and/or the railroads in the event of 
replacement, modification, and disarrangement.

Section 236.110  Results of Tests

    FRA proposes modification of existing Sec. 236.110 to include 
record keeping requirements for processor-based signal and train 
control systems under part 236, subpart H and to make it consistent 
with current agency policy concerning record keeping. As modified, 
Sec. 236.110 would incorporate in four paragraphs new language and 
language from current Sec. 236.110.
    Paragraph (a) outlines four primary changes. First, FRA proposes to 
add two new sections to the list of sections to which Sec. 236.110 
applies: Secs. 236.911 and 236.917(a), both of which apply to 
processor-based equipment covered by subpart H. Currently, there is no 
established safety record or performance history for these new types of 
systems.
    Second, paragraph (a) proposes to allow for electronic record 
keeping. In conjunction with FRA's policy of encouraging such methods 
where available and appropriate, FRA would like to allow for railroads 
to be able to avail themselves of this method. FRA proposes that 
carriers adopting electronic means to record results of tests first 
obtain FRA's approval through an application process. Requiring FRA 
approval will establish a process whereby FRA can ensure all the proper 
information (prescribed in proposed paragraph (a)) is recorded. FRA 
will also be able to determine where and how the electronic records are 
available for inspection. FRA notes that if tests are performed by 
Automated Test Equipment (ATE) the test equipment shall be identified 
by a unique number, and the test record must reflect that number.
    Third, FRA offers changes to Sec. 236.110 to make clear that 
records filed with a railroad supervisory officer with jurisdiction are 
subject to inspection and replication by FRA. Railroad supervisory 
officer is intended to mean an assistant signal supervisor, signal 
supervisor, or any responsible divisional officer. If a railroad 
receives approval for electronic record keeping, the railroad shall 
inform FRA how and where the electronic records will be available for 
inspection during normal business hours. However, in the case of life 
cycle records required by proposed Sec. 236.110(c)(1), the railroad 
shall inform

[[Page 42364]]

FRA of the office location(s) where these life cycle records will be 
kept. If electronic recordkeeping (in accordance with paragraph (e)) is 
not used for train control test records, then these records must be 
kept at the locomotive office nearest the test point location(s).
    Fourth, paragraph (a) corrects a misprint in current Sec. 236.110, 
concerning the list of sections to which it applies. The proposed 
paragraph lists in proper numerical order the sections to which 
Sec. 236.110 applies.
    Paragraphs (b), (c), and (d) provide requirements for how long such 
records specified in paragraph (a) are to be maintained. Paragraph (b) 
simply restates a current requirement of Sec. 236.110 (fourth 
sentence).
    Paragraph (c) proposes a requirement to specify the length of time 
records made in compliance with Sec. 236.917(a) are to be kept. 
Paragraph (c)(1) proposes a requirement for all railroads to maintain 
records for results of tests conducted when a processor-based signal or 
train control system is installed or modified. These records must be 
retained for the life cycle of the equipment. FRA feels tracking 
modifications to processor-based equipment is necessary, because such 
changes, especially those concerning software, are not often readily 
apparent, yet may lead to hazardous conditions. Whenever processor-
based equipment or software is modified or revised, it must be tested 
to ensure it is still functioning as intended. FRA believes these 
records will also provide valuable information to the railroad and 
manufacturer pertaining to the reliability of the equipment.
    Paragraph (c)(2) deals with maintenance and repair records. For the 
following two reasons, the Standards Task Force recommended that these 
records be kept for one year, or until the next record is made. First, 
a subset of these records (those involving hazardous events) will be 
tracked in the product's hazard log (see Sec. 236.907(a)(6)). Second, 
many repairs to signal and train control equipment are not performed by 
the railroad, but rather by contractors. It would be burdensome for 
repair records to be tracked by the railroad for the lifetime of the 
product when different contractors might be performing the actual 
repair work over the product's lifetime. Thus, a requirement for 
lifetime record retention of test records pertaining to product repairs 
would be substantially duplicative and burdensome. However, the Task 
Force noted that PSPs should address issues of railroad signal employee 
access to repair records and hazard logs for products used throughout 
the railroad, as these may contain important information for 
performance of their duties.
    Paragraph (d) simply restates a current requirement of Sec. 236.110 
(fifth sentence).
    Paragraph (e) proposes to allow electronic recordkeeping in lieu of 
preprinted paper forms.

Section 236.787a.  Railroad

    FRA proposes this definition to aid in standardizing the 
application provisions of its regulations. See also 49 CFR 238.5.

Section 236.901  Purpose and Scope

    This section describes both the purpose and the scope of subpart H.

Section 236.903  Definitions

    The term ``component'' is intended to signify an identifiable part 
of a larger program or construction. A component usually provides a 
particular function or group of related functions. By proposing such a 
definition, FRA does not intend to overburden railroads or suppliers by 
requiring safety performance data and analysis on the least significant 
of these identifiable parts. Rather, FRA encourages railroads to take 
advantage of supplier data, which is normally readily available for 
off-the-shelf components. FRA assumes that railroads and suppliers will 
use discretion to appropriately define components at levels not quite 
as simple as a resistor, but also not quite so complex that they could 
not be readily replaced. For instance, FRA envisions components defined 
no more specifically than at the printed circuit board level, or E-PROM 
level.
    The term ``executive software'' is intended to encompass that 
software which affects the overall structure of a signal or train 
control system and the nature of the interfaces between its various 
subsystems and components. Executive software remains the same from 
installation to installation; the design is not changed and it is not 
recompiled.
    The term ``full automatic operation'' is defined per recommendation 
from the Standards Task Force. This definition was crafted with respect 
to the railroad industry, which involves both freight and passenger 
operations. Other definitions come from the transit industry and 
involve such nuances as door control. The definition captures the 
notion that locomotive engineers/operators may act as both passive 
monitors and active controllers in an full automatic operating mode.
    This proposed rule is not designed to address all of the various 
safety issues which would accompany full automatic operation. Indeed, 
FRA would anticipate the need for further rulemaking to address the 
wide range of issues that would be presented should automatic operation 
be seriously contemplated. However, insofar as skills maintenance of 
the operator is concerned, the proposed rule offers standards in 
Sec. 236.927.
    The term ``human factors'' refers to the limitations in human 
performance, abilities, and characteristics that designers should 
consider when designing subpart H products. FRA believes that designers 
can improve the safety of products by considering human factors as 
early as possible in the design process. Design that does not account 
for human factors, however, can degrade safety.
    The term ``human-machine interface'' refers to the way an operator 
interacts with the product. FRA feels designers who incorporate human 
factors design principles in a human-machine interface can increase 
system safety and performance.
    The term ``Mean Time To Hazardous Event'' is used to capture the 
parameter widely accepted in the safety/reliability engineering 
discipline as a scientifically-based prediction of the measure of time 
likely to pass before the occurrence of a hazardous event. Railroads 
have indicated objection to the use of the term ``average'' or 
``expected'' in the definition of MTTHE. FRA invites comments 
addressing this issue specifically.
    The term ``new or next-generation train control system'' is 
intended to capture the notion of a train control system utilizing a 
relatively new technology or new generation of technology, not 
currently in use in revenue service. Under this definition, a 
significant change in the way signal and train control systems work, 
such as that brought about by Locomotive Speed Limiter (LSL), could be 
trigger classification as a new or next-generation train control 
system. Other factors, such as the relative maturity of the product 
brought to market, may be relevant to this determination.
    The term ``predefined change'' is intended to signify any change 
likely to have an effect on the risk assessment for the product. FRA 
imagines that predefined changes will include: additions, removals, or 
other changes in hardware, software, or firmware to safety-critical 
products, application software, or physical configuration description 
data, under circumstances capable of being anticipated when the initial 
PSP is developed. FRA is considering amending the definition of 
predefined change to includes both

[[Page 42365]]

changes made directly to the product and changes to how the product is 
used. FRA urges parties developing product PSPs to consider all likely 
configurations for the product, and include such considerations in the 
risk assessment. This will reduce the likelihood of being required to 
file a PSP amendment at a later date when the railroad wishes to 
slightly reconfigure their product or make a slight change to it.
    The term ``preliminary hazard analysis'' is intended to signify the 
process used to develop a comprehensive listing of all safety-enhancing 
or safety-preserving functions which safety-critical products will 
perform. This listing should address the requirements currently used to 
provide for safety of train movements in the Rules, Standards & 
Instructions (RS&I) (part 236). It should also be consistent with those 
requirements derived from laws of physics, such as minimum required 
braking distances, and provide guidance as to how such requirements 
should be met.
    The term ``product'' is proposed to encompass all signal or train 
control equipment which is processor-based, including: (i) A processor-
based component of a signal or train control system, and (ii) a 
processor-based subsystem of a signal or train control system, or the 
system itself, if processor-based. A processor-based subsystem is 
intended to signify a signal or train control system's subsystem which 
contains a processor-based component. A processor-based signal or train 
control system is intended to mean a signal or train control system 
which contains a processor-based component.
    For issues related to the definition of ``risk assessment,'' please 
see major issue (c)-Risk Assessment Methods.
    The term ``safety-critical'' is intended to apply to any function 
which must be correctly performed in order to avoid causing a hazardous 
condition to equipment or personnel. If not performing correctly, a 
safety-critical system, subsystem, or component could cause a hazardous 
condition or permit the occurrence of a hazardous condition which it 
was designed to prevent. An example of the latter would be an 
``overlay'' system that does not constitute any part of the method of 
operation, but maintains safe system operation should any one of the 
safety-critical functions be omitted or not performed correctly (e.g., 
human error).
    The term ``subsystem'' is intended to mean, for purposes of this 
rule, any defined portion of a system. Subsystems will normally have 
distinct functions, and may be constitute systems themselves.
    The term ``system'' is intended to mean a composite of people, 
procedures and equipment which are integrated to control signals or 
train movement within a railroad. (Adapted from Roland, Harold E. and 
Moriarty, Brian, ``System Safety Engineering and Management,'' Second 
Edition, John Wiley and Sons, Inc., 1990, p. 6.)
    The term ``system safety precedence'' is intended to capture the 
concept of a priority of means for hazard elimination or mitigation, as 
stated in Military Standard 882C, ``System Safety Program 
Requirements'' (U.S. Department of Defense; January 18, 1993).
    The term ``validation'' is slightly modified from the IEEE 
definition to incorporate the notion that validation procedures do not 
end with the end of the development cycle. Validation can be performed 
at any stage of a product's life cycle, including and especially after 
modifications are made to it. One supplier indicated that this proposed 
definition ought to be modified to exclude references to what stages in 
a product's life cycle validation is performed. Commenters are invited 
to address this issue specifically.

Section 236.905  Railroad Safety Program Plan (RSPP)

    The system approach to safety is used pervasively in a variety of 
industries to reduce the risk of accidents and injuries. FRA has 
discussed the need for this approach to safety in three recent 
rulemakings: FOX High Speed Rail Safety Standards, 62 FR 65478, Dec. 
12, 1997; Passenger Train Emergency Preparedness, 63 FR 24630, May 4, 
1998; and Passenger Equipment Safety Standards, 64 FR 25540, May 12, 
1999. System safety means the application of design, operating, 
technical, and management techniques and principles throughout the life 
cycle of a system to reduce hazards and unsafe conditions to the lowest 
level possible, through the most effective use of available resources. 
The system safety approach requires an organization to identify and 
evaluate safety hazards that exist in any portion of the organization's 
``system,'' including those caused by interrelationships between 
various subsystems or components of that system. The organization then 
creates a plan designed to eliminate or mitigate those hazards. Where 
possible, the development of a system safety plan precedes the design, 
implementation, and operation of the system, so that potential risks 
are eliminated at the earliest possible opportunity. System safety 
plans are viewed as living documents, which should be updated as 
circumstances or safety priorities change or new information becomes 
available.
    This section proposes that railroads implement FRA-approved system 
safety plans, enforce them, and update them as necessary. In this 
process, FRA proposes that the railroad implement their RSPP to 
identify and manage safety risks, and generate data for use in making 
safety decisions. Based on the philosophy of system safety planning, 
FRA believes that initiating this process prior to design and 
implementation of products covered by subpart H is necessary for 
development of safety-critical processor-based signal and train control 
systems.
    Paragraph (a) would require the railroad to adopt an RSPP. FRA 
envisions that the RSPP will be a living document that evolves as new 
information and knowledge become available. Due to the critical role 
that the RSPP plays in this proposed rule, FRA proposes that the 
railroad submit their initial plan for FRA review and approval prior to 
implementation of safety-critical products. Since the development of 
many safety-critical features in products will be guided by the RSPP, 
FRA believes that its review and approval is essential. FRA feels this 
role is a logical and necessary outgrowth of its responsibility to 
promulgate clear, enforceable, and effective safety standards. This 
paragraph also requires the railroad to submit their initial RSPP to 
FRA. FRA believes that the RSPP must be used as a guide in the earliest 
conceptual stages of a project.
    Paragraph (b) proposes that the RSPP address minimum requirements 
for development of products. It provides minimum requirements which the 
RSPP must address. FRA intends the plan to be a formal step-by-step 
process which covers: identification of all safety requirements that 
govern the operation of a system; evaluation of the total system to 
identify known or potential safety hazards that may arise over the life 
cycle of the system; identification of all safety issues during the 
design phase of the process; elimination or reduction of the risk posed 
by the hazards identified; resolution of safety issues presented; 
development of a process to track progress; and development of a 
program of testing and analysis to demonstrate that safety requirements 
are met. These minimum requirements are addressed in paragraphs (b)(1) 
through (b)(4).
    Paragraph (b)(1) proposes a requirement that the RSPP provide a 
detailed description of the tasks to be completed during the 
preliminary hazard analysis for every safety-critical

[[Page 42366]]

product developed for use on the railroad. Paragraphs (b)(1)(i) through 
(b)(1)(iv) list several types of tasks which must be included in the 
RSPP. Railroads have indicated that requirement (iv), the 
identification of the safety assessment process, appears to duplicate 
(ii), the complete description of risk assessment procedures. FRA 
intends the risk assessment to be a measurement tool, used to benchmark 
safety levels and hopefully to provide valuable safety insight to 
designers. FRA views the safety assessment process as a more 
comprehensive process in which design for safety concerns are 
effectively identified and addressed at all stages of product 
development. FRA welcomes further comments concerning the railroad's 
claim and this distinction.
    Paragraph (b)(2) discusses how the RSPP identifies validation and 
verification methods for the initial design/development process and 
future changes, including any standards to be complied with in the 
validation and verification process. The objective is that railroad 
create and maintain documentation which will facilitate an independent 
third party assessment, if required (see Sec. 236.915(h)). FRA believes 
this process will also help to refine and standardize validation and 
verification processes for each railroad.
    Paragraph (b)(3) proposes a requirement that the RSPP contain a 
description of the process used during product development to identify 
and consider the human-machine interfaces (HMIs) which affect safety. 
The proposed requirements set forth in this paragraph and in appendix E 
attempt to mandate design consideration of, among other concerns, sound 
ergonomic design practices for cab layout in order to minimize the risk 
of human error, attention loss, and operator fatigue. FRA believes it 
is necessary for railroads/product manufacturers to be able to 
demonstrate how their human factors design requirements are developed 
and that they are developed at an early stage in the product 
development process.
    Paragraph (b)(4) discusses how the RSPP identifies configuration 
management requirements for the configuration of products subject to 
subpart H. The Standards Task Force felt this requirement was necessary 
to help railroads maintain consistency in the configuration management 
of the products they use.
    Paragraph (c) describes the proposed initial review and approval 
procedures FRA will utilize when considering each railroad's RSPP. 
Paragraph (c)(1) indicates that the petition must be delivered to the 
Docket Clerk, Office of Chief Counsel, for action by the FRA Associate 
Administrator for Safety. Paragraph (c)(2) establishes the timing of 
the petition process. FRA normally responds in some fashion within 180 
days with one of the responses listed (grant the petition, deny the 
petition, or request additional information). However, there may be 
circumstances in which FRA is unable to respond as planned. 
Consequently, paragraph (c)(3) indicates that inaction by FRA within 
the 180-day period means the petition will remain pending. The petition 
is not approved until the railroad receives an affirmative grant from 
FRA. Railroad members of the Standards Task Force suggested that FRA 
should notify them if an extension to the 180-day period will be 
needed, and provide the reasons therefore. FRA invites comments 
addressing FRA's handling of RSPP petitions beyond 180 days after 
filing. Paragraph (c)(4) proposes that FRA be able to reopen 
consideration for any previously-approved petition for cause. This will 
help ensure that FRA has the ability to preempt problems erupting as a 
result of widely disparate safety priorities being implemented 
throughout the industry.
    Paragraph (d) proposes requirements for how and when RSPPs can be 
modified. First, FRA believes railroads can and should modify their 
RSPPs at any time. However, when RSPP modifications related to safety-
critical PSP requirements are involved, FRA feels its approval is 
necessary. Paragraph (d)(1) proposes a requirement that railroads 
obtain FRA approval in these cases. In any other case, the railroad 
would be able to implement the modification without FRA approval. 
Paragraph (d)(2) proposes that procedures for obtaining FRA approval of 
RSPP modifications are the same for those used to obtain initial FRA 
approval, with the added requirements that the petition identify the 
proposed modifications, the reason for the modifications, and the 
effect of the modifications on safety. FRA notes that it may not be 
necessary to remit copies of the entire RSPP.

Section 236.907  Product Safety Plan (PSP)

    This section describes the contents of the Product Safety Plan 
(PSP) that must be developed to govern each product. The provisions of 
this section require each PSP to include all the elements and practices 
listed in this section to assure these products are developed 
consistent with generally-accepted principles and risk-oriented proof 
of safety methods surrounding this technology. Further, each PSP must 
include acceptable procedures for the implementation, testing, and 
maintenance of the product.
    FRA's existing regulations covering signal and train control 
systems do not include requirements of such detail since they are based 
on minimum design standards of long standing application that are 
recognized as appropriate to achieve the expected level of performance. 
As a result of the industry's desire to move to ``performance-based 
standards'' for signal and train control systems, FRA believes it is 
necessary to include the provisions contained in this section in order 
to assure safety of railroad employees, the public, and the movement of 
trains. In addition, FRA must ensure that key elements in the 
development of products correlate with the concepts of proven standards 
for existing signal and train control systems. FRA seeks comments on 
whether the elements contained in this section are adequate or whether 
there are other requirements that should be included to assure safety.
    Paragraph (a)(1) would require the PSP include system 
specifications that describe the overall product and identify each 
component and its physical relationship in the system. FRA will not 
dictate a specific product architecture but will examine each to fully 
understand how various parts relate to one another within a system. 
Safety-critical functions in particular will be reviewed to determine 
whether they are designed on the failsafe principle. FRA believes this 
provision is an important element that can be applied to determine 
whether safety is maximized and maintainability can be achieved. 
Railroads have expressed concern over the level of detail required in 
describing the product. Commenters are invited to address this issue.
    Paragraph (a)(2) would require a description of the operation where 
the product will be used. FRA is essentially attempting to determine 
the type of operation on which the product is designed to be used. One 
signal system supplier noted that this paragraph may not be applicable 
to products which are independent of some or all of the railroad 
operation characteristics described in this paragraph. FRA invites 
comments addressing this issue.
    Paragraph (a)(3) requires the PSP to include a concepts of 
operations document containing a description of the product functional 
characteristics and how various components within the system are 
controlled. FRA believes that this provision along with that contained 
in paragraph (a)(1) above will assist in a thorough understanding of 
the

[[Page 42367]]

product. FRA will use this information to review the product for 
completeness of design for safety by comparing the functionalities with 
those contained in standards for existing signal and train control 
systems. While FRA will not prescribe standards for product design, FRA 
would require that the applicant compare the concepts contained in 
existing standards to the operational concepts, functionalities, and 
control contemplated for the product. For example, FRA requirements 
prescribe that where a track relay is de-energized, a switch or derail 
is improperly lined, a rail is removed, or a control circuit is opened, 
each signal governing movements into a block occupied by a train, 
locomotive, or car must display its most restrictive aspect for the 
safety of train operations. FRA intends to apply the same concept, 
among others, when reviewing PSPs to assure such minimum safety 
requirements exist.
    Paragraph (a)(4) proposes that the PSP include a safety 
requirements document that identifies and describes each safety-
critical function of the product. FRA intends to use this information 
to determine that appropriate safety concepts have been incorporated 
into the proposed product. For example, existing regulations require 
that when a route has been cleared for a train movement it cannot be 
changed until the governing signal has been caused to display its most 
restrictive indication and a predetermined time interval has expired 
where time locking is used or where a train is in approach to the 
location where approach locking is used. FRA will apply this concept, 
among others, to determine whether all the safety-critical functions 
are included. Where such functionalities are not clearly determined to 
exist as a result of technology development, FRA will expect the 
reasoning to be stated and justification provided how that technology 
provides equivalent or greater safety. Where FRA identifies a void in 
safety-critical functions, FRA will expect remedial action prior to use 
of the system. Interested parties are asked to comment on the adequacy 
of this process for preserving railroad safety.
    Paragraph (a)(5) would require the PSP to contain a document 
demonstrating that the product architecture satisfies the safety 
requirements. The product architecture is expected to cover both 
hardware and software aspects which identify the protection developed 
against random hardware faults and systematic errors. Further, the 
document should identify the extent to which the architecture is fault 
tolerant. This provision may be included in the requirements of 
paragraph (a)(1).
    Paragraph (a)(6) proposes that a hazard log be included in the PSP. 
This log consists of a comprehensive description of all hazards to be 
addressed during the life cycle of the product, including maximum 
threshold limits for each hazard (for unidentified hazards, the 
threshold shall be exceeded at one occurrence). The hazard log 
addresses safety-relevant hazards, or incidents/failures which affect 
the safety and risk assumptions of the product. Safety-relevant hazards 
include events such as false proceed signal indications and false 
restrictive signal indications. If false restrictive signal indications 
happen on any type of frequency, they could cause train crew members or 
other users (roadway workers, dispatchers, etc.) to develop a 
lackadaisical attitude towards complying with signal indications or 
instructions from the product, creating human factors problems. 
Incidents in which stop indications are inappropriately displayed may 
also necessitate sudden brake applications that may involve risk of 
derailment due to in-train forces. Other unsafe or wrong-side failures 
which affect the safety of the product will be recorded on the hazard 
log. The intent of this paragraph is to identify all possible safety-
relevant hazards which would have a negative effect on the safety of 
the product. Right-side failures, or product failures which have no 
adverse effect on the safety the product (i.e., do not result in a 
hazard) would not be required to be recorded on the hazard log.
    Paragraph (a)(7) would require that a risk assessment be included 
in the PSP. See major issue (c)-Risk Assessment Methods. FRA will use 
this information as a basis to confirm compliance with the minimum 
performance standard.
    Paragraph (a)(8) proposes that a hazard mitigation analysis be 
included in the PSP. The hazard mitigation analysis must identify the 
techniques used to investigate the consequences of various hazards and 
list all hazards addressed in the system hardware and software 
including failure mode, possible cause, effect of failure, and remedial 
actions. A safety-critical system must satisfy certain specific safety 
requirements. Leveson, Nancy G., ``Safeware: System Safety and 
Computers,'' Addison-Wesley Publishing Company, 1995. To determine if 
these requirements are satisfied, the safety assessor must review and 
assess the results of the following tasks:
    1. Hazards associated with the system have been comprehensively 
identified.
    2. Hazards have been appropriately categorized according to risk 
(likelihood and severity).
    3. Appropriate techniques for mitigating the hazards have been 
identified.
    4. Hazard mitigation techniques have been effectively applied.
FRA does not expect that the safety assessment will prove absolutely 
that a product is safe. However, the safety assessment should provide 
evidence that risks associated with the product have been carefully 
considered and that steps have been taken to eliminate or mitigate 
them. Hazards associated with product use need to be identified, with 
particular focus on those hazards found to be have significant safety 
effects. Then, the designer must take steps to remove them or mitigate 
their effects. Hazard analysis methods are employed to identify, 
eliminate and mitigate hazards. Under certain circumstances, these 
methods will be required to be reviewed by an independent third party 
for FRA approval.
    Paragraph (a)(9) would also require that the PSP address safety 
verification and validation procedures. FRA believes verification and 
validation for safety are vital parts of the development of products 
and, in certain cases, should be performed by a third party. 
Verification and validation requires forward planning and, 
consequently, the PSP should identify the test planning at each stage 
of development and the levels of rigor applied during the testing 
process. FRA will use this information to assure the adequacy and 
coverage of the tests are appropriate.
    Paragraph (a)(10) would require the PSP to include the results of 
the safety assessment process by analysis that identifies each 
potential hazard and an evaluation of the events leading to the hazard; 
identification of safety-critical subsystems; the safety integrity 
level of each safety-critical subsystem; design of each safety-critical 
subsystem; results of a safety integrity analysis to assess the safety 
integrity level achieved by the safety-critical subsystems; and ensure 
from the analysis that the safety integrity levels have been achieved. 
FRA expects the safety assessment process to be clearly stated and 
thorough according to the complexity of the product. FRA realizes that 
paragraphs (a)(9) and (a)(10) may overlap in terms of requirements, and 
is considering consolidation of the concepts required in these two 
paragraphs.
    Paragraph (a)(11) would require a human factors analysis which 
addresses

[[Page 42368]]

all human-machine interfaces (HMI's) and all product functions to be 
performed by humans to enhance or preserve safety. FRA expects this 
analysis to place special emphasis on human factors coverage of safety-
critical hazards including the consequences of human failure to 
perform. Each HMI is to be addressed including the basis of assumptions 
used for selecting each such interface, its effect upon safety and 
identification of potential hazards associated with each interface. 
Where more than one employee is expected to perform duties dependent 
upon the output of, or input to, the HMI, the analysis must address the 
consequences of human failure to perform singly or in multiple. FRA 
uses this information to determine the HMI's effect upon the safety of 
railroad operations. The human factors analysis must address all 
criteria listed in Appendix E, unless approval is obtained from the 
Associate Administrator for Safety to use other equally suitable 
criteria. The Standards Task Force felt this flexibility is necessary 
for designers to have.
    Paragraph (a)(12) would require the railroad to include in its PSP 
the training, qualification, and designation program for workers who 
perform inspection, testing, and maintenance tasks involving the 
product. FRA believes many benefits accrue from the investment in 
comprehensive training programs which, among other things, are 
fundamental to creating a safe workforce. Effective training programs 
can result in fewer instances of human casualties and defective 
equipment, leading to increased operating efficiencies, less 
troubleshooting, and decreased costs. FRA expects any training program 
to include employees, supervisors and contractors engaged in railroad 
operations, installation, repair, modification, testing, or maintenance 
of equipment and structures associated with the product.
    Paragraph (a)(13) would require the PSP to identify specific 
procedures and test equipment necessary to ensure the safe operation, 
installation, repair, modification and testing of the product. 
Requirements for operation of the system must be succinct in every 
respect. The procedures must be specific about the methodology to be 
employed for each test to be performed that is required for 
installation, repair, or modification including documenting the results 
thereof. FRA will review and compare the repair and test procedures for 
adequacy against existing similar requirements prescribed for signal 
and train control systems. FRA will use this information to ascertain 
the product will be properly installed, maintained and tested.
    Paragraph (a)(14) provides that products may be so designed that 
existing requirements contained in part 236, subparts A, B, C, D, E, 
and F are not applicable. In this event, the PSP must identify each 
pertinent requirement considered to be inapplicable, fully describe the 
alternative method used that equates to that requirement and explain 
how the alternative method fulfills or exceeds the provisions of the 
requirement. FRA notes that certain sections of part 236 may always be 
applicable to subpart H products. For example, Sec. 236.0 prescribes, 
among other requirements, the conditions and speeds for which block 
signal systems and automatic cab signal, train stop, and train control 
systems must be installed. These are benchmark safety levels related to 
operational considerations against which the safety performance of 
innovative newer systems will be compared. Further, FRA will determine 
whether the product fully embodies the concepts of proven standards for 
existing signal and train control systems, as captured by subparts A-G 
of part 236.
    Paragraph (a)(15) would require the PSP to include a description of 
the security measures necessary to meet the specifications for each 
product. Security is an important element in the design and development 
of products and covers issues such as developing measures to prevent 
hackers from gaining access to software and developing measures to 
preclude sudden system shutdown. The description should identify the 
formal method used in development of the system software, identify each 
hazard and its consequence in event of failure that was mitigated by 
using the formal method, and indicate the results of the formal proofs 
of correctness of the design. Where two or more subsystems or 
components within a system have differing specifications, the 
description should address the safety measures for each subsystem or 
component and how the correctness of the relationships between the 
different specifications were verified. Where two formal methods are 
used in developing safety-critical software from the same 
specification, the description should explain why the more rigorous 
method was not used throughout development process and the effect on 
the design and implementation.
    Paragraph (a)(16) would require warnings to ensure safety be 
addressed in the Operations and Maintenance Manual and warning labels 
placed on the equipment of each product as necessary. Such warnings 
include, but are not limited to, means to prevent unauthorized access 
to the system; warnings of electrical shock hazards; cautionary notices 
opposing improper usage, testing or operation; and configuration 
management of memory and databases. The PSP should provide an 
explanation justifying each such warning and an explanation of why 
there are no alternatives that would mitigate or eliminate the hazard 
for which the warning is placed.
    Paragraph (a)(17) would require the railroad to develop 
comprehensive plans and procedures for product implementation. 
Implementation (validation or cutover) procedures must be prepared in 
detail and identify the processes necessary to verify the product is 
properly installed and documented, including measures to provide for 
the safety of train operations during installation. FRA will use this 
information to ascertain the product will be properly installed, 
maintained and tested.
    Paragraph (a)(18)(i) would require the railroad to provide a 
complete description of the particulars concerning measures required to 
assure products, once implemented, continue to provide the expected 
safety level without degradation or variation over their life cycles. 
The measures must be specific regarding prescribed intervals and 
criteria for testing, scheduled preventive maintenance requirements, 
procedures for configuration management, modifications, and repair, 
replacement and adjustment of equipment. FRA intends to use this 
information, among other data, to monitor the product to assure it 
continues to function as intended.
    Paragraph (a)(18)(ii) discusses a PSP requirement to include a 
description of each record concerning safe operation. Recordkeeping 
requirements for each product are discussed in Sec. 236.917.
    Paragraph (a)(19) proposes a requirement that the PSP include a 
description of all backup methods of operation and safety critical 
assumptions regarding availability of the product. FRA believes this 
information is essential for making determinations about the safety of 
a product and both the immediate and long-term effect of its failure. 
Railroads have indicated concern that product availability is not in 
itself a safety function, and that therefore this requirement may be 
too broad. FRA suggests that availability is directly related to safety 
to the extent the backup means of controlling operations involves 
greater risk (either inherently

[[Page 42369]]

or because it is infrequently practiced) and invites comments 
addressing this issue.
    Paragraph (b) discusses predefined changes. PSPs should identify 
the various configurable applications of the product, since this rule 
mandates use of the product only in the manner described in its PSP 
(see Sec. 236.915(d)). FRA recognizes that railroads' rights-of-way 
vary with regard to the number of tracks and layouts of interlockings, 
junctions and stations over which train movements are made at various 
speeds and density. Products may contain identical subsystems or 
components having configurable features to provide the capability of 
controlling a variety of track layout schemes. The PSP must clearly set 
forth those attributes in such equipment that may be employed or 
expunged without degradation or variation of safety over the life cycle 
of the system, as well as the impact such changes may have in the risk 
assessment. Satisfaction of the minimum performance standard must be 
demonstrated for each predefined change. Also, the PSP must fully 
describe the procedures to be followed for each change and the 
inspections and tests necessary to assure the system functions as 
intended.
    Paragraph (c) discusses incremental and maintenance changes. The 
term ``incremental change'' is intended to capture the concept of 
planned version changes to a product, usually software-type changes. 
FRA believes these changes will be necessary in order for products to 
acquire capabilities to perform added functions as safety requirements 
change. The goal of this paragraph is to encourage as many subsequent 
product changes as possible to be considered by initial designers 
during the product development stage, in order to avoid, to the extent 
possible, changes made by persons with no link to initial safety design 
considerations.

Section 236.909  Minimum Performance Standard

    FRA has attempted to craft a substantive standard which is 
performance-based rather than prescriptive. In short, FRA desires to 
establish what level of performance must be achieved, but not how it 
must be achieved. The objective of the minimum performance standard FRA 
proposes is simple: new processor-based signal and train control 
systems must be at least as safe as the systems they would replace. The 
challenge inherent in this performance-based standard is measuring 
performance levels. For FRA, this challenge becomes one of being able 
to confirm compliance.
    Paragraph (a) proposes the performance standard for all products to 
be covered by this rule. The railroad must establish with a high degree 
of confidence through its safety analysis that introduction of the 
system will not result in a safety risk level that exceeds the level of 
safety risk in the previous condition. In short the railroad must prove 
that safety is not degraded. This proposed standard places the burden 
on the railroad to demonstrate that the safety analysis provides a high 
degree of confidence. Under the proposed regulatory scheme, FRA will 
have access to the railroads' analyses, and will remain as likely to 
detect obvious shortcomings in them.
    FRA is considering moving the second clause of the last sentence of 
paragraph (a), which requires the railroads to make available the 
necessary analyses and documentation. This requirement may be moved for 
organizational purposes to a more specific section in the proposed 
rule.
    Paragraph (b) indicates that FRA would rely on the factors listed 
in Sec. 236.915(g)(2) when assessing whether the petitioner made has 
met the performance standard for the product through employment of 
sufficient safety analysis. ``FRA review of PSP'' is intended to apply 
to both FRA review of petitions for approval and FRA review of 
informational filings, which, for good cause, are treated as petitions 
for approval. Railroads have indicated concern that this proposal does 
not provide for an administrative appeals procedure. FRA believes that 
determinations under this subpart should be made at the technical 
level, rather than the policy level, due to the complex and sometimes 
esoteric subject matter. FRA invites comments specifically addressing 
this issue.
    Paragraphs (c) and (d) propose standards for the scope of the risk 
assessment to be conducted. Unless criteria for an abbreviated risk 
assessment are met, a full risk assessment would be required for each 
product.
    Paragraph (c) describes the proposed scope for a full risk 
assessment. The Standards Task Force desired to clearly define the 
scope of the risk assessment by addressing only risks relevant to 
safety of the product. Thus, they decided that only affected risks need 
be addressed. Take, for instance, the risk of injury due to a broken 
handhold on a freight car. It is obvious that this risk would not be 
affected by implementation of a new signal and train control system, 
and therefore need not be included in the risk assessment. However, any 
risk which is affected by introduction, modification, replacement or 
enhancement of the product must be accounted for. The proposed standard 
further explains that these risks can be broken down into three 
categories to include: new risks, eliminated risks, and risks neither 
new nor eliminated whose nature (probability of occurrence or severity) 
has changed. FRA understands that many of the affected risks relate to 
very low probability events with severe consequences. These risks might 
be overwhelmed if analyzed in combination with other, more probable 
risks, which would not be affected by the change.
    Paragraph (d) proposes a simpler approach to demonstrate compliance 
with the performance standard for less complex changes such as 
replacement of certain signal and train control system components. The 
Standards Task Force recommended allowing for this simpler approach 
when the type of change is sufficiently basic. This proposed class of 
changes is defined as one which does not introduce any new hazards into 
the railroad operation (that is, different from the previous method of 
operation) and which maintains the same (or less) levels of risk 
exposure and severity for hazards associated with the previous 
condition. The Standards Task Force felt comfortable with this 
distinction since no new hazards are introduced with introduction of 
the product, and hazards which were present in the original operation 
are sufficiently contained (not increased in severity or exposure 
thereto). An example of this type of change would be replacement of a 
component in a signal and train control system with a newer-generation 
processor-based component which performs the same function. No new 
hazards would likely be introduced that weren't already there, original 
hazards would not be subject to higher exposure, and original hazards 
would not be subject to an increase in severity. Unless introduction of 
the new product is accompanied by changes in operation, the hazards 
encountered by the new product (which will normally be a component of 
the system) would be identical in both severity and exposure.
    For changes analyzed using this simplified analysis, risk 
associated with operation under the new product is assumed to be 
proportional to its Mean Time to Hazardous Event (MTTHE). Therefore, 
changes in risk are assumed to be proportional to changes in MTTHE. The 
Standards Task Force proposed this simplified approach based on the 
principle that when risk severity and risk exposure remain constant, 
risk is directly proportional to the probability of a hazardous event

[[Page 42370]]

occurring. This is demonstrated by the equation:

riskh = probabilityh * severityh

which, in basic terms, states that the risk of a hazard occurring is 
equal to the probability of the hazard occurring multiplied by the 
severity of the hazard. The product's MTTHE is a convenient indication 
of hazard probability levels for two reasons. First, suppliers have 
indicated that MTTHE figures can be made readily available since they 
are already used by some railroad signal and train control system 
suppliers of off-the-shelf components used in those systems. Second, 
MTTHE is inversely related to the hazard probability identified in the 
equation above.
    If in the above equation the hazard severity is kept constant, 
hazard probability remains directly proportional to the risk. This is 
true only if the exposure to the risk, which is related primarily to 
railroad operating practices (i.e., train speeds, train volumes, 
utilization of product, etc.), remains the same. This way risk 
associated with operation under the resulting system is directly 
proportional to the MTTHE of the new product. This condition on risk 
exposure is necessary since it precludes changes in train volume or 
other operating practices which may affect the actual safety risk 
encountered.
    Suppliers requested that severity not be locked into place in order 
to fit into this exception, but also to allow for cases where 
introduction of the product may bring about a reduction in hazard 
severity. Although an example might be difficult to imagine, FRA is 
confident that in such case it is mathematically impossible for safety 
risk levels to increase.
    Under these conditions, the FRA feels MTTHE is a sufficient 
indication of risk, thereby warranting a simplified risk assessment. 
The FRA seeks comments on whether this exception from the full rigors 
of the risk assessment is appropriate, and if not, to what extent the 
required analysis should become more rigorous as the complexity of the 
proposed system increases.
    Paragraph (e) proposes general principles for the conduct of risk 
assessments and which methods may be used (see Major Issue (c)--``Risk 
Assessment Methods'').
    Paragraph (e)(2) contains general criteria for each risk 
calculation. FRA has identified three variables which must be provided 
with risk calculations: accident frequency, severity, and exposure. 
Traditionally, risk is defined as the expected frequency of unsafe 
events multiplied by the expected consequences. FRA feels that exposure 
should be identified because increases in risk due to increased 
exposure could be easily distinguished from increases in risk due 
solely to implementation and use of the proposed product. FRA is 
primarily interested in risks relevant to use of the proposed product. 
FRA feels it would be inconsistent policy to insist to a railroad which 
intends to double its traffic on one rail line that it halve its 
accident rate if it puts in a new signal or train control system. 
Conversely, FRA feels a railroad should not be allowed to implement a 
new signal or train control system which projects double the original 
accident rate on a line simply because it intends to reduce its traffic 
volume on that line by one half. A requirement to identify exposure 
will help define risks relevant to use of the proposed product.
    Risk exposure may be indicated by the total number of train miles 
traveled per year or total passenger miles traveled per year, if 
passenger operations are involved. FRA believes risk to operations 
involving passengers is highly relevant, since advanced train control 
technology will most certainly find uses on such lines. NTSB has 
specifically recommended application of advanced train control 
technology to lines with passenger traffic. NTSB/Railroad Accident 
Report-93/01. FRA believes any change should not adversely affect the 
safety of passenger operations. However, a risk assessment method which 
does not account separately for passenger miles could, in theory, 
obscure an increase in risk for passengers that was offset by a 
reduction in freight-related damages.
    In earlier drafts the FRA had proposed to the Standards Task Force 
that risk measurements be adjusted for exposure in units of train-miles 
per year, passenger miles per year or ton-miles per year, but that the 
units not be mandated in the rule. Since most freight railroads keep 
safety data in terms of train-miles and gross train-miles for each 
railroad must be reported to FRA under part 225, FRA does not believe 
many railroads will burden themselves additionally by maintaining other 
data for purposes of this requirement.
    The FRA seeks comment on this proposed requirement to account for 
exposure in the units mentioned above, specifically regarding the 
appropriateness of this approach and other possible approaches.
    Paragraph (e)(2) also covers a proposed requirement for risk 
severity measurements. FRA proposes to allow railroads to measure risk 
severity either in terms of total accident costs, including property 
damage, injuries and fatalities, or in simpler terms of expected 
fatalities only. FRA proposes the two alternatives in order to allow 
flexibility, and to permit the railroads to avoid metrics which could 
be misconstrued as trading dollars for lives, when in fact they would 
be more comprehensive in avoiding accident consequences.
    FRA wishes to make clear that the sole purpose of the risk 
assessment in this proposed rule is to require railroads to produce 
certain safety risk data which will allow the agency to make informed 
decisions concerning projected safety costs and benefits. FRA feels 
this is a necessary component of the proposed performance standard in 
order for FRA to be able to effectively carry out its statutory duties 
as a regulatory agency. By proposing a requirement for a risk 
assessment, FRA does not intend to create a presumptive amount of 
damages for tort liability after an accident occurs. In order to help 
maintain the safety focus of this requirement, FRA proposes an 
allowance for railroads to use only fatality costs. FRA believes that 
for the types of safety risks involving signal and train control, total 
accident costs and total fatalities correspond closely enough to allow 
an accurate view. Thus FRA believes that allowing the alternative 
measure would not change substantially the risk assessment.
    Paragraph (e)(3) involves the issue of concurrent changes in 
railroad operations. Railroads intending to implement products covered 
by subpart H may intend to change operational characteristics at the 
same time to take advantage of the benefits of the new technology. FRA 
envisions increased train volumes, passenger volumes, and/or operating 
speeds to be likely changes to accompany implementation of subpart H 
products. The proposal would require the railroad to analyze the total 
change in risk, then separately identify and distinguish risk changes 
associated with the use of the product itself from risk changes due to 
changes in operating practices (i.e., risk changes due to increased/
decreased operating speed, etc.). FRA believes this procedure will be 
necessary to make an accurate comparison of the relevant risks for 
purposes of determining compliance with the minimum performance 
standard in Sec. 236.909(a).
    The second sentence of paragraph (e)(3) concerns changes in 
operating speeds related to required signal and train control systems 
for passenger and freight traffic. In such case, the provisions of 
Sec. 236.0 would normally apply, mandating the use of certain 
technologies/operating methods. Thus,

[[Page 42371]]

for changes to operating speeds, the previous condition calculation 
must be made according to the assumption that such systems required by 
Sec. 236.0(c) (and Sec. 236.0(d), if applicable) are in use. This 
proposed requirement ensures that a minimum level of safety set by 
Sec. 236.0, which would otherwise normally apply, is respected and not 
circumvented.
    In addition to including an adjustment in the previous condition to 
account for increases in train speeds as addressed in Sec. 236.0, FRA 
also intends that an adjustment be made if necessary to take into 
consideration the need for fluid traffic management. For instance, if 
the railroad proposed to implement a non-vital overlay train control 
system in dark territory in connection with major projected increases 
in traffic, the previous condition would need to be adjusted to assume 
installation of a traffic control system (which, under the options 
available under current part 236, would be needed as a practical matter 
to move the increased numbers of train across the territory). Since 
research in connection with the Corridor Risk Assessment Model 
indicates that operations in dark territory have a much higher risk of 
collision than in signal territory (when normalized on a train mile 
basis), this adjustment will set the safety baseline at an appropriate 
level for purpose of making the necessary comparison. Failure to make 
this adjustment within the previous condition would at least 
theoretically permit a progressive worsening of the safety situation as 
new technology is brought on line.
    FRA specifically invites comments addressing this method of 
accounting for concurrent changes in operating practices and comments 
proposing other methods.

Section 236.911  Exclusions

    Paragraph (a) addresses the exclusion from the requirements of 
subpart H, or grandfathering, of existing products. Railroads employ 
numerous safety-critical products in their existing signal and train 
control systems. These existing systems have proven to provide a very 
high level of safety, reliability, and functionality. FRA believes it 
would be a tremendous burden on the rail industry to apply this subpart 
to all existing systems, which have to date proven safe.
    Paragraph (b) addresses the products that are designed in 
accordance with part 236, subparts A through G, not in service at 
present but which will be in the developmental stage or completely 
developed prior to the effective date of this subpart. The Standards 
Task Force felt these products ought to be excluded from the 
requirements of subpart H upon notification to FRA. FRA agrees that it 
would be too costly for the railroads and suppliers to redo work and 
analysis for a product on which development efforts have already begun. 
Similarly, it would be unfair to subject later implementations of such 
technology to the requirements of subpart H. In addition, the Standards 
Task Force felt that railroads ought to be given the option to have 
products which are excluded made subject to subpart H by submitting a 
PSP and otherwise complying with subpart H.
    Paragraph (c) addresses the exclusion of existing and future 
deployments of existing office systems technology. Currently, some 
railroads employ these dispatch systems as part of their existing 
signal and train control systems. These existing systems have proven to 
provide a very high level of safety, reliability, and functionality. It 
would be a tremendous burden on the rail industry to apply subpart H to 
this proven technology. The Standards Task Force recommended that a 
subsystem or component of an office system must comply with subpart H 
if it performs safety-critical functions within a new or next-
generation signal and train control system. The Standards Task Force 
felt this would assure the safe performance of the system.
    Paragraph (d) proposes requirements for modifications of excluded 
products. The Standards Task Force felt that at some point changes to 
excluded products qualified as significant enough to require the safety 
assurance processes of subpart H to be followed. This point exists when 
a change results in degradation of safety or in a material increase in 
safety-critical functionality.
    Paragraph (e) clarifies the application of subparts A through G to 
products excluded by this section.

Section 236.913  Notification to FRA of PSPs

    This section describes the railroad's requirements for notifying 
FRA of its preparation of a PSP to ensure compliance with procedures 
established in the RSPP and the requirements of this subpart.
    Paragraph (a) proposes a requirement for preparation of a PSP, and 
discusses the circumstances under which a joint PSP must be prepared. 
``Normally subject to joint operations'' is intended to mean any 
territory over which trains are regularly operated by more than one 
railroad. FRA does not intend to require a joint PSP for territory over 
which trains are re-routed on an emergency basis, unless there are 
other, scheduled trains conducted over this territory by more than one 
railroad. Railroads have expressed concern that this standard may be 
too restrictive if it includes any territory over which more than one 
railroad has operating rights. However, where a railroad has operating 
rights over a territory where a new train control system will be 
installed, that railroad's locomotives will need to be appropriately 
equipped. FRA invites comments specifically addressing this issue.
    In paragraph (b), FRA proposes a two-tiered approach where some 
products require an informational filing, while others will necessitate 
full FRA review and approval by petition. The railroad must submit a 
petition for approval only when installation of new or next-generation 
train control systems is involved. During the course of its 
deliberations, the Standards Task Force developed a matrix of railroad 
actions regarding processor-based signal and train control systems and 
what level of FRA scrutiny ought to be required. Eventually, the group 
whittled this matrix down to three situations for which the railroad 
must petition the FRA for approval. These were: (1) Any installation of 
a new or next-generation train control system; (2) any replacement of 
an existing PTC system with a new or next-generation train control 
system, and (3) any replacement of an existing PTC system with an 
existing PTC system. All other situations would require an 
informational filing, subject to the procedures proposed in 
Sec. 236.913(e). The Standards Task Force ultimately recommended that 
existing processor-based train control systems should be subject to the 
requirements of proposed Sec. 236.911, so the third situation was no 
longer considered as subject to petition procedures. Also, since the 
second situation is a subset of the first, only one situation remains 
for which a petition for FRA approval is required. FRA agrees with the 
recommendation, that review and approval is merited for all 
installations involving new or next-generation train control systems; 
mere informational filings will not be sufficient in this case. 
However, FRA invites comments specifically addressing this issue.
    In addition, some changes requiring a PSP are most appropriately 
combined with modifications made in accordance with part 235. Any 
product change or implementation needs an information filing at a 
minimum. Paragraph (b) also notes that some issues may be addressed 
through FRA's waiver process in part 211.
    Paragraph (c) proposes procedures for submitting informational 
filings.

[[Page 42372]]

Informational filings are less formal and detailed than full petitions 
for approval, and FRA will in most instances merely audit to determine 
whether the railroad has followed the requirements established in its 
RSPP. Since this process is expected to be less complicated and formal 
than a full petition for approval review, FRA anticipates being able to 
respond within 60 days. The railroad must specify where the PSP is 
physically located since FRA may want to inspect it during normal 
business hours. This might alleviate any FRA concerns, negating the 
need for treating the informational filing as a petition for approval. 
Upon recommendation by the Standards Task Force, FRA has attempted to 
provide general criteria for situations in which FRA would require an 
informational filing to be upgraded to a full petition for approval. 
FRA proposes these filings will be upgraded only for good cause, and 
gives examples of what would be considered good cause. FRA invites 
comments specifically addressing these criteria for upgrading of 
informational filings.
    Paragraph (d) discusses proposed requirements for petitions for 
approval. FRA classifies petitions for approval into two categories: 
those involving prior FRA consultation (covered in paragraph (d)(1)) 
and those that do not (covered in paragraph (d)(2)). In this proposed 
rule, FRA does not require prior consultation but attempts to 
accommodate railroads' often tight development and implementation 
schedule by getting involved early. Optimally, FRA feels it should be 
involved at the system design review phase of development, thereby 
reducing the scope of FRA review which might otherwise be required. FRA 
believes that a railroad's failure to involve FRA early enough in the 
process could potentially delay FRA approval and system implementation, 
which is often a result of delayed government involvement. This 
proposed rule invites the railroad to garner government involvement at 
an early stage in the development of a product requiring a petition for 
approval or a product change for which a petition for approval is 
required. Paragraph (d)(1) discusses for petitions for approval 
involving prior FRA consultation. Under this procedure, FRA issues a 
letter of preliminary review within 60 days of receiving the Notice of 
Product Development. This process allows FRA to more easily reach a 
decision on a petition for approval within 60 days of receipt.
    Paragraph (d)(2) discusses petitions for approval which do not 
involve prior FRA consultation. When railroads wait to involve FRA 
until they are approaching use of the system in revenue service, 
paragraph (d)(2)(iii) specifies that the agency will attempt to act on 
the petition within 180 days of filing. If FRA does not act on the 
petition, within 180 days it will notify the petitioner as to why the 
petition remains pending. The Standards Task Force felt that railroads 
should be encouraged to take necessary safety assurance steps to cure a 
petition of any apparent inadequacies before FRA requires a third party 
review.
    Paragraph (e)(1) proposes a role for product users in the review 
process. FRA believes comments from employees who will be working with 
products covered by this subpart will provide useful safety insight. 
Accordingly, FRA will consider them to the degree practicable.
    Paragraph (e)(2) proposes that FRA provide notice to the public of 
pending filings and petitions. This method of notice would allow local, 
national and international labor organizations to get involved with 
issues of interest. FRA believes that information provided by 
organizations whose members work directly with or will work directly 
with products subject to this subpart is important. FRA will consider 
any information it receives to the degree practicable, when involved in 
the review of informational filings and petitions for approval.
    Paragraph (f) would allow for railroads to file petitions for 
approval prior to field testing and validation of the product. The 
petition for approval process must provide information necessary to 
allow FRA involvement in monitoring of the test program. FRA would 
encourage railroads to avail themselves of this provision so as to 
provide FRA with notice of the product development earlier rather than 
later in the development process.
    Paragraph (g) describes the approval process of a PSP. A PSP gains 
approval when the requirements listed in paragraph (g)(1) have been 
met.
    Paragraph (g)(2) lists the factors which FRA will consider when 
evaluating the railroad's risk assessment. As the Standards Task Force 
toiled with this subject it was felt that some guidance or 
acknowledgment of what factors would be considered by FRA during this 
process should be spelled out. Paragraph (g)(2)(i) explains FRA will 
consider the product's compliance with recognized standards in product 
development. FRA feels the use of recognized standards in system design 
and safety analyses, accepted methods in risk estimates and proven 
safety records for proposed products would benefit their ability to act 
safely, consistently, and in a timely manner on PSP approvals. 
Paragraph (g)(2)(iii) states FRA will consider as a factor the overall 
complexity and novelty of the product design. Railroads have indicated 
this factor appears to be a barrier to innovation. FRA invites comments 
specifically addressing this topic. Paragraph (g)(2)(vii) lists as a 
factor whether or not the same risk assessment method was used for both 
the previous condition and the risk calculation for the proposed 
product. FRA feels this is important because risk assessment methods 
vary widely in nature. A common characteristic is their ability to 
describe relative differences in risk associated with changes in the 
environment, rather than predicting absolute values for future safety 
performance. However, railroads have indicated their belief that so 
long as the methods are acceptable to FRA, it should not matter whether 
a different one was used. FRA has indicated its position with respect 
to the choice of risk assessment method in its discussion of entitled 
``Major Issues (c)--Risk Assessment Methods.'' FRA specifically invites 
comments addressing whether factor (vii) ought to be included as a 
factor either in the PSP approval decision or the decision to recommend 
a third party assessment.
    Paragraph (g)(3) discusses additional factors FRA considers in its 
decision concerning use of the product by the railroad. Paragraph 
(g)(4) indicates that FRA is not limited to either granting or denying 
a petition for approval as is, but rather may approve it with certain 
conditions. Paragraph (g)(5) includes the proposal that FRA be able to 
reopen consideration of a petition for cause and sets forth potential 
reasons for reopening, including such circumstances as credible 
allegation of error or fraud, assumptions determined to be invalid as a 
result of in-service experience, or one or more unsafe events calling 
into question the safety analysis underlying the approval.
    Paragraph (h) proposes factors considered by FRA when requiring a 
third party assessment and who qualifies as an independent third party.
    Paragraph (h)(1) lists those factors, as developed by the Standards 
Task Force, many of which are the same used in deciding whether to 
approve a PSP. The Standards Task Force developed this list as guidance 
to product developers for criteria they would be expected to meet to 
avoid the prospect of a third party assessment.
    Paragraph (h)(2) defines the term ``independent third party'' as 
recommended by the Standards Task

[[Page 42373]]

Force. FRA may maintain a roster of recognized technically competent 
entities, as a service to railroads selecting reviewers under this 
subpart. Interested parties may submit credentials to the Associate 
Administrator for Safety for consideration to be included in such a 
roster. Railroads have indicated concern that the proposed definition 
is unduly restrictive because it limits independent third parties to 
ones ``compensated by'' the railroad. FRA believes that requiring the 
railroad to compensate a third party will heighten the railroad's 
interest in obtaining a quality analysis and will avoid ambiguous 
supplier/third party relationships that could indicate possible 
conflicts of interest. FRA specifically invites comments addressing 
this issue.
    Paragraph (h)(3) notes that the minimum requirements of a third 
party audit are outlined in Appendix D and that FRA limits the scope of 
the assessment to areas of the safety validation and verification which 
deserve scrutiny. This will allow reviewers to focus on areas of 
greatest safety concern and eliminate any unnecessary expense to the 
railroad. In order to limit the number of third party assessments, FRA 
first strives to inform the railroad as to what portions of a submitted 
PSP could be amended to avoid the necessity and expense of a third 
party assessment altogether.
    Paragraph (i) discusses handling of PSP amendments. The procedures 
which apply to notifying FRA of initial PSPs also apply to PSP 
amendments. However, PSP amendments may take effect immediately if they 
are necessary in order to mitigate risk, and if they affect the safety-
critical functionality of the product. The Standards Task Force agreed 
that a more informal process is warranted in order to alleviate safety 
concerns which are discovered after FRA is notified of the initial PSP. 
The Standards Task Force had considered a rule which would allow for 
all PSP amendments to be handled via informational filing, however, FRA 
felt the same concerns which apply to initial filing (either as a 
petition or as an informational filing) should apply to the PSP 
amendment.
    Paragraph (j) discusses procedures for obtaining FRA approval to 
field test a subpart H product. FRA approval is necessary where the 
railroad seeks to test any product for which they would otherwise be 
required to seek a waiver for exemption of specific part 236 
regulations. For instance, when field testing of the product will 
involve direct interface with train crew members, there may be a 
requirement for some control mechanisms to be in place. Also, railroads 
will likely need to test products for operational concepts and safety-
critical consideration of the product prior to implementation. This 
paragraph proposes an alternative to the waiver process when only Part 
236 regulations are involved. When regulations concerning track safety, 
grade crossing safety, or operational rules are involved, however, this 
process would not be available. Such testing may also implicate other 
safety issues, including adequacy of warning at highway-rail crossings 
(including part 234 compliance), qualification of passenger equipment 
(part 238), sufficiency of the track structure to support higher speeds 
or unbalance, and a variety of other safety issues, not all of which 
can be anticipated in any special approval procedure. ``Clearing the 
railroad'' for the test train answers only a portion of these issues. 
Typically, waiver proceedings under part 211 allow a forum for review 
of all relevant issues. Based on available options, FRA would foresee 
the need to continue this approach in the future. Nonetheless, FRA 
invites comments specifically addressing this issue. Under this 
paragraph, railroads may also integrate this informational filing with 
the filing of a petition for approval or informational filing involving 
a PSP. The information required for this filing, as described in 
paragraphs (j)(1)-(j)(7), are necessary in order for FRA to make 
informed decisions regarding the safety of testing operations.

Section 236.915  Implementation and Operation

    This section proposes minimum requirements, in addition to those 
found in the PSP, for product implementation and operation.
    Paragraph (a) proposes requirements relating to when products may 
be implemented and used in revenue service. Paragraph (a)(1) discusses 
the standard for products which do not require FRA approval, but rather 
an informational filing. Paragraph (a)(2) addresses the standard for 
products which require that a petition for approval be submitted to FRA 
for approval. Paragraph (a)(3) excepts from the requirements of 
paragraphs (a)(1) and (a)(2) those products for which an informational 
filing had been filed initially, then FRA elected after implementation 
to treat its filing as a petition for approval. In the case where FRA 
chooses to treat an informational filing as a petition for approval 
after implementation, ``for cause'' is not intended to be restricted to 
the same interpretation given in Sec. 236.913(c) for ``good cause.'' 
FRA envisions that cause for review after implementation will more 
likely be related more to actual in-service performance than initial 
design safety considerations.
    Paragraph (b) proposes a requirement that railroads will not exceed 
maximum volumes, speeds, or any other parameter limit or provision in 
the PSP. On the other hand, a PSP could be based upon speed/volume 
parameters that are broader than the intended initial application, so 
long as the full range of sensitivity analyses are included in the 
supporting risk assessment. FRA feels this requirement will help ensure 
that comprehensive product risk assessments are performed before 
products are implemented. This paragraph also makes allowance for 
amendment of PSPs even after implementation. Railroads indicated they 
will need the ability to amend PSPs to correct initial assumptions 
after implementation. Furthermore, railroads feel that if operating 
conditions for which a product was designed are no longer applicable 
and safety levels have not been reduced, the necessary corresponding 
PSP amendments should be allowed. FRA invites comments specifically 
addressing this issue.
    Paragraph (c) proposes that each railroad ensure the integrity of a 
processor-based system not be compromised by prohibiting the normal 
functioning of such system to be interfered with by testing or 
otherwise without first taking measures to provide for the safety of 
train movements, roadway workers, and on-track equipment that depends 
on the normal functioning of the system. This provision parallels 
current Sec. 236.4, which applies to all devices. By proposing this 
paragraph, FRA merely intends to clarify that the standard in current 
Sec. 236.4 applies to subpart H products.
    Paragraph (d) proposes that, in the event of the failure of a 
component essential to the safety of a processor-based system to 
perform as intended, the cause be identified and corrective action 
taken without undue delay. The paragraph also proposes that until 
repair is completed, the railroad be required to take appropriate 
measures to assure the safety of train movements, roadway workers, and 
on-track equipment. This requirement mirrors current requirement 
Sec. 236.11, which applies to all signal system components.
    Paragraph (e) simply intends to convey that the standard in current 
Sec. 236.11 would apply to subpart H products.

[[Page 42374]]

Section 236.917  Retention of Records

    Paragraph (a) proposes the documents and records the railroad would 
be required to maintain at a designated office on the railroad for the 
life cycle of the product. All documents and records must be available 
for FRA inspection and copying during normal business hours. First, the 
railroad would need to maintain adequate documentation to demonstrate 
that the product PSP meets the safety requirements of the railroad's 
RSPP and applicable standards in this subpart, including the risk 
assessment. The risk assessment must contain all initial assumptions 
for the system that are listed in paragraph (i) of Appendix B--Risk 
Assessment Criteria. Second, the product Operations and Maintenance 
Manual, as described in Sec. 236.919, would need to be kept for the 
life cycle of the product. Third, railroads would be required to 
maintain training records which designate persons who are qualified 
under Sec. 236.923(b). These records will be kept until new 
designations are recorded or for at least one year after such person(s) 
leave applicable service. Paragraph (a) also would require that 
implementation, maintenance, inspection, and testing records as 
described in Sec. 236.907(a)(18)(ii) be recorded as prescribed in 
Sec. 236.110.
    Railroads have indicated that the product life cycle is too long a 
term to keep the data proving PSP compliance with the railroad's RSPP 
and training records. FRA is sympathetic to this concern but wishes to 
ensure that all records relevant to the current configuration and 
operation of the system remain available. FRA invites comments 
specifically concerning this issue.
    After the product is placed in service, paragraph (b) would require 
the railroad to maintain a database of safety relevant hazards as 
described in Sec. 236.907(a)(6), which occur or are discovered on the 
product. This database information shall be available for inspection 
and replication by FRA during normal business hours. Paragraph (b) also 
provides the procedure which must be followed if the frequency of 
occurrence for a safety-relevant hazard exceeds the threshold value 
provided in its PSP. This procedure involves taking immediate steps to 
reduce the frequency of the hazard and report the hazard occurrence to 
FRA. FRA realizes the scope and difficulty of undertaking these actions 
could vary dramatically. In some cases, an adequate response could be 
completed within days. In other cases the total response could take 
years, even with prompt, deliberate action. If the action were to take 
a significant time, FRA would expect the railroad to make progress 
reports to FRA.
    The reporting requirement of Sec. 236.917(b) is not intended to 
preempt current reporting requirements of part 233. In the case of a 
false proceed signal indication, FRA would not expect the railroad to 
wait for the frequency of such occurrences to exceed the threshold 
reporting level assigned in the hazard log. Rather, current Sec. 233.7 
requires all such instances to be reported.
    FRA notes that the Standards Task Force recommended that railroads 
take prompt countermeasures to reduce only the frequency of the safety-
relevant hazard. There may be situations where reducing the severity of 
such hazards will suffice for an equivalent reduction in risk. For 
example, reducing operating speed may not reduce the frequency of 
certain hazards involving safety-critical products, but it would in 
most cases reduce the severity of such hazards. FRA invites comments 
specifically addressing this issue.
    Also, railroads have expressed concern that 15 days is not enough 
time to be held to report any inconsistency to FRA, especially when 
traditional postal service is used to deliver the report. As such, 
railroads have proposed that they be given 30 days to report any 
inconsistencies. FRA is considering an allowance for railroads to fax 
or e-mail this report, which would relieve concerns about traditional 
postal service. FRA currently allows faxing or e-mailing of reports 
required by Secs. 233.7 and 234.9, involving signal failure and grade 
crossing signal system failure, respectively. Commenters are invited to 
address this issue.

Section 236.919  Operations and Maintenance Manual

    This section proposes that each railroad develop a manual covering 
the requirements for the installation, periodic maintenance and 
testing, modification, and repair for its processor-based signal and 
train control systems. The Standards Task Force recognized it was 
necessary for railroad employees working with safety-critical products 
in the field to have complete and current information for installation, 
maintenance, repair, modification, inspection, and testing of the 
product being worked on. It was also suggested that this information be 
portable. As a result the Standards Task Force decided that this 
information be placed in a manual that could easily be carried into the 
field by the employee for use at the product work site.
    Paragraph (a) works with Secs. 236.905 and 236.907 and proposes 
that all specified documentation contained in the PSP necessary for the 
installation, repair, modification and testing of a product be placed 
in an Operations and Maintenance Manual for that product and be made 
available to both persons required to perform such tasks and FRA.
    Paragraph (b) proposes that plans necessary for proper maintenance 
and testing of products be correct, legible, and available where such 
systems are deployed or maintained. The paragraph also proposes that 
plans identify the current version of software installed, revisions, 
and revision dates.
    Paragraph (c) proposes that the Operations and Maintenance Manual 
identify the hardware, software, and firmware revisions in accordance 
with the configuration management requirements specified in the PSP. 
This proposed requirement is most easily understood in the context of 
the requirement for a configuration management control plan as 
specified in Sec. 236.18.
    Paragraph (d) proposes that safety-critical components contained in 
processor-based systems, including spare equipment, be identified, 
replaced, handled, and repaired in accordance with the configuration 
management requirements specified in the PSP.

Section 236.921  Training and qualification program, general

    This section sets forth the general requirements for the railroads 
training and qualification programs related to safety-critical 
processor-based signal and train control products. This section works 
in conjunction with Sec. 236.907 which requires the PSP to provide a 
description of the specific training necessary to ensure the safe 
installation, implementation, operation, maintenance, repair, 
inspection, testing, and modification of the product. This section does 
not restrict the railroad from adopting additional or more stringent 
training requirements. The training program takes on particular 
importance with respect to safety-critical processor-based signal and 
train control products, and in particular, processor-based train 
control products, because the industry's workforce generally does not 
have thorough knowledge of the operation of such equipment and 
appropriate practices for its operation and maintenance. FRA believes 
employee training and qualification on how to properly and safely 
perform assigned duties is crucial

[[Page 42375]]

to maintain safe railroad equipment and a safe workplace.
    FRA believes that many benefits will be gained from the railroads' 
investment in a comprehensive training program. The quality of 
inspections will improve, which will result in fewer instances of 
defective equipment in revenue service and increased operational 
safety. Under an effective training program: Equipment conditions that 
require maintenance attention are more likely to be discovered and 
repairs can be completed safely and efficiently; trouble-shooting will 
more likely take less time; and maintenance will more likely be 
completed correctly the first time, resulting in increased safety and 
decreased costs.
    The program will provide training for persons whose duties include 
inspecting, testing, maintaining or repairing elements of the 
railroad's safety-critical processor-based signal and train control 
systems, including central office, wayside, or onboard subsystems. In 
addition, it will include training required for personnel dispatching 
and operating trains in territory where advanced train control is in 
use and roadway workers whose duties require knowledge and 
understanding of operating rules.
    Paragraph (a) proposes the general requirement for when a training 
program is necessary and who must be trained. Training programs must 
meet the minimum requirements listed in Secs. 236.923 through 236.929, 
as appropriate, and any more stringent requirements in the PSP for the 
product.
    Paragraph (b) proposes the general requirement that the persons 
cited in paragraph (a) must be trained to the appropriate degree to 
ensure that they have the necessary knowledge and skills to effectively 
complete their duties related to operation and maintenance of products.

Section 236.923  Task Analysis and Basic Requirements

    This section sets forth specific parameters for training employees 
and contractor's employees to assure they have the necessary knowledge 
and skills to effectively complete their duties as related to safety-
critical products and the functioning of advanced train control 
systems. This section explains that the functions performed by an 
individual will dictate what type of training that person should 
receive related to the railroad's processor-based signal and train 
control system. For example, a person that operates a train would not 
require training on how to inspect, test, and maintain the system 
equipment unless they were also assigned to perform those tasks.
    The intent of this section is to ensure that employees who work 
with products, including contractors, know how to keep them operating 
safely. The proposed rule grants the railroad flexibility to focus and 
provide training that is needed in order to complete a specific task. 
However, this proposal is designed to prevent the railroad from using 
under-trained and unqualified people to perform safety-critical tasks.
    This section describes that the training and qualification programs 
specified in Sec. 236.919 must include a minimum group of identified 
requirements. These minimum requirements will be described in the PSP. 
This required training is for railroad employees and contractors' 
employees to assure they have the necessary knowledge and skills to 
effectively complete their duties related to processor-based signal and 
train control systems.
    Paragraphs (a)(2) and (a)(3) provide that the railroad will 
identify inspection, testing, maintenance, repairing, dispatching, and 
operating tasks for the equipment and develop written procedures for 
performance of same. Paragraph (a)(4) proposes that the railroad 
identify additional knowledge and skills above those required for basic 
job performance necessary to perform each task. Railroads have 
expressed concern regarding this requirement, and commenters are 
invited to address this issue.
    Paragraph (a)(5) proposes that the railroad develop a training 
curriculum which includes either classroom, hands-on, or other 
formally-structured training designed to impart the knowledge and 
skills necessary to perform each task.
    Paragraph (a)(6) proposes that all persons subject to training 
requirements and their direct supervisors must successfully complete 
the training curriculum and pass an examination for the tasks for which 
they are responsible. For example, a person who operates a train would 
not require training on how to inspect, test, or maintain the equipment 
unless they were assigned to also perform those tasks. Generally, 
appropriate training must be given to each of these employees prior to 
task assignment; however, an employee may be allowed to perform a task 
for which that person has not received the appropriate training only if 
they do so under the direct on-site supervision of a qualified person. 
Direct supervisor is intended to mean the immediate, first-level 
supervisor to whom the employee reports.
    Paragraph (a)(7) proposes that periodic refresher training be 
conducted at intervals specified in the PSP. This periodic training 
must include either classroom, hands-on, computer-based training, or 
other formally-structured training in order that employees and 
contractors' employees maintain the knowledge and skills necessary to 
safely perform their assigned tasks. Paragraph (a)(8) proposes a 
requirement to compare actual and desired success rates for the 
examination. Railroads have expressed concern about this particular 
requirement, and commenters are invited to address this issue.
    Paragraph (b) conveys that in addition to the training of persons 
described in paragraph (a), the training program must require that only 
persons designated as qualified under the railroad's training program 
will be allowed to perform safety-related inspection, testing, 
maintenance, repairing, dispatching, or operating tasks. The railroad 
must maintain records which designate persons who are qualified to 
perform these tasks per the requirements of this section. These records 
must be kept until new designations are recorded or for at least one 
year after such person(s) leave applicable service, and must be 
available for FRA inspection and copying.

Section 236.925  Training Specific to Control Office Personnel

    This section explains the training that must be provided to 
employees responsible for issuing or communicating mandatory 
directives. This training must include instructions concerning the 
interface between computer-aided dispatching systems and processor-
based train control systems as applicable to the safe movement of 
trains and other on-track equipment. In addition, the training must 
include operating rules that pertain to the train control system, 
including the provision for moving unequipped trains and trains on 
which the train control system has failed or been cut out en route.
    This section sets forth the requirements of instructions for 
control of trains and other on-track equipment when the advanced train 
control system fails. It also includes periodic practical exercises or 
simulations and operational testing under part 217 to assure that 
personnel are capable of providing for safe operations under 
alternative operation methods.

[[Page 42376]]

Section 236.927  Training Specific to Locomotive Engineers and Other 
Operating Personnel

    This section proposes minimum training requirements for locomotive 
engineers and other operating personnel who interact with processor-
based train control systems. ``Other operating personnel'' is intended 
to refer to on-board train and engine crew members (i.e, conductors, 
brakemen, and assistant engineers). FRA invites comments addressing the 
issue of whether a formal definition is needed for ``other operating 
personnel.'' Paragraph (a) requires that the training contain 
familiarization with the onboard processor-based equipment and the 
functioning of that equipment as part of a train control system and its 
relationship to other onboard systems under that person's control. The 
training program must cover all notifications by the system (i.e. 
onboard displays) and actions or responses to such notifications 
required by onboard personnel, as well as how that action or response 
ensures proper operation of the system and safe operation of the train.
    Paragraph (b) notes that with respect to certified locomotive 
engineers, the training requirements of this section must be integrated 
into the training requirements of 49 CFR part 240.
    Paragraph (c) discusses requirements for use of a train control 
system to effect full automatic operation, as defined in Sec. 236.903. 
FRA acknowledges that this proposed rule is not designed to address all 
of the various safety issues which accompany full automatic operation 
(although it by no means discourages their development and 
implementation); however, insofar as skills maintenance of the operator 
is concerned, the proposed rule offers the standards in this paragraph.
    Paragraph (c)(1) proposes the requirement that the PSP must 
identify all safety hazards to be mitigated by the locomotive engineer.
    Paragraph (c)(2) discusses required areas of skills maintenance 
training. In particular, this requirement recognizes the significance 
which the Standards Task Force placed on skills maintenance by manual 
starting and stopping of the train. Although manual starting and 
stopping, manual operation, and simulation training are all necessary 
to ensure effective maintenance of skills, the Standards Task Force 
felt that other options must be available. For instance, it may be 
burdensome for railroads, especially smaller operations, to offer 
simulator training to its locomotive engineers/operators. Thus, the 
Standards Task Force felt that in this instance training requirements 
can be worked out individually between the railroad, its labor 
representative and the FRA. In all cases, the PSP must define the 
appropriate training intervals for these tasks.

Section 236.929  Training Specific to Roadway Workers

    This section would require the railroad to incorporate appropriate 
training in the program of instruction required under part 214 subpart 
C, Roadway Worker Protection. This training is designed to provide 
instruction for workers who obtain protection for roadway work groups 
or themselves and will specifically include instruction to ensure an 
understanding of the role of a processor-based train control system in 
establishing protection for workers and their equipment, whether at a 
work zone or while moving on track between work locations. Also, this 
section requires that training include recognition of processor-based 
train control equipment on the wayside and how to avoid interference 
with its proper functioning.

Appendix B to Part 236--Risk Assessment Criteria

    FRA proposes Appendix B as a set of criteria for performing risk 
assessments for products sought to be implemented on a railroad. During 
the Standards Task Force deliberations, suppliers indicated concern for 
flexibility in performing risk assessments. FRA recognizes this 
concern, yet must balance it against the need for uniformity in the 
conduct of risk assessments performed under this subpart. This need for 
uniformity across all products covered by subpart H is necessary when a 
performance standard is sought to be used. FRA has sought to balance 
these two seemingly competing concerns by proposing a requirement that 
the risk assessment criteria be followed, but allowing for other 
criteria to be used if FRA agrees it is suitable. FRA feels this 
strategy adequately allows for the flexibility of a performance 
standard, yet offers concrete guidance on how a railroad or supplier 
can comply with the standard. As a practical matter, FRA believes that 
the overwhelming majority of risk assessments will seldom vary widely 
from the Appendix B criteria. FRA is aware of few known reasonable 
alternatives, and the criteria themselves are for the most part 
conventional, common sense methods of achieving the stated objectives.
    Paragraph (a) addresses the life-cycle term for purposes of the 
risk assessment. FRA believes new signal and train control systems will 
be in place for at least 25 years, based on the life cycles of current 
systems. Over time, these systems will be modified from their original 
design. FRA is concerned that subsequent modifications to a product 
might not conform with the product's original design philosophy. The 
original designers of products covered by this subpart could likely be 
unavailable after several years of operation of the product. FRA feels 
that requiring an assumption of a 25-year life-cycle for products will 
adequately address this problem. FRA believes this proposed criterion 
will aid the quality of risk assessments conducted per this subpart by 
forcing product designers and users to consider long-term effects of 
operation. However, FRA feels such a criterion would not be applicable 
if, for instance, the railroad limited the product's term of proposed 
use. In such case, FRA would only be interested in the projected risks 
over the projected life-cycle, even if less than 25 years.
    Paragraph (a) also addresses the scope of the risk assessment for 
the risk calculation of the proposed product. The assessment must 
measure the accumulated residual risk of a train system, after all 
mitigating measures have been implemented. This means that the risk 
calculation shall attempt to assess actual safety risks remaining after 
implementation of the proposed product. FRA is fairly certain that 
railroads proposing new products will have planned or taken measures to 
eliminate or mitigate any hazards which remain after the product has 
been designed. These might include training or warning measures. For 
the purpose of the risk calculation for proposed product, FRA is only 
interested in residual risks, or those which remain even after all 
mitigating measures have been taken.
    Paragraph (b) discusses risks concerned with the interaction of 
product components. Each signal and train control system covered by 
this subpart is considered to be subject to hazards associated with 
failure of individual components, as well as hazards associated with 
improper interaction of those components. FRA is aware that many 
unanticipated computer system faults have arisen from incomplete 
analysis of how components will interact. This problem is of vital 
importance when safety-critical systems are involved, such as those 
targeted by subpart H.
    Paragraph (c) discusses how previous condition is computed. The 
proposed requirement mandates the identification of each subsystem and 
component in the previous condition and estimation of an MTTHE value 
for each of those

[[Page 42377]]

subsystems and components. FRA feels the MTTHE is an adequate measure 
of the reliability and safety of those subsystems and components, and 
it facilitates the comparison of subsystems and components which are to 
be substituted on a one-for-one basis (see Sec. 236.909(d)). In some 
cases, current safety data for the particular territory on which the 
product is proposed to be implemented may be used to determine MTTHE 
estimates. The purpose of this provision is to require railroads to 
produce the basis for any previous condition calculations.
    Paragraphs (d) and (e) deal with some types of risks which must be 
considered when performing the risk assessment. FRA believes that the 
listed items are relevant to any risk assessment of signal and train 
control systems and thus ought to be considered. However, there may 
exist situations when one or more of the categories of risk are not 
relevant, such as when a system does not involve any wayside subsystems 
or components. In such case, FRA would obviously not require 
consideration of such risks, but would expect the risk assessment to 
briefly explain why.
    Paragraph (f)(1) addresses how MTTHE figures are calculated at the 
subsystem and component level. FRA feels MTTHE should be calculated for 
each integrated hardware/software subsystem and component. FRA expects 
that quantitative MTTHE calculation methods will be used where it is 
appropriate and when sufficient data is available. For factors such as 
non-processor based systems which are connected to processor-based 
subsystems, software subsystems/components, and human factors, FRA 
realizes quantitative MTTHE values may be difficult to assign. In these 
cases, FRA proposes allowing qualitative values to be used or 
estimated. Furthermore, for all human-machine interface components/
subsystems, FRA proposes appropriate MTTHE estimates be assigned. FRA 
feels this is necessary because an otherwise reliable product which 
encourages human errors could result in a dramatic degradation of 
safety. FRA believes this risk should be identified in the risk 
assessment.
    Paragraph (f)(2) addresses the MTTHE estimates. Under the proposed 
rule, all MTTHE estimates must be made with a high degree of 
confidence, and must relate to scientific analysis or expert opinion 
based on documented qualitative analysis. This paragraph also indicates 
the railroad must devise a compliance process which ensures that the 
analysis is valid under actual operating conditions. Since the relevant 
Standards Task Force recommendation did not provide any criteria as to 
how such a compliance process would be expected to operate, FRA invites 
comments addressing this issue.
    Paragraph (g) proposes criteria for calculation of MTTHE values for 
non-processor-based components which are part of a processor-based 
system or subsystem. FRA believes that it will be common for future 
systems to combine processor-based components with other components, 
such as relay-based components. Thus, failures of non-processor-based 
components must be considered when determining the safety of the total 
system.
    Paragraph (h) proposes a requirement to document all assumptions 
made for purposes of the risk assessment. FRA does not intend to hold 
the railroads to directly document these assumptions, but rather to be 
responsible for their documentation and production if so requested by 
FRA. FRA imagines that suppliers will in most cases perform the actual 
documenting task.
    Paragraph (h)(1) discusses documentation of assumptions concerning 
reliability and availability of mechanical, electric, and electronic 
components. In order to assure FRA that risk assessments will be 
performed diligently, FRA proposes a requirement for documentation of 
assumptions. FRA envisions sampling and reviewing fundamental 
assumptions both prior to a product is implemented and after operation 
for some time. FRA intends for railroads to confirm the validity of 
initial risk assessment assumptions by comparing to actual in-service 
data. FRA is aware that mechanical and electronic component failure 
rates and times to repair are easily quantified data, and usually are 
kept as part of the logistical tracking and maintenance management of a 
railroad.
    Paragraph (h)(2) addresses assumptions regarding human performance. 
Assumptions about human performance should consider all the categories 
of unsafe acts as described by Reason (1990). Some methods to assess 
human reliability, such as the Human Cognitive Reliability model 
(Kumamoto and Henley, 1996, pp. 506-508), assume that unsafe acts of 
certain types (e.g., lapses and slips) do not occur. Such a method must 
be supplemented with other methods, such as THERP (Technique for Human 
Error-Rate Prediction), that are designed to assess these unsafe acts 
(Kumamoto and Henley, 1996, p. 508). The hazard log required by 
Sec. 236.907(a)(6) will help determine the appropriateness of the 
assumptions employed. This database should contain sufficient 
quantitative detail and narrative text to allow a systematic human 
factors analysis (examples of procedures to accomplish this can be 
found in Gertman and Black, 1994, Ch.2) to determine the nature of the 
unsafe acts involved and their relationship to the deployment of PTC 
technology, procedures and underlying factors. Thus, FRA does not 
intend to require railroads to maintain electronic databases solely 
containing human performance data. However, FRA envisions this 
requirement will have the effect of railroads maintaining what relevant 
data they can on human performance. For instance, programs of 
operational tests and inspections (part 217) will have to be adapted to 
take into consideration changes in operating rules incident to 
implementation of new train control systems.
    Paragraph (h)(3) discusses risk assessment assumptions pertaining 
to software defects. FRA believes that projected risks of software 
failures are difficult to forecast. Therefore, FRA feels it is 
important to verify that software assumptions are realistic and not 
overly optimistic.
    Paragraph (h)(4) proposes a requirement for the documentation of 
identified fault paths. Fault paths are key safety risk assumptions. 
Failing to identify a fault path can have the effect of making a system 
seem safer on paper than it actually is. However, if an unidentified 
fault path is discovered in service which leads to an previously 
unidentified safety-relevant hazard, then the threshold for defects in 
the PSP is automatically exceeded, and the railroad must take 
mitigating measures pursuant to proposed Sec. 236.917(b). FRA believes 
it is possible that railroads will encounter previously unidentified 
fault paths after product implementation. The frequency of such 
discoveries would likely be related to the quality of the railroad's 
safety analysis efforts. Safety analyses of poor quality are more 
likely to lead to in-service discovery of unidentified fault paths. 
Some of those paths might lead to potential serious consequences, while 
others might have less serious consequences. FRA would require the 
railroads to estimate the consequences of these unidentified faults as 
if they would continue being detected over the twenty-five year life of 
the product. Each product would be treated as though it would be in 
service for twenty-five years from the current date, and unidentified 
faults would continue to be discovered at the same rate as they had 
been for the greater of the previous ten years in service or the life 
of the product. All new products are to be treated as though they had 
been in service for at least six months in order

[[Page 42378]]

to prevent an early-discovered fault path from having drastic impact.

Appendix C to Part 236--Safety Assurance Criteria and Processes

    Appendix C sets forth minimum criteria and processes for safety 
analyses conducted in support of RSPPs and PSPs. The intention of 
Appendix C is to provide safety guidelines distilled from proven design 
considerations. These guidelines can be translated into processes 
designed to ensure the safe performance of the product. The analysis 
required in Appendix C is designed to minimize failures that would have 
the potential to affect the safety of railroad operations. FRA 
recognizes there are limitations as to how much safety can be achieved 
due to technology limitations, cost, and other constraints, and, upon 
recommendation from the Standards Task Force, proposes this appendix, 
recognizing this principle.
    Paragraph (a) discusses the purpose of this appendix. Appendix C 
sets forth minimum criteria and processes for safety analyses conducted 
in support of RSPPs and PSPs.
    Paragraph (b) covers safety considerations and principles which the 
designer must follow unless the consideration or principle does not 
apply to the product. In the latter case, the designer is required to 
state why they believe it does not apply. These safety considerations 
and principles resulted from early Standards Task Force meetings and 
are recognized by the industry to be recommended practices for the 
development of safety-critical systems. FRA believes these proven 
safety considerations and concepts are a necessary starting point for 
the development of products under subpart H.
    Paragraph (b)(1) discusses design considerations for normal 
operation of the product. FRA notes that in normal operation, the 
product should be designed such that human error would not cause a 
safety hazard. This principle recognizes that safety risks associated 
with human error cannot be totally eliminated by design, no matter how 
well-trained and skilled the operators are.
    Paragraph (b)(2) addresses design considerations dealing with 
systematic error. Systematic errors are those that can occur when the 
product is poorly developed and/or the human-machine interface is not 
given proper design attention.
    Paragraph (b)(3) addresses random failure. FRA recognizes hardware 
can fail when components fail due to wear and tear, overheating, harsh 
environmental conditions, etc. This consideration ensures that such 
hardware failures do not compromise safety.
    Paragraph (b)(4) deals with common mode failure. The common mode 
failures are those that stem from a component failure that can cause 
other components to fail due to close association among components. 
These failures are due primarily to poor design practices with respect 
to interaction among and between components.
    Paragraph (b)(5) discusses external influences. FRA notes that 
external influences need to be taken into account for the safety of the 
product. Close attention needs to be given to the environment in which 
the equipment operates.
    Paragraph (b)(6) addresses product modifications. In addition to 
PSP requirements and other relevant requirements of subpart H, close 
attention needs to be given as to how these modifications affect safety 
when modifications are made.
    Paragraph (b)(7) deals with software design. Software integrity is 
crucial to the safety of the product. Non-vital (or non-fail-safe) 
components need to be controlled in such a manner so their failure does 
not create a hazard. For example, if a semiconductor memory fails, 
software checks into the semiconductor locations can determine if a 
potential data corruption has occurred and take appropriate action so 
that the corrupted data does not constitute a hazard. Hence the 
importance of software design for the software controlling these types 
of components.
    Paragraph (b)(8) addresses the closed loop principle. Closed loop 
means that a ``handshake'' in the design will determine whether 
received data is corrupted or not.
    FRA is considering adding a separate paragraph in this appendix 
specifically to discuss human factors design considerations. Human-
centered design principles recognize that machines can only be as 
effective as the humans who use them. The goals of human factors 
requirements and concepts in product design are to enhance safety, 
increase the effectiveness and efficiency of work, and reduce human 
error, fatigue and stress. Since the implementation of any new system, 
subsystem or component can directly or indirectly change the nature of 
tasks that humans perform, both negative and positive consequences of 
implementation should be considered in design. FRA believes that these 
principles need to be adequately addressed early in the product 
development stage rather than at the end of it. Often times, an 
engineer or evaluator unfamiliar with human factors issues will attempt 
to address human factors issues as the end of the product development 
stage nears, at which point only changes in the way the product is 
implemented are possible (i.e., accommodating changes in operations, 
additional training, etc.). Thus, FRA envisions compliance with this 
paragraph to be satisfied with consideration of input from a qualified 
human factors professional as early as possible in the development 
process.
    Paragraph (c) proposes that certain listed standards be used for 
verification and validation procedures. These standards are already 
current industry/consensus standards and are more specifically describe 
the particular types of products.

Appendix D to Part 236--Independent Review and Assessment of Validation 
and Verification

    Paragraph (a) discusses the purpose of an independent third party 
assessment of product validation and verification. FRA believes this 
requirement, as recommended by the Standards Task Force, is necessary 
for two primary reasons which became apparent through FRA's experience 
with earlier advanced signal and train control system projects.
    By the early 1990's it was evident that technology could be 
fashioned to end the continuing series of collisions that plagued the 
railroad industry. The National Transportation Safety Board (NTSB) had 
studied 50 major rail collision incidents that NTSB determined could 
have been prevented had a system of positive train separation been in 
use. NTSB's recommendations for the need of a positive train separation 
system are given in its accident report titled ``Head on Collision 
Between Burlington Northern Railroad Freight Trains 602 and 603 near 
Ledger, Montana, on August 30, 1991'' (NTSB/RAR-93/01). However, it was 
also apparent that the railroad industry was not persuaded that such 
technology represented a sound investment in light of other capital 
needs.
    The FRA Administrator held a series of round table discussions with 
members of industry to come up with ways to increase railway safety. 
Industry responded with the creation of various communications-based 
positive train separation and positive train control projects. Also 
during this time, under the New Generation High Speed program, 59 FR 
46470 (September 8, 1994), the FRA initiated a new Incremental Train 
Control System (ITCS) train control system project in

[[Page 42379]]

Michigan. The ITCS project, known within Michigan DOT as the Mercury 
Project, is jointly funded by FRA, the State of Michigan, and Amtrak. 
Harmon Industries, the project supplier and builder, describes ITCS as 
a ``vital overlay'' system. This means that it utilizes the existing 
track circuits as part of its safety-critical communication-based 
system to allow higher train operating speeds, particularly at railroad 
crossings. As of the date of this printing, the first phase of the ITCS 
system is being tested in the Detroit-to-Chicago line in a 71-mile 
length of track between Kalamazoo and New Buffalo, Michigan.
    Due to the novelty of the use of such complex technology in a 
railroad signal and train control application, FRA felt a validation 
and verification process, particularly for the software, was necessary 
to assure safety. FRA and Harmon agreed that Harmon should employ 
industry-accepted methods and procedures for safety validation and 
verification of their hardware and software. In addition, FRA felt that 
an independent third party should be involved in an assessment of the 
supplier's safety efforts. The necessity of an assessment was prompted 
by two concerns. First, FRA was concerned that some safety-related 
activities during development may be sacrificed in the event the 
supplier came under pressure to meet a project deadline. Second, a 
third party auditor often brings a variety of fresh ideas and methods 
to plug any unintended safety gaps.
    FRA feels the ITCS concerns may apply to certain products developed 
under subpart H in order to ensure their safety integrity. This is 
particularly important when there are no safety records available on 
which FRA can assess a new product's reliability and endurance during 
operations. FRA feels an independent review will greatly enhance the 
safety of the systems and will ultimately work to the railroad's 
advantage. The Standards Task Force has recommended specific criteria 
for determining whether a third party assessment ought to be performed. 
See Sec. 236.913(h).
    Paragraphs (c) through (f) discuss the substance of the third party 
assessment. This assessment should be performed on the system as it is 
finally configured, before revenue operations commence, and requires 
the reviewer to prepare a final report. A typical assessment can be 
divided into four levels as it progresses: the preliminary level, the 
functional level, the implementation level, and the closure level.
    Paragraph (c) addresses the reviewer's tasks at the preliminary 
level. Here, the assessor reviews the supplier's processes as set forth 
in the documentation and provides comments to the supplier. The 
reviewer should be able to determine vulnerabilities in the supplier's 
processes and the adequacy of the RSPP and PSP as they apply to the 
product. ``Acceptable methodology'' is intended to mean standard 
industry practice, as contained in MIL-STD-882C, such as hazard 
analysis, fault tree analysis, failure mode and effect criticality 
analysis, or other accepted applicable methods such as fault injection, 
Monte Carlo or Petri-net simulation. FRA is aware of many acceptable 
industry standards, but usage of a less common one in PSP analysis 
would most likely require a higher level of FRA scrutiny. In addition, 
the reviewer considers the completeness and adequacy of the safety 
requirements documents, including the PSP itself.
    Paragraph (d) discusses the reviewer's tasks at the functional 
level. Here, the reviewer will analyze the supplier's methods to 
establish that they are complete and correct. First, Preliminary Hazard 
Analysis (PHA) is performed in the design stage of a product. It 
attempts, in an early stage, to classify the severity of the hazards 
and to assign an integrity level requirement to each major function. 
PHA is part of the preliminary safety analysis, as required by the 
railroad's RSPP.
    Traditional methodology practices widely accepted within industry 
and recognized by military standard MIL-STD-882C include: Hazard 
Analysis, Fault Tree Analysis (FTA), Failure Mode and Effects Analysis 
(FMEA), and Failure Modes, Effects, and Criticality Analysis (FMECA).
    Hazard analysis is an extension of the PHA performed in the later 
phases of product development. This hazard analysis focuses more on the 
detailed functions of the product and its components. A hazard analysis 
can be repeated as needed as the product matures. A competent safety 
assessor should be able to determine if sufficient hazard analyses were 
performed during the product development cycle.
    FTA starts with an identification of all hazards and determines 
their possible causes. Data from earlier incidents can also be used as 
a starting point for the analysis. This method concentrates on events 
that are known to lead to hazards.
    FMEA considers the failure of any component within a system, tracks 
the effects of the failure and determines its consequences. FMEA is 
particularly good at detecting conditions where a single failure can 
result in a dangerous situation; however, its primary drawback is that 
it doesn't consider multiple failures. FMEA involves much detailed work 
and is expensive to apply to large complex systems. FMEA is usually 
used at a late stage in the development process, and is applied to 
critical areas, rather than to the complete system.
    FMECA is an extension of FMEA that identifies the areas of greatest 
need.
    The above descriptions are taken from ``Safety-Critical Computer 
Systems'' (Storey, Neil; Addison-Wesley Longman (Harlow, England 1996)) 
pp. 33-57.
    Other simulation methods may also be used in conjunction with the 
above methods, or by themselves when appropriate. These simulation 
methods include fault injection, a technique that evaluates performance 
by injecting known faults at random times during a simulation period; 
Markov modeling, a modeling technique that consists of states and 
transitions that control events; Monte Carlo model, a simulation 
technique based on randomly-occurring events; and Petri Net, an 
abstract, formal model of information flow that shows static and 
dynamic properties of a system. A petri-net is usually represented as a 
graph having two types of nodes (called places and transitions) 
connected by arcs, and markings (called tokens) indicating dynamic 
properties.
    Paragraph (e) addresses what must be performed at the 
implementation level. At this stage, the product is now beginning to 
take form. The reviewer typically evaluates the software. Most likely, 
the software will be in modular form, such that software modules are 
produced in accordance to a particular function. The reviewer must 
select a significant number of modules to be able to establish that 
software is being developed in a safe manner.
    Paragraph (f) discusses the reviewer's tasks at closure. The 
reviewer's primary task at this stage is to prepare a final report 
where all product deficiencies are noted in detail. This final report 
may include material previously presented to the supplier during 
earlier development stages.

Appendix E to Part 236--Human-Machine Interface (HMI)

    This appendix provides human factors design criteria. A small group 
of members from the PTC Working Group comprised the Human Factors Task 
Force. The task given them was to develop comprehensive design 
considerations for human factors and human-machine interfaces. This 
appendix outlines their efforts, which address the basic human factors 
principles for the design and operation of displays, controls, 
supporting software functions, and other

[[Page 42380]]

components in processor-based signal or train control systems and 
subsystems. The HMI requirements proposed in this appendix attempt to 
capture the lessons learned from the research, design, and 
implementation of similar technology in other modes of transportation 
and other industries. FRA has placed in the docket for this rulemaking 
a research document that contains a broad spectrum of references to the 
literature in this area.
    The overriding goal of this appendix is to minimize the potential 
for design-induced error by ensuring that processor-based signal or 
train control systems are suitable for operators, and their tasks and 
environment. The overriding conclusion from the research is that 
processor-based signal or train control systems that have been designed 
with human-centered design principles in mind--system products that 
keep human operators as the central active component of the system--are 
more likely to result in improved safety.
    Paragraph (a) addresses the purpose of the HMI requirement. The 
task force concluded from its research that increased automation of 
systems through the use of products involves negative safety effects, 
as well as positive ones. Products with human-centered design features, 
however are more likely to result in improved system safety. The human-
centered systems approach recognizes that technology is only as 
effective as the humans who must use it. HMIT designs that do not 
consider human capabilities, limitations, characteristics and 
motivation will be less efficient, less effective and less safe to 
operate. Therefore, the HMI requirement articulated in this appendix 
proposes to promote consideration of these issues by designers during 
the development of HMIs.
    Paragraph (b) defines two essential terms, ``designer'' and 
``operator,'' which are critical to a clear understanding of the HMI 
requirement.
    Paragraph (c) highlights various issues that designers should be 
aware of and attempt to prevent during the design process. For example, 
paragraph (c)(1) addresses ``reduced situation awareness and over-
reliance,'' which can result when products transform the role of a 
human operator from an active system controller to a passive system 
monitor. Essentially, a passive operator is less alert to what the 
system is doing, may rely too heavily on the system and become less 
capable of reacting properly when the system requires the operator's 
attention. For that reason the HMI requirement promotes operator action 
to maintain operation of the equipment and provide numerous 
opportunities for practice. The requirement further provides that 
operator action be sustained for a period of at least 30 minutes so 
that an operator remains involved and resistant to distraction, e.g., 
management by consent rather than management by exception. In addition, 
the HMI requirement promotes advance warning. This requirement is 
designed to prevent an overreaction by operators who need to respond to 
an emergency. By warning operators in advance when action is required, 
the operator is more likely to take appropriate action. The final 
requirement addressing situation awareness involves equalization of the 
workload. Essentially, the operator should be assisted more during high 
workload conditions and less during low workload conditions. To the 
extent the HMI design addresses the proposed situation awareness 
requirements, operators are more likely to be alert and react properly 
when the system requires their attention.
    Paragraph (c)(2) addresses another HMI issue, ``predictability and 
consistency'' in product behavior. For example, objects designed for 
predictability should move forward when an operator pushes the object 
or its controller forward and valves designed for consistency should 
open in the same direction. In addition, new controls that require 
similar actions to older like controls should minimize the interference 
of learning in the transfer of knowledge and take advantage of already 
automated behaviors (i.e., new controls should be ``backwards 
compatible''). The consistency envisioned by the HMI requirement would 
also apply to the terminology used for text and graphic displays.
    Paragraph (c)(3) addresses a third HMI issue, which involves a 
human's limited memory and ability to process information. The fact 
that humans can process only one or two streams of information at a 
time without loss of information is termed ``selective attention.'' A 
remedy for selective attention is reducing an operator's information 
processing load by focusing on integrated information, the format of 
the information, and by testing decision aids to evaluate their true 
benefits. These solutions are proposed in this paragraph. Finally, 
paragraph (c)(4) addresses miscellaneous human factor concerns that 
must be addressed at the design stage.
    Paragraph (d) addresses design elements for on-board displays and 
controls. Paragraph (d)(1) articulates specific requirements for the 
location of displays and controls. These requirements need little 
explanation, since they are well-known principles. However, it must be 
recognized that these principles may at times conflict with each other. 
For example, it may not be possible to arrange controls according to 
their expected order of use and locate displays as close as possible to 
the controls that affect them. Trade-offs are often required in the 
design of effective, efficient and safe HMIs. System designers must 
ensure that appropriate personnel evaluate these critical decisions and 
make the appropriate trade-offs.
    Paragraph (d)(2) pertains to information management by highlighting 
some of the industry recognized minimum standards for human-centered 
design of displays. Important information management issues include 
displaying information to emphasize its importance (i.e. alarms and 
other significant changes or unusual events presented with clear 
salient indicators, not by small changes or ambiguous displays that are 
easy to miss), avoiding unnecessary detail where text is used, avoiding 
text in all capital letters, and designing warnings to match the level 
of risk so that more dangerous conditions have aural and or visual 
signals that are associated with a higher level of urgency. Finally, 
paragraph (e) of the HMI appendix addresses requirements for problem 
management. These requirements essentially address in the design and 
implementation phase of development, the need to support situation 
awareness, response selection and contingency planning under unusual 
circumstances. These types of requirements are designed to avoid the 
errors humans tend to make during emergency situations and provide 
alternatives when the initial responses to the emergency fail.
    Generally, all the literature concludes that as the nature of the 
task changes, performance related to those tasks inevitably changes. 
The nature and potential consequences of these changes can be 
determined by comparing the functions of an old system to that which is 
proposed in a new system. System evaluations of the impact of new 
technology on human operators must be conducted to help identify new 
sources of error. FRA believes that HMI evaluations conducted in 
accordance with the requirements of this appendix prior to 
implementation of new processor based signal and train control 
technology will render products that are safe and efficient.

[[Page 42381]]

Regulatory Impact

Executive Order 12866 and DOT Regulatory Policies and Procedures

    This proposed rule has been evaluated in accordance with existing 
policies and procedures and is considered ``nonsignificant'' under 
Executive Order 12866. It is considered to be significant under DOT 
policies and procedures (see 44 FR 11034).
    FRA has prepared an Initial Regulatory Evaluation addressing the 
economic impact of the proposed rule. This regulatory evaluation has 
been placed in the docket and is available for public inspection and 
copying during normal business hours at FRA's docket room at the Office 
of Chief Counsel, FRA, 1120 Vermont Avenue, NW, Washington, DC 20590. 
Copies may also be obtained by submitting a written request to the FRA 
Docket Clerk at the above address.

Anticipated Costs and Benefits

    Signal and train control systems act to prevent collisions between 
on-track equipment, in some cases to warn of defective track or other 
hazards and in some cases to govern train speed, preventing speed-
related derailments. Thus the ultimate benefit of any signal and train 
control systems safety regulation is the provision of a safe operating 
environment for trains. The particular benefit of this proposed rule is 
the facilitation of introducing new technology into the field of signal 
and train control under minimal government scrutiny.
    The proposed rule would regulate processor based signal and train 
control systems. Technological advances have made these systems 
increasingly more attractive to railroads, yet existing FRA rules 
concerning design and testing of these systems impose restrictions 
which are unrealistic when applied to processor-based systems. In 
addition, in many instances, these systems are simply beyond the scope 
of current rules regulating traditional relay-based signal and train 
control systems. Consequently, FRA has been forced to regulate by 
exception, by issuing waivers or exemptions to its regulations on a 
case-by-case basis. This process has generally been recognized as time-
consuming and unpredictable for the industry.
    The proposed performance standard is that any new system must be at 
least as safe as the existing system. It does not mandate use of 
processor-based systems, but rather proposes performance standards for 
their design and use, should a railroad intend to implement one. FRA 
believes that a railroad would adopt a new system under these rules 
only for one or more of the following three reasons:
    (1) The new system is safer;
    (2) The new system is less expensive and will not diminish the 
existing level of safety; or
    (3) Continued maintenance of the existing system is no longer 
feasible.
    In the first case, if a new system is safer, FRA assumes the 
railroad would adopt it only if it provided benefits which exceed costs 
to the railroad. Also, because the new system is safer, society at 
large would benefit. In the second case, if a new system were equally 
safe but less expensive, then the benefits would outweigh the costs to 
the railroad. Third, if the existing system is no longer feasible to 
maintain, the railroad under existing rules would be required to 
petition FRA in order to remove it, or would be required to replace it 
with a new system. FRA is not bound to grant such petitions, and the 
proposed rule does not eliminate current rules regarding this 
abandonment process. In this instance, if the railroad replaces its 
system, FRA assumes it will choose the most cost effective alternative, 
and the proposed rule would ensure these alternatives are at least as 
safe as the current system. Thus, FRA envisions only one case where the 
proposed rule could possibly impose a situation not in the railroad's 
best interest. FRA does not believe this case would be a common 
occurrence.
    The proposed rule would require substantial safety documentation 
from the railroad. The documentation is required to explain how each 
railroad will comply with the performance standard. FRA expects these 
internal procedures to be more efficient than current FRA rules, since 
they will be particularized for each railroad.
    An undetermined question is whether the cost of writing the 
railroad's safety plan and product safety plan exceed the benefit from 
the increased flexibility. FRA does not believe so. It appears that the 
costliest part of the documentation will be the risk assessment. 
Currently, a substantial portion of this work is performed by 
suppliers. Each supplier now serving the rail industry uses some form 
of risk/safety analysis which can be documented. The primary cost of 
this proposed rule is the gathering of that safety information into one 
source. This would likely be a single time expense for each system, 
unless the system were not to perform as expected in service. The 
corresponding benefit would be the railroad's ability to use the more 
flexible maintenance standards over the life of the system. An offset 
to the recurring benefit would be the cost of tracking failures which 
might lead to an unsafe condition.
    Under the proposed rule, railroads using existing processor-based 
signal and train control systems would be required to maintain a 
software management control plan. FRA believes this is a desirable 
safety practice, as it would avoid incorrectly installing the wrong 
programming, either through hardware or software, in a system. FRA also 
believes that under the current regulations, replacing a processor or 
program would constitute disarrangement and would require physical 
testing of every device or appliance affected by that processor. In 
some cases, all of the switches and signals on a line are tied to a 
processor. It is not feasible to conduct the currently required tests, 
and it is certainly less expensive to maintain a software management 
control plan. Thus, insofar as existing processor-based systems are 
concerned, the proposed rule would be less costly than the current 
rule, and FRA believes it would be more effective in promoting safety.
    FRA has not quantified the above benefits because it has no way to 
estimate how many systems are likely to be covered by this rule, what 
the incremental costs would be, and when the benefits would occur. 
Because of the industry consensus involved (labor, management, and 
suppliers), FRA believes the benefits appear to outweigh the cost. The 
rule does not appear to have any effect of transferring costs from the 
railroads to the suppliers. Thus, FRA believes the railroads' assent 
appears to be based on genuine economics.
    In short, FRA does not know the magnitude of the benefits and costs 
because of the performance standard concepts embodied in the proposed 
rule, but believes that benefits will outweigh costs.

Regulatory Flexibility Act

    The Regulatory Flexibility Act of 1980 (5 U.S.C. 601 et seq.) 
requires a review of final rules to assess their impact on small 
entities, unless the Secretary certifies that a final rule will not 
have a significant economic impact on a substantial number of small 
entities. This proposed rule should not have a significant economic 
impact on small entities. The proposed rule does not require the 
implementation of processor-based signal and train control systems, but 
merely proposes a performance standard for the design and operation of 
them. Smaller entities are not required to develop new systems with 
costly risk analyses. In fact, the proposed rule has been designed to

[[Page 42382]]

allow small entities to be able to ``recycle'' risk analyses by taking 
advantage of commercially-available products. Previously-developed risk 
analyses should require only minor further changes to reflect how the 
product is to be used in the railroad's own operating environment. In 
conclusion, FRA believes that any impact on small entities will be 
minimal.

Paperwork Reduction Act

    The information collection requirements in this proposed rule have 
been submitted for approval to the Office of Management and Budget 
(OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. 
The sections that contain the new information collection requirements 
and the estimated time to fulfill each requirement are as follows:

----------------------------------------------------------------------------------------------------------------
                                 Respondent      Total annual     Average time     Total annual    Total annual
         CFR section              universe        responses       per response     burden hours     burden cost
----------------------------------------------------------------------------------------------------------------
234.275--Processor Based      100 Railroads..  25 letters.....  2 hours........  50 hours.......          $1,900
 Systems--Deviations from
 requirements.
236.18--Software Management   100 Railroads..  30 plans.......  20 hours.......  600 hours......          22,800
 Control Plan.
236.905--Railroad Safety      100 Railroads..  10 plans.......  50 hours.......  500 hours......          21,800
 Program Plan (RSPP).
RSPP Modifications..........  100 Railroads..  5 RSPP Mod.....  20 hours.......  100 hours......           4,360
236.907--Product Safety Plan  100 Railroads..  20 plans.......  80 hours.......  1,600 hours....          60,800
 (PSP).
236.909--Minimum Performance  100 Railroads..  5 petitions....  60 minutes.....  5 hours........             330
 Standard--Petitions for
 Review and Approval.
    Full Risk Assessment....  100 Railroads..  3 full assess..  1,000 hours....  3,000 hours....         375,000
    Abbreviated Risk          100 Railroads..  16 abb. assess.  80 hours.......  1,280 hours....         160,000
     Assessments.
    Subsequent Years--Full    100 Railroads..  5 amend docs...  400 hours......  2,000 hours....         250,000
     Risk Assessments.
    Subsequent Years--        100 Railroads..  5 amend docs...  20 hours.......  100 hours......          12,500
     Abbreviated Risk Assess.
    Alternative Risk          100 Railroads..  3 documents....  40 hours.......  120 hours......           4,560
     Assessments.
236.911--Exclusions--Notific  100 Railroads..  20               2 hours........  40 hours.......           1,520
 ations.                                        notifications.
    Additional Product        100 Railroads..  2 plans........  80 hours.......  160 hours......           6,080
     Safety Pans (PSPs).
236.913--Notifications to
 FRA of PSPs.
    Informational Filings/    100 Railroads..  5 notifications  60 minutes.....  5 hours........             190
     Petitions for Approval.
    Informational Filing--    100 Railroads..  32 filings.....  8 hours........  256 hours......           9,728
     Add'l Info. Requested.
    Additional Documents      100 Railroads..  10 data calls..  8 hours........  80 hours.......           3,040
     Requested/by FRA.
    Technical Consultations.  100 Railroads..  10 data calls..  4 hours........  40 hours.......           1,520
    Petitions for Final       100 Railroads..  5 consultations  8 hours........  40 hours.......           1,400
     Approval.
    Additional Documents      100 Railroads..  20 petitions...  4 hours........  80 hours.......           3,040
     Requested by FRA.
    Further Consultations...  100 Railroads..  5 data calls...  8 hours........  40 hours.......           1,520
    Other Petitions for       100 Railroads..  5 consultations  4 hours........  20 hours.......             760
     Approval.
    Additional Documents/     100 Railroads..  5 petitions....  60 minutes.....  5 hours........             190
     Info. Requested.
236.917--Retention of         100 Railroads..  22 documents...  4 hours........  88 hours.......           3,344
 Records.
    PSPs--Safety Hazards--    100 Railroads..  80 reports.....  2 hours........  160 hours......           6,080
     Reporting
     Inconsistencies.
236.919--Operations and       100 Railroads..  25 manuals.....  4 hours........  100 hours......           3,800
 Maintenance Manual.
    Plans For Safety-         100 Railroads..  20 plans.......  40 hours.......  800 hours......          30,400
     Critical Products.
    Hardware/Software Revi.   100 Railroads..  5 revisions....  2 hours........  10 hours.......             380
     Documented in OMM.
    Identification of Safety- 100 Railroads..  10,000 markng..  1 minute.......  167 hours......           4,843
     Critical Components.
236.921--Training Programs..  100 Railroads..  20 programs....  80 hours.......  1,600 hours....          60,800
    Training Sessions--       100 Railroads..  220 sessions...  40 hours/20      8,400 hours....       1,050,000
     Railroad Employees.                                         hours.
236.923--Task Analysis/Basic  4,400 RR         4,400 records..  10 minutes.....  733 hours......          27,854
 Requirements--Records.        Employees.
----------------------------------------------------------------------------------------------------------------

    All estimates include the time for reviewing instructions, 
searching existing data sources, gathering or maintaining the needed 
data, and reviewing the information. Pursuant to 44 U.S.C. 
3506(c)(2)(B), the FRA solicits comments concerning: whether these 
information collection requirements are necessary for the proper 
performance of the function of FRA, including whether the information 
has practical utility; the accuracy of FRA's estimates of the burden of 
the information collection requirements; the quality, utility, and 
clarity of the information to be collected; and whether the burden of 
collection of information on those who are to respond, including 
through the use of automated collection techniques or other forms of 
information technology, may be minimized. For information or a copy of 
the paperwork package submitted to OMB contact Robert Brogan at (202) 
493-6292.

[[Page 42383]]

    FRA believes that soliciting public comment will promote its 
efforts to reduce the administrative and paperwork burdens associated 
with the collection of information mandated by Federal regulations. In 
summary, FRA reasons that comments received will advance three 
objectives: (i) Reduce reporting burdens; (ii) ensure that it organizes 
information collection requirements in a ``user friendly'' format to 
improve the use of such information; and (iii) accurately assess the 
resources expended to retrieve and produce information requested. See 
44 U.S.C. 3501.
    Comments must be received no later than October 9, 2001. 
Organizations and individuals desiring to submit comments on the 
collection of information requirements should direct them to Robert 
Brogan, Federal Railroad Administration, RRS-21, Mail Stop 17, 1120 
Vermont Ave., NW., MS-17, Washington, DC 20590.
    OMB is required to make a decision concerning the collection of 
information requirements contained in this proposed rule between 30 and 
60 days after publication of this document in the Federal Register. 
Therefore, a comment to OMB is best assured of having its full effect 
if OMB receives it within 30 days of publication. The final rule will 
respond to any OMB or public comments on the information collection 
requirements contained in this proposal.
    FRA cannot impose a penalty on persons for violating information 
collection requirements which do not display a current OMB control 
number, if required. FRA intends to obtain current OMB control numbers 
for any new information collection requirements resulting from this 
rulemaking action prior to the effective date of a final rule. The OMB 
control number, when assigned, will be announced by separate notice in 
the Federal Register.

Environmental Impact

    FRA has evaluated this proposed regulation in accordance with the 
agency's ``Procedures for Considering Environmental Impacts'' as 
required by the National Environmental Policy Act (42 U.S.C. 4321 et 
seq.) and related statutes and directives. The agency has determined 
that the proposed regulation would not have a significant impact on the 
human or natural environment and is categorically excluded from 
detailed environmental review pursuant to section 4(c)(20) of FRA's 
Procedures. Neither an environmental assessment or an environmental 
impact statement is required in this instance. The agency's review has 
confirmed the applicability of the categorical exclusion to this 
proposed regulation and the conclusion that the proposed rule would 
not, if implemented, have a significant environmental impact.

Federalism Implications

    This proposed rule has been analyzed in accordance with the 
principles and criteria contained in Executive Order 13132, and it has 
been determined that the proposed rule does not have sufficient 
federalism implications to warrant the preparation of a federalism 
summary impact statement. However, if it is determined through the 
comment period that federalism is impacted, FRA will document its 
consultations with State and local officials as appropriate and a 
federalism summary impact statement will be included in any final rule. 
FRA has consulted State and local officials in developing this proposed 
rule. The RSAC, which recommended this proposed rule, has as permanent 
members two organizations representing State and local interests: the 
AASHTO and the ASRSM. RSAC regularly provides recommendations to the 
FRA Administrator for solutions to regulatory issues that reflect 
significant input from its State members.

Compliance With the Unfunded Mandates Reform Act of 1995

    Pursuant to the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-
4) each federal agency ``shall, unless otherwise prohibited by law, 
assess the effects of Federal Regulatory actions on State, local, and 
tribal governments, and the private sector (other than to the extent 
that such regulations incorporate requirements specifically set forth 
in law).'' Sec. 201. Section 202 of the Act further requires that 
``before promulgating any general notice of proposed rulemaking that is 
likely to result in promulgation of any rule that includes any Federal 
mandate that may result in the expenditure by State, local, and tribal 
governments, in the aggregate, or by the private sector, of 
$100,000,000 or more (adjusted annually for inflation) in any 1 year, 
and before promulgating any final rule for which a general notice of 
proposed rulemaking was published, the agency shall prepare a written 
statement * * *'' detailing the effect on State, local and tribal 
governments and the private sector. The proposed rules issued today do 
not include any mandates which will result in the expenditure, in the 
aggregate, of $100,000,000 or more in any one year, and thus 
preparation of a statement is not required.

Request for Public Comments

    FRA proposes to amend parts 209, 234, and 236 of title 49, Code of 
Federal Regulations, as set forth below. FRA solicits comments on all 
aspects of the proposed rule whether through written submissions, 
participation in a public hearing, or both. FRA may make changes in the 
final rule based on comments received in response to this proposed 
rule.

List of Subjects

49 CFR Part 209

    Administrative practice and procedure.

49 CFR Part 234

    Highway safety, Railroad safety.

49 CFR Part 236

    Railroad safety, Reporting and recordkeeping requirements.

The Proposed Rule

    In consideration of the foregoing, FRA proposes to amend chapter II 
of title 49, Code of Federal Regulations as follows:

PART 209--[AMENDED]

    1. The authority citation for part 209 continues to read as 
follows:

    49 U.S.C. 20103, 20107, 20111, 20112, 20114, and 49 CFR 1.49.

    2. Revise paragraph (a) of section 209.11 to read as follows:
    (a) This section governs the procedures for requesting confidential 
treatment of any document filed with or otherwise provided to FRA in 
connection with its enforcement of statutes or FRA regulations related 
to railroad safety. For purposes of this section, ``enforcement'' shall 
include receipt of documents required to be submitted by FRA 
regulations, and all investigative and compliance activities, in 
addition to the development of violation reports and recommendations 
for prosecution.
* * * * *

PART 234--[AMENDED]

    3. The authority citation for part 234 continues to read as 
follows:
    49 U.S.C. 20103, 20107, and 49 CFR 1.49.
    4. Add a new undesignated centerheading and new section 234.275 to 
read as follows:
Requirements for Processor-Based Systems


Sec. 234.275  Processor-based systems.

    (a) The definitions in Sec. 236.903 of this chapter shall apply to 
this section, where applicable.

[[Page 42384]]

    (b) In lieu of compliance with the requirements of this subpart, a 
railroad may elect to qualify an existing product under part 236, 
subpart H of this chapter. Highway-rail grade crossing warning systems 
which contain new or novel technology or provide safety-critical data 
to a railroad signal system shall comply with part 236, subpart H of 
this chapter. New or novel technology refers to a technology not 
previously recognized for use as of (date of final rule publication).
    (c) The Product Safety Plan must explain how the performance 
objective sought to be addressed by each of the particular requirements 
of this subpart is met by the product, why the objective is not 
relevant to the product's design, or how safety requirements are 
satisfied using alternative means. Deviation from those particular 
requirements is authorized if an adequate explanation is provided, 
making reference to relevant elements of the Product Safety Plan, and 
if the product satisfies the performance standard set forth in 
Sec. 236.909 of this chapter. (See Sec. 236.907(a)(14) of this 
chapter). Any existing products both used at highway-rail grade 
crossing warning systems and which provide safety-critical data to or 
receive safety-critical data from a railroad signal or train control 
system shall be included in the software management control plan as 
required in Sec. 236.18 of this chapter.
    (d) The following exclusions from the latitude provided by this 
section apply:
    (1) Nothing in this section authorizes deviation from applicable 
design requirements for automated warning devices at highway-rail grade 
crossings in the Manual on Uniform Traffic Control Devices (MUTCD), 
2000 Millennium Edition, Federal Highway Administration (FHWA), dated 
December 18, 2000, including Errata #1 to MUTCD 2000 Millennium Edition 
dated June 14, 2001 (http://mutcd.fhwa.dot.gov/).
    (2) Nothing in this section authorizes deviation from the following 
requirements of this subpart:

(i) Sec. 234.207(b) (Adjustment, repair, or replacement of a 
component);
(ii) Sec. 234.209(b) (Interference with normal functioning of system);
(iii) Sec. 234.211 (Security of warning system apparatus);
(iv) Sec. 234.217 (Flashing light units);
(v) Sec. 234.219 (Gate arm lights and light cable);
(vi) Sec. 234.221 (Lamp voltage);
(vii) Sec. 234.223 (Gate arm);
(viii) Sec. 234.225 (Activation of warning system);
(ix) Sec. 234.227 (Train detection apparatus)--if a train detection 
circuit is employed to determine the train's presence;
(x) Sec. 234.229 (Shunting sensitivity)--if a conventional track 
circuit is employed;
(xi) Sec. 234.231 (Fouling wires)--if a conventional train detection 
circuit is employed;
(xii) Sec. 234.233 (Rail joints)--if a track circuit is employed;
(xiii) Sec. 234.235 (Insulated rail joints)--if a track circuit is 
employed;
(xiv) Sec. 234.237 (Reverse switch cut-out circuit); or
(xv) Sec. 234.245 (Signs).
    (e) Deviation from the requirement of Sec. 234.203 (Control 
circuits) that circuits be designed on a fail-safe principle must be 
separately justified at the component, subsystem and system level using 
the criteria of Sec. 236.909 of this chapter.

PART 236--[AMENDED]

    5. Revise the authority citation to part 236 to read as follows:

    Authority: 49 U.S.C. 20103, 20107, 20501-20505, and 49 CFR 1.49.

    6. Amend Sec. 236.0 to revise paragraphs (a) and (b), redesignate 
paragraph (f) as paragraph (g), and add new paragraph (f) to read as 
follows:


Sec. 236.0  Applicability.

    (a) Except as provided in paragraph (b) of this section, this part 
applies to all railroads.
    (b) This part does not apply to-
    (1) a railroad that operates only on track inside an installation 
that is not part of the general railroad system of transportation; or
    (2) Rapid transit operations in an urban area that are not 
connected to the general railroad system of transportation.
* * * * *
    ( f) The requirements of subpart H of this part apply to safety-
critical processor-based signal and train control systems, including 
subsystems and components thereof, developed under the terms and 
conditions of that subpart.
    7. Add new Sec. 236.18 to read as follows:


Sec. 236.18  Software management control plan.

    (a) Within 24 months of (date 60 days after publication of final 
rule), each railroad shall adopt a software management control plan for 
signal and train control systems. Railroads commencing operations after 
(date 60 days after publication of final rule) shall adopt a software 
management control plan for signal and train control systems prior to 
commencing operations.
    (b) For purposes of this section, ``software management control 
plan'' means a plan designed to ensure that the proper and intended 
software version for each specific site and location is documented 
(mapped) and maintained through the life cycle of the system. The plan 
must further identify the tests required by the system developer and/or 
the railroads in the event of replacement, modification, and 
disarrangement.
    8. Revise Sec. 236.110 to read as follows:


Sec. 236.110  Results of tests.

    (a) Results of tests made in compliance with Secs. 236.102 to 
236.109, inclusive; 236.376 to 236.387, inclusive; 236.576; 236.577; 
236.586 to 236.589, inclusive; and 236.917(a) must be recorded on 
preprinted forms provided by the railroad or by electronic means, 
subject to approval by the FRA Associate Administrator for Safety. 
These records must show the name of the railroad, place, and date, 
equipment tested, results of tests, repairs, replacements, adjustments 
made, and condition in which the apparatus was left. Each record must 
be:
    (1) Signed by the employee making the test, or electronically coded 
or identified by number of the automated test equipment (where 
applicable);
    (2) Unless otherwise noted, filed in the office of a supervisory 
official having jurisdiction; and
    (3) Available for inspection and replication by FRA.
    (b) Results of tests made in compliance with Sec. 236.587 must be 
retained for 92 days.
    (c) Results of tests made in compliance with Sec. 236.917(a) must 
be retained as follows:
    (1) Results of tests that pertain to installation or modification 
must be retained for the life cycle of the equipment tested and may be 
kept in any office designated by the railroad; and
    (2) Results of periodic tests required for maintenance or repair of 
the equipment tested must be retained until the next record is filed 
but in no case less than one year.
    (d) Results of all other tests listed in this section must be 
retained until the next record is filed but in no case less than one 
year.
    (e) Electronic or automated tracking systems used to meet the 
requirements contained in paragraph (a) of this section must be capable 
of being reviewed and monitored by FRA at any time to ensure the 
integrity of the system. FRA's Associate Administrator for Safety may 
prohibit or revoke a railroad's authority to utilize an electronic or 
automated tracking system in lieu of preprinted forms if FRA finds

[[Page 42385]]

that the electronic or automated tracking system is not properly 
secure, is inaccessible to FRA or railroad employees requiring access 
to discharge their assigned duties, or fails to adequately track and 
monitor the equipment. In such case, FRA records such a determination 
in writing, includes a statement of the basis for such action, and 
provides a copy of the document to the affected railroad.
    9. Add new Sec. 236.787a to read as follows:


Sec. 236.787a  Railroad.

    Railroad means any form of non-highway ground transportation that 
runs on rails or electromagnetic guideways and any entity providing 
such transportation, including--
    (a) Commuter or other short-haul railroad passenger service in a 
metropolitan or suburban area and commuter railroad service that was 
operated by the Consolidated Rail Corporation on January 1, 1979; and
    (b) High speed ground transportation systems that connect 
metropolitan areas, without regard to whether those systems use new 
technologies not associated with traditional railroads; but does not 
include rapid transit operations in an urban area that are not 
connected to the general railroad system of transportation.
    10. Add new subpart H to read as follows:

Subpart H--Standards for Processor-Based Signal and Train Control 
Systems

Sec.
236.901   Purpose and scope.
236.903   Definitions.
236.905   Railroad Safety Program Plan (RSPP).
236.907   Product Safety Plan (PSP).
236.909   Minimum performance standard.
236.911   Exclusions.
236.913   Notification to FRA of PSPs.
236.915   Implementation and operation.
236.917   Retention of records.
236.919   Operations and Maintenance Manual.
236.921   Training and qualification program, general.
236.923   Task analysis and basic requirements.
236.925   Training specific to control office personnel.
236.927   Training specific to locomotive engineers and other 
operating personnel.
236.929   Training specific to roadway workers.
Subpart H--Standards for Processor-Based Signal and Train Control 
Systems


Sec. 236.901  Purpose and scope.

    (a) What is the purpose of this subpart?
    The purpose of this subpart is to ensure the safe operation of 
trains using safety-critical products, as defined in Sec. 236.903, and 
to facilitate the development of those products.
    (b) What topics does it cover?
    This subpart prescribes minimum, performance-based safety standards 
for safety-critical products, including requirements to ensure that the 
development, installation, implementation, inspection, testing, 
operation, maintenance, repair, and modification of those products will 
achieve and maintain an acceptable level of safety. This subpart also 
prescribes standards to ensure that personnel working with safety-
critical products receive appropriate training. Each railroad may 
prescribe additional or more stringent rules, and other special 
instructions, that are not inconsistent with this subpart.
    (c) What other rules apply?
    (1) This subpart does not exempt a railroad from compliance with 
the requirements of subparts A through G of this part, except to the 
extent a PSP satisfactorily explains:
    (i) How the objectives of any such requirements are met by the 
product;
    (ii) Why the objectives of any such requirements are not relevant 
to the product; or
    (iii) How the requirement is satisfied using alternative means. 
(See Sec. 236.907(a)(14)).
    (2) Products subject to this subpart are also subject to applicable 
requirements of parts 233, 234 and 235 of this chapter. See 
Sec. 234.275 of this chapter with respect to use of this subpart to 
qualify certain products for use within highway-rail grade crossing 
warning systems.
    (3) Information required to be submitted by this subpart that a 
submitter deems to be trade secrets, or commercial or financial 
information that is privileged or confidential under Exemption 4 of the 
Freedom of Information Act, 5 U.S.C. 552(b)(4), shall be so labeled in 
accordance with the provisions of Sec. 209.11 of this chapter. FRA 
handles information so labeled in accordance with the provisions of 
Sec. 209.11 of this chapter.


Sec. 236.903  Definitions.

    As used in this subpart--
    Associate Administrator for Safety means the Associate 
Administrator for Safety, FRA, or that person's delegate as designated 
in writing.
    Component means an element, device, or appliance (including those 
whose nature is electrical, mechanical, hardware, or software) that is 
part of a system or subsystem.
    Configuration management control plan means a plan designed to 
ensure that the proper and intended product configuration, including 
the hardware components and software version, is documented and 
maintained through the life cycle of products in-use.
    Executive software means software common to all installations of a 
given product. It generally is used to schedule the execution of the 
site-specific application programs, run timers, read inputs, drive 
outputs, perform self-diagnostics, access and check memory, and monitor 
the execution of the application software to detect unsolicited changes 
in outputs.
    FRA means the Federal Railroad Administration.
    Full automatic operation means that mode of an automatic train 
control system capable of operating without external human influence, 
in which the locomotive engineer/operator may act as a passive system 
monitor, in addition to an active system controller.
    Hazard means an existing or potential condition that can result in 
an accident.
    High degree of confidence means that there exists credible safety 
analysis which is sufficient to persuade a reasonable decision-maker 
that the likelihood of the proposed condition associated with the new 
product being less safe than the previous condition is very small 
(remote).
    Human factors refers to a body of knowledge about human 
limitations, human abilities, and other human characteristics, such as 
behavior and motivation, that must be considered in product design.
    Human-machine interface (HMI) means the interrelated set of 
controls and displays that allows humans to interact with the machine.
    Initialization refers to the startup process when it is determined 
that a product has all required data input and the product is prepared 
to function as intended.
    Mandatory directive has the meaning set forth in Sec. 220.5 of this 
chapter.
    Materials handling refers to explicit instructions for handling 
safety-critical components established to comply with procedures 
specified in the PSP.
    Mean Time To Hazardous Event (MTTHE) means the average or expected 
time that a subsystem or component will operate prior to the occurrence 
of an unsafe failure.
    New or next-generation train control system means a train control 
system using technologies not in use in revenue service at the time of 
PSP submission or without established histories of safe practice.

[[Page 42386]]

    Petition for approval means a petition to FRA for approval to use a 
product on a railroad as described in its PSP. The petition for 
approval contains only: information relevant to determining the safety 
of the resulting system; information relevant to determining compliance 
with this part; and information relevant to determining the safety of 
the product, including a complete copy of the product's PSP and 
supporting safety analysis.
    Predefined change means any post-implementation modification to the 
use of a product that is provided for in the PSP (see Sec. 236.907(b)).
    Preliminary Safety Analysis means the initial PSP analysis which 
results in a comprehensive listing of all safety functions that a 
system, subsystem, or component will perform. The analysis will insure 
that hazards are controlled when they occur, and that the risks 
associated with such hazards are either eliminated or mitigated prior 
to further development. (The initial product safety plan analysis 
methodology that provides a safety plan which regulates quality 
assurance, development, testing, implementation, and maintenance of 
each product.)
    Previous Condition refers to the estimated risk inherent in the 
portion of the existing method of operation that is relevant to the 
change under analysis (including the elements of any existing signal or 
train control system relevant to the review of the product).
    Processor-based, as used in this subpart, means dependent on a 
digital processor for its proper functioning.
    Product means a processor-based signal or train control system, 
subsystem, or component.
    Product Safety Plan (or PSP) refers to a formal document which 
describes in detail all of the safety aspects of the product, including 
procedures for its development, installation, implementation, 
operation, maintenance, repair, inspection, testing and modification, 
as well as analyses supporting its safety claims, as described in 
Sec. 236.907.
    Railroad Safety Program Plan (or RSPP) refers to a formal document 
which describes a railroad's strategy for addressing safety hazards 
associated with operation of products under this subpart and its 
program for execution of such strategy though the use of PSP 
requirements, as described in Sec. 236.905.
    Revision control means a chain of custody regimen designed to 
positively identify safety-critical components and spare equipment 
availability, including repair/replacement tracking in accordance with 
procedures outlined in the PSP.
    Risk means the expected probability of occurrence for an individual 
accident event (probability) multiplied by the severity of the expected 
consequences associated with the accident (severity).
    Risk assessment means the process of determining, either 
quantitatively or qualitatively, the measure of risk associated with
    (1) Use of the product under all intended operating conditions or
    (2) The previous condition.
    Safety-critical, as applied to a function, a system, or any portion 
thereof, means the correct performance of which is essential to safety 
of personnel and/or equipment, or the incorrect performance of which 
could cause a hazardous condition, or allow a hazardous condition which 
was intended to be prevented by the function or system to exist.
    Subsystem means a defined portion of a system.
    System refers to a signal or train control system and includes all 
subsystems and components thereof, as the context requires.
    System Safety Precedence means the order of precedence in which 
methods used to eliminate or control identified hazards within a system 
are implemented.
    Validation means the process of determining whether a product's 
design requirements fulfill its intended design objectives during its 
development and life cycle. The goal of the validation process is to 
determine ``whether the correct product was built.''
    Verification means the process of determining whether the results 
of a given phase of the development cycle fulfill the validated 
requirements established at the start of that phase. The goal of the 
verification process is to determine ``whether the product was built 
correctly.''


Sec. 236.905  Railroad Safety Program Plan (RSPP).

    (a) What is the purpose of an RSPP? A railroad subject to this 
subpart shall develop an RSPP, subject to FRA approval, that serves as 
its principal safety document for all safety-critical products. The 
RSPP must establish the minimum PSP requirements that will govern the 
development and implementation of all products subject to this subpart, 
consistent with the provisions contained in Sec. 236.907.
    (b) What subject areas must the RSPP address? The railroad's RSPP 
must address, at a minimum, the following subject areas:
    (1) Requirements and concepts. The RSPP must require a description 
of the preliminary safety analysis, including:
    (i) A complete description of methods used to evaluate a system's 
behavioral characteristics;
    (ii) A complete description of risk assessment procedures;
    (iii) The system safety precedence followed; and
    (iv) The identification of the safety assessment process.
    (2) Design for verification and validation. The RSPP must require 
the identification of validation and verification methods for the 
preliminary safety analysis, initial development process and future 
incremental changes, including standards to be used in the validation 
and verification process, consistent with Appendix C to this part. The 
RSPP must require that a copy of any non-published standards be 
included with the PSP.
    (3) Design for human factors. The RSPP must require a description 
of the process used during product development to identify human 
factors issues and develop design requirements which address those 
issues.
    (4) Configuration management control plan. The RSPP must specify 
requirements for configuration management for all products to which 
this subpart applies.
    (c) How are RSPP's approved?
    (1) Each railroad shall submit a petition for approval of RSPP in 
triplicate to the Associate Administrator for Safety, FRA, 1120 Vermont 
Avenue, NW., Mail Stop 25, Washington, DC 20590. The petition must 
contain a copy of the proposed RSPP and the name, title, address, and 
telephone number of the railroad's primary contact person for review of 
the petition.
    (2) Normally within 180 days of receipt of a petition for approval 
of an RSPP, FRA:
    (i) Grants the petition, if FRA finds that the petition complies 
with applicable requirements of this subpart, attaching any special 
conditions to the approval of the petition as necessary to carry out 
the requirements of this subpart;
    (ii) Denies the petition, setting forth reasons for denial; or
    (iii) Requests additional information.
    (3) If no action is taken on the petition within 180 days, the 
petition remains pending for decision. The petitioner is encouraged to 
contact FRA for information concerning its status.
    (4) FRA may reopen consideration of any previously-approved 
petition for cause, providing reasons for such action.
    (d) How are RSPP's modified?
    (1) Railroads shall obtain FRA approval for any modification to 
their RSPP which affects a safety-critical

[[Page 42387]]

requirement of a PSP. Other modifications do not require FRA approval.
    (2) Petitions for FRA approval of RSPP modifications are subject to 
the same procedures as petitions for initial RSPP approval, as 
specified in paragraph (c) of this section. In addition, such petitions 
must identify the proposed modifications to be made, the reason for the 
modifications, and the effect of the modifications on safety.


Sec. 236.907  Product Safety Plan (PSP).

    (a) What must a PSP contain? The PSP must include the following:
    (1) A complete description of the product, including a list of all 
product components and their physical relationship in the subsystem or 
system;
    (2) A description of the railroad operation or categories of 
operations on which the product is designed to be used, including train 
movement density, gross tonnage, passenger train movement density, 
hazardous materials volume, railroad operating rules, and operating 
speeds;
    (3) An operational concepts document, including a complete 
description of the product functionality and information flows;
    (4) A safety requirements document, including a list with complete 
descriptions of all functions which the product performs to enhance or 
preserve safety;
    (5) A document describing the manner in which product architecture 
satisfies safety requirements;
    (6) A hazard log consisting of a comprehensive description of all 
safety-relevant hazards to be addressed during the life cycle of the 
product, including maximum threshold limits for each hazard (for 
unidentified hazards, the threshold shall be exceeded at one 
occurrence);
    (7) A risk assessment, as prescribed in Sec. 236.909 and Appendix B 
to this part;
    (8) A hazard mitigation analysis, including a complete and 
comprehensive description of all hazards to be addressed in the system 
design and development, mitigation techniques used, and system safety 
precedence followed, as prescribed by the applicable RSPP;
    (9) A complete description of the safety assessment and validation 
and verification processes applied to the product and the results of 
these processes, describing how subject areas covered in Appendix C to 
this part are either: addressed directly, addressed using other safety 
criteria, or not applicable;
    (10) A complete description of the safety assurance concepts used 
in the product design, including an explanation of the design 
principles and assumptions;
    (11) A human factors analysis, including a complete description of 
all human-machine interfaces, a complete description of all functions 
performed by humans in connection with the product to enhance or 
preserve safety, and an analysis in accordance with Appendix E to this 
part or in accordance with other criteria if demonstrated to the 
Associate Administrator for Safety to be equally suitable;
    (12) A complete description of the specific training necessary to 
ensure the safe and proper installation, implementation, operation, 
maintenance, repair, inspection, testing, and modification of the 
product;
    (13) A complete description of the specific procedures and test 
equipment necessary to ensure the safe and proper installation, 
implementation, operation, maintenance, repair, inspection, testing, 
and modification of the product. These procedures, including 
calibration requirements, shall be consistent with or explain 
deviations from the equipment manufacturer's recommendations;
    (14) An analysis of the applicability of the requirements of 
subparts A-G of this part to the product that may no longer apply or 
are satisfied by the product using an alternative method, and a 
complete explanation of the manner in which those requirements are 
otherwise fulfilled (see Sec. 234.275 of this chapter and 
Sec. 236.901(c));
    (15) A complete description of the necessary security measures for 
the product over its life-cycle;
    (16) A complete description of each warning to be placed in the 
Operations and Maintenance Manual identified in Sec. 236.919, and of 
all warning labels required to be placed on equipment as necessary to 
ensure safety;
    (17) A complete description of all initial implementation testing 
procedures necessary to establish that safety-functional requirements 
are met and safety-critical hazards are appropriately mitigated;
    (18) A complete description of:
    (i) All post-implementation testing (validation) and monitoring 
procedures, including the intervals necessary to establish that safety-
functional requirements, safety-critical hazard mitigation processes, 
and safety-critical tolerances are not compromised over time, over use, 
or after maintenance (repair, replacement, adjustment) is performed; 
and
    (ii) Each record necessary to ensure the safety of the system that 
is associated with periodic maintenance, inspections, tests, repairs, 
replacements, adjustments, and the system's resulting conditions, 
including records of component failures resulting in safety-relevant 
hazards (see Sec. 236.917(e)(3));
    (19) A complete description of any safety-critical assumptions 
regarding availability of the product, and a complete description of 
all backup methods of operation; and
    (20) A complete description of all incremental and predefined 
changes (see paragraphs (b) and (c) of this section).
    (b) What requirements apply to predefined changes?
    (1) Predefined changes are not considered design modifications 
requiring an entirely new safety verification process, a revised PSP, 
and informational filing or petition for approval in accordance with 
Sec. 236.915. However, the risk assessment for the product must 
demonstrate that operation of the product, as modified by any 
predefined change, satisfies the minimum performance standard.
    (2) The PSP must identify configuration/revision control measures 
designed to ensure that safety-functional requirements and safety-
critical hazard mitigation processes are not compromised as a result of 
any such change.
    (c) What requirements apply to other product changes? Incremental 
changes are planned product version changes described in the initial 
PSP where slightly different specifications are used to allow the 
gradual enhancement of the product's capabilities. Incremental changes 
shall require verification and validation to the extent the changes 
involve safety-critical functions. Changes classified as maintenance 
require validation.


Sec. 236.909  Minimum performance standard.

    (a) What is the minimum performance standard for products covered 
by this subpart? The safety analysis included in the railroad's PSP 
must establish with a high degree of confidence that introduction of 
the product will not result in risk that exceeds the previous 
condition. The railroad shall make the determination, prior to filing 
its petition for approval or informational filing, that this standard 
has been met and shall make available the necessary analyses and 
documentation as provided in this subpart.
    (b) How does FRA determine whether the PSP requirements for 
products covered by subpart H have been met? With respect to any FRA 
review of a PSP, the Associate Administrator for Safety determines 
sufficiency. In evaluating the sufficiency of the

[[Page 42388]]

railroad's case for the product, the Associate Administrator for Safety 
considers, as applicable, the factors pertinent to evaluation of risk 
assessments, listed in Sec. 236.913(g)(2).
    (c) What is the scope of a full risk assessment required by this 
section? A full risk assessment performed under this subpart must 
address the safety risks affected by the introduction, modification, 
replacement, or enhancement of a product. This includes risks 
associated with the previous condition which are no longer present as a 
result of the change, new risks not present in the previous condition, 
and risks neither newly created nor eliminated whose nature 
(probability of occurrence or severity) is nonetheless affected by the 
change.
    (d) What is an abbreviated risk assessment, and when may it be 
used? An abbreviated risk assessment demonstrates that the resulting 
MTTHE for the proposed product is greater than the MTTHE for the 
product or methods performing the same function in the previous 
condition. This determination must be supported by credible safety 
analysis sufficient to persuade a reasonable decision-maker that the 
likelihood of the new product's MTTHE being less than the MTTHE for the 
system, component, or method performing the same function in the 
previous condition is very small (remote). An abbreviated risk 
assessment may be used in lieu of a full risk assessment to show 
compliance with the performance standard if:
    (1) No new hazards are introduced as a result of the change;
    (2) Severity of each hazard associated with the previous condition 
does not increase from the previous condition; and
    (3) Exposure to such hazards does not change from the previous 
condition.
    (e) How are safety and risk measured for the full risk assessment? 
Risk assessment techniques, including both qualitative and quantitative 
methods are recognized as providing credible and useful results for 
purposes of this section if they apply the following principles:
    (1) Safety levels must be measured using competent risk assessment 
methods and must be expressed as the total residual risk in the system 
over its expected life cycle after implementation of all mitigating 
measures described in the PSP. Appendix B to this part provides 
criteria for acceptable risk assessment methods. Other methods may be 
acceptable if demonstrated to the Associate Administrator for Safety to 
be equally suitable.
    (2) For the previous condition and for the life-cycle of the 
product, risk levels must be adjusted for exposure. Exposure must be 
expressed as total train miles (and, as applicable, total passenger 
miles) traveled per year. Severity must identify the total cost, 
including fatalities, injuries, property damage, and other incidental 
costs, such as potential consequences of hazardous materials 
involvement, resulting from preventable accidents associated with the 
function(s) performed by the system. A railroad may, as an alternative, 
use a risk metric in which severity is measured strictly in terms of 
fatalities.
    (3) If changes in the physical or operating conditions on the 
railroad are planned coincident with introduction of or within the 
expected life cycle of the product subject to review under this 
subpart, the previous condition shall be adjusted to reflect any 
associated impact on risk. In particular, the previous condition must 
be adjusted for assumed implementation of systems necessary to support 
higher train speeds as specified in Sec. 236.0, as well as track and 
other changes required to support projected increases in train 
operations.


Sec. 236.911  Exclusions.

    (a) Does this subpart apply to existing systems? The requirements 
of this subpart do not apply to products in service as of (the date 60 
days after publication of the final rule). Railroads may continue to 
implement and use these products and components from these existing 
products.
    (b) How will transition cases be handled? Products designed in 
accordance with subparts A through G of this part which are not in 
service but are developed or are in the developmental stage prior to 
(date of publication of final rule) may be excluded upon notification 
to FRA by (60 days after date of publication of final rule) if placed 
in service by (3 years after date of publication of final rule). 
Railroads may continue to implement and use these products and 
components from these existing products. A railroad may at any time 
elect to have products that are excluded made subject to this subpart 
by submitting a PSP as prescribed in Sec. 236.913 and otherwise 
complying with this subpart.
    (c) How are office systems handled? The requirements of this 
subpart do not apply to existing office systems and future deployments 
of existing office system technology. However, a subsystem or component 
of an office system must comply with the requirements of this subpart 
if it performs safety-critical functions within, or affects the safety 
performance of, a new or next-generation train control system. For 
purposes of this section, office system means a centralized computer-
based train-dispatching and/or central safety computer system.
    (d) How are modifications to excluded products handled? Changes or 
modifications to products otherwise excluded from the requirements of 
this subpart by this section are not excluded from the requirements of 
this subpart if they result in a degradation of safety or a material 
increase in safety-critical functionality.
    (e) What other rules apply to excluded products? Products excluded 
by this section from the requirements of this subpart remain subject to 
subparts A through G of this part as applicable.


Sec. 236.913  Notification to FRA of PSPs.

    (a) Under what circumstances must a PSP be prepared? A PSP must be 
prepared for each product covered by this subpart. A joint PSP must be 
prepared when:
    (1) The territory on which a product covered by this subpart is 
normally subject to joint operations, or is operated upon by more than 
one railroad; and
    (2) The PSP involves a change in method of operation.
    (b) Under what circumstances must a railroad submit a petition for 
approval for a PSP or PSP amendment, and when may a railroad submit an 
informational filing? Depending on the nature of the proposed product 
or change, the railroad shall submit either an informational filing or 
a petition for approval. Submission of a petition for approval is 
required for PSPs or PSP amendments concerning installation of new or 
next-generation train control systems. All other actions that result in 
the creation of a PSP or PSP amendment require an informational filing 
and will be handled according to the procedures outlined in paragraph 
(c) of this section. Applications for discontinuance and material 
modification of signal and train control systems remain governed by 
parts 235 and 211 of this chapter; and petitions subject to this 
section may be consolidated with any relevant application for 
administrative handling.
    (c) What are the procedures for informational filings? The 
following procedures apply to PSPs and PSP amendments which do not 
require submission of a petition for approval, but rather require an 
informational filing:
    (1) Not less than 180 days prior to planned use of the product in 
revenue service as described in the PSP or PSP amendment, the railroad 
shall submit an

[[Page 42389]]

informational filing to the Associate Administrator for Safety, FRA, 
1120 Vermont Avenue, NW., Mail Stop 25, Washington, DC 20590. The 
informational filing must provide a summary description of the PSP or 
PSP amendment, including the intended use of the product, and specify 
the location where the documentation as described in Sec. 236.917(e)(1) 
is maintained.
    (2) Within 60 days of receipt of the informational filing, FRA:
    (i) Acknowledges receipt of the filing;
    (ii) Acknowledges receipt of the informational filing and requests 
further information; or
    (iii) Acknowledges receipt of the filing and notifies the railroad, 
for good cause, that the filing will be considered as a petition for 
approval as set forth in paragraph (d) of this section, and requests 
such further information as may be required to initiate action on the 
petition for approval. Examples of good cause include: The PSP 
describes a product with unique architectural concepts, the PSP 
describes a product that uses design or safety assurance concepts 
considered outside existing accepted practices, and the PSP describes a 
locomotive-borne product that commingles safety-critical train control 
processing functions with locomotive operational functions. In 
addition, good cause would include any instance where the PSP or PSP 
amendment does not appear to support its safety claim of satisfaction 
of the performance standard, after FRA has requested further 
information as provided in paragraph (c)(2)(ii) of this section.
    (d) What procedures apply to petitions for approval? The following 
procedures apply to PSPs and PSP amendments which require submission of 
a petition for approval:
    (1) Petitions for approval involving prior FRA consultation. (i) 
The railroad may file a Notice of Product Development with the 
Associate Administrator for Safety not less than 30 days prior to the 
end of the system design review phase of product development and 180 
days prior to planned implementation, inviting FRA to participate in 
the design review process and receive periodic briefings and updates as 
needed to follow the course of product development. At a minimum, the 
Notice of Product Development must contain a summary description of the 
product to be developed and a brief description of goals for improved 
safety.
    (ii) Within 15 days of receipt of the Notice of Product 
Development, the Associate Administrator for Safety either acknowledges 
receipt or acknowledges receipt and requests more information.
    (iii) If FRA concludes the Notice of Product Development contains 
sufficient information, the Associate Administrator for Safety 
determines the extent and nature of the assessment and review necessary 
for final product approval. FRA may convene a technical consultation as 
necessary to discuss issues related to the design and planned 
development of the product.
    (iv) Within 60 days of receiving the Notice of Product Development, 
the Associate Administrator for Safety provides a letter of preliminary 
review with detailed findings, including whether the design concepts of 
the proposed product comply with the requirements of this subpart, 
whether design modifications are necessary to meet the requirements of 
this subpart, and the extent and nature of the safety analysis 
necessary to comply with this subpart.
    (v) Not less than 60 days prior to use of the product in revenue 
service, the railroad shall file with the Associate Administrator for 
Safety a petition for final approval.
    (vi) Within 30 days of receipt of the petition for final approval, 
the Associate Administrator for Safety either acknowledges receipt or 
acknowledges receipt and requests more information. Whenever possible, 
FRA acts on the petition for final approval within 60 days of its 
filing by either granting it or denying it. If FRA neither grants nor 
denies the petition for approval within 60 days, FRA advises the 
petitioner of the projected time for decision and conducts any further 
consultations or inquiries necessary to decide the matter.
    (2) Other petitions for approval. The following procedures apply to 
petitions for approval of PSPs for which do not involve prior FRA 
consultation as described in paragraph (d)(1) of this section.
    (i) Not less than 180 days prior to use of a product in revenue 
service, the railroad shall file with the Associate Administrator for 
Safety a petition for approval.
    (ii) Within 60 days of receipt of the petition for approval, FRA 
either acknowledges receipt or acknowledges receipt and requests more 
information.
    (iii) Whenever possible, considering the scope, complexity, and 
novelty of the product or change, FRA acts on the petition for approval 
within 180 days of its filing by either granting it or denying it. If 
FRA neither grants nor denies the petition for approval within 180 
days, it remains pending, and FRA provides the petitioner with a 
statement of reasons why the petition has not yet been approved.
    (e) What role do product users play in the process of safety 
review?
    (1) FRA will publish in the Federal Register periodically a topic 
list including docket numbers for informational filings and a petition 
summary including docket numbers for petitions for approval.
    (2) Interested parties may submit to FRA information and views 
pertinent to FRA's consideration of an informational filing or petition 
for approval. FRA considers comments to the extent practicable within 
the periods set forth in this section. In a proceeding consolidated 
with a proceeding under part 235 of this chapter, FRA considers all 
comments received.
    (f) Is it necessary to complete field testing prior to filing the 
petition for approval? A railroad may file a petition for approval 
prior to completion of field testing of the product. The petition for 
approval should additionally include information sufficient for FRA to 
arrange monitoring of the tests. The Associate Administrator for Safety 
may approve a petition for approval contingent upon successful 
completion of the test program contained in the PSP or hold the 
petition for approval pending completion of the tests.
    (g) How are PSPs approved?
    (1) The Associate Administrator for Safety grants approval of a PSP 
when:
    (i) The petition for approval has been properly filed and contains 
the information required in Sec. 236.907;
    (ii) FRA has determined that the PSP complies with the railroad's 
approved RSPP and applicable requirements of this subpart; and
    (iii) The risk assessment supporting the PSP demonstrates that the 
proposed product satisfies the minimum performance standard stated in 
Sec. 236.909.
    (2) The Associate Administrator for Safety considers the following 
applicable factors when evaluating the risk assessment:
    (i) The extent to which recognized standards have been utilized in 
product design and in the relevant safety analysis;
    (ii) The availability of quantitative data, including calculations 
of statistical confidence levels using accepted methods, associated 
with risk estimates;
    (iii) The complexity of the product and the extent to which it will 
incorporate or deviate from design practices associated with previously 
established histories of safe operation;
    (iv) The degree of rigor and precision associated with the safety 
analyses, including the comprehensiveness of the

[[Page 42390]]

qualitative analyses, and the extent to which any quantitative results 
realistically reflect appropriate sensitivity cases;
    (v) The extent to which validation of the product has included 
experiments and tests to identify uncovered faults in the operation of 
the product;
    (vi) The extent to which identified faults are effectively 
addressed.
    (vii) Whether the risk assessment for the previous condition was 
conducted using the same methodology as that for operation under the 
proposed condition; and
    (viii) If an independent third party assessment is required or is 
performed at the election of the supplier or railroad, the extent to 
which the results of the assessment are favorable.
    (3) The Associate Administrator for Safety also considers when 
assessing PSPs the safety requirements for the product within the 
context of the proposed method of operations, including:
    (i) The degree to which the product is relied upon as the primary 
safety system for train operations; and
    (ii) The degree to which the product is overlaid upon and its 
operation is demonstrated to be independent of safety-relevant rules, 
practices and systems that will remain in place following the change 
under review.
    (4) As necessary to ensure compliance with this subpart and with 
the RSPP, FRA may attach special conditions to the approval of the 
petition.
    (5) Following the approval of a petition, FRA may reopen 
consideration of the petition for cause. Cause for reopening could 
include such circumstances as credible allegation of error or fraud, 
assumptions determined to be invalid as a result of in-service 
experience, or one or more unsafe events calling into question the 
safety analysis underlying the approval.
    (h) Under what circumstances may a third party assessment be 
required, and by whom may it be conducted?
    (1) The PSP must be supported by an independent third party 
assessment of the product when FRA concludes it is necessary based upon 
consideration of the following factors:
    (i) Those factors listed in paragraphs (g)(2)(i) through 
(g)(2)(vii) of this section;
    (ii) The sufficiency of the assessment or audit previously 
conducted at the election of a supplier or railroad; and
    (iii) Whether applicable requirements of subparts A through G of 
this part are satisfied.
    (2) As used in this section, independent third party means a 
technically competent entity responsible to and compensated by the 
railroad (or an association on behalf of one or more railroads) that is 
independent of the supplier of the product. An entity that is owned or 
controlled by the supplier, that is under common ownership or control 
with the supplier, or that is otherwise involved in the development of 
the product is not considered ``independent'' within the meaning of 
this section. FRA may maintain a roster of recognized technically 
competent entities as a service to railroads selecting reviewers under 
this section; however, a railroad is not limited to entities currently 
listed on any such roster.
    (3) The third party assessment must, at a minimum, consist of the 
activities and result in production of documentation meeting the 
requirements of Appendix D to this part. However, when requiring an 
assessment pursuant to this section, FRA specifies any requirements in 
Appendix D to this part which the agency has determined are not 
relevant to its concerns and therefore need not be included in the 
assessment. The railroad shall make the final assessment report 
available to FRA upon request.
    (i) How may a PSP be amended? A railroad may submit an amendment to 
a PSP at any time in the same manner as the initial PSP. Changes 
affecting the safety-critical functionality of a product may be made 
prior to the submission and approval of the PSP amendment as necessary 
in order to mitigate risk.
    (j) How may field testing be conducted prior to PSP approval? (1) 
Field testing of a product may be conducted prior to the approval of a 
PSP by the submission of an informational filing by a railroad. The FRA 
will arrange to monitor the tests based on the information provided in 
the filing, which must include:
    (i) A complete description of the product;
    (ii) An operational concepts document;
    (iii) A complete description of the specific test procedures, 
including the measures that will be taken to protect trains and on-
track equipment;
    (iv) An analysis of the applicability of the requirements of 
subparts A-G of this part to the product that will not apply during 
testing;
    (v) Date proposed testing to begin;
    (vi) The location of the tests; and
    (vii) Effect on the current method of operation.
    (2) FRA may impose such additional conditions on this testing as 
may be necessary for the safety of train operations. Exemptions from 
regulations other than those contained in this part must be requested 
through waiver procedures in part 211 of this chapter.


Sec. 236.915  Implementation and operation.

    (a) When may a product be placed or retained in service?
    (1) Except as stated in paragraphs (a)(2) and (a)(3) of this 
section, a railroad may operate in revenue service any product 180 days 
after filing with FRA the informational filing for that product. The 
FRA filing date can be found in FRA's acknowledgment letter referred to 
in Sec. 236.913(c)(2).
    (2) Except as stated in paragraph (a)(3) of this section, if FRA 
approval is required for a product, the railroad shall not operate the 
product in revenue service until after the Associate Administrator for 
Safety has approved the petition for approval for that product pursuant 
to Sec. 236.913.
    (3) If after product implementation FRA elects, for cause, to treat 
the informational filing for the product as a petition for approval, 
the product may remain in use if otherwise consistent with the 
applicable law and regulations. FRA may impose special conditions for 
use of the product during the period of review for cause.
    (b) How does the PSP relate to operation of the product? Each 
railroad shall comply with all provisions in the PSP for each product 
it uses and shall operate within the scope of initial operational 
assumptions and predefined changes identified by the PSP. Railroads may 
at any time submit an amended PSP according to the procedures outlined 
in Sec. 236.913.
    (c) What precautions must be taken prior to interference with the 
normal functioning of a product? The normal functioning of any safety-
critical product must not be interfered with in testing or otherwise 
without first taking measures to provide for safe movement of trains, 
locomotives, roadway workers and on-track equipment that depend on 
normal functioning of such product.
    (d) What actions must be taken immediately upon failure of a 
safety-critical component? When any safety-critical product component 
fails to perform its intended function, the cause must be determined 
and the faulty component adjusted, repaired, or replaced without undue 
delay. Until repair of such essential components are completed, a 
railroad shall take appropriate action as specified in the PSP. See 
also Sec. 236.917(b).


Sec. 236.917  Retention of records.

    (a) What life cycle and maintenance records must be maintained?

[[Page 42391]]

    (1) The railroad shall maintain at a designated office on the 
railroad for the life cycle of the product:
    (i) Adequate documentation to demonstrate that the PSP meets the 
safety requirements of the railroad's RSPP and applicable standards in 
this subpart, including the risk assessment;
    (ii) An Operations and Maintenance Manual, pursuant to 
Sec. 236.919; and
    (iii) Training records pursuant to Sec. 236.923(b).
    (2) Results of inspections and tests specified in the PSP must be 
recorded as prescribed in Sec. 236.110.
    (b) What actions must the railroad take in the event of occurrence 
of a safety-relevant hazard? After the product is placed in service, 
the railroad shall maintain a database of all safety-relevant hazards 
as set forth in the PSP and those that had not been previously 
identified in the PSP. If the frequency of the safety-relevant hazards 
exceeds the threshold set forth in the PSP (see Sec. 236.907(a)(6)), 
then the railroad shall:
    (1) Report the inconsistency to the FRA Director, Office of Safety 
Assurance and Compliance, 1120 Vermont Ave., NW, Mail Stop 25, 
Washington, DC 20590, within 15 days of discovery;
    (2) Take prompt countermeasures to reduce the frequency of the 
safety-relevant hazard(s) below the threshold set forth in the PSP; and
    (3) Provide a final report to the FRA Director, Office of Safety 
Assurance and Compliance, on the results of the analysis and 
countermeasures taken to reduce the frequency of the safety-relevant 
hazard(s) below the threshold set forth in the PSP when the problem is 
resolved.


Sec. 236.919  Operations and Maintenance Manual.

    (a) The railroad shall catalog and maintain all documents as 
specified in the PSP for the installation, maintenance, repair, 
modification, inspection, and testing of the product and have them in 
one Operations and Maintenance Manual, readily available to persons 
required to perform such tasks and for inspection by FRA.
    (b) Plans required for proper maintenance, repair, inspection, and 
testing of safety-critical products must be adequate in detail and must 
be made available for inspection by FRA where such products are 
deployed or maintained. They must identify all software versions, 
revisions, and revision dates. Plans must be legible and correct.
    (c) Hardware, software, and firmware revisions must be documented 
in the Operations and Maintenance Manual according to the railroad's 
configuration management control plan and any additional configuration/
revision control measures specified in the PSP.
    (d) Safety-critical components, including spare equipment, must be 
positively identified, handled, replaced, and repaired in accordance 
with the procedures specified in the PSP.


Sec. 236.921  Training and qualification program, general.

    (a) When is training necessary and who must be trained? The 
railroad shall establish and implement training and qualification 
programs for products subject to this subpart. These programs must meet 
the minimum requirements set forth in the PSP and in Secs. 236.923 
through 236.929 as appropriate, for the following personnel:
    (1) Persons whose duties include installing, maintaining, 
repairing, modifying, inspecting, and testing safety-critical elements 
of the railroad's products, including central office, wayside, or 
onboard subsystems;
    (2) Persons who dispatch train operations (issue or communicate any 
mandatory directive that is executed or enforced, or is intended to be 
executed or enforced, by a train control system subject to this 
subpart);
    (3) Persons who operate trains or serve as a train or engine crew 
member subject to instruction and testing under part 217 of this 
chapter, on a train operating in territory where a train control system 
subject to this subpart is in use; and
    (4) Roadway workers whose duties require them to know and 
understand how a train control system affects their safety and how to 
avoid interfering with its proper functioning.
    (b) What competences are required? The railroad's program must 
provide training for persons who perform the functions described in 
paragraph (a) of this section to ensure that they have the necessary 
knowledge and skills to effectively complete their duties related to 
processor-based signal and train control equipment.


Sec. 236.923  Task analysis and basic requirements.

    (a) How must training be structured and delivered? As part of the 
program required by Sec. 236.921, the railroad shall, at a minimum:
    (1) Identify the specific goals of the training program with regard 
to the target population (craft, experience level, scope of work, 
etc.), task(s) and desired success rate;
    (2) Based on a formal task analysis, identify the installation, 
maintenance, repair, modification, inspection, testing, and operating 
tasks that must be performed on the railroad's products. This will 
include the development of failure scenarios and the actions expected 
under such scenarios;
    (3) Develop written procedures for the performance of the tasks 
identified;
    (4) Identify the additional knowledge, skills, and abilities above 
those required for basic job performance necessary to perform each 
task;
    (5) Develop a training curriculum that includes classroom, 
simulator, computer-based training (CBT), hands-on, or other formally 
structured training designed to impart the knowledge, skills, and 
abilities identified as necessary to perform each task;
    (6) Prior to assignment of related tasks, require all persons 
mentioned in Sec. 236.921(a) and their direct supervisor(s) to 
successfully complete the training curriculum and pass an examination 
that covers the product and appropriate rules and tasks for which they 
are responsible (however, such persons may perform such tasks under the 
direct onsite supervision of a qualified person prior to completing 
such training and passing the examination);
    (7) Require periodic refresher training at intervals specified in 
the PSP that includes classroom, simulator, computer-based training 
(CBT), hands-on, or other formally structured training and testing, 
except with respect to basic skills for which proficiency is known to 
remain high as a result of frequent repetition of the task; and
    (8) Evaluate the effectiveness of the training program by comparing 
the desired success rate specified in Sec. 236.923(a)(1) with the 
actual success rate.
    (b) What training records are required? The railroad shall retain 
records which designate persons who are qualified under this section 
until new designations are recorded or for at least one year after such 
persons leave applicable service. These records shall be kept in a 
designated location and available for inspection and replication by 
FRA.


Sec. 236.925  Training specific to control office personnel.

    Any person responsible for issuing or communicating mandatory 
directives in territory where products are or will be in use must be 
trained in the following areas, as applicable:
    (a) Instructions concerning the interface between the computer-
aided dispatching system and the train control system, with respect to 
the safe movement of trains and other on-track equipment;

[[Page 42392]]

    (b) Railroad operating rules applicable to the train control 
system, including provision for movement and protection of roadway 
workers, unequipped trains, trains with failed or cut out train control 
onboard systems, and other on-track equipment; and
    (c) Instructions concerning control of trains and other on-track 
equipment in case the train control system fails, including periodic 
practical exercises or simulations and operational testing under part 
217 of this chapter to ensure the continued capability of the personnel 
to provide for safe operations under the alternative method of 
operation.


Sec. 236.927  Training specific to locomotive engineers and other 
operating personnel.

    (a) What elements apply to operating personnel? Training provided 
under this subpart for any locomotive engineer or other person who 
participates in the operation of a train in train control territory 
must be defined in the PSP and the following elements must be 
addressed:
    (1) Familiarization with train control equipment onboard the 
locomotive and the functioning of that equipment as part of the system 
and in relation to other onboard systems under that person's control;
    (2) Any actions required of the onboard personnel to enable, or 
enter data to, the system, such as consist data, and the role of that 
function in the safe operation of the train;
    (3) Sequencing of interventions by the system, including pre-
enforcement notification, enforcement notification, penalty application 
initiation and post-penalty application procedures;
    (4) Railroad operating rules applicable to the train control 
system, including provisions for movement and protection of any 
unequipped trains, or trains with failed or cut out train control 
onboard systems and other on-track equipment;
    (5) Means to detect deviations from proper functioning of onboard 
train control equipment and instructions regarding the actions to be 
taken with respect to control of the train and notification of 
designated railroad personnel; and
    (6) Information needed to prevent unintentional interference with 
the proper functioning of onboard train control equipment.
    (b) How must locomotive engineer training be conducted? Training 
required under this subpart for a locomotive engineer, together with 
required records, must be integrated into the program of training 
required by part 240 of this chapter.
    (c) What requirements apply to full automatic operation? The 
following special requirements apply in the event a train control 
system is used to effect full automatic operation of the train:
    (1) The PSP must identify all safety hazards to be mitigated by the 
locomotive engineer.
    (2) The PSP must address and describe the training required with 
provisions for the maintenance of skills proficiency. As a minimum, the 
training program must:
    (i) As described in Sec. 236.923(a)(2), develop failure scenarios 
which incorporate the safety hazards identified in the PSP, including 
the return of train operations to a fully manual mode;
    (ii) Provide training, consistent with Sec. 236.923(a), for safe 
train operations under all failure scenarios and identified safety 
hazards that affect train operations;
    (iii) Provide training, consistent with Sec. 236.923(a), for safe 
train operations under manual control; and
    (iv) Consistent with Sec. 236.923(a), ensure maintenance of manual 
train operating skills by requiring manual starting and stopping of the 
train for an appropriate number of trips and by one or more of the 
following methods:
    (A) Manual operation of a train for a 4-hour work period;
    (B) Simulated manual operation of a train for a minimum of 4 hours 
in a Type I simulator as required; or
    (C) Other means as determined following consultation between the 
railroad and designated representatives of the affected employees and 
approved by the FRA. The PSP must designate the appropriate frequency 
when manual operation, starting, and stopping must be conducted, and 
the appropriate frequency of simulated manual operation.


Sec. 236.929  Training specific to roadway workers.

    (a) How is training for roadway workers to be coordinated with part 
214? Training required under this subpart for a roadway worker must be 
integrated into the program of instruction required under part 214, 
Subpart C of this chapter (``Roadway Worker Protection''), consistent 
with task analysis requirements of Sec. 236.923. This training must 
provide instruction for roadway workers who provide protection for 
themselves or roadway work groups.
    (b) What subject areas must roadway worker training include?
    (1) Instruction for roadway workers must ensure an understanding of 
the role of processor-based signal and train control equipment in 
establishing protection for roadway workers and their equipment.
    (2) Instruction for roadway workers must ensure recognition of 
processor-based signal and train control equipment on the wayside and 
an understanding of how to avoid interference with its proper 
functioning.
    11. Add new Appendices B-E to part 236 to part 236 to read as 
follows:

Appendix B to Part 236--Risk Assessment Criteria

    The safety-critical performance of each product for which risk 
assessment is required under this part must be assessed in accordance 
with the following criteria or other criteria if demonstrated to the 
Associate Administrator for Safety to be equally suitable:
    (a) How are risk metrics to be expressed?
    The risk metric for the proposed product must describe with a high 
degree of confidence the accumulated risk of a train system that 
operates over a life cycle of 25 years or greater. Each risk metric for 
the proposed product must be expressed with an upper bound, as 
estimated with a sensitivity analysis, and the risk value selected must 
be demonstrated to have a high degree of confidence.
    (b) How does the risk assessment handle interaction risks for 
interconnected subsystems/components?
    The safety-critical assessment of each product must include all of 
its interconnected subsystems and components and, where applicable, the 
interaction between such subsystems.
    (c) How is the previous condition computed?
    Each subsystem or component of the previous condition must be 
analyzed with a Mean Time To Hazardous Event (MTTHE) as specified 
subject to a high degree of confidence.
    (d) What major risk characteristics must be included when relevant 
to assessment?
    Each risk calculation must consider the total signaling and train 
control system and method of operation, as subjected to a list of 
hazards to be mitigated by the signaling and train control system. The 
methodology requirements must include the following major 
characteristics, when they are relevant to the product being 
considered:
    (1) Track plan infrastructure;
    (2) Total number of trains and movement density;
    (3) Train movement operational rules, as enforced by the dispatcher 
and train crew behaviors;

[[Page 42393]]

    (4) Wayside subsystems and components; and
    (5) Onboard subsystems and components.
    (e) What other relevant parameters must be determined for the 
subsystems and components?
    The failure modes of each subsystem and/or component must be 
determined for the integrated hardware/software (where applicable) as a 
function of the Mean Times To Failure (MTTF) (expressed as failure 
laws), failure restoration rates, and the integrated hardware/software 
coverage of all processor-based subsystems and/or components. Train 
operating and movement rules, along with components that are layered in 
order to enhance safety-critical behavior, must also be considered. 
System safety-critical design for verification and validation 
documentation must support the risk-oriented assessment and validate 
the methodology used to arrive at the assessment results.
    (f) How are processor-based subsystems/components assessed?
    (1) An MTTHE value must be calculated for each processor-based 
subsystem and component, indicating the safety-critical behavior of the 
integrated hardware/software subsystem and/or component. The human 
factor impact must be included in the assessment, whenever applicable, 
to provide an integrated MTTHE value. The MTTHE calculation must 
consider the permanent and transient hardware failure rates (hardware, 
design and software coding errors), coverage of the integrated 
hardware/software (application, executive and input/output driver 
software) subsystem or component, phased-interval maintenance, and the 
restoration rates in response to detected failures.
    (2) MTTHE compliance verification and validation must be based on 
the assessment of the design for verification and validation process, 
historical performance data, analytical methods and experimental 
safety-critical performance testing performed on the subsystem or 
component. The compliance process must be demonstrated to be compliant 
and consistent with the MTTHE metric and demonstrated to have a high 
degree of confidence.
    (g) How are non-processor-based subsystems/components assessed?
    (1) The safety-critical behavior of all non-processor-based 
components, which are part of a processor-based system or subsystem, 
must be quantified with an MTTHE metric. The MTTHE assessment 
methodology must consider the permanent and transient hardware failure 
rates, phased interval maintenance and fault coverage of each non-
processor-based subsystem or component and the restoration rate.
    (2) MTTHE compliance verification and validation must be based on 
the assessment of the design for verification and validation process, 
historical performance data, analytical methods and experimental 
safety-critical performance testing performed on the subsystem or 
component. The non-processor-based quantification compliance must be 
demonstrated to have a high degree of confidence.
    (h) What assumptions must be documented?
    (1) The railroad shall document any assumptions regarding the 
reliability or availability of mechanical, electric, or electronic 
components. Such assumptions must include Mean Time To Failure (MTTF) 
projections, as well as Mean Time To Repair (MTTR) projections, unless 
the risk assessment specifically explains why these assumptions are not 
relevant to the risk assessment. The railroad shall document these 
assumptions in such a form as to permit later automated comparisons 
with in-service experience (e.g., a spreadsheet).
    (2) The railroad shall document any assumptions regarding human 
performance. The documentation shall be in such a form as to facilitate 
later comparisons with in-service experience.
    (3) The railroad shall document any assumptions regarding software 
defects. These assumptions shall be in a form which permits the 
railroad to project the likelihood of detecting an in-service software 
defect. These assumptions shall be documented in such a form as to 
permit later automated comparisons with in-service experience.
    (4) The railroad shall document all of the identified safety-
critical fault paths. The documentation shall be in such a form as to 
facilitate later comparisons with in-service faults.

Appendix C to Part 236--Safety Assurance Criteria and Processes

    (a) What is the purpose of this appendix?
    This appendix seeks to promote full disclosure of safety risk to 
facilitate minimizing or eliminating elements of risk where practicable 
by providing minimum criteria and processes for safety analyses 
conducted in support of PSPs. The analysis required by this appendix is 
intended to minimize the probability of failure to an acceptable level, 
helping to optimize the safety of the product within the limitations of 
the available engineering science, cost, and other constraints. FRA 
uses the criteria and processes set forth in this appendix to evaluate 
analyses, assumptions, and conclusions provided in RSPP and PSP 
documents. An analysis performed under this appendix must:
    (1) Address each area of paragraph (b) of this appendix, explaining 
how such requirements were satisfied or why they are not relevant, and
    (2) Employ a validation and verification process pursuant to 
paragraph (c) of this appendix.
    (b) What categories of safety elements must be addressed?
    The designer shall address each of the following safety 
considerations when designing and demonstrating the safety of products 
covered by subpart H of this part. In the event that any of these 
principles are not followed, the PSP shall state both the reason(s) for 
departure and the alternative(s) utilized to mitigate or eliminate the 
hazards associated with the design principle not followed.
    (1) Normal operation. The system (including all hardware and 
software) must demonstrate safe operation with no hardware failures 
under normal anticipated operating conditions with proper inputs and 
within the expected range of environmental conditions. All safety-
critical functions must be performed properly under these normal 
conditions. The safety of the product in the normal operating modes 
must not depend upon the correctness of actions or procedures used by 
operating personnel. There must be no hazards that are categorized as 
unacceptable or undesirable. Hazards categorized as unacceptable must 
be eliminated by design.
    (2) Systematic failure. The product must be shown to be free of 
unsafe systematic failure--those conditions which can be attributed to 
human error that could occur at various stages throughout product 
development. This includes unsafe errors in the software due to human 
error in the software specification, design and/or coding phases; human 
errors that could impact hardware design; unsafe conditions that could 
occur because of an improperly designed human-machine interface; 
installation and maintenance errors; and errors associated with making 
modifications.
    (3) Random failure.
    (i) The product must be shown to operate safely under conditions of 
random hardware failure. This includes single as well as multiple 
hardware failures, particularly in instances where one or more failures 
could occur, remain undetected (latent) and react in combination with a 
subsequent failure at a later time to cause an unsafe

[[Page 42394]]

operating situation. In instances involving a latent failure, a 
subsequent failure is similar to there being a single failure. In the 
event of a transient failure, the system must restart itself without 
human intervention. Frequency of attempted restarts must be considered 
in the hazard analysis required by Sec. 236.907(a)(8).
    (ii) There shall be no single point failures in the product that 
can result in hazards categorized as unacceptable or undesirable. 
Occurrence of single point failures that can result in hazards must be 
detected and the product must achieve a known safe state before falsely 
activating any physical appliance.
    (iii) If one non-self-revealing failure combined with a second 
failure can cause a hazard that is categorized as unacceptable or 
undesirable, then the second failure must be detected and the product 
must achieve a known safe state before falsely activating any physical 
appliance.
    (4) Common Mode failure. Another concern of multiple failure 
involves common mode failures in which two or more subsystems or 
components intended to compensate one another to perform the same 
function all fail by the same mode and result in unsafe conditions. 
This is of particular concern in instances in which two or more 
elements (hardware and/or software) are used in combination to ensure 
safety. If a common mode failure exists, then any analysis performed 
under this appendix cannot rely on the assumption that failures are 
independent. Examples include: The use of redundancy in which two or 
more elements perform a given function in parallel and When one 
(hardware and/or software) element checks/monitors another element (of 
hardware or software) to help ensure its safe operation. Common mode 
failure relates to independence, which must be ensured in these 
instances. When dealing with the effects of hardware failure, the 
designer shall address the effects of the failure not only on other 
hardware, but also on the execution of the software, since hardware 
failures can greatly affect how the software operates.
    (5) External influences. The product must be shown to operate 
safely when subjected to different external influences, including:
    (i) Electrical influences such as power supply anomalies/
transients, abnormal/ improper input conditions (e.g., outside of 
normal range inputs relative to amplitude and frequency, unusual 
combinations of inputs) including those related to a human operator, 
and others such as electromagnetic interference and/or electrostatic 
discharges;
    (ii) Mechanical influences such as vibration and shock; and
    (iii) Climatic conditions such as temperature and humidity.
    (6) Modifications. Safety must be ensured following modifications 
to the hardware and/or software. All or some of the concerns identified 
in this paragraph may be applicable depending upon the nature and 
extent of the modifications.
    (7) Software. Software faults must not cause hazards categorized as 
unacceptable or undesirable.
    (8) Closed Loop Principle. The product design must require positive 
action to be taken in a prescribed manner to either begin product 
operation or continue product operation.
    (c) What standards are acceptable for verification and validation?
    (1) The standards employed for verification and/or validation of 
products subject to this subpart must be sufficient to support 
achievement of the applicable requirements of subpart H of this part.
    (2) U.S. Department of Defense Military Standard MIL-STD-882C 
``System Safety Program Requirements'' (January 19, 1993) is recognized 
as providing appropriate risk analysis processes for incorporation into 
verification and validation standards.
    (3) The following standards designed for application to processor-
based signal and train control systems are recognized as acceptable 
with respect to applicable elements of safety analysis required by 
subpart H of this part. All standards listed below must be the latest 
revision date unless otherwise provided.
    (i) IEEE 1483-2000 Standard for the Verification of Vital Functions 
in Processor-Based Systems Used in Rail Transit Control.
    (ii) CENELEC Standards as follows:
    (A) EN50126: 1999 Railway Applications: Specification and 
Demonstration of Reliability, Availability, Maintainability and Safety 
(RAMS);
    (B) EN50128 (July 1998) Railway Applications: Software for Railway 
Control and Protection Systems (draft);
    (C) prENV50129: 1998 Railway Applications: Safety Related 
Electronic Systems for Signaling (draft); and
    (D) EN50155 Railway Applications: Electronic Equipment Used in 
Rolling Stock.
    (iii) ATCS Specification 140 Recommended Practices for Safety and 
Systems Assurance.
    (iv) ATCS Specification 130 Software Quality Assurance.
    (v) AAR-AREMA Manual of Recommended Signal Practices, Part 17 (this 
is an industry, rather than a consensus standard, and must bear the 
date of adoption).
    (vi) Safety of High Speed Ground Transportation Systems. Analytical 
Methodology for Safety Validation of Computer Controlled Subsystems. 
Volume II: Development of a Safety Validation Methodology. Final Report 
September 1995. Author: Jonathan F. Luedeke, Battelle. DOT/FRA/ORD-95/
10.2.
    (vii) IEC 61508 (International Electrotechnical Commission) 
Functional Safety of Electrical/Electronic/Programmable/Electronic 
Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
    (A) IEC 61508-1 (1998-12) Part 1: General requirements.
    (B) IEC 61508-2 (Ed. 1.0BBPUB, draft) Part 2: Requirements.
    (C) IEC 61508-3 (1998-12) Part 3: Software requirements.
    (D) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations.
    (E) IEC 61508-5 (1998-12) Part 5: Examples of methods for the 
determination of safety integrity levels.
    (F) IEC 61508-6 (Ed. 1.0BBPUB, draft) Part 6: Guidelines on the 
applications of IEC 61508-2 and -3.
    (G) IEC 61508-7 (2000-03) Part 7: Overview of techniques and 
measures.
    (4) Use of unpublished standards, including proprietary standards, 
is authorized to the extent that such standards are shown to achieve 
the requirements of this part. However, any such standards shall be 
available for inspection and replication by FRA and for public 
examination in any public proceeding before the FRA to which they are 
relevant.

Appendix D to Part 236--Independent Review of Verification and 
Validation

    (a) What is the purpose of this Appendix?
    This appendix provides minimum requirements for independent third-
party assessment of product safety verification and validation pursuant 
to subpart H of this part. The goal of this assessment is to provide an 
independent evaluation of the product manufacturer's utilization of 
safety design practices during the product's development and testing 
phases, as required by the applicable railroad's RSPP, the product PSP, 
the requirements of subpart H of this part, and any other previously 
agreed-upon controlling documents or standards.
    (b) What general requirements apply to the conduct of third party 
assessments?
    (1) The supplier may request advice and assistance of the reviewer

[[Page 42395]]

concerning the actions identified in paragraphs (c) through (g) of this 
appendix. However, the reviewer should not engage in design efforts in 
order to preserve the reviewer's independence and maintain the 
supplier's proprietary right to the product.
    (2) The supplier shall provide the reviewer access to any and all 
documentation that the reviewer requests and attendance at any design 
review or walkthrough that the reviewer determines as necessary to 
complete and accomplish the third party assessment. The reviewer may be 
accompanied by representatives of FRA as necessary, in FRA's judgment, 
for FRA to monitor the assessment.
    (c) What must be done at the preliminary level?
    The reviewer shall evaluate with respect to safety and comment on 
the adequacy of the processes which the supplier applies to the design 
and development of the product. At a minimum, the reviewer shall 
compare the supplier processes with acceptable methodology and employ 
any other such tests or comparisons if they have been agreed to 
previously with FRA. Based on these analyses, the reviewer shall 
identify and document any significant safety vulnerabilities which are 
not adequately mitigated by the supplier's (or user's) processes. 
Finally, the reviewer shall evaluate the adequacy of the railroad's 
RSPP, the PSP, and any other documents pertinent to the product being 
assessed.
    (d) What must be done at the functional level?
    (1) The reviewer shall analyze the Preliminary Hazard Analysis 
(PHA) for comprehensiveness and compliance with the railroad's RSPP.
    (2) The reviewer shall analyze all Fault Tree Analyses (FTA), 
Failure Mode and Effects Criticality Analysis (FMECA), and other hazard 
analyses for completeness, correctness, and compliance with the 
railroad's RSPP.
    (e) What must be done at the implementation level?
    The reviewer shall randomly select various safety-critical software 
modules for audit to verify whether the requirements of the RSPP were 
followed. The number of modules audited must be determined as a 
representative number sufficient to provide confidence that all 
unaudited modules were developed in compliance with the RSPP.
    (f) What must be done at closure?
    (1) The reviewer shall evaluate and comment on the plan for 
installation and test procedures of the product for revenue service.
    (2) The reviewer shall prepare a final report of the assessment. 
The report shall be submitted to the railroad prior to the commencement 
of installation testing and contain at least the following information:
    (i) Reviewer's evaluation of the adequacy of the PSP, including the 
supplier's MTTHE and risk estimates for the product, and the supplier's 
confidence interval in these estimates;
    (ii) Product vulnerabilities which the reviewer felt were not 
adequately mitigated, including the method by which the railroad would 
assure product safety in the event of hardware or software failures 
(i.e. how does the railroad assure that all potentially hazardous 
failure modes are identified?) and the method by which the railroad 
addresses comprehensiveness of the product design for the requirements 
of the operations it will govern (i.e., how does the railroad assure 
that all potentially hazardous operating circumstances are identified? 
Who records any deficiencies identified in the design process? Who 
tracks the correction of these deficiencies and confirms that they are 
corrected?);
    (iii) A clear statement of position for all parties involved for 
each product vulnerability cited by the reviewer;
    (iv) Identification of any documentation or information sought by 
the reviewer that was denied, incomplete, or inadequate;
    (v) A listing of each RSPP procedure or process which was not 
properly followed;
    (vi) Identification of the software verification and validation 
procedures for the product's safety-critical applications, and the 
reviewer's evaluation of the adequacy of these procedures;
    (vii) Methods employed by product manufacturer to develop safety-
critical software, such as use of structured language, code checks, 
modularity, or other similar generally acceptable techniques; and
    (viii) Method by which the supplier or railroad addresses 
comprehensiveness of the product design which considers the safety 
elements listed in paragraph (b) of Appendix C to this part.

Appendix E to this Part--Human-Machine Interface (HMI) Design

    (a) What is the purpose of this appendix?
    The purpose of this appendix is to provide HMI design criteria 
which will minimize negative safety effects by causing designers to 
consider human factors in the development of HMIs.
    (b) What is meant by ``designer'' and ``operator''?
    As used in this section, designer means anyone who specifies 
requirements for and/or designs a system or subsystem for a product 
subject to subpart H of this part, and ``operator'' means any human who 
is intended to receive information from, provide information to, or 
perform repairs or maintenance on a signal or train control product 
subject to subpart H of this part.
    (c) What kinds of human factors issues must designers consider with 
regard to the general function of a system?
    (1) Reduced situation awareness and over-reliance. HMI design must 
give an operator active functions to perform, feedback on the results 
of the operator's actions, and information on the automatic functions 
of the system as well as its performance. The operator must be ``in-
the-loop.'' Designers shall consider at minimum the following methods 
of maintaining an active role for human operators:
    (i) The system must require an operator to initiate action to 
operate the train and require an operator to remain ``in-the-loop'' for 
at least 30 minutes at a time;
    (ii) The system must provide timely feedback to an operator 
regarding the system's automated actions, the reasons for such actions, 
and the effects of the operator's manual actions on the system;
    (iii) The system must warn operators in advance when they require 
an operator to take action; and
    (iv) HMI design must equalize an operator's workload.
    (2) Expectation of predictability and consistency in product 
behavior and communications. HMI design must accommodate an operator's 
expectation of logical and consistent relationships between actions and 
results. Similar objects must behave consistently when an operator 
performs the same action upon them.
    (3) Limited memory and ability to process information.
    (i) HMI design must minimize an operator's information processing 
load. To minimize information processing load, the designer shall:
    (A) Present integrated information that directly supports the 
variety and types of decisions that an operator makes;
    (B) Provide information in a format or representation that 
minimizes the time required to understand and act; and
    (C) Conduct utility tests of decision aids to establish clear 
benefits such as processing time saved or improved quality of 
decisions.

[[Page 42396]]

    (ii) Limited Memory. HMI design must minimize the load on an 
operator's memory.
    (A) To minimize short-term memory load, the designer shall 
integrate data or information from multiple sources into a single 
format or representation (``chunking'') and design so that three or 
fewer ``chunks'' of information need to be remembered at any one time.
    (B) To minimize long-term memory load, the designer shall design to 
support recognition memory, design memory aids to minimize the amount 
of information that must be recalled from unaided memory when making 
critical decisions, and ensure active processing of the information.
    (4) Miscellaneous Human Factors Concerns. System designers shall:
    (i) Design systems that anticipate possible user errors and include 
capabilities to catch errors before they propagate through the system;
    (ii) Conduct cognitive task analyses prior to designing the system 
to better understand the information processing requirements of 
operators when making critical decisions; and
    (iii) Present information that accurately represents or predicts 
system states.
    (d) What kinds of HMI design elements must a designer incorporate 
in the development of on-board train displays and controls?
    (1) Location of displays and controls. Designers shall:
    (i) Locate displays as close as possible to the controls that 
affect them;
    (ii) Locate displays and controls based on an operator's position;
    (iii) Arrange controls to minimize the need for the operator to 
change position;
    (iv) Arrange controls according to their expected order of use;
    (v) Group similar controls together;
    (vi) Design for high stimulus-response compatibility (geometric and 
conceptual);
    (vii) Design safety-critical controls to require more than one 
positive action to activate (e.g., auto stick shift requires two 
movements to go into reverse); and
    (viii) Design controls to allow easy recovery from error.
    (2) Information management. HMI design must:
    (i) Display information in a manner which emphasizes its relative 
importance;
    (ii) Comply with the ANSI/HFS 100-1988 standard for minimum 
resolution of visual displays;
    (iii) Design for display luminance of the foreground or background 
of at least 35 cd/m\2\ (the displays should be capable of a minimum 
contrast 3:1 with 7:1 preferred, and controls should be provided to 
adjust the brightness level and contrast level);
    (iv) Design the interface to display only the information necessary 
to the user;
    (v) Where text is needed, using short, simple sentences or phrases 
with wording that an operator will understand;
    (vi) Use complete words where possible, where abbreviations are 
necessary, choose a commonly accepted abbreviation or consistent method 
and select commonly used terms and words that the operator will 
understand;
    (vii) Adopt a consistent format for all display screens by placing 
each design element in a consistent and specified location;
    (viii) Display critical information in the center of the operator's 
field of view by placing items that need to be found quickly in the 
upper left hand corner and items which are not time critical in the 
lower right hand corner of the field of view;
    (ix) Group items that belong together;
    (x) Design all visual displays to meet human performance criteria 
under monochrome conditions and add color only if it will help the user 
in performing a task and use color coding as a redundant coding 
technique;
    (xi) Limit the number of colors over a group of displays to no more 
than seven;
    (xii) Design warnings to match the level of risk or danger with the 
alerting nature of the signal;
    (xiii) With respect to information entry, avoid full QWERTY 
keyboards for data entry; and
    (xiv) Use digital communications for safety-critical messages 
between the locomotive engineer and the dispatcher.
    (e) What kinds of HMI design elements must a designer consider with 
respect to problem management?
    (1) HMI design must enhance an operator's situation awareness. An 
operator must have access to:
    (i) Knowledge of the operator's train location relative to relevant 
entities;
    (ii) Knowledge of type and importance of relevant entities;
    (iii) Understanding of the evolution of the situation over time;
    (iv) Knowledge of roles and responsibilities of relevant entities; 
and
    (v) Knowledge of expected actions of relevant entities.
    (2) HMI design must support response selection and scheduling.
    (3) HMI design must support contingency planning.

    Issued in Washington, DC on July 16, 2001.
Betty Monro,
Deputy Federal Railroad Administrator.
[FR Doc. 01-19428 Filed 8-9-01; 8:45 am]
BILLING CODE 4910-06-P