[Federal Register Volume 74, Number 138 (Tuesday, July 21, 2009)]
[Proposed Rules]
[Pages 35950-36028]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-17184]
-----------------------------------------------------------------------
Part III
Department of Transportation
-----------------------------------------------------------------------
Federal Railroad Administration
-----------------------------------------------------------------------
49 CFR Parts 229, 234, 235 et al.
Positive Train Control Systems; Proposed Rule
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Railroad Administration
49 CFR Parts 229, 234, 235, and 236
[Docket No. FRA-2008-0132, Notice No. 1]
RIN 2130-AC03
Positive Train Control Systems
AGENCY: Federal Railroad Administration (FRA), Department of
Transportation (DOT).
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: FRA proposes regulations implementing a requirement of the
Rail Safety Improvement Act of 2008 that certain passenger and freight
railroads install positive train control systems. The proposal includes
required functionalities of the technology and the means by which it
would be certified. The proposal also describes the contents of the
positive train control implementation plans required by the statute and
contains the proposed process for submission of those plans for review
and approval by FRA. These proposed regulations could also be
voluntarily complied with by entities not mandated to install positive
train control systems.
DATES: (1) Written comments must be received by August 20, 2009.
Comments received after that date will be considered to the extent
possible without incurring additional expenses or delays.
(2) FRA will hold an oral public hearing on a date to be announced
in a forthcoming notice.
ADDRESSES: Comments: Comments related to Docket No. FRA-2008-0132 may
be submitted by any of the following methods:
Web Site: Comments should be filed at the Federal
eRulemaking Portal, http://www.regulations.gov. Follow the online
instructions for submitting comments.
Fax: 202-493-2251.
Mail: Docket Management Facility, U.S. Department of
Transportation, 1200 New Jersey Avenue, SE., W12-140, Washington, DC
20590.
Hand Delivery: Room W12-140 on the Ground level of the
West Building, 1200 New Jersey Avenue, SE., Washington, DC between 9
a.m. and 5 p.m. Monday through Friday, except Federal holidays.
Instructions: All submissions must include the agency name and
docket number or Regulatory Identification Number (RIN) for this
rulemaking. Note that all comments received will be posted without
change to http://www.regulations.gov including any personal
information. Please see the Privacy Act heading in the SUPPLEMENTARY
INFORMATION section of this document for Privacy Act information
related to any submitted comments or materials.
Docket: For access to the docket to read background documents or
comments received, go to http://www.regulations.gov at any time or to
Room W12-140 on the Ground level of the West Building, 1200 New Jersey
Avenue, SE., Washington, DC between 9 a.m. and 5 p.m. Monday through
Friday, except Federal Holidays.
FOR FURTHER INFORMATION CONTACT: Thomas McFarlin, Office of Safety
Assurance and Compliance, Staff Director, Signal & Train Control
Division, Federal Railroad Administration, Mail Stop 25, West Building
3rd Floor West, Room W35-332, 1200 New Jersey Avenue, SE., Washington,
DC 20590 (telephone: 202-493-6203); or Jason Schlosberg, Trial
Attorney, Office of Chief Counsel, RCC-10, Mail Stop 10, West Building
3rd Floor, Room W31-217, 1200 New Jersey Avenue, SE., Washington, DC
20590 (telephone: 202-493-6032).
SUPPLEMENTARY INFORMATION: FRA is issuing this proposed rule to provide
regulatory guidance and performance standards for the development,
testing, implementation, and use of Positive Train Control (PTC)
systems for railroads mandated by the Railroad Safety Improvement Act
of 2008 section 104, Public Law 110-432, 122 Stat. 4854 (Oct. 16, 2008)
(codified at 9 U.S.C. 20157) (hereinafter ``RSIA08'') to install PTC
systems. These regulations may also be voluntarily complied with by
entities not mandated to install PTC in lieu of the requirements
contained in subpart H of part 236. The proposed rule establishes
requirements for PTC system standard design and functionality, the
associated submissions for FRA PTC system approval and certification,
requirements for training, and required risk-based criteria. The RSIA08
mandates that widespread implementation of PTC across a major portion
of the U.S. rail industry be accomplished by December 31, 2015. This
proposed rule is intended to provide the necessary Federal oversight,
guidance, and assistance toward successful completion of that
congressional requirement. This proposed rule also necessitates or
results in some minimal revision or amendment to parts 229, 234 and
235, as well as previously existing subparts A through H of part 236.
Table of Contents for Supplementary Information
I. Introduction
II. Background
A. The Need for Positive Train Control Technology
B. Earlier Efforts to Encourage Voluntary PTC Implementation
C. Technology Advances Under Subpart H
III. The Rail Safety Improvement Act of 2008
IV. RSAC
V. Use of Performance Standards
VI. Section-by-Section Analysis
VII. Regulatory Impact and Notices
A. Executive Order 12866 and DOT Regulatory Policies and
Procedures
B. Regulatory Flexibility Act and Executive Order 13272
C. Paperwork Reduction Act
D. Federalism Implications
E. Environmental Impact
F. Unfunded Mandates Reform Act of 1995
G. Energy Impact
H. Privacy Act
VIII. The Rule
I. Introduction
This proposed rule provides new performance standards for the
implementation and operation of PTC systems as mandated by RSIA08 and
as otherwise voluntarily adopted. The proposed rule also details the
process and identifies the documents that railroads and operators of
passenger trains are to utilize and incorporate in their PTC
implementation plans required by the Railroad Safety Improvement Act of
2008 section 104, Public Law 110-432, 122 Stat. 4854, (Oct. 16, 2008)
(codified at 9 U.S.C. 20157) (hereinafter ``RSIA08''). The proposal
also details the process and procedure for obtaining FRA approval of
such plans.
FRA began the process of developing a proposed rule after RSIA08
was signed into law. While developing the proposed rule, FRA applied
the performance-based principles embodied in existing subpart H of part
236 to identify and remedy any weaknesses discovered in the subpart H
regulatory approach, while exploiting lessons learned from products
developed under subpart H. FRA has continued to make performance-based
safety decisions while supporting railroads in their development and
implementation of PTC system technologies.
Development of the proposed rule was enhanced with the
participation of the Railroad Safety Advisory Committee (RSAC), which
tasked a PTC Working Group to provide advice regarding development of
implementing regulations for PTC systems and their deployment that are
required under RSIA08. The PTC Working Group made a number of consensus
recommendations, which have been
identified and included in this proposed rule. The preamble discusses
the statutory background, the regulatory background, the RSAC
proceedings, the alternatives considered and the rationale for the
option selected, the proceedings to date, as well as the comments and
conclusions on general issues. Other comments and resolutions are
discussed within the corresponding section-by-section analysis.
II. Background
A. The Need for Positive Train Control Technology
Since the early 1920s, systems have been in use that can intervene
in train operations by warning crews or causing trains to stop if they
are not being operated safely because of inattention, misinterpretation
of wayside signal indications, or incapacitation of the crew. Pursuant
to orders of the Interstate Commerce Commission (ICC)--whose safety
regulatory activities were later transferred to FRA when it was
established in 1967--cab signal systems, automatic train control, and
automatic train stop systems were deployed on a significant portion of
the national rail system to supplement and enforce the indications of
wayside signals and operating speed limitations. However, these systems
were expensive to install and maintain, and with the decline of
intercity passenger service following the Second World War, the ICC and
the industry allowed many of these systems to be discontinued. During
this period, railroads were heavily regulated with respect to rates and
service responsibilities. The development of the Interstate Highway
System and other factors led to reductions in the railroads' revenues
without regulatory relief, leading to bankruptcies, railroad mergers,
and eventual abandonment of many rail lines. Consequently, railroads
focused on fiscal survival, and investments in expensive relay-based
train control technology were economically out of reach. The removal of
these train control systems, which had never been pervasively
installed, permitted train collisions to continue, notwithstanding
enforcement of railroad operating rules designed to prevent them.
As early as 1970, following its investigation of the August 20,
1969, head-on collision of two Penn Central Commuter trains near
Darien, Connecticut, in which 4 people were killed and 45 people were
injured, the National Transportation Safety Board (NTSB) asked FRA to
study the feasibility of requiring a form of automatic train control
system to protect against operator error and prevent train collisions.
Following the Darien accident, the NTSB continued to investigate one
railroad accident after another caused by human error. During the next
two decades, the NTSB issued a number of safety recommendations asking
for train control measures. Following its investigation of the May 7,
1986, rear-end collision involving a Boston and Maine Corporation
commuter train and a Consolidated Rail Incorporated (Conrail) freight
train in which 153 people were injured, the NTSB recommended that FRA
promulgate standards to require the installation and operation of a
train control system that would provide for positive train separation.
NTSB Recommendation R-87-16 (May 19, 1987), available at http://www.ntsb.gov/Recs/letters/1987/R87_16.pdf. When the NTSB first
established its Most Wanted List of Transportation Safety Improvements
in 1990, the issue of Positive Train Separation was among the
improvements listed, and it remained on the list until just after
enactment of RSIA08. Original ``Most Wanted'' list of Transportation
Safety Improvements, as adopted September 1990, available at http://www.ntsb.gov/Recs/mostwanted/original_list.htm. The NTSB continues to
follow the progress of the technology's implementation closely and
participated through staff in the most recent PTC Working Group
deliberations.
Meanwhile, enactment of the Staggers Rail Act of 1980 signaled a
shift in public policy that permitted the railroads to shed
unprofitable lines, largely replace published ``tariffs'' with
appropriately priced contract rates, and generally respond to
marketplace realities, which increasingly demanded flexible service
options responsive to customer needs. The advent of
microprocessor-based electronic control systems and digital data radio technology
during the mid-1980s led the freight railroad industry, through the
Association of American Railroads (AAR) and the Railway Association of
Canada, to explore the development of Advanced Train Control Systems
(ATCS). With broad participation by suppliers, railroads, and FRA,
detailed specifications were developed for a multi-level ``open''
architecture that would permit participation by many suppliers while
ensuring that systems deployed on various railroads would work in
harmony as trains crossed corporate boundaries. ATCS was intended to
serve a variety of business purposes, in addition to enhancing the
safety of train operations. Pilot versions of ATCS and a similar system
known as Advanced Railroad Electronic Systems (ARES) were tested
relatively successfully, but the systems were never deployed on a wide
scale primarily due to cost. However, sub-elements of these systems
were employed for various purposes, particularly for replacement of
pole lines associated with signal systems.
Collisions, derailments, and incursions into work zones used by
roadway workers continued as a result of the absence of effective
enforcement systems designed to compensate for the effects of fatigue
and other human factors. Renewed emphasis on rules compliance and
Federal regulatory initiatives, including rules for the control of
alcohol and drug use in railroad operations, operational testing and
inspection programs designed to verify railroad rules compliance,
requirements for qualification and certification of locomotive
engineers, and negotiated rules for roadway worker protection led to
some reduction in risk. However, the lack of an effective collision
avoidance system allowed the continued occurrence of accidents, some
involving tragic losses of life and significant property damage.
B. Earlier Efforts To Encourage Voluntary PTC Implementation
As the NTSB continued to highlight the opportunities for accident
prevention associated with emerging train control technology through
its investigations and findings, Congress showed increasing interest,
mandating three separate reports over the period of a decade. In 1994,
FRA reported to Congress on this problem, calling for implementation of
an action plan to deploy PTC systems (Railroad Communications and Train
Control, July 1994 (hereinafter ``1994 Report'')). The 1994 Report
forecasted substantial benefits of advanced train control technology in
supporting a variety of business and safety purposes, but noted that an
immediate regulatory mandate for PTC could not be justified based upon
normal cost-benefit principles relying on direct safety benefits. The
report outlined an aggressive Action Plan implementing a public-private
sector partnership to explore technology potential, deploy systems for
demonstration, and structure a regulatory framework to support emerging
PTC initiatives.
Following through on the 1994 Report, FRA committed approximately
$40 million through the Next Generation High Speed Rail Program and the
Research and Development Program to support development,
testing, and deployment of PTC prototype systems in the Pacific
Northwest, Michigan, Illinois, Alaska, and some Eastern railroads. FRA
also initiated a comprehensive effort to structure an appropriate
regulatory framework for facilitating voluntary implementation of PTC
and for evaluating future safety needs and opportunities.
In September of 1997, FRA asked the RSAC to address the issue of
PTC. The RSAC accepted three tasks: Standards for New Train Control
Systems (Task 1997-06), Positive Train Control Systems--Implementation
Issues (Task 1997-05), and Positive Train Control Systems--
Technologies, Definitions, and Capabilities (Task 1997-04). The PTC
Working Group was established, comprised of representatives of labor
organizations, suppliers, passenger and freight railroads, other
Federal agencies, and interested state departments of transportation.
The PTC Working Group was supported by FRA counsel and staff, analysts
from the Volpe National Transportation Systems Center, and advisors
from the NTSB staff.
In 1999, the PTC Working Group provided to the Federal Railroad
Administrator a consensus report (``1999 Report'') with an indication
that it would be continuing its efforts. The report defined the PTC
core functions to include: Prevention of train-to-train collisions
(positive train separation); enforcement of speed restrictions,
including civil engineering restrictions (curves, bridges, etc.) and
temporary slow orders; and protection for roadway workers and their
equipment operating under specific authorities. The PTC Working Group
identified additional safety functions that might be included in some
PTC architectures: Provide warning of on-track equipment operating
outside the limits of authority; receive and act upon hazard
information, when available, in a more timely or more secure manner
(e.g., compromised bridge integrity, wayside detector data); and
provide for future capability by generating data for transfer to
highway users to enhance warning at highway-rail grade crossings. The
PTC Working Group stressed that efforts to enhance highway-rail grade
crossing safety must recognize the train's necessary right of way at
grade crossings and that it is important that warning systems employed
at highway-rail grade crossings be highly reliable and ``fail-safe'' in
their design.
As the PTC Working Group's work continued, other collaborative
efforts, including development of Passenger Equipment Safety Standards
(including private standards through the American Public Transit
Association), Passenger Train Emergency Preparedness rules, and
proposals for improving locomotive crashworthiness (including improved
fuel tank standards) have targeted reduction in collision and
derailment consequences.
In 2003, in light of technological advances and potential increased
cost and system savings related to prioritized deployment of PTC
systems, the Appropriations Committees of Congress requested that FRA
update the costs and benefits for the deployment of PTC and related
systems. As requested, FRA carried out a detailed analysis that was
filed in August of 2004 (``2004 Report''), which indicated that under
one set of highly controversial assumptions, substantial public
benefits would likely flow from the installation of PTC systems on the
railroad system. Further, the total amount of these benefits was
subject to considerable controversy. While many of the other findings
of the 2004 Report were disputed, there were no data submitted to
challenge the 2004 Report finding that reaffirmed earlier conclusions
that the safety benefits of PTC systems were relatively small in
comparison to the large capital and maintenance costs. Accordingly, FRA
continued to believe that an immediate regulatory mandate for
widespread PTC implementation could not be justified based upon
traditional cost-benefit principles relying on direct railroad safety
benefits. Benefits and Costs of Positive Train Control (Report in
Response to Committees on Appropriations, August 2004).
Despite the economic infeasibility of PTC based on safety benefits
alone, as outlined in the 1994, 1999, and 2004 Reports, FRA continued
with regulatory and other efforts to facilitate and encourage the
voluntary installation of PTC systems. As part of the High Speed Rail
Initiative, and in conjunction with the National Railroad Passenger
Corporation (Amtrak), the AAR, the State of Illinois, and the Union
Pacific Railroad Company (UP), FRA created the North American Joint
Positive Train Control (NAJPTC) Program, which set out to describe a
single standardized open source PTC architecture and system. UP's line
between Springfield and Mazonia, Illinois was selected for initial
installation of a train control system to support Amtrak operations up
to 110 mph, and the system was installed and tested on portions of that
line. Although the system did not prove viable as then conceived, the
project hastened the development of PTC technology that was
subsequently employed in other projects. Promised standards for
interoperability of PTC systems also proved elusive.
In addition to financially supporting the NAJPTC Program, FRA
continued to work with the rail carriers, rail labor, and suppliers on
regulatory reforms to facilitate voluntary PTC implementation. The
regulatory reform effort culminated when FRA issued a final rule on
March 7, 2005, establishing a technology neutral safety-based
performance standard for processor-based signal and train control
systems. This new regulation, codified as subpart H to part 236, was
carefully crafted to encourage the voluntary implementation and
operation of processor-based signal and train control systems without
impairing technological development. 70 FR 11052 (Mar. 7, 2005).
FRA intended that final rule--developed in close cooperation with
rail management, rail labor, and suppliers--to further facilitate
individual railroad efforts to voluntarily develop and deploy cost
effective PTC technologies that would make system-wide deployment more
economically viable. It also appeared very possible that major
railroads would elect to make voluntary investments in PTC to enhance
safety, improve service quality, and foster efficiency (e.g., better
asset utilization, reduced fuel use through train pacing).
C. Technology Advances Under Subpart H
While FRA and RSAC worked to develop consensus on the regulations
that would become subpart H, the railroads continued with PTC prototype
development. The technology neutral, performance-based regulatory
process established by subpart H proved to be very successful in
facilitating the development of other PTC implementation approaches.
Although the railroads' prototype development efforts were generally
technically successful and offered significant improvements in safety,
costs of nationwide deployment continued to be untenable. Information
gained from prototype efforts did little to reduce the estimated costs
for widespread implementation of the core PTC safety functions on the
nation's railroads.
Working under subpart H, the BNSF Railway Company (BNSF), CSX
Transportation, Inc. (CSXT), the Norfolk Southern Corporation (NS), and
UP undertook more aggressive design and implementation work. The new
subpart H regulatory approach also made it feasible for smaller
railroads such as the Alaska Railroad and the Ohio Central Railroad to
begin voluntary design and implementation work on PTC systems
that best suited their needs. FRA provided, and continues to provide,
technical assistance and guidance regarding regulatory compliance to
enable the railroads to more effectively design, install, and test
their respective systems.
In December 2006, FRA approved the initial version of the
Electronic Train Management System (ETMS) product for deployment on 35
of BNSF's subdivisions (``ETMS I Configuration'') comprising single
track territory that was either non-signaled or equipped with traffic
control systems. In a separate proceeding, FRA agreed that ETMS could
be installed in lieu of restoring a block signal system on a line for
which discontinuance had been authorized followed by a significant
increase in traffic. During the same period, BNSF successfully
demonstrated a Switch Point Monitoring System (SPMS)--a system that
contains devices attached to switches that electronically report the
position of the switches to the railroad's central dispatching office
or the crew of an approaching train--and a Track Integrity Warning
System (TIWS)--a system that electronically reports to the railroad's
central dispatching office or the crew of an approaching train if there
are any breaks in the rail that might lead to derailments. FRA believes
both of these technologies help to reduce risk in non-signaled
territory and are forward-compatible for use with existing and new PTC
systems. To be forward-compatible, not to be confused with the similar
concept of extensibility, a system must be able to gracefully provide
input intended for use in later system versions. The introduction of a
forward-compatible technology implies that older devices can partly
understand and provide data generated or used by new devices or
systems. The concept can be applied to electrical interfaces,
telecommunication signals, data communication protocols, file formats,
and computer programming languages. A standard supports
forward-compatibility if older product versions can receive, read, view, play,
execute, or transmit data to the new standard. In the case of wayside
devices, they are said to be forward compatible if they can
appropriately communicate and interact with a PTC system when later
installed. A wayside device might serve the function of providing only
information or providing information and accepting commands from a new
system.
In addition to scheduling the installation of the ETMS I
configuration as capital funding became available, BNSF voluntarily
undertook the design and testing of complementary versions of ETMS that
would support BNSF operations on more complex track configurations, at
higher allowable train speeds, and with additional types of rail
traffic. Meanwhile, CSXT was in the process of redesigning and
relocating the test bed for its Communications Based Train Management
(CBTM) system, which it has tested for several years, and UP and NS
were working on similar systems using vital onboard processing.
As congressional consideration of legislation that resulted in the
RSIA08 commenced, all four major railroads had settled on the core
technology developed for them by Wabtec Railway Electronics
(``Wabtec''). As the legislation progressed, the railroads and Wabtec
worked toward greater commonality in the basic functioning of the
onboard system with a view toward interoperability. Accordingly, ETMS
is now a generic architectural description of one type of PTC system.
Examples of ETMS include the non-vital PTC systems of BNSF's ETMS I and
ETMS II, CSXT's CBTM, UP's Vital Train Management System (VTMS), and
NS's Optimized Train Control (OTC). Further work is being undertaken by
BNSF to advance the capability of ETMS by integrating Amtrak operations
(ETMS III). For a description of system enhancements planned by BNSF as
per the Product Safety Plan filed in accordance with subpart H, see FRA
Docket No. 2006-23687, Document 0017, at pp. 40-43.
While the freight railroads' efforts for developing and installing
PTC systems progressed over a relatively long period of time, starting
with demonstrations of ATCS and ARES in the late 1980s and culminating
in the initial ETMS Product Safety Plan approval in December of 2006,
Amtrak demonstrated its ability to turn on revenue-quality PTC systems
on its own railroad in support of high speed rail. Beginning in the
early 1990s, Amtrak developed plans for enhanced high speed service on
the Northeast Corridor (NEC), which included electrification and other
improvements between New Haven and Boston and introduction of the Acela
trainsets as the premium service from Washington to New York and New
York to Boston. In connection with these improvements, which support
train speeds up to 150 mph, Amtrak undertook to install the Advanced
Civil Speed Enforcement System (ACSES) as a supplement to existing cab
signals and automatic train control (speed control). Together, these
systems deliver PTC core functionalities. In support of this effort,
FRA issued an order for the installation of the system, which required
all passenger and freight operators in the New Haven-Boston segment to
equip their locomotives with ACSES. See 63 FR 39343 (July 22, 1998).
ACSES was installed between 2000 and 2002, and has functioned
successfully between New Haven and Boston, and on selected high speed
segments between Washington and New York for a number of years.
Amtrak voluntarily began development of an architecturally
different PTC system, the Incremental Train Control System (ITCS), for
installation on its Michigan Line. Amtrak developed and installed ITCS
under waivers from specific sections of 49 CFR part 236, subparts A
through G, granted by FRA. ITCS was applied to tenant NS locomotives as
well as Amtrak locomotives traversing the route. Highway-rail grade
crossings on the route were fitted with ITCS units to pre-start the
warning systems for high-speed trains and to monitor crossing warning
system health in real time. The ITCS was tested extensively in the
field for safety and reliability, and it was placed in revenue service
in 2001. As experience was gained, FRA authorized increases in speed to
95 mph; and FRA is presently awaiting final results of an independent
assessment of verification and validation for the system with a view
toward authorizing operations at the design speed of 110 mph.
Despite these successes, the widespread deployment of these various
train control systems, particularly on the general freight system,
remained very much constrained by prohibitive capital costs. While the
railroads were committed to installing these new systems to enhance the
safety afforded to the public and their employees, the railroads'
actual widespread implementation remained forestalled due to an
inability to generate sufficient funding for these new projects in
excess of the capital expenditures necessary to cover the ongoing
operating and maintenance costs. Accordingly, the railroads continued
to plan very slow deployments of PTC system technologies.
III. The Rail Safety Improvement Act of 2008
On May 1, 2007, the House of Representatives introduced H.R. 2095,
which would, among other things, mandate the implementation and use of
PTC systems. The bill passed the House on October 17, 2007. The bill
was then amended and passed by the Senate on August 1, 2008. While the
bill was awaiting final passage, the FRA Administrator testified before
Congress that ``FRA is a strong supporter of PTC
technology and is an active advocate for its continued development and
deployment.'' Senate Commerce Committee Briefing on Metrolink Accident,
110th Cong. (Sept. 23, 2008) (written statement of Federal Railroad
Administrator Joseph H. Boardman), available at http://www.fra.dot.gov/downloads/PubAffairs/09-23-08FinalStatementFRAAdministratorPTC_Sen_Boxer_Meeting.pdf.
On September 24, 2008, the House concurred with the Senate
amendment and added another amendment pursuant to H. Res. 1492. When
considering the House's amendment, various Senators made statements
referencing certain train accidents that were believed to be
PTC-preventable. For instance, Senator Lautenberg (NJ) took notice of the
collision at Graniteville, South Carolina in 2005, and Senators
Lautenberg, Hutchinson (TX), Boxer (CA), Levin (MI), and Carper (DE)
took notice of an accident at Chatsworth, California, on September 12,
2008. According to Senator Levin, Federal investigators have said that
a collision warning system could have prevented that crash and the
subject legislation would require that new technology to prevent
crashes be installed in high risk tracks. Senators Carper and Boxer
made similar statements, indicating that PTC systems are designed to
prevent train derailments and collisions, like the one in Chatsworth.
154 Cong. Rec. S10283-S10290 (2008). Ultimately, on October 1, 2008,
the Senate concurred with the House amendment.
The Graniteville accident referenced by Senator Lautenberg was an
early morning collision between two NS trains in non-signaled (dark)
territory near the Avondale Mills Textile plant. One of the trains--
which was transporting chlorine gas, sodium hydroxide, and cresol on
the main track--approached an improperly lined hand-operated switch. As
the train diverged through the switch, it ran onto the siding track
where it collided with a parked train. Various tank cars ruptured,
releasing at least 90 tons of chlorine gas. Nine people died due to
chlorine inhalation and at least 250 people were treated for chlorine
exposure. In addition, 5,400 residents within a mile of the crash site
were forced to evacuate for nearly two weeks while hazardous materials
(hazmat) teams and cleanup crews decontaminated the area.
The Chatsworth train collision occurred on the afternoon of
September 12, 2008, when a Union Pacific freight train and a Metrolink
commuter train collided head-on on a single main track equipped with a
Traffic Control System (TCS) in the Chatsworth district of Los Angeles,
California. Although NTSB has not yet released its final report,
evidence summarized at the NTSB's public hearing suggested that the
Metrolink passenger train was operated past a signal displaying a stop
indication and entered a section of single track where the opposing UP
freight train was operating on a signal indication permitting it to
proceed over a switch and into a siding (after which the switch would
have been lined for the Metrolink train to proceed). As a consequence
of the accident, 25 people died and over 130 more were seriously
injured.
Prior to the accidents in Graniteville and Chatsworth, the
railroads' slow incremental deployment of PTC technologies--while not
uniformly agreed upon by the railroads, FRA, and NTSB--was generally
deemed acceptable by them in view of the tremendous costs involved.
Partially as a consequence of the severity of these very public accidents,
coupled with a series of other less publicized accidents, Congress
passed the Rail Safety Improvement Act of 2008 into law on October 16,
2008, marking a public policy decision that, despite the implementation
costs, railroad employee and general public safety warranted mandatory
and accelerated installation and operation of PTC systems.
As immediately relevant to this rulemaking, RSIA08 requires the
installation and operation of PTC systems on all main lines, meaning
all intercity and commuter lines--with limited exceptions entrusted to
FRA--and on freight-only lines when they are part of a Class I railroad
system, carrying at least 5 million gross tons of freight annually, and
carrying any amount of poison- or toxic-by-inhalation (PIH or TIH)
materials. While the statute vests certain responsibilities with the
Secretary of the U.S. Department of Transportation, the Secretary has
since delegated those responsibilities to the FRA Administrator. See 49
CFR 1.49(oo); 74 FR 26,981 (June 5, 2009); see also 49 U.S.C. 103(g).
In RSIA08, Congress established very aggressive dates for PTC
system build-out completion. Each subject railroad is required to
submit to FRA by April 16, 2010, an implementation plan indicating
where and how it intends to install PTC systems by December 31, 2015.
As a result of this accelerated PTC system deployment schedule,
railroads must immediately engage in a massive reprogramming of capital
funds.
In light of the timetable instituted by Congress, and to better
support railroads with their installation while maintaining safety, FRA
decided that it is appropriate for mandatory PTC systems to be reviewed
by FRA differently than the regulatory approval process provided under
subpart H. FRA believes that it is important to develop a process more
suited specifically for PTC systems that would better facilitate
railroad reuse of safety documentation and simplify the process of
showing that the installation of the PTC system did not degrade safety.
FRA also believes that subpart H does not clearly address the statutory
mandates and that such lack of clarity would complicate railroad
efforts to comply with the new statutory requirements. Accordingly, FRA
is hereby proposing to amend part 236 by modifying existing subpart H
and adding a new subpart I. FRA requests comments on whether this
proposed regulation exercises the appropriate level of discretion and
flexibility to comply with RSIA08 in the most cost effective and
beneficial manner.
IV. RSAC
In March 1996, FRA established the RSAC, which provides a forum for
collaborative rulemaking and program development. The RSAC includes
representatives from all of the agency's major stakeholder groups,
including railroads, labor organizations, suppliers and manufacturers,
and other interested parties. When appropriate, FRA assigns a task to
RSAC, and after consideration and debate, RSAC may accept or reject the
task. If accepted, RSAC establishes a working group that possesses the
appropriate expertise and representation of interests to develop
recommendations to FRA for action on the task. These recommendations are
developed by consensus. The working group may establish one or more
task forces or other subgroups to develop facts and options on a
particular aspect of a given task. The task force, or other subgroup,
reports to the working group. If a working group comes to consensus on
recommendations for action, the package is presented to the RSAC for a
vote. If the proposal is accepted by a simple majority of the RSAC, the
proposal is formally recommended to FRA. FRA then determines what
action to take on the recommendation. Because FRA staff has played an
active role at the working group and subgroup levels in discussing the
issues and options and in drafting the language of the consensus
proposal, and because the RSAC recommendation constitutes the consensus
of some of the industry's
[[Page 35955]]
leading experts on a given subject, FRA is generally favorably inclined
toward the RSAC recommendation. However, FRA is in no way bound to
follow the recommendation and the agency exercises its independent
judgment on whether the recommended rule achieves the agency's
regulatory goals, is soundly supported, and was developed in accordance
with the applicable policy and legal requirements. Often, FRA varies in
some respects from the RSAC recommendation in developing the actual
regulatory proposal.
In developing this proposal, FRA adopted the RSAC PTC Working Group
approach. As part of this effort, FRA is working with the major
stakeholders affected by this subpart in as collaborative a manner
as possible. FRA believes establishing a collaborative relationship
early in the product development and regulatory development cycles can
help bridge the divide between the railroad carrier's management,
railroad labor organizations, the suppliers, and FRA by ensuring that
all stakeholders are working with the same set of data and have a
common understanding of product characteristics or their related
processes and production methods, including the regulatory provisions, with
which compliance is mandatory. However, where the group failed to reach
consensus on an issue, FRA used its authority to resolve the issue,
attempting to reconcile as many of the divergent positions as possible
through traditional rulemaking proceedings.
On December 10, 2008, the RSAC accepted a task (No. 08-04) entitled
``Implementation of Positive Train Control Systems.'' The purpose of
this task was defined as follows: ``To provide advice regarding
development of implementing regulations for Positive Train Control
(PTC) systems and their deployment under the Rail Safety Improvement
Act of 2008.'' The task called for the RSAC PTC Working Group to
perform the following:
Review the mandates and objectives of the Act related to
deployment of PTC systems;
Help to describe the specific functional attributes of
systems meeting the statutory purposes in light of available
technology;
Review impacts on small entities and ascertain how best to
address them in harmony with the statutory requirements;
Help to describe the details that should be included in
the implementation plans that railroads must file within 18 months of
enactment of the Act;
Offer recommendations on the specific content of
implementing regulations; and
The task also required the PTC Working Group to:
Report on the functionalities of PTC systems;
Describe the essential elements bearing on
interoperability and the requirements for consultation with other
railroads in joint operations; and
Determine how PTC systems will work with the operation of
non-equipped trains.
The PTC Working Group was formed from interested organizations that
are members of the RSAC. The following organizations contributed
members:
American Association of State Highway & Transportation Officials
(AASHTO)
American Chemistry Council (ACC)
American Public Transportation Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
Association of American Railroads (AAR)
Association of State Rail Safety Managers (ASRSM)
Brotherhood of Maintenance of Way Employees Division (BMWED)
Brotherhood of Locomotive Engineers and Trainmen Division (BLETD)
Brotherhood of Railroad Signalmen
Federal Transit Administration*
International Brotherhood of Electrical Workers
National Railroad Construction and Maintenance Association
National Railroad Passenger Corporation (Amtrak)
National Transportation Safety Board (NTSB)*
Railway Supply Institute (RSI)
Transport Canada*
Tourist Railway Association Inc.
United Transportation Union (UTU)
*Indicates associate (non-voting) member.
From January to April 2009, FRA met with the entire PTC Working
Group five times over the course of twelve days. During those meetings,
in order to efficiently accomplish the tasks assigned to it, the PTC
Working Group empowered three task forces to work concurrently. These
task forces were the passenger, short line and regional railroad, and
the radio and communications task forces. Each discussed issues
specific to their particular interests and needs and produced proposed
rule language for the PTC Working Group's consideration. The majority
of the proposals were adopted into the rule as agreed upon by the
working group, with rule language related to a remaining few issues
being further discussed and enhanced for inclusion into the rule by the
PTC Working Group.
The passenger task force discussed testing issues relating to parts
236 and 238 and the definition of ``main line'' under the statute,
including possible passenger terminal and limited operations exceptions
to PTC implementation. Recommendations of the task force were presented
to the PTC Working Group, which adopted or refined each suggestion.
The short line and regional railroad task group was formed to
address the questions pertaining to Class II and Class III railroads.
Specifically, the group discussed issues regarding the trackage rights
of Class II and III railroads using trains not equipped with PTC
technology over a Class I railroad's PTC territory, passenger service
over track owned by a Class II or Class III railroad where PTC would
not otherwise be required, and railroad crossings-at-grade involving a
Class I railroad's PTC-equipped train and a Class II or III railroad's
PTC unequipped train. After much discussion, there were no resolutions
reached to any of the main issues raised. However, the discussion
yielded insights utilized by FRA in preparing this proposed rule.
The radio and communications task force addressed wireless
communications issues, particularly as they relate to communications
security, and recommended language for proposed Sec. 236.1033.
FRA staff worked with the PTC Working Group and its task forces in
developing many facets of this proposal. FRA gratefully acknowledges
the participation and leadership of representatives who served on the
PTC Working Group and its task forces. These points are discussed to
show the origin of certain issues and the course of discussion on these
issues at the task force and working group levels. We believe this
helps illuminate the factors FRA weighed in making its regulatory
decisions regarding this proposed rule and the logic behind those
decisions.
In general, the PTC Working Group agreed on the process for
implementing PTC under the statute, including decisional criteria to be
applied by FRA in evaluating safety plans, adaptation of subpart H
principles to support this mandatory implementation, and refinements to
subpart H and the part 236 appendices necessary to dovetail the two
regulatory regimes and take lessons from early implementation of
subpart H, including most aspects of the training requirements. Notable
accords were reached, as well, on major functionalities of PTC and on
exceptions applicable to passenger
[[Page 35956]]
service (terminal areas and main line exceptions). Major areas of
disagreement included whether to allow non-equipped trains on PTC
lines, extension of PTC to lines not within the statutory mandate, and
whether to provide for additional onboard displays when two or more
persons are regularly assigned duties in the cab. Some additional areas
of concern were discussed but could not be resolved in the time
available. It was understood that where discussion did not yield
agreement, FRA would make proposals and receive public comment.
V. Use of Performance Standards
Given the statutory mandate for the implementation of PTC systems,
FRA intends the proposed rule to accelerate the promotion of, and not
hinder, cost effective technological innovation by encouraging an
efficient utilization of resources, an increased level of competition,
and more innovative user applications and technological developments.
FRA believes that, wherever possible, regulation must allow
technologies the full freedom to exploit market opportunities, must
support the challenges and opportunities resulting from the combination
of emerging and varying technologies within an evolving marketplace,
and should not discriminate between PTC systems vendors due to the
technology or services provided.
Accordingly, FRA has attempted to refrain as
much as possible from developing technical or design standards, or even
requiring implementation of particular PTC technologies that may
prevent technological innovation or the development of alternative
means to achieve the statutorily defined PTC functions. If FRA were to
implement specific technical standards, emerging technologies may
render those standards obsolete. Thus, implementation of systems by the
railroads using new technologies that are not addressed by the specific
standards would require railroads and FRA to manage the deployment of
alternative technologies using a cumbersome and time consuming waiver
process. Consequently, for the same reasons FRA expressed in the final
rule implementing subpart H (70 FR 11052, 11055-11059 (Mar. 7, 2005)),
FRA continues to believe that it is best to pursue a performance-based
standard while providing sufficient basic parameters within which the
PTC system's architectures and functionalities must be developed,
implemented, and maintained.
Like subpart H of part 236, proposed subpart I provides for the
same level of product confidence and versatility in determining what
PTC technology a railroad may elect to implement and operate, even if
the railroad chooses to modify its PTC system over time. Unlike subpart
H, however, proposed subpart I requires specific deployment of PTC
while simplifying the application process, potentially reducing the
size of the regulatory filings through facilitation of safety
documentation reuse, and more narrowly defining the required
performance targets based on railroad operations and in terms of more
specific functional PTC behaviors. The approach under subpart I also
reduces the likelihood of continually changing safety targets, which
may vary based on each railroad's safety culture, and provides for
incremental improvements in safety in coordination with FRA.
To ensure sufficient confidence in each PTC system implemented
under subpart I, FRA expects that all safety- and risk-related data be
supported by credible evidence or information. Such credible evidence
or information may be developed through laboratory or field testing,
augmented by appropriate analysis and inspection, which may be
monitored or reviewed by FRA. FRA expects that, as a practical matter,
lab testing would be performed in the majority of cases. FRA does not
believe it is necessary to require any railroad to lab test. However,
field testing may be required in certain instances to test certain
points of the PTC system in various conditions.
If the railroad or FRA determines that the complexity of the
technology or the supporting safety case warrants, credibility of this
information may also be evaluated through an assessment of Verification
and Validation performed by an acceptable independent third party
selected and paid for by the railroad, subject to FRA approval.
Ultimately, however, it is FRA's responsibility to determine whether
each PTC system's performance results in an acceptable level of safety
to railroad employees and the general public and whether any such
system shall receive PTC System Certification, as required by statute.
In order to provide meaningful flexibility, FRA is prepared to consider
use of alternative risk analysis methods and proposals regarding the
extent to which a product exhibits fail-safe behavior. FRA still
emphasizes that higher speed and higher risk rail service should be
supported by more highly competent train control technology and
analysis.
FRA recognizes that there may potentially be various PTC system
configurations and a variety of operational scopes involved. FRA
believes that the information requested under subpart I should be
sufficient to permit FRA to predict whether a PTC system is fully
adequate from a safety perspective. Subparts H and I require submission
of similar technical data. Given the degree of uncertainty associated
with the underlying analysis of a complex PTC system and its environs,
subpart I--much like subpart H--requires application of FRA's judgment
and expertise. Given the complexity of the underlying analysis--and
FRA's need to ensure an acceptable level of safety and analytical
uniformity between functionally equivalent but architecturally
different systems--it is incumbent upon the subject railroad, possibly
in concert with the vendor, supplier, or manufacturer of its PTC
system, to make a persuasive case in its filings that the applicable
performance standards are met. Primarily, the risk assessments required
by the proposed rule should provide an objective measure of the safety
risk levels involved, which will be reviewed by FRA for comparison
purposes. As such, FRA believes that each risk assessment should
determine relative risk levels, rather than absolute risk levels, but
against a clearly delineated base case acceptable to FRA under the
proposed regulation.
Thus, this proposed rule attempts to emphasize the determination of
relative risk. FRA believes that the guidelines captured in Appendix B
adequately state the objectives and major considerations of any risk
assessment it would expect to see submitted under proposed subpart I.
FRA also believes that these guidelines allow sufficient flexibility in
the conduct of risk assessments, yet provide sufficient uniformity by
helping to ensure that final results are presented in familiar units of
measurement.
One of the major characteristics of a risk assessment is whether it
is performed using qualitative or quantitative methods. FRA continues
to believe that both quantitative and qualitative risk assessment
methods may be used, as well as combinations of the two. FRA expects
that qualitative methods should be used only where appropriate, and
only when accompanied by an explanation as to why the particular risk
cannot be fairly quantified. FRA also continues to believe that
railroads and suppliers should not be limited in the type of risk
assessments they should be allowed to perform to demonstrate compliance
with the minimum performance standard. The state of the art of risk
[[Page 35957]]
assessment methods could potentially change more quickly than the
regulatory process will allow, and not taking advantage of these
innovations could slow the progress of implementation of safer signal
and train control systems. Thus, as in subpart H, FRA is allowing risk
assessment methods not meeting the guidelines of this rule, so long as
it can be demonstrated to the satisfaction of the FRA Associate
Administrator for Railroad Safety/Chief Safety Officer (hereinafter
Associate Administrator) that the risk assessment method used is
suitable in the context of the particular PTC system. FRA believes this
determination is best left to the Associate Administrator because the
FRA retains authority to ultimately prevent implementation of a system
whose plans do not adequately demonstrate compliance with the
performance standard under the proposed rule.
FRA is aware that some types of risk are more amenable to
measurement by using certain methods rather than others because of the
type and amount of data available. If a railroad does elect to use
different risk assessment methods, FRA will consider this as a factor
for PTC System Certification (see Sec. 236.1015). Also, in such cases,
when the margin of uncertainty has been inadequately described, FRA
will be more likely to require FRA monitored field or laboratory
testing (see Sec. 236.1035) or an independent third-party assessment
(see Sec. 236.1017).
When FRA issued the final rule establishing subpart H, FRA
considered the criteria of simplicity, relevancy, reliability, cost,
and objectivity. FRA believes that these criteria remain applicable.
FRA has attempted to make the requirements under subpart I simpler than
the requirements of subpart H, so that railroads will be provided with
a greater amount of flexibility to more easily demonstrate that their PTC
systems are certifiable by FRA. Like subpart H, subpart I focuses on the
safety-relevant characteristics of systems and emphasizes all relevant
aspects of product performance. FRA also drafted performance standards
that can be applied reliably and precisely in a manner which should
yield similar results each time they are applied to the same subject.
Although RSIA08 appears to make cost a consideration secondary to
safety, FRA believes that demonstrating compliance under subpart I
should minimize those costs while not degrading the primary objective
of public safety. FRA also believes that subpart I includes an
objective performance standard where compliance can be determined
through sound engineering analysis, testing, or investigation.
VI. Section-by-Section Analysis
Unless otherwise noted, all section references below refer to
sections in title 49 of the Code of Federal Regulations (CFR). FRA
seeks comments on all proposals made in this NPRM.
Proposed Amendments to 49 CFR Part 229
Section 229.135 Event Recorders
Advances in electronics and software technology have not only
enabled the development of PTC systems, but have also resulted in
changes to the implementation of locomotive control systems. These
technological changes have provided for the introduction of new
functional capabilities and the integration of different functions in
ways that advance the building, operation, and maintenance of
locomotive control systems. FRA also recognizes that advances in
technology may further eliminate the traditional distinctions between
locomotive control and train control functionalities. Indeed,
technological advances may provide opportunities for increased or
improved functionalities in train control systems that run concurrently
with locomotive control.
Train control and locomotive control, however, remain two
fundamentally different operations with different objectives. FRA does
not want to restrict the adoption of new locomotive control functions
and technologies by imposing regulations on locomotive control systems
intended to address safety issues associated with train control.
Accordingly, FRA is reviewing and enhancing the Locomotive Safety
Standards (49 CFR part 229) to address the use of advanced electronics
and software technologies to improve safe, efficient, and economical
locomotive operations when a new or proposed locomotive control system
function does not interface or commingle with a safety-critical train
control system. In the meantime, FRA proposes to amend Sec. 229.135 to
ensure its applicability to subpart I.
Proposed Amendments to 49 CFR Part 234
Section 234.275 Processor-Based Systems
Section 234.275 of title 49 presently requires that each processor-
based system, subsystem, or component used for active warning at
highway-rail grade crossings that is new or novel technology, or that
provides safety-critical data to a railroad signal or train control
system which is qualified using the subpart H process, shall also be
governed by those requirements, including approval of a Product Safety
Plan. Particularly with respect to high speed rail, FRA anticipates
that PTC systems will in some cases incorporate new or novel technology
to provide for crossing pre-starts (reducing the length of approach
circuits for high speed trains), verify crossing system health as
between the wayside and approaching trains, or slow trains approaching
locations where storage has been detected on a crossing, among other
options. Indeed, each of these functions is presently incorporated in
at least one train control system, and others may one day be feasible
(including in-vehicle warning). There would appear to be no reason why
such a functionality intended for inclusion in a PTC system mandated by
subpart I could not be qualified with the rest of the PTC system under
subpart I. On the other hand, care should be taken to set an
appropriate safety standard taking into consideration highway users,
occupants of the high speed trains, and others potentially affected.
In fact, with new emphasis on high speed rail, FRA needs to
consider the ability of PTC systems to integrate this type of new
technology and thereby reduce risk associated with high speed rail
service. Risk includes derailment of a high speed train with
catastrophic consequences after encountering an obstacle at a highway-
rail grade crossing. To avoid such consequences, as many crossings as
possible should be eliminated. To that end, 49 CFR 213.347 requires a
warning and barrier plan to be approved for Class 7 track (speeds above
110 mph) and prohibits grade crossings on Class 8 and 9 track (above
125 mph). That leaves significant exposure on Class 5 and 6 track that
is currently not addressed by regulation. Comment is requested on how
best to approach this issue, ensuring that various FRA regulations,
including subpart I, address this safety need effectively and in
harmony with one another.
Proposed Amendments to 49 CFR Part 235
Section 235.7 Changes Not Requiring Filing of Application
FRA proposes to amend this section of the regulation, which allows
specified changes within existing signal or train control systems to be
made without the necessity of filing an application. The amendment
consists of adding an allowance for a railroad to remove an intermittent
automatic train stop system
[[Page 35958]]
in conjunction with the implementation of a PTC system approved under
subpart I of part 236.
The changes allowable under this section, without filing of an
application, are those identified on the basis that the resultant
condition will be at least no less safe than the previous condition.
The required functions of PTC within subpart I provide a considerably
higher level of functionality related to both alerting and enforcing
necessary operating limitations than an intermittent automatic train
stop system does. Additionally, in the event of the loss of PTC
functionality (i.e., a failure en route), the operating restrictions
required will provide the needed level of safety in lieu of the
railroad being expected to keep and maintain an underlying system such
as intermittent automatic train stop only for such cases. FRA
therefore believes that with the implementation of PTC under the
requirements of subpart I, the safety value of any previously existing
intermittent automatic train stop system is entirely obviated. There
were no objections in the PTC Working Group to this amendment.
Proposed Amendments to 49 CFR Part 236
Section 236.0 Applicability, Minimum Requirements, and Penalties
FRA proposes to amend this existing section of the regulation to
remove manual block from the methods of operation permitting speeds of
50 miles per hour or greater for freight trains and 60 miles per hour
or greater for passenger trains. Manual block rules do create a
reasonably secure means of preventing train collisions. However, where
the attributes of block signal systems are not present, misaligned
switches, broken rails, or fouling equipment may cause a train
accident. FRA believes that contemporary expectations for safe
operations require this adjustment, which also provides a more orderly
foundation for the application of PTC to the subject territories. There
were no objections in the PTC Working Group to this change.
Section 236.909 Minimum Performance Standard
FRA is proposing to modify existing Sec. 236.909 to make the risk
metric sensitivity analysis an integral part of the full risk
assessment required to be submitted with a product safety plan in
accordance with Sec. 236.907(a)(7). The proposed amendment of this
section would also eliminate an alternative option for a railroad to
use a risk metric in which consequences of potential accidents are
measured strictly in terms of fatalities.
Currently, Sec. 236.909(e)(1) indicates how safety and risk should
be measured for the full risk assessment, but does not accentuate the
need for running a sensitivity analysis on chosen risk metrics to
assure that the worst case scenarios for the proposed system failures
or malfunctions are accounted for in the risk assessment. On the other
hand, Appendix B to this part mandates that each risk metric for the
proposed product must be expressed with an upper bound, as estimated
with a sensitivity analysis. FRA's experience gained while
reviewing product safety plans submitted to FRA in accordance with
subpart H revealed that the railroads did not understand a
sensitivity analysis for the chosen risk metrics to be a mandatory
requirement. Accordingly, to ensure clarity regarding FRA's
expectations, FRA proposes to amend paragraph (e)(1) to explicitly
require the performance of a sensitivity analysis for the chosen risk
metrics. The language proposed in this rule explains the need for the
sensitivity analysis and describes the key input parameters that must
be analyzed.
The proposed modification to paragraph (e)(2) is intended to
clarify how the exposure and its consequences, as main components of
the risk computation formula, must be measured. Under the proposed rule
text, the exposure must be measured in train miles per year over the
relevant railroad infrastructure where a proposed system is to be
implemented. When determining the consequences of potential accidents,
the railroad must identify the total costs involved, including those
relating to fatalities, injuries, property damage, and other
incidentals. FRA proposes to eliminate the option of using an
alternative risk metric, which would allow the measurement of
consequences strictly in terms of fatalities. It is FRA's experience
that measuring consequences of accidents strictly in terms of
fatalities did not serve as an adequate alternative to metrics of total
cost of accidents for two main reasons. First, the statistical data on
railroad accidents shows that accidents involving fatalities also cause
injuries and significant damage to railroad property and infrastructure
for both freight and especially passenger operations. Even though the
cost of human life is often the highest component of monetary estimates
of accident consequences, the dollar estimates of injuries, property
losses, and damage to the environment associated with accidents
involving fatalities cannot and should not be discounted in the risk
analysis. Second, allowing fatalities to serve as the only risk metric
of accident consequences confused the industry and the risk assessment
analysts attempting to determine the overall risk associated with the
use of certain types of train control systems. As a result, some risk
analysts inappropriately converted injuries and property damages for
observed accidents into relative estimates of fatalities. This method
cannot be considered acceptable because, while distorting the overall
picture of accident consequences, it also raises questions about the
appropriateness of the conversion coefficients. Therefore, FRA considers it
appropriate to eliminate from the rule the alternative option for
consequences to be measured in fatalities only.
Subpart I--Positive Train Control Systems
Section 236.1001 Purpose and Scope
This section describes both the purpose and the scope of subpart I.
Subpart I provides performance-based regulations for the development,
test, installation, and maintenance of Positive Train Control (PTC)
Systems, and the associated personnel training requirements, that are
mandated for installation by FRA. This subpart also details the process
and identifies the documents that railroads and operators of passenger
trains are to utilize and incorporate in their PTC implementation
plans. This subpart also details the process and procedure for
obtaining FRA approval of such plans.
Section 236.1003 Definitions
Given that a natural language such as English contains, at any
given time, a finite number of words, any comprehensive list of
definitions must either be circular or leave some terms undefined. In
some cases, it is not possible and indeed not necessary to state a
definition. Where possible and practicable, FRA prefers to provide
explicit definitions for terms and concepts rather than rely solely on
a shared understanding of a term through use.
Paragraph (a) reinforces the applicability of existing definitions
of subparts A through H. The definitions of subparts A through H are
applicable to subpart I, unless otherwise modified by this part.
Paragraph (b) introduces definitions for a number of terms that
have specific meanings within the context of subpart I. In lieu of
analyzing each definition here, however, some of the delineated
terms will be discussed as appropriate while analyzing other sections
below.
As a general matter, however, FRA believes it is important to
explain certain organizational changes required pursuant to RSIA08. The
statute establishes the position of a Chief Safety Officer. The Chief
Safety Officer has been designated as the Associate Administrator for
Railroad Safety. Thus, the use of the term Associate Administrator in
this subpart refers to the Associate Administrator for Railroad Safety
and Chief Safety Officer.
Section 236.1005 Requirements for Positive Train Control Systems
RSIA08 specifically requires that each PTC system be designed to
prevent train-to-train collisions, overspeed derailments, incursions
into established work zone limits, and the movement of a train through
a switch left in the wrong position. Section 236.1005 includes the
minimum statutory requirements and provides amplifying information
defining the necessary PTC functions and the situations under which PTC
systems must be installed. Each PTC system must be reliable and perform
the functions specified in RSIA08. FRA requests comments on whether the
definitions and amplifying information within Sec. 236.1005 are
appropriate interpretations of RSIA08 and whether FRA is exercising the
appropriate level of discretion and flexibility to comply with RSIA08
in the most cost effective and efficient manner.
Train-to-train collisions. Paragraph (a)(1)(i) proposes to apply
the statutory requirement that a mandatory PTC system must be designed
to prevent train-to-train collisions. FRA understands this to mean
head-to-head, rear-end, and side and raking collisions between trains
on the same, converging, or intersecting tracks. PTC technology now
available can meet these needs through guidance to the locomotive
engineer that is current and continuous and through enforcement using
predictive braking to stop short of known targets. FRA notes that the
technology associated with currently available PTC systems may not
completely eliminate all collision risks. For instance, a PTC system
mandated by this subpart is not required to prevent a collision caused
by a train that derails and moves over an area not covered by track and
onto a neighboring or adjacent track (known in common parlance as a
``secondary collision'').
During discussions regarding available PTC technology, it has been
noted that this technology also has inherent limitations with respect
to prevention of certain collisions that might occur at restricted
speed. In signaled territory, there are circumstances under which
trains may pass red signals, other than absolute signals except with
verbal authority, either at restricted speed or after stopping and then
proceeding at restricted speed. Available PTC technology does not track
the rear end of each train as a target that another train must be
stopped short of but instead relies on the signal system to indicate
the appropriate action. In this example, the PTC system would display
``restricted speed'' to the locomotive engineer as the action required
and would enforce the upper limit of restricted speed (i.e., 15 or 20
miles per hour, depending on the railroad). This means that more
serious rear end collisions will be prevented, because the upper limit
of restricted speed is enforced, and it also means that fewer low speed
rear-end collisions will occur because a continuous reminder of the
required action will be displayed to the locomotive engineer (rather
than the engineer relying on the aspect displayed by the last signal,
which may have been passed some time ago). However, some potential for
a low-speed rear-end collision will remain in these cases, and the rule
is clear that this limitation has been accepted. Similar exposure may
occur in non-signaled territory where trains are conducting switching
operations or other activities under joint authorities. The PTC system
can enforce the limits of the authority and the upper limit of
restricted speed, but it cannot guarantee that the trains sharing the
authority will not collide. Again, however, the likelihood and average
severity of any potential collisions would be greatly reduced. FRA may
address this issue in a later modification to subpart I if necessary as
technology becomes available.
The proposed rule text does, however, provide an example of a
potential train-to-train collision that a PTC system should be designed
to prevent. Rail-to-rail crossings-at-grade--otherwise known as diamond
crossings--present a risk of side collisions. FRA recognizes that such
intersecting lines may or may not require PTC system implementation and
operation. Since a train operating with a PTC system cannot necessarily
recognize a train not operating with a PTC system or moving on an
intersecting track without a PTC system, the PTC system--no matter how
intelligent--may not be able to prevent a train-to-train collision in
such circumstances.
Accordingly, paragraph (a)(1)(i) proposes to require certain
protections for such rail-to-rail crossings-at-grade. While these
locations are specifically referenced in paragraph (a)(1)(i), their
inclusion is merely illustrative and does not necessarily preclude any
other type of potential train-to-train collision. Moreover, a host
railroad may have alternative arrangements to the specific protections
referenced in the associated table under paragraph (a)(1)(i), which it
must submit in its PTC Safety Plan (PTCSP)--discussed in detail below--
and receive a PTC System Certification associated with that PTCSP.
Rail-to-rail crossings-at-grade that have one or more PTC routes
intersecting with one or more routes without a PTC system must have an
interlocking signal arrangement in place developed in accordance with
subparts A through G of part 236 and a PTC enforced stop on all PTC
routes. FRA has also determined that the level of risk varies based
upon the speeds at which the trains operate through such crossings, as
well as the presence, or lack, of PTC equipped lines leading into the
crossing. Accordingly, under a compromise accepted by the PTC Working
Group, if the maximum speed on at least one of the intersecting tracks
is more than 40 miles per hour, then the routes without a PTC system
must also have either some type of positive stop enforcement or a
split-point derail on each approach to the crossing and incorporated
into the signal system, and a permanent maximum speed limit of 20 miles
per hour. FRA expects that these protections be instituted as far in
advance of the crossing as is necessary to stop the encroaching train
from entering the crossing. The 40 miles per hour threshold appears to
be appropriate given three factors. First, the frequency of collisions
at these rail intersections is low, because typically one of the routes
is favored on a regular basis and train crews expect delays until
signals clear for their movement. Second, the special track structure
used at these intersections, known as crossing diamonds, experiences
heavy wear; and railroads tend to limit speeds over these locations to
no more than 40 miles per hour. Finally, FRA recognizes that for a
train on either intersecting route, elevated speed will translate into
higher kinetic energy available to do damage in a collision-induced
derailment. Thus, for the relatively small number of rail crossings
with one or more routes having an authorized train speed above 40 miles
per hour, including higher speed passenger routes, it is particularly
important that any collision be prevented. FRA appreciates that a more
protective approach could be considered and welcomes any data or
commentary that might bear on this issue.
FRA believes that these more aggressive measures are required to
ensure train safety in the event the engineer does not stop a train
before reaching the crossing when the engineer does not have a cleared
route displayed by the interlocking signal system and higher speed
operations are possible on the route intersected. The split-point
derail would prevent a collision in such a case by derailing the
offending train onto the ground before it reaches the crossing. Should
the train encounter a split-point derail as a result of the crew's
failure to observe the signal indication, the slower speed at which the
unequipped train is required to travel would minimize the damage to the
unequipped train and the potential effect on the surrounding area. As
an alternative to split-point derails, the non-PTC line may be
outfitted with some other mechanism that ensures a positive stop of the
unequipped crossing train. If a PTC system or systems are installed and
operated on all crossing lines, there are no speed restrictions other
than those that might be enforced as part of a civil or temporary speed
restriction. However, the crossing must be interlocked and the PTC
system or systems must ensure that each of the crossing trains can be
brought safely to a stop before reaching the crossing in the event that
another train is already cleared through or occupying the crossing.
Overspeed derailments. Paragraph (a)(1)(ii) proposes that PTC
systems mandated under subpart I be designed to prevent overspeed
derailments and addresses specialized requirements for doing so. FRA
notes that a number of passenger train accidents with significant
numbers of injuries have been caused by trains exceeding the maximum
allowable speed at turnouts and crossovers and upon entering stations.
Accordingly, FRA emphasizes the importance of enforcement of turnout
and crossover speed restrictions, as well as civil speed restrictions.
For instance, in the Chicago region, two serious train accidents
occurred on the same Metra commuter line when locomotive engineers
operated trains at more than 60 miles per hour while traversing between
tracks using crossovers, which were designed to be safely traversed at
10 miles per hour. For illustrative purposes, the rule text makes clear
that such derailments may be related to railroad civil engineering
speed restrictions, slow orders, and excessive speeds over switches and
through turnouts and these types of speed restrictions are to be
enforced by the system.
Roadway work zones. Paragraph (a)(1)(iii) proposes that PTC systems
mandated under subpart I be designed to prevent incursions into
established work zone limits. Work zone limits are defined by time and
space. The length of time a work zone limit is applicable is determined
by human elements. Working limits are obtained by contacting the train
dispatcher, who will confirm an authority only after it has been
transmitted to the PTC server. Paragraph (a)(1)(iii) emphasizes the
importance of the PTC systems to provide positive protection for
roadway workers working within the limits of their work zone.
Accordingly, once a work zone limit has been established, the PTC
system must be notified. The PTC system must continue to obey that
limit until it is notified from the dispatcher or roadway worker in
charge, with verification from the other, either that the limit is
released and the train is authorized to enter or the roadway worker in
charge authorizes movement of the train through the work zone.
As a way to achieve this technological functionality, FRA's Office
of Railroad Development has funded the development of a Roadway Worker
Employee in Charge (EIC) Portable Terminal that allows the EIC to
control the entry of trains into the work zone. While no rule includes
the commonly used term EIC, FRA recognizes that it is the equivalent to
the ``Roadway Worker In Charge'' as used in part 214. With the portable
terminal, the EIC can directly control the entry of trains into the
work zone and restrict the speed of the train through the work zone. If
the EIC does not grant authority for the train to enter the work zone,
the train is forced to a stop prior to violating the work zone
authority limits. If the EIC authorizes entry of the train into the
work zone, the EIC may establish a maximum operating speed for the
train consistent with the safety of the roadway work employees. This
speed is then enforced on the train authorized to enter and pass
through the work zone. The technology is significantly less complex
than the technology associated with dispatching systems and the PTC
onboard system. In view of this, FRA strongly encourages deployment of
such portable terminals as opposed to current approaches which only
require the locomotive engineer to in some manner ``acknowledge'' his
or her authority to operate into or through the limits of the work zone
(e.g., by pressing a soft key on the onboard display, even if in
error).
Pending the adoption of more secure technology such as the EIC
Portable Terminal, FRA will scrutinize PTC Safety Plans to determine
whether they leave no opportunity for single point human failure in the
enforcement of work zone limits. FRA again notes that some approaches
in the past have provided that the locomotive engineer could simply
acknowledge a work zone warning, even if inappropriately, after which
the train could proceed into the work zone. FRA proposes that more
secure procedures be included in safety plans under the new proposed
subpart.
Movement over main line switches. Paragraph (a)(1)(iv) proposes to
require that PTC systems mandated under subpart I be designed to
prevent the movement of a train through a main line switch in the
improper position. Given the complicated nature of switches--especially
when operating in concert with wayside, cab, or other similar signal
systems--the proposed rule provides more specific requirements in
paragraph (e) as discussed further below.
In numerous paragraphs, the proposed rules require various
operating requirements based primarily on signal indications.
Generally, these indications are communicated to the engineer, who
would then be expected to operate the train in accordance with the
indications and authorities provided. However, a technology that
receives the same information does not necessarily have the wherewithal
to respond unless it is programmed to do so. Thus, paragraph (a)(2)
requires PTC systems implemented under subpart I to obey and enforce
all such indications and authorities provided by these safety-critical
underlying systems. The integration of the delivery of the indication
or authority with the PTC system's response to those communications
must be described and justified in the PTC Development Plan (PTCDP)--
further described below--and the PTCSP, as applicable, and then must
comply with those descriptions and justifications.
The PTC Working Group had extensive discussions concerning the
monitoring of main line switches and came to the following general
conclusions:
First, signal systems do a good job of monitoring switch position,
and enforcement of restrictions imposed in accordance with the signal
system is the best approach within signaled territory (main track and
controlled sidings). As a general rule, the enforcement required for
crossovers, junctions, and entry into and departure from controlled
sidings will be a positive stop, and the enforcement provided for other
switches (providing access to industry tracks and
non-signaled sidings and auxiliary tracks) will be display and
enforcement of the upper limit of restricted speed. National
Transportation Safety Board representatives were asked to evaluate
whether this strategy meets the needs of safety from their perspective.
They returned with a list of accidents caused by misaligned switches
that the Board had investigated in recent years, none of which was in
signaled territory. Based on that data, the NTSB staff decided that it
was not necessary to monitor individual switches in signaled territory.
Second, switch monitoring functions of contemporary PTC systems
provide an excellent approach to addressing this requirement in dark
territory. However, it is important to ensure that switch position is
determined with the same degree of integrity that one would expect
within a signaling system (e.g., fail safe point detection, proper
verification of adjustment). The PTC Working Group puzzled over sidings
in dark territory and how to handle the requirement for switch
monitoring in connection with those situations. (While these are not
``controlled'' sidings, as such, they will often be mapped so that
train movements into and out of the sidings are appropriately
constrained.) At the final PTC Working Group meeting, a proposal was
accepted that would treat a siding as part of the main line track
structure requiring monitoring of each switch off of the siding if the
siding is non-signaled and the authorized train speed within the siding
exceeds 20 miles per hour.
This issue is more fully discussed below.
Other functions. While FRA has included the core PTC system
requirements in Sec. 236.1005, there is the possibility that other
functions may be explicitly or implicitly required elsewhere in subpart
I. Accordingly, under paragraph (a)(3), each PTC system required by
subpart I must also perform any other functions specified in subpart I.
According to 49 U.S.C. 20157(g), FRA must prescribe regulations
specifying in appropriate technical detail the essential
functionalities of positive train control systems and the means by
which those systems will be qualified.
In addition to the general performance standards required under
paragraphs (a)(1)-(3), paragraph (a)(4) proposes more prescriptive
performance standards relating to the situations paragraphs (a)(1)-(3)
intend to prevent. Paragraph (a)(4) defines specific situations where
FRA has determined that specific warning and enforcement measures are
necessary to provide for the safety of train operations, their crews,
and the public and to accomplish the goals of the PTC system's
essential core functions. Under paragraph (a)(4)(i), FRA proposes to
prevent unintended movements onto PTC main lines and possible
collisions at switches by ensuring proper integration and enforcement
of the PTC system as it relates to derails and switches protecting
access to the main line. Paragraph (a)(4)(ii) intends to account for
operating restrictions associated with a highway-rail grade crossing
active warning system that is in a reduced or non-operative state and
unable to provide the required warning for the motoring public. In this
situation, the PTC system must provide positive protection and
enforcement related to the operational restrictions of alternative
warning that are issued to the crew of any train operating over such
crossing in accordance with part 234. Paragraph (a)(4)(iii) concerns
the movement of a PTC operated train in conjunction with the issuance
of an after arrival mandatory directive. While FRA recognizes that the
use of after arrival mandatory directives poses a risk that the train
crew will misidentify one or more trains and proceed prematurely, PTC
provides a means to intervene should that occur. Further, such
directives may sometimes be considered operationally useful.
Accordingly, FRA fully expects that the PTC system will prevent
collisions between the receiving trains and the approaching train or
trains.
FRA recognizes that movable bridges, including draw bridges,
present an operational issue for PTC systems. Under subpart C, Sec.
236.312 already governs the interlocking of signal appliances with
movable bridge devices and FRA believes that this section should
equally apply to PTC systems governing movement over such bridges.
While subparts A through H apply to PTC systems--as stated in Sec.
236.1001--paragraph (a)(4)(iv) proposes to make this abundantly clear.
Accordingly, in paragraph (a)(4)(iv) and consistent with Sec. 236.312,
movable bridges within a PTC route are to be equipped with an
interlocked signal arrangement which is also to be integrated into the
PTC system. A train shall be forced to stop prior to the bridge in the
event that the bridge locking mechanism is not locked, the locking
device is out of position, or the bridge rails of the movable span are
out of position vertically or horizontally from the rails of the fixed
span. Effective locking of the bridge is necessary to assure that the
bridge is properly seated and thereby capable of supporting both the
weight of the bridge and that of a passing train(s) and preventing
possible derailment or other potential unsafe conditions. Proper track
rail alignment is also necessary to prevent derailments, either of
which again could result in damage to the bridge or a train derailing
off the bridge.
Paragraph (a)(4)(v) proposes that hazard detectors integrated into
the PTC system--as required by paragraph (c) of this section or the FRA
approved PTCSP--must provide an appropriate warning and associated
applicable enforcement through the PTC system. There are many types of
hazard detection systems and devices. Each type has varying operational
requirements, limitations, and warnings based on the types and levels
of hazard indications and severities. FRA expects this enforcement to
include a positive stop where necessary to protect the train (e.g.,
areas with high water, flood, rock slide, or track structure flaws) or
to provide an appropriate warning, with possible movement restriction, to be
acknowledged (i.e., hot journal or flat wheel detection). The details
of these warnings and associated required enforcements are to be
specifically addressed within a PTCDP and PTCSP subject to FRA
approval, and the PTC system functions are to be maintained in
accordance with the system specifications. FRA does not expect that all
hazard detectors be integrated into the PTC systems, but where they
are, they must interact properly with the PTC system to protect the
train from the hazard that the detector is monitoring.
Paragraph (a)(5) addresses the issue of broken rails, which is the
leading cause of train derailments. FRA proposes to strictly limit the
speed of passenger and freight operations in those areas where broken
rail detection is not provided. Under Sec. 236.0(c), as amended in
this rule, 24 months after the effective date of a final rule, freight
trains operating at or above 50 miles per hour, and passenger trains
operating at or above 60 miles per hour are required to have a block
signal system unless a PTC system meeting the requirements of this part
is installed. Since current technology for block signal systems relies
on track circuits--which also provide for broken rail detection--FRA
proposes limiting speeds where broken rail detection is not available
to the maximums allowed under Sec. 236.0 when a block signal system is
not installed.
Deployment requirements. Paragraph (b) contains proposed
requirements for where and when PTC systems must be installed. Under
RSIA08, each applicable railroad carrier must implement a PTC system in
accordance with its PTC Implementation Plan
(PTCIP), as further discussed below. The PTCIP is statutorily required
to be submitted by April 16, 2010, and must explain how the railroad or
railroads intend to implement an operating PTC system by December 31,
2015. Essentially, a PTC system must be installed on certain tracks. In
addition, except as provided under Sec. 236.1006, onboard components
required for and responsive to the PTC system must be installed on each
lead locomotive that operates over those tracks.
The lead locomotive means the first locomotive proceeding in the
direction of movement. In addition to the lead locomotive that controls
the train while moving in a forward direction, a PTC system must be
installed on any rear end unit control cab locomotive that is capable
of controlling the train when it moves in the reverse direction. These
proposed requirements assume that locomotives controlling the train may
be placed only at each end. At this time, FRA is unaware of any
locomotives not placed at either end of the train that may
independently control the train. FRA seeks comments and information
regarding these assumptions and understandings.
As a threshold matter, RSIA08 requires that a PTC system be
installed on certain main lines of each entity required to file a
PTCIP. According to the statute, a main line is, with certain
exceptions, a Class I railroad track over which 5 million or more gross
tons of railroad traffic is transported annually. Pursuant to the
statute, FRA may also designate additional tracks as main line and may
provide exceptions for intercity rail or commuter passenger
transportation over track where limited or no freight railroad
operations occur. The statutory language does not indicate whether the
phrase ``main line'' refers to the route used or actual trackage owned
by the subject railroad. It is clear, however, that Congress intended
to focus implementation and operation of PTC systems on freight lines
owned or used by Class I railroads for operations specifically
identified in the statute.
For instance, by referencing Class I railroads--and not referencing
any other type of freight railroad--FRA believes that Congress did not
intend, as a general matter, to have smaller freight railroads incur
the tremendous costs involved in PTC system implementation and
operation unless they own track over which is provided regularly
scheduled intercity or commuter rail passenger transportation. Congress
gives the Secretary discretion in 49 U.S.C. 20157(f) to require the
installation of PTC systems on railroads other than Class I railroads
and intercity or commuter passenger systems.
The Surface Transportation Board (STB) has established a statutory
definition for Class I, II, and III railroads based on the reported
revenues in 1992. A reference to Class I railroads in this subpart
refers to those railroads that have been designated as such by the
Surface Transportation Board (STB). According to STB, a Class I
railroad has revenues greater than $250 million (adjusted annually for
inflation); a Class II railroad has revenues ranging from $20 million
to $250 million (adjusted annually for inflation); and a Class III
railroad has revenues that are less than $20 million (adjusted annually
for inflation). All switching and terminal railroads, regardless of
revenue size, are Class III railroads. The STB railroad classification
determines the amount of reporting which a carrier must file with the
STB. Class I railroads are required to file an annual R-1 Report, a
detailed income, expense, and operating data report, quarterly and
annual freight carload commodity reports, and reports on types of
employees and employee compensation (Wage Form A and B).
From time to time, as some Class II railroads approached the Class
I railroad revenue threshold, these carriers petitioned the STB to
remain as Class II railroads, so that these carriers would not be
burdened with the additional reporting requirements. Generally the STB
allowed this exemption. Accordingly, there may be some large
railroads--including Montana Rail Link and Florida East Coast--that are
Class II railroads ``by waiver,'' thereby freeing them from having to
file Class I railroad reports with the STB.
In drafts of this proposed rule provided to the RSAC PTC Working
Group, it was suggested that a Class I railroad's main line be defined
as track owned and controlled by the Class I railroad. By also
including track ``controlled'' by the Class I railroad, FRA intended to
include tracks not owned by Class I railroads, but used in a manner as
if the Class I railroad did own that track. For instance, under the
term ``controlled,'' FRA intended that a track owned by a Class II or
III railroad would be considered a main line if a Class I railroad had
effective control over the Class II or III railroad or that specific
track. Without the ``control'' requirement, Class I railroads could
divest themselves of track ownership while maintaining effective
control for the purposes of avoiding PTC system implementation.
The American Short Line and Regional Railroad Association (ASLRRA),
however, expressed concern with this provision, instead suggesting that
a Class I railroad's main line include only those lines owned and
``operated'' by the Class I railroad. FRA believes that the underlying
ASLRRA concern is that many of its member railroads may go out of
business if they are mandated to install PTC systems and incur the
associated untenable financial costs. FRA agrees that, from the point
of view of the congressional mandate, a narrower concept is appropriate
at this time. However, in light of future circumstances relating to
railroad revenue, safety opportunities, traffic patterns, and other
variables, FRA also recognizes that it may later require PTC system
implementation and operation on certain Class II and III railroad
tracks.
To avoid confusion, FRA proposes to define main line by standards
applicable to a single element. In its effort to define a Class I
railroad's main line as track owned and controlled by the Class I
railroad, FRA focuses the proposed definition on the status of the
track. To also focus on the issue of operations could raise confusion
and irreconcilable understandings. Thus, FRA is not comfortable with
ASLRRA's suggestion. To accomplish FRA's goal and respond to ASLRRA's
concerns, however, FRA has limited a Class I railroad's main lines to
tracks and segments documented in the timetables last filed before
October 16, 2008, by the Class I railroads with FRA under Sec. 217.7
of this title over which 5 million or more gross tons of railroad
traffic is transported annually. For most of its territory, each
railroad is already required to track tonnage in order to satisfy the
requirements for joint bar and internal rail flaw inspections. See
213.119 (table), 213.237. Thus, FRA does not expect this determination
to be difficult for railroads. For railroads that are required to
submit a PTCIP by April 16, 2010, the gross tonnage will be based on
2008 year traffic. To the extent rail traffic exceeds 5 million gross
tons in any year after 2008, the tonnage shall be calculated for the
preceding two calendar years in determining whether a PTCIP or its
amendment is required. FRA seeks comments on whether any tracks
intended to be covered would be missed under this approach and on
whether there is a better approach.
The RSIA08 requires certain tracks to be considered main line where
a certain amount of railroad traffic is transported. However, in
certain yard or terminal locations, trains are prepared for
transportation, but railroad traffic is not ``transported.'' Moreover,
FRA recognizes that in such locations, PTC system operation would be
especially cumbersome and onerous and could possibly
[[Page 35963]]
result in a reduction of safety due to inappropriate interventions
by the PTC system that could lead to ``train handling'' derailments or
hazards to personnel riding the sides of rolling stock. Accordingly, in
such locations, FRA may not consider the subject tracks as main line.
For such locations that only include freight operations, FRA proposes
to consider these tracks other than main line by definition if all
trains in the location are limited to restricted speed.
However, for any tracks used by passenger trains, FRA proposes that
any designation of track as other than main line should be performed on
a case-by-case basis in accordance with Sec. 236.1019. FRA seeks
comments on this issue. FRA also seeks comments on whether this
explanation comports with the railroads' understanding of the rule
text.
Once a Class I railroad's main lines are determined, a PTC system
must be installed and operated on those main line tracks over which
passenger trains are operated or any PIH materials are transported.
As a corollary, PTC systems are not required on a Class I railroad's
lines over which no PIH materials are transported and no passenger
trains are operated. In addition to an applicable Class I railroad's
main lines, a PTC system must be implemented and operated on all
railroads' main lines over which regularly scheduled intercity rail
passenger transportation or commuter rail passenger transportation, as
defined by 49 U.S.C. 24102, is provided. However, FRA does not intend
to apply this requirement to tracks operated by tourist railroads, as
described in 49 U.S.C. 20103(f), because, inter alia, they are not
Class I railroads and they do not provide regularly scheduled intercity
or commuter passenger service.
According to 49 U.S.C. 24102, ``intercity rail passenger
transportation'' means rail passenger transportation, except commuter
rail passenger transportation. 49 U.S.C. 24102 defines commuter rail
passenger transportation as ``short-haul rail passenger transportation
in metropolitan and suburban areas usually having reduced fare,
multiple-ride, and commuter tickets and morning and evening peak period
operations.''
49 CFR 238.5 provides further guidance, defining a long-distance
intercity passenger train as ``a passenger train that provides service
between large cities more than 125 miles apart and is not operated
exclusively in the National Railroad Passenger Corporation's Northeast
Corridor'' and a commuter train as ``a passenger train providing
commuter service within an urban, suburban, or metropolitan area. The
term includes a passenger train provided by an instrumentality of a
State or a political subdivision of a State.'' Section 238.5 also
defines passenger service as ``a train or passenger equipment that is
carrying, or available to carry, passengers. Passengers need not have
paid a fare in order for the equipment to be considered in passenger or
in revenue service.'' According to Sec. 238.5, a passenger train is
``a train that transports or is available to transport members of the
general public. If a train is composed of a mixture of passenger and
freight equipment, that train is a passenger train for purposes of this
part.''
While the statute generally limits mandatory PTC system
implementation and operation to certain main lines--defined for freight
purposes as track over which 5 million or more gross tons of railroad
traffic is transported annually--FRA is required to define passenger
main line by regulation. See 49 U.S.C. 20157(i)(2)(B). In that regard,
FRA has determined that freight density, as such, is not a relevant
factor. FRA intends to cover the same intercity and commuter passenger
services as 49 CFR part 238 (Passenger Equipment Safety Standards),
which excludes tourist railroads (49 CFR 238.3). See also, 49 CFR part
209, Appendix A.
As a corollary, after December 31, 2015, no intercity or commuter
passenger operations may operate on any track that does not have a PTC
system installed, except as described in the proposed rule. A PTC
system must be installed on any track--regardless of its ownership or
the weight of annual traffic--before any intercity or commuter rail
passenger operation may operate. Thus, any passenger or freight track
over which such passenger trains operate must be PTC-equipped.
The RSIA08 requires each intercity and commuter passenger railroad
to implement PTC on ``its main line over which intercity rail passenger
transportation or commuter rail passenger transportation, as defined in
section 24102, is regularly provided.'' Section 24102 uses the terms
``intercity'' and ``commuter'' in essentially the same way FRA has used
the terms for safety regulatory purposes. The single question that has
been puzzling in considering this mandate has been the meaning of the
possessive article, ``its,'' before ``main line.'' It appears clear
from the course of congressional consideration that the expression was
intended to apply to the passenger railroad's entire route system,
regardless of ownership. Amtrak's route system includes predominately
trackage owned or controlled by others. Many commuter railroads operate
partially or even exclusively over lines owned by freight railroads. On
the other hand, FRA is persuaded that the same intention does not apply
as to Class I freight railroads. A Class I freight railroad might
operate a train under trackage rights over a Class II or III railroad,
but it does not appear that was intended to burden the smaller railroad
with the responsibility to install PTC.
Accordingly, FRA is proposing to consider as passenger train main
lines all tracks across the nation over which intercity or commuter
passenger trains are transported. For the purposes of passenger trains,
a main line is determined regardless of the amount of traffic (i.e., 5 million or
more gross tons annually), except where temporary rerouting may occur
in accordance with Sec. Sec. 236.1005(g)-(k) as further discussed
below. Thus, if an intercity or commuter passenger train is transported
over a track, the track requires PTC implementation and operation,
regardless of whether the track is owned by a passenger railroad
entity, a Class I railroad, or any smaller freight railroads, including
Class II and short line railroads.
This approach, permissible under 49 U.S.C. 20157(a)(1)(C), is
consistent with both FRA's understanding of congressional intent and
FRA's historical safety sensitivity to regulating passenger
transportation. For example, in the relatively recent final rule
governing continuous welded rail, different schedules were developed
for track inspection intervals associated with freight and passenger
train operations. See 71 FR 59,677, 59,681 (Oct. 11, 2006). According
to FRA, the different schedules for track inspection were developed to
consider the potentially greater severity, especially in terms of loss
of life, from possible future track-related passenger train accidents.
If FRA were to otherwise restrict PTC systems to passenger train
main lines that are only owned by the passenger railroads, then PTC
systems would only be required on 11 percent of all track used by the
passenger railroads across the nation, which would mostly include the
Northeast Corridor (NEC) and some passenger lines in Michigan.
Considering Congress' concern with accidents involving multiple
passenger fatalities, which appears to be a significant impetus for
Congress' final passage of RSIA08, FRA believes that Congress did not
intend in 49 U.S.C. 20157 to limit PTC system operation to this narrow
passenger territory.
[[Page 35964]]
Nevertheless, while all passenger routes, including those over
track owned by freight railroads, are automatically deemed main lines
under the proposed rule, the proposed rule also provides an exception
for those main lines that would not be main lines but for the existence
of passenger trains and are not deemed by FRA main lines due to limited
or no freight railroad operations. This exception is permissible
pursuant to 49 U.S.C. 20157(i)(2)(B). The proposed procedure for such
exceptions can be found under Sec. Sec. 236.1011 and 236.1019, as
further discussed below.
In addition to determining which tracks require PTC system
implementation and operation, paragraph (b) requires such installation
be performed by the ``host railroad.'' Subpart I makes a distinction
between the railroad that has effective operating control over a
segment of track, and a railroad that is simply passing its trains
across the same segment of track. While the concept of actual ownership
of the track segment plays a significant role in determining the host
railroad, a PTC system may be required on a track segment that is not
owned by a PTC railroad. To avoid confusion, FRA designates the host
railroad as the railroad that exercises operational control of the
movement of trains on the segment, irrespective of the actual ownership
of the segment. This is in contrast to a tenant railroad, which is any
railroad that uses a segment of track but does not exercise operational
control of the movements of its trains. The terms ``host railroad'' and
``tenant railroad'' are defined as such in the definitions listed under
Sec. 235.1003.
The requirements for PTC contained in RSIA08 pertaining to freight
lines define the intended route structure by reference to the presence
or absence of PIH traffic and the annual gross tonnage. The law
requires installation and operation of a PTC system where it (1) is
part of a Class I railroad system, (2) carries at least 5 million gross
tons of rail traffic, and (3) carries at least some PIH traffic. Based
upon information available to FRA, and assuming a level of rail
operations consistent with normal economic conditions, these
requirements describe approximately 45,000 miles of freight-only
territory plus almost 18,000 miles where both PIH and passengers are
carried. There are another 6,000 miles of track owned by a Class I
railroad and used for passenger service that would not otherwise be
required to be equipped, for a total build-out of about 69,000 route
miles. These lines basically describe the heart or ``core'' of the
Class I freight network, albeit with some gaps.
However, the railroads carry only about 100,000 carloads of PIH
products annually (approximately 0.3% of all rail traffic). Facing an
extraordinary potential for tort liability associated with this
traffic, the railroads have sought through various means to reduce the
potential for release of these commodities through safety improvements;
but they have also sought to be relieved of their common carrier
obligation to carry them. The RSIA08 mandate, which entails an
expenditure of billions of dollars, most of it nominally because the
lines in question carry PIH, presents an additional enormous incentive
for the Class I railroads to shed PIH traffic and, further, to
concentrate the remaining PIH traffic on the fewest possible lines of
railroad.
FRA is concerned that PIH traffic could be diverted from the rail
mode. Although the risks of transporting these commodities can be
reduced by product substitution, by coordination of transportation that
reduces length of haul, and by other means, and although the U.S. DOT
continues to support these means where feasible, for the present there
are still realistic and supportable demands for transportation of these
PIH commodities that implicate the national interest in a very strong
way. Hazardous materials are vital to maintaining the health of the
economy of the United States and are essential to the well-being of its
people. These materials are used in water purification, farming,
manufacturing, and other industrial applications. The need for
hazardous materials to support essential services means that
transportation of hazardous materials is unavoidable. There are over 20
hazardous materials considered to be PIH that are shipped by rail in
tank car quantities. In 2003, over 77,000 tank car loads of PIH
materials were shipped by rail.
Examples of PIH materials include anhydrous ammonia and chlorine.
Anhydrous ammonia is an important source of nitrogen fertilizer for
crops and is used in the continuous cycle cooling units found in
various appliances and vehicles and in the production of explosives and
manufacturing of nitric acid and certain alkalies, pharmaceuticals,
synthetic textile fibers, plastics, and latex stabilizers. Chlorine is
used as an elemental disinfectant for over 84 percent of large drinking
water systems (those serving more than 10,000 people), according to the
American Water Works Association. For pharmaceuticals, chlorine
chemistry is essential to manufacturing 85 percent of their products.
Chlorine chemistry is also used in 25 percent of all medical plastics,
and 70 percent of all disposable medical applications. The single
largest use of chlorine is for the production of polyvinyl chloride
(PVC), which is used for building and construction materials such as
siding, windows, pipes, decks and fences.
The only effective modal alternative for transporting PIH materials
is by road, and for the present insufficient capacity exists in the
form of suitable packages (tank trucks, intermodal tanks). Further,
diversion to highways would entail significantly higher societal costs,
including adverse safety trade-offs from more trucks on the highways--
even before the potential for accidental release of product or further
security vulnerabilities are considered.
FRA is also concerned that PIH traffic could be retained on the
railroads but concentrated in such a way as to result in circuitous
routings with greater exposure to derailment hazards and security
threats. Although security concerns may be addressed to some extent by
rerouting during periods of high alert in specified urban areas, these
detour routes would inevitably be over lines not equipped with PTC
systems. These are the kinds of unfavorable trade-offs that the recent
amendments to PHMSA's rail security rule--based on a separate statutory
mandate and developed in concert with FRA--were intended to prevent.
See, e.g., 73 FR 20752 (April 16, 2008); 73 FR 72182 (Nov. 26, 2008);
49 CFR 172.820.
Finally, FRA believes that, while the presence of PIH traffic on
the rail network was viewed by the Congress as a good proxy for risk
sufficient to warrant PTC system installation and operation, FRA is not
persuaded that it was the intent of Congress that PIH traffic be driven
from the railroads or concentrated on a smaller number of lines with
more circuitous routings. The final legislation constituting the RSIA08
emerged following the Chatsworth collision of September 12, 2008, which
claimed 25 lives (one rail employee and 24 passengers). However,
neither H.R. 2095, as initially passed by the House of Representatives
on October 17, 2007, nor the Senate version of the bill passed on
August 1, 2008, was limited to PIH routes. All versions of the bill,
including that finally enacted, preserved FRA's ability to apply the
technology to additional routes.
Although FRA recognizes that the congressional trade-offs in
September 2008 were driven by the impending end of the 110th Congress,
the Chatsworth accident, and the desire on the part of
[[Page 35965]]
some senators to see a rapid deployment of PTC technology (more rapid,
in fact, than provided in either the Senate- or House-enacted
versions), FRA does not believe that the Congress intended an
implementation that would create substantial incentives to drive PIH
traffic off of the railroads or concentrate it in such a way that large
urban areas would see an increase in volume above that expected using
normal, direct routing of the shipments. Accordingly, FRA proposes to
use its discretion in crafting implementing regulations to preserve the
presumed congressional intent. FRA does this by proposing in paragraph
(b) that implementation plans required to be filed by April 16, 2010,
be based on 2008 traffic levels. Although rail traffic, including PIH
traffic, declined in the second half of the year, 2008 constitutes a
much more ``normal'' base year than 2009 is expected to be due to the
current economic conditions. It was also the year during which the
Congress enacted the subject mandate.
In taking this action, FRA departs from the PTC Working Group's
consensus that 2009 be used as the base year. Since the RSAC initially
took up this subject, rail traffic levels have continued to plummet,
and that decision now appears to be inappropriate. FRA did advise the
PTC Working Group that it reserved the right to ``lock in'' the PTC
route structure as of passage of RSIA08 to prevent unintended
consequences. From a technical standpoint, Sec. 236.1005(b) attempts
to do just that, but with ample room for adjustment in light of normal
changes in market conditions.
Paragraph (b)(2) would require that the determination of Class I
freight railroad main lines required to be equipped be initially
established and reported using a 2008 traffic base for gross
tonnage, with the presence of PIH traffic determined based on 2008
shipments and routings. If increases in traffic occur that require a
line to be equipped and the PTCIP has already been filed, an amendment
would be required. As suggested by the RSAC, gross tonnage would be
measured over two years to avoid unusual spikes in traffic driving
investments inappropriately. However, if the 5 million gross tons
threshold was met based on the prior two years of traffic, and PIH was
added to the route, the railroad would be required to promptly file a
PTCIP amendment and thereafter equip the line by the end of December
31, 2015 or within two years, whichever is later.
Once a PTC system is installed, it cannot be removed or treated as
inoperative unless such discontinuance or modification is approved by
FRA in accordance with Sec. 236.1021, as discussed below. This is the
case even if the track segment ceases to be defined as a main line in
accordance with subpart I due to traffic pattern or consist changes,
such as annual traffic levels possibly dipping below the 5 million
gross ton threshold referenced in the statute and in Sec. Sec.
236.1003 and 236.1005 or the rerouting of PIH traffic. This result is
consistent with longstanding practice under 49 U.S.C. 20502 (see 49 CFR
part 235). To the extent traffic levels decline or PIH traffic ceases
prior to April 16, 2010, or during the implementation period, a
railroad could ask FRA to except a line segment from the requirement
that it be equipped. The railroad would need to provide estimated
traffic projections for the next 5 years (e.g., as a result of planned
rerouting, coordinations, location of new business on the line). Where
the request involves prior or planned rerouting of PIH traffic, the
railroad would be required to provide a supporting analysis that takes
into consideration the rail security provisions of the PHMSA rail
routing rule, including any railroad-specific and interline routing
impacts. See 49 CFR 172.820. For example, the request should include
information where multiple railroad carriers may coordinate traffic,
especially where there are parallel lines directing traffic in opposite
directions. FRA could approve an exception if FRA finds that it would
be consistent with safety and in the public interest.
Once a PTC system is required to be installed, it cannot be removed
or treated as inoperative unless such discontinuance or modification is
approved by FRA in accordance with Sec. 236.1021, as discussed below.
This is the case even if the track segment ceases to be defined as a
main line in accordance with subpart I due to traffic pattern or
consist changes, such as annual traffic levels possibly dipping below
the 5 million gross ton threshold referenced in the statute and in
Sec. Sec. 236.1003 and 236.1005 or the rerouting of PIH traffic.
There was discussion in the PTC Working Group regarding how to
handle new passenger service. Amtrak in particular suggested that FRA
might consider some leeway for new intercity service that could be
instituted within a short period if the sponsor (most likely a state
government) requested. FRA considered this contingency but concluded
that new passenger service should be adequately planned and
deliberately executed with safety as its first priority. The proposal
in paragraph (b) states that, after December 31, 2015, no intercity or
commuter rail passenger service could continue or commence until a PTC
system has been installed and made operative. FRA requests comment on
this proposal and on whether a new rail passenger service commenced
after April 10, 2010, but before December 31, 2015, should be permitted
any leeway for installation of PTC after 2015 and, if so, what special
circumstances would warrant that treatment.
Paragraph (c) provides amplifying information regarding the
installation and integration of hazard detectors into PTC systems.
Paragraph (c)(1) reiterates FRA's position that any hazard detectors
that are currently integrated into an existing signal and train control
system must be integrated into mandatory PTC systems and that the PTC
system will enforce as appropriate on receipt of a warning from the
detector. Paragraph (c)(2) proposes to require each PTCSP submitted by
a railroad to also identify any additional hazard detectors that the
railroad may elect to install to provide warnings to the crew. The PTCSP
must also clearly define the actions required by the crew upon receipt
of the alarm or other warning or alert. FRA does not expect a railroad
to install hazard detectors at every location where a hazard might
possibly exist.
Paragraph (c)(3) proposes, in the case of high speed service (as
described in Sec. 236.1007 as any service operating at speeds greater
than 90 mph), that FRA will require the hazard analysis to address any
hazards on the route, along with a reason why additional hazard
detectors are not required to provide warning and enforcement for
hazards not already protected by an existing hazard detector. The
hazard analysis must clearly identify the risk associated with the
hazard, and the mitigations taken if a hazard detector is not installed
and interfacing with a PTC system. For instance, in the past, large
motor vehicles have left parallel or overhead structures and have
fouled active passenger rail lines. Depending upon the circumstances,
such events can cause catastrophic train accidents. Although not every
such event can be prevented, detection of obstacles such as this may
make it more likely that the accident could be prevented.
Under paragraph (d), FRA proposes that each lead locomotive
operating with a PTC system be equipped with an operative event
recorder that captures safety-critical data routed to the engineer's
display that the engineer must obey, as well as the text of mandatory
directives and authorized
[[Page 35966]]
speeds. FRA intends that this information be available in the event of
an accident with a PTC-equipped system to determine root causes and the
necessary actions that must be taken to prevent reoccurrence. Although
FRA expects implemented PTC systems will prevent PTC-preventable
accidents, in the event of system failure FRA believes it is necessary
to capture available data relating to the event. Further, FRA sees
value in capturing information regarding any accident that may occur
outside of the control of a PTC system as it is currently designed--
including the prevention of collisions with trains not equipped with
PTC systems--and accidents that could otherwise have been prevented by
PTC technology, but were unanticipated by the system developers, the
employing railroad, or FRA.
The data may be captured in the locomotive event recorder, or a
separate memory module. If the locomotive is placed in service on or
after October 1, 2009, the event recorder and memory module, if used,
shall be crashworthy, otherwise known as crash-hardened, in accordance
with Sec. 229.135. For locomotives built prior to that period, the
data shall be protected to the maximum extent possible within the
limits of the technology being used in the event recorder and memory
module.
As required by the RSIA08 and by paragraph (a)(1)(iv), as noted
above, a PTC system required by subpart I must be designed to prevent
the movement of a train through a main line switch in the wrong
position. Paragraph (e) provides amplifying information on switch point
monitoring, indication, warning of misalignment, and associated
enforcement. According to the statute, each PTC system must be designed
to prevent ``the movement of a train through a switch left in the wrong
position.'' FRA understands ``wrong position'' to mean not in the
position for the intended movement of the train. FRA believes that
Congress' use of the phrase ``left in the wrong position'' was
primarily directed at switches in non-signaled (dark) territory such as
the switch involved in the aforementioned accident at Graniteville,
South Carolina. FRA also believes that, in order to prevent potential
derailment or divergence to an unintended route, it is critical that
all switches be monitored by a PTC system in some manner to detect
whether they are in their proper position for train movements. If a
switch is misaligned, the PTC system shall provide an acceptable safe
state of train operations.
Prior to the statute, PTC provided for positive train separation,
speed enforcement, and work zone protection. The addition of switch
point monitoring and run through prevention would have eliminated the
Graniteville, South Carolina accident where a misaligned switch
resulted in the unintended divergence of a train operating on the main
track onto a siding track and the collision of that train with another
parked train on the siding. The resulting release of chlorine gas
caused nine deaths and required the evacuation of the entire town for
two weeks while remediation efforts were in progress.
As discussed above, FRA considered requiring PTC systems to be
interconnected with each main line switch and to individually monitor
each switch's point position in such a manner as to provide for a
positive stop short of any misalignment condition. However, after
further consideration and discussion with the PTC Working Group, FRA
believes that such an approach may be overly aggressive and terribly
expensive in signaled territory.
Under paragraph (e), FRA instead proposes to treat switches
differently, depending upon whether they are within a wayside or cab
signal system--or are provided other similar safeguards (i.e., distant
switch indicators and associated locking circuitry) required to meet
the applicable switch position standards and requirements of subparts
A-G--or are within non-signaled (dark) territory.
While a PTC system in dark territory would be required to enforce a
positive stop--as discussed in more detail below--a PTC system in
signaled territory would require a train to operate at no more than the
upper limit of restricted speed between the associated signal, over any
switch in the block governed by the signal, and until reaching the next
subsequent signal that is displaying a signal indication more
permissive than proceed at restricted speed.
Signaled territory includes various types of switches, including
power-operated switches, hand-operated switches, spring switches,
electrically-locked switches, electro-pneumatic switches, and hydra
switches, to name the majority. Each type of switch poses different
issues as it relates to PTC system enforcement. We look at power- and
hand-operated switches as examples.
On a territory without a PTC system, if a power-operated switch at
an interlocking or control point were in a condition resulting in the
signal system displaying a stop indication, an approaching train would
have to stop generally only a few feet from the switch, and in the
large majority of cases no more than several hundred feet away from it.
In contrast, in PTC territory adhering to the aforementioned overly
aggressive requirement, a train would have to stop at the signal, which
may be in close proximity to its associated switch, and operate at no
more than the upper limit of restricted speed to that switch, where it
would have to stop again. FRA believes that, since the train would be
required to stop at the signal, and must operate at no more than the
upper limit of restricted speed until it completely passes the switch
(with the crew by rule watching for and prepared to stop short of,
among other concerns, an improperly lined switch), another enforced
stop at the switch would be unnecessarily redundant.
Operations using hand-operated switches would provide different,
and arguably greater, difficulties and potential risks. Generally, in
between each successive interlocking and control point, signal spacing
along the right of way can be approximately 1 to 3 miles or more apart,
determined by the usual length of track circuits and the sufficient
number of indications that would provide optimal use for train
operations. Each signal governs the movement through the entire
associated block up to the next signal. Thus, a train approaching a
hand-operated switch may encounter further difficulties since its
governing signal may be much further away than one would be for a
power-operated switch. If within signaled territory a hand-operated
switch outside of an interlocking or control point were in a condition
resulting in the signal system displaying a restricted speed signal
indication, an approaching train may be required to stop before
entering the block governed by the signal and proceed at restricted
speed, or to otherwise reduce its speed to restricted speed as it
enters the block governed by the signal, and be operated at restricted
speed until the train reaches the next signal displaying an indication
more permissive than proceed at restricted speed, including while
passing over any switch within the block. The governing signal,
however, may be anywhere from a few feet to more than a mile from the
hand-operated switch. For instance, if a signal governs a 3 mile long
block, and there is a switch at 1.8 miles after passing the governing
signal (stated in advance of the signal), and that switch is
misaligned, the train would have to travel that 1.8 miles at restricted
speed. Even if the train crew members were able to normal the
misaligned switch, they would need to remain at restricted
[[Page 35967]]
speed at least until the next signal (absent an upgrade of a cab signal
indication).
In signaled territory, to require a PTC system to enforce a
positive stop of an approaching train at each individual switch that is
misaligned would be an unnecessary burden on the industry, particularly
since movement beyond the governing signal would be enforced by the PTC
system to a speed no more than the upper limit of restricted speed.
Accordingly, in signaled territory, FRA proposes in paragraph (e)(1) to
require a PTC system to enforce the upper limit of restricted speed
through the block. By definition, at restricted speed, the locomotive
engineer must be prepared to stop within one-half the range of vision
short of any misaligned switch or broken rail, etc., not to exceed 15
or 20 miles per hour depending on the operating rule of the railroad.
Accordingly, if a PTC system is integrated with the signal system, and
a train is enforced by the PTC system to move at restricted speed past
a signal displaying a restricted speed indication, FRA feels
comfortable that the PTC system will meet the statutory mandate of
preventing the movement of the train through the switch left in the
wrong position by continuously displaying the speed to be maintained
(i.e., restricted speed) and by enforcing the upper limit of the
railroads' restricted speed rule (but not to exceed 20 mph). While this
solution would not completely eliminate human factors associated with
movement through a misaligned switch, it would significantly mitigate
the risk of a train moving through such a switch and would be much more
cost effective.
Moreover, it would be cost prohibitive to require the industry to
individually equip each of the many thousands of hand-operated switches
with a wayside interface unit (WIU) necessary to interconnect with a
PTC system in order to provide a positive stop short of any such switch
that may be misaligned. Currently each switch in signaled territory has
its position monitored by a switch circuit controller (SCC). When a
switch is not in its normal position, the SCC opens a signal control
circuit to cause the signal governing movement over the switch location
to display its most restrictive aspect (usually red). A train
encountering a red signal at the entrance to a block will be required
to operate at restricted speed through the entire block, which can be
several miles in length depending on signal spacing. The signal system
is not capable of informing the train crew which switch, if any, in the
block may be in an improper position since none of the switches are
equipped with an independent WIU. There could be many switches within
the same block in a city or other congested area. Thus, there is a
possibility that one or more switches may not be in their proper
position and the signal system is unable to transmit which switch or
switches are not in normal position. The governing signal could also be
displaying a red aspect on account of a broken rail, broken bond wire,
broken or wrapped line wire, bad insulated joint, bad insulated switch
or gage rods, or other defective condition.
FRA believes that requiring a PTC system to enforce the upper limit
of restricted speed in the aforementioned situations is statutorily
acceptable. The statute requires each PTC system to prevent ``the
movement of a train through a switch left in the wrong position.''
Under this statutory language, the railroad's intended route must
factor into the question of whether a switch is in the ``wrong''
position. In other words, in order to determine whether a switch is in
the ``wrong position,'' we must know the switch's ``right position.''
The ``right position'' is determined by the intended route of the
railroad. Thus, when determining whether a switch is in the wrong
position, it is necessary to know the railroad's intended route and
whether the switch is properly positioned to provide for the train to
move through the switch to continue on that route. The intended route
is normally determined by the dispatcher.
Under the proposed rules, when a switch is in the wrong position,
the PTC system must have knowledge of that information, must
communicate that information to the railroad (e.g., the locomotive
engineer or dispatcher), and must control the train accordingly. Once
the PTC system or railroad has knowledge of the switch's position, FRA
expects the position to be corrected in accordance with part 218 before
the train operates through the switch. See, e.g., Sec. Sec. 218.93,
218.103, 218.105, 218.107.
If the PTC system forces the train to move at no more than the
upper limit of restricted speed, the railroad has knowledge that a
misaligned switch may be within the subject block, and the railroad by
rule or dispatcher permission then makes the decision to move through
the switch (i.e., the railroad's intent has changed as indicated by
rule or dispatcher instructions), the switch is no longer in the
``wrong position.'' The RSAC PTC Working Group was unanimous in
concluding that these arrangements satisfy the safety objectives of
RSIA08. Utilization of the signal system to detect misaligned switches
and facilitate safe movements also provides an incentive to retain
existing signal systems, with substantial additional benefits in the
form of broken rail detection and detection of equipment fouling the
main line.
Paragraph (e)(2) addresses movements over switches in dark
territory and under conditions of excessive risk, even if in block
signal territory. In dark territory, by definition, there are no
signals available to provide any signal indication or to interconnect
with the switches or PTC system. Without the benefit of a wayside or
cab signal system, or other similar system of equivalent safety, the
PTC system will have no signals to obey. In such a case, the PTC system
may be designed to allow for virtual signals, which are waypoints in
the track database that would correspond to the physical location of
the signals had they existed without a switch point monitoring system.
Accordingly, paragraph (e)(2)(i) proposes to require that in dark
territory where PTC systems are implemented and governed by this
subpart, the PTC system must enforce a positive stop for each
misaligned switch, whereby the lead locomotive must be stopped short of
the switch to preclude any fouling of the switch. Once the train stops,
the railroad will have an opportunity to correct the switch's
positioning and then continue its route as intended.
Unlike in signaled territory, FRA expects that on lines requiring
PTC in dark territory, each switch will be equipped with a WIU to
monitor the switch's position. A WIU is a device that aggregates
control and status information from one or more trackside devices for
transmission to a central office and/or an approaching train's onboard
PTC equipment, as well as disaggregating received requests for
information and promulgating those requests to the appropriate wayside
device. Most of the switches in dark territory are hand-operated with a
much smaller number of them being spring and hydra switches. In dark
territory, usually none of the switches have their position monitored
by a SCC and railroads have relied on the proper handling of these
switches by railroad personnel. When it is necessary to throw a main
line switch from normal to reverse, an obligation arises under the
railroad's rules to restore the switch upon completion of the
authorized activity. Switch targets or banners are intended to provide
minimal visual indication of the switch's position, but in the typical
case trains are not required to operate at a speed permitting them to
stop short of open switches. As evidenced by the issuance of Emergency
[[Page 35968]]
Order No. 24 and the subsequent Railroad Operating Rules Final Rule (73
FR 8442 (Feb. 13, 2008)), proper handling of main line switches cannot
be guaranteed in every case. However, now with the implementation and
operation of PTC technology, if a switch is not in the normal position,
that information will be transmitted to the locomotive. The PTC system
will then know which switch is not in the normal position and require a
positive stop at that switch location only.
In the event that movement through a misaligned switch would result
in an unacceptable risk, whether in dark or signaled territory,
paragraph (e)(2)(ii) proposes to require the PTC system to enforce a
positive stop on each train before it crosses the switch in the same
manner as described above for trains operating in dark, PTC territory.
FRA acknowledges that regardless of a switch's position, and regardless
of whether the switch is in dark or signaled territory, movement
through certain misaligned switches--even at low speeds--may still
create an unacceptable risk of collision with another train.
FRA understands the term ``unacceptable risk'' to mean risk that
cannot be tolerated by the managing activity. It is a type of
identified risk that must be eliminated or controlled. For instance,
such an unacceptable risk may exist with a hand-operated crossover
between two main tracks, between a main track and a siding or auxiliary
track, or with a hand-operated switch providing access to another
subdivision or branch line. The switches mentioned in (e)(2)(ii) are in
locations where, if the switch is left lined in the wrong position, a
train would be allowed to traverse through the crossover or turnout and
potentially into the path of another train operating on an adjoining
main track, siding, or other route. Even if such switches were located
within a signaled territory, the signal governing movements over the
switch locations, for both tracks as may be applicable, would be
displaying their most restrictive aspect (usually red). This
restrictive signal indication would in turn allow both trains to
approach the location at restricted speed where one or both of the
crossover switches are lined in the reverse position. Since the PTC
system is not capable of actually enforcing restricted speed other than
its upper limits, the PTC system would enforce a 15 or 20 mile per hour
speed limit dependent upon the operating rules of the railroad.
However, there is normally up to as much as a 5 mile per hour tolerance
allowed for each speed limit before the PTC system will actually
enforce the applicable required speed. Thus, in reality, the PTC system
would not enforce the restricted speed condition until each train
attained a speed of up to 25 miles per hour. In this scenario, it is
conceivable that two trains both operating at a speed of up to 25 miles
per hour could collide with each other at a combined impact speed
(closing speed) of up to 50 miles per hour. While these examples are
provided in the rule text, they are merely illustrative and do not
limit the universe of what FRA may consider an unacceptable risk for
the purpose of paragraph (e). FRA emphasizes that FRA maintains the
final determination as to what constitutes acceptable or unacceptable
risk in accordance with paragraph (e)(2)(ii).
The PTC system must also enforce a positive stop short of any
misaligned switch on a PTC controlled siding in dark territory where
the allowable track speed is in excess of 20 miles per hour. Sidings
are used for meeting and passing trains and where those siding
movements are governed by the PTC system, safety necessitates the
position of the switches located on them to be monitored in order to
protect train movements operating on the siding. Conversely, on
signaled sidings, train movements are governed and protected by the
associated signal indications, track circuits, and monitored switches,
none of which are present in dark territory.
Paragraph (e)(3) provides that the PTCSP may include a safety
analysis for PTC system enforcement associated with switch position and
that any alternate means of protection other than that provided in this
section shall be identified and justified. FRA recognizes that in
certain circumstances this flexibility may allow the reasonable use of
a track circuit in lieu of individually monitored switches.
Paragraph (e)(4) provides amplifying information regarding existing
standards of subparts A through G related to switches, movable-point
frogs, and derails in the route governed that are equally applicable to
PTC systems unless otherwise provided in a PTCSP approved under this
subpart. This paragraph explains the FRA-required and accepted
railroad industry standard types of components used to monitor switch
point position and how those devices are required to function. This
paragraph allows for some alternative method to be used to accomplish
the same level of protection if it is identified and justified in a
PTCSP approved under this subpart.
Paragraph (f) provides amplifying information for determining
whether a PTC system is considered to be configured to prevent train-
to-train collisions, as required under paragraph (a). FRA will consider
the PTC system as providing the required protection if the PTC system
enforces the upper limits of restricted speed. These criteria will
allow following trains to pass intermediate signals displaying a
restricting aspect and will allow for the issuance of joint mandatory
directives.
Where a wayside signal displays a ``Stop,'' ``Stop and Proceed,''
or ``Restricted Proceed'' indication, paragraph (f)(1)(i) requires the
PTC system to enforce the signal indication accordingly. In the case of
a ``Stop'' or ``Stop and Proceed'' indication, the train will be
brought to a stop prior to passing the signal displaying the
indication. The train may then proceed at 15 or 20 miles per hour, as
applicable according to the host railroad's operating rule(s) for
restricted speed. In the case of a ``Restricted Proceed'' indication,
the train would be allowed to pass the signal at 15 or 20 miles per
hour. In either event, the speed restriction would be enforced until
the train passes a more favorable signal indication. In dark territory
where trains operate by mandatory directive, the PTC system would be
expected to enforce the upper limit of restricted speed on a train when
the train was allowed into a block already occupied by another
preceding train traveling in the same direction. FRA would expect each
PTC system to function in this way and that each railroad will test
each system to ensure such proper functioning.
Paragraphs (g) through (k) all concern situations where temporary
rerouting may be necessary and would affect application of the
operational rules under subpart I. While the proposed rule attempts to
reduce the opportunity for PTC and non-PTC trains to co-exist on the
same track, FRA recognizes that this may not always be possible,
especially when a track segment is out of service and a train must be
rerouted in order to continue to destination. Accordingly, paragraph
(g) allows for temporary rerouting of traffic between PTC equipped
lines and lines not equipped with PTC systems. FRA anticipates two
situations--emergencies and planned maintenance--that would justify
such rerouting.
Paragraph (g) provides the preconditions and procedural rules to
allow or otherwise effectuate a temporary rerouting in the event of an
emergency or planned maintenance that would prevent usage of the
regularly used track. Historically, FRA has dealt
[[Page 35969]]
with temporary rerouting on an ad hoc basis. For instance, on November
12, 1996, FRA granted UP, under its application RS&I-AP-No. 1099,
conditional approval for relief from the requirements of Sec. 236.566,
which required equipping controlling locomotives with an operative
apparatus responsive to all automatic train stop, train control, or cab
signal territory equipment. The conditional approval provided for
``detour train movements necessitated by catastrophic occurrence such
as derailment, flood, fire, or hurricane'' on certain listed UP
territories configured with automatic cab signals (ACS) or automatic
train stop (ATS). Ultimately, the relief would allow trains not
equipped with the apparatus required under Sec. 236.566 to enter those
ACS and ATS territories. However, the relief was conditional upon
establishing an absolute block in advance of each train movement--as
prescribed by General Code of Operating Rules (GCOR) 11.1 and 11.2--and
notifying the applicable FRA Regional Headquarters. The detour would
only be permissible for up to seven days and FRA could modify or
rescind the relief for railroad non-compliance.
On February 7, 2006, that relief was temporarily extended to
include defined territory where approximately two months of extensive
track improvements were necessary. Additional conditions for this
relief included a maximum train speed of 65 miles per hour and
notification to the FRA Region 8 Headquarters within 24 hours of the
beginning of the non-equipped detour train movements and immediately
upon any accident or incident. On February 27, 2007, FRA provided
similar temporary relief for another three months on the same
territory.
While the aforementioned conditional relief was provided on an ad
hoc basis, FRA feels that codifying rules regulating temporary
rerouting involving PTC system track or locomotive equipment is
necessary due to the potential dangers of allowing mixed PTC and non-
PTC traffic on the same track and the inevitable increased presence of
PTC and PTC-like technologies. Moreover, FRA believes that the subject
railroads and FRA would benefit from more regulatory flexibility to
work more quickly and efficiently to provide for temporary rerouting to
mitigate the problems associated with emergency situations and
infrastructure maintenance.
Under the proposed rule, FRA is providing for temporary rerouting
of non-PTC trains onto PTC track and PTC trains onto non-PTC track. A
train will not be considered rerouted for purposes of the conditions
set forth in this section if it operates on a PTC line that is other
than its ``normal route,'' which is equipped and functionally
responsive to the PTC system over which it is subsequently operated, or
if it is a non-PTC train (not a passenger train or a freight train
having any PIH materials) operating on a non-PTC line that is other
than its ``normal route.''
Paragraph (g) effectively provides temporary civil penalty immunity
from various applicable requirements of this subpart, including
provisions under subpart I relating to lead locomotives, similar to how
waivers from FRA have provided certain railroads immunity from Sec.
236.566. FRA seeks comments on what other requirements under part 236
should also be included.
FRA expects that emergency rerouting will require some flexibility
in order to respond to circumstances outside of the railroad's
control--most notably changes in the weather, vandalism, and other
unexpected occurrences--that would result in potential loss of life or
property or prevent the train from continuing on its normal route.
While paragraph (g) lists a number of possible emergency circumstances,
they are primarily included for illustrative purposes and are not a
limiting factor in determining whether an event rises to an emergency.
For instance, FRA would also consider allowing rerouting in the event
use of the track is prevented by vandalism or terrorism. While these
events are not the primary reasons FRA proposes paragraph (g) to allow
rerouting, FRA recognizes that they may fall outside of the railroad's
control.
In the event of an emergency that would prevent usage of the track,
temporary rerouting may occur instantly by the railroad without
immediate FRA notice or approval. By contrast, the vast majority of
maintenance activities can be predicted by railroad operators. While
the proposed rule provides for temporary rerouting for such activities,
the lack of exigent circumstances does not require the allowance of
instantaneous rerouting without an appropriate request and, in cases
where the request is for rerouting to exceed 30 days, FRA approval.
Accordingly, under paragraph (g), procedurally speaking, temporary
rerouting for emergency circumstances will be treated differently than
temporary rerouting for planned maintenance. While FRA continues to
have an interest in monitoring all temporary rerouting to ensure that
it is occurring as contemplated by FRA and within the confines of the
rule, the timing of FRA notification, and the approval procedures,
reflect the aforementioned differences.
When an emergency circumstance occurs that would prevent usage of
the regularly used track, and would require temporary rerouting, the
subject railroad must notify FRA within one business day after the
rerouting commences. To provide for communicative flexibility in
emergency situations, the proposed rule provides for such notification
to be made in writing or by telephone. FRA proposes that written
notification may be accomplished via overnight mail, e-mail, or
facsimile. In any event, the railroad should take the steps necessary
for the method of notification selected to include confirmation that an
appropriate person actually on duty with FRA receives the notification
and FRA is duly aware of the situation. FRA is considering whether to
employ the National Response Center (NRC) for such communications,
whereby notification may be made to the NRC clearly describing the
actions taken and providing the railroad's point of contact so that FRA
may follow up for additional information if necessary. While the NRC
provides full time telephonic services, 24 hours a day, 7 days a week,
365 days a year, the light volume of calls FRA expects for rerouting
purposes under this section may make the option cost prohibitive. FRA
is currently reviewing this option and seeks comments on this issue.
While telephone notification may provide for easy communications by
the railroad, a mere phone call would not provide for documentation of
information required under paragraph (g). Moreover, if for some reason
the phone call is made at a time when the designated telephone operator
is not on duty or if the caller is only able to leave a message with
the FRA voice mail system, the possibility exists that the applicable
FRA personnel would not be timely notified of the communication and its
contents. Thus, while not in the proposed rules, FRA is considering
requiring any telephonic notification performed in accordance with
paragraph (g) to be followed up with written notification within 48
hours. FRA seeks comments on this issue.
FRA is also considering using particular contact mail and e-mail
addresses and telephone and facsimile numbers to be used exclusively
for the notifications required by paragraph (g) as they relate to
emergency rerouting. Otherwise, if a railroad would notify a particular
member of the FRA staff in writing, and that staff member is
unavailable (e.g., on annual or sick leave, working in the field, or
otherwise indisposed), FRA would not be timely notified of the
emergency situation and the rerouting actions that are occurring.
[[Page 35970]]
If there is a singular contact address for each form of written
notification, FRA could attempt to provide continuous personnel
assignment to monitor incoming notifications. FRA seeks comments on
this issue. FRA also seeks comments on the possible need to include
requirements relating to confirmation of receipt of notifications
required under paragraph (g).
Emergency rerouting can only occur without FRA approval for
fourteen (14) consecutive calendar days. If the railroad requires more
time, it must make a request to the Associate Administrator. The
request must be made directly to the Associate Administrator and
separately from the initial notification sometime before the 14-day
emergency rerouting period expires. Unless the Associate Administrator
notifies the railroad of his or her approval before the end of the
allowable emergency rerouting timeframe, the relief provided by
paragraph (g) will expire at the end of that timeframe.
While a mere notification is necessary to commence emergency
rerouting, a request must be made, with subsequent FRA approval, to
perform planned maintenance rerouting. The relative predictability of
planned maintenance activities allows railroads to provide FRA with
much more advance request of any necessary rerouting and allows FRA to
review that request. FRA proposes that the request must be made at
least 10 calendar days before the planned maintenance rerouting
commences.
To ensure a retrievable record, the request must be made in
writing. It may be submitted to FRA by fax, e-mail, or courier. Because
of security protocols placed in effect after 9/11, regular mail
undergoes irradiation to ensure that any pathogens have been destroyed
prior to delivery. The irradiation process adds significant delay to
FRA's receipt of the document, and the submitted document may be
damaged due to the irradiation process. The lack of emergency
circumstances makes telephonic communication less necessary and less
preferable. Like notifications for emergency rerouting, the request for
planned rerouting must include the number of days that the rerouting
should occur. If the planned maintenance will require rerouting up to
30 days, then the request must be made with the Regional Administrator.
If it will require rerouting for more than 30 days, then the request
must be made with the Associate Administrator. These longer time
periods reflect FRA's opportunity to review and approve the request.
In other words, since FRA expects that the review and approval process
will provide more confidence that a higher level of safety will be
maintained, the rerouting period for planned maintenance activities may
be more than the 14 days allotted for emergency rerouting.
Regardless of whether the temporary rerouting is the result of an
emergency situation or planned maintenance, the communication to FRA
required under paragraph (g) must include the information listed under
paragraph (i). This information is necessary to provide FRA with
context and details of the rerouting. To attempt to provide railroads
with the flexibility intended under paragraph (g), and to attempt to
prevent enforcement of the rules from which the railroad should be
receiving relief, FRA must be able to coordinate with its inspectors
and other personnel. This information may also eventually be important
to FRA in developing statistical analyses and models, reevaluating its
rules, and determining the actual level of danger inherent in mixing
PTC and non-PTC traffic on the same tracks.
For emergency rerouting purposes, the information is also necessary
for FRA to determine whether it should order the railroad or railroads
to cease rerouting or provide additional conditions that differ from
the standard conditions specified in paragraph (i). FRA recognizes the
importance of allowing temporary rerouting to occur automatically in
emergency circumstances. However, FRA must also maintain its
responsibility of ensuring that such rerouting occurs lawfully and as
intended by the rules. Accordingly, the proposed rules provide for the
opportunity for FRA to review the information required by paragraph (g)
to be submitted in accordance with paragraph (i) and order the railroad
or railroads to cease rerouting if FRA finds that such rerouting is not
appropriate or permissible in accordance with the requirements of
paragraphs (g) through (i), and as may be so directed in accordance
with paragraph (k), as discussed further below.
For rerouting due to planned maintenance, the information required
under paragraph (i) is equally applicable and will be used to determine
whether the railroad should not reroute at all. If the request for
planned maintenance is for a period of up to 30 days, then the request
and information must be sent in writing to the Regional Administrator
of the region in which the temporary rerouting will occur. While such a
request is self-executing--meaning that it will automatically be
considered permissible if not otherwise responded to--the Regional
Administrator may prevent the temporary rerouting from starting by
simply notifying the railroad or railroads that its request is not
approved. The Regional Administrator may otherwise provide conditional
approval, request that further information be supplied to the Regional
Administrator or Associate Administrator, or disapprove the request
altogether. If the railroad still seeks to reroute due to planned
maintenance activities, it must provide the Regional Administrator or
Associate Administrator, as applicable, the requested information. If
the Regional Administrator requests further information, no planned
maintenance rerouting may occur until the information is received and
reviewed and the Regional Administrator provides his or her approval.
Likewise, no planned maintenance rerouting may occur if the Regional
Administrator disapproves of the request. If the Regional Administrator
does not provide notice preventing the temporary rerouting, then the
planned maintenance rerouting may begin and occur as requested.
However, once the planned maintenance rerouting begins, the Regional
Administrator may at any time order the railroad or railroads to cease
the rerouting in accordance with paragraph (k).
Requests for planned maintenance rerouting exceeding 30 days,
however, must be made to the Associate Administrator and are not self-
executing. No such rerouting may occur without Associate Administrator
approval, even if the date passes on which the planned maintenance was
scheduled to commence. Under paragraph (h)(3), like the Regional
Administrator, the Associate Administrator may provide conditional
approval, request further information, or disapprove of the request to
reroute. Once approved rerouting commences, the Associate Administrator
may also order the rerouting to cease in accordance with paragraph (k).
Paragraph (j) requires that, once temporary rerouting commences,
regardless of whether it is for emergency or planned maintenance
purposes, the track segments upon which the train will be rerouted must
have an absolute block established in advance of each rerouted train
movement and that each rerouted train movement shall not exceed 59
miles per hour for passenger and 49 miles per hour for freight. FRA
requests comment on whether these speed restrictions should be limited
to trains actually transporting PIH materials or intercity or commuter
passengers and whether a higher limit
[[Page 35971]]
should be provided on cab signal territory where the detoured train is
led by a locomotive equipped with operative cab signals. FRA also
requests comment on whether the more stringent requirements of Sec.
236.1029 (trains failed en route on PTC lines) should apply. Finally,
FRA requests comment on the extent to which the host railroad's PTCSP
might provide for alternative safety measures.
Moreover, as referenced in paragraph (g) as it applies to both
emergency and planned maintenance circumstances, the track upon which
FRA expects the rerouting to occur would require certain mitigating
protections listed under paragraph (j) in light of the mixed PTC and
non-PTC traffic. While FRA purposefully intends paragraph (j) to apply
similarly to Sec. 236.567, FRA recognizes that Sec. 236.567 does not
account for the statutory mandates of interoperability and the core PTC
safety functions. Accordingly, paragraph (j) must be more restrictive.
Section 236.567, which applies to territories where ``an automatic
train stop, train control, or cab signal device fails and/or is cut out
en route,'' requires trains to proceed at either restricted speed or,
if an automatic block signal system is in operation according to signal
indication, at no more than 40 miles per hour to the next available
point of communication where report must be made to a designated
officer. Where no automatic block signal system is in use, the train
shall be permitted to proceed at restricted speed or where an automatic
block signal system is in operation according to signal indication but
not to exceed medium speed to a point where absolute block can be
established. Where an absolute block is established in advance of the
train on which the device is inoperative, the train may proceed at not
to exceed 79 miles per hour. Paragraph (j) utilizes that absolute block
condition, which more actively engages the train dispatcher in managing
movement of the train over the territory (in both signaled and non-
signaled territory). Recognizing that re-routes under this section will
occur in non-signaled territory, the maximum authorized speeds
associated with such territory are used as limitations on the speed of
re-routed trains. FRA agrees with the comments of labor representatives
in the PTC Working Group who contend that the statutory mandate alters
to some extent what would otherwise be considered reasonable for these
circumstances. FRA welcomes comments on whether restrictions associated
with re-routing should vary depending on whether the actual train in
question is a passenger train or includes cars containing PIH
materials.
It should be noted that this paragraph (j) was added by FRA after
further consideration of this issue and was not part of the PTC Working
Group consensus. FRA believes that special precautions may be
appropriate given the heightened safety expectations suggested by the
statutory mandate. Comment is requested on the appropriateness of these
restrictions, including any impact on other rail traffic.
Paragraph (k), as previously noted, provides the Regional
Administrator with the ability to order the railroad or railroads to
cease rerouting operations that were requested for up to 30 days. The
Associate Administrator may order a railroad or railroads to cease
rerouting operations regardless of the length of planned maintenance
rerouting requested. FRA believes this is an important measure
necessary to prevent rerouting performed not in accordance with the
rules and FRA's expectations based on the railroad's communications and
to ensure the protection of train crews and the public. However, FRA is
confident that in the vast majority of cases railroads will utilize the
afforded latitude reasonably and only under necessary circumstances.
FRA expects each host railroad to develop a plan to govern
operations in the event temporary rerouting is performed in accordance
with this section. Thus, as noted further below in Sec. 236.1015, FRA
proposes each PTCSP to include a plan accounting for such rerouted
operations.
Section 236.1006 Equipping Locomotives Operating in PTC Territory
The PTC Working Group discussed at great length the issues related
to operation of PTC-equipped locomotives, and locomotives not equipped
with PTC onboard apparatus, over lines equipped with PTC. The PTC
Working Group recognized that the typical rule with respect to train
control territory is that all controlling locomotives must be equipped
and operative (see Sec. 236.566). It was also noted in the discussion
that the Interstate Commerce Commission (FRA's predecessor agency in
the regulation of this subject matter) and FRA have provided some
relief from this requirement in discrete circumstances where safety
exposure was considered relatively low and the hardship associated with
equipping additional locomotives was considered substantial.
The ASLRRA noted that its member railroads conduct limited
operations over Class I railroad lines that will be required to be
equipped with PTC systems in a substantial number of locations. These
operations are principally related to the receipt and delivery of
carload traffic in interchange. The small railroad service extends onto
the Class I railroad track in order to hold down costs and permit both
the small railroad and the Class I railroad to retain traffic that
might be priced off the railroad if the Class I had to dispatch a crew
to pick up or place the cars. This, in turn, supports competitive
transportation options for small businesses, including marginal small
businesses in rural areas.
The ASLRRA advocated an exception that would permit the trains of
its members and other small railroads to continue use of existing
trackage rights and agreements without the necessity for equipping
their locomotives with PTC. They suggested that any incremental risk be
mitigated by requiring that such trains proceed subject to the
requirement for an absolute block in advance (similar to operating
rules consistent with Sec. 236.567 applicable to trains with failed
onboard train control systems). This position was consistently opposed
both by the rail labor organizations and the Class I railroads. These
organizations took the position that all trains should be equipped with
PTC in order to gain the benefits sought by the congressional mandate
and to provide the host railroad the full benefit of its investment in
safety. Informal discussions suggested that Class I railroads might
offer technical or financial assistance to certain small railroads in
equipping their locomotives, but that this would, of course, be done
based on the corporate interest of the Class I railroad.
In the PTC Working Group and in informal discussions around its
activities, Class I railroads indicated that they intended to take a
strong position against non-equipped trains operating on their PTC
lines, and that in order to enforce this restriction fairly they
understood that they would need to equip their own locomotives,
including older road switchers that might venture onto PTC-equipped
lines only occasionally. However, during these discussions, FRA was not
able to develop a clear understanding regarding, outside the scope of
FRA regulations, the extent to which the Class I railroads under
previously executed private agreements enjoy the effective ability to
enforce a requirement that all trains be equipped. FRA presumes for
purposes of this proposal that there will be circumstances rooted
[[Page 35972]]
in previously executed private agreements under which the Class I
railroad would be entitled to require the small railroad to use a
controlling locomotive equipped with PTC as a condition of operating
onto the property. FRA wishes to emphasize that, in making this
regulatory proposal, FRA does not intend to influence the exercise of
private rights or to suggest that public policy would disfavor an
otherwise legitimate restriction on the use of unequipped locomotives
on PTC lines. Rather, this proposal is intended to explore limited
exceptions that might be acceptable from the point of view of safety,
and helpful from the point of view of the public interest in rail
service, where it might be compatible with prior rights of the
railroads involved. FRA also notes that, in the absence of clear
guidance on this issue, a substantial number of waiver requests could
be expected that would have to be resolved without the benefit of
decisional criteria previously examined and refined through the
rulemaking process.
Paragraph (a) proposes that, as a general rule, all trains operating
over PTC territory must be PTC-equipped. In other words, paragraph (a)
would require each lead locomotive to be operated with a PTC
onboard apparatus if it is controlling a train operating on a track
equipped with a PTC system in accordance with subpart I. The PTC onboard
apparatus should operate and function in accordance with the PTCSP
governing the particular territory. Accordingly, it must successfully
and sufficiently interoperate with the host railroad's PTC system.
Generally, the four parts of each PTC system are office, wayside,
communications, and onboard components. FRA recognizes that a PTC
onboard apparatus for a lead locomotive owned and operated by one
railroad may not be part of the PTC system upon which the locomotive
operates. For example, a Class II railroad lead locomotive equipped
with a PTC onboard apparatus may operate on a Class I railroad's PTC
line. Throughout this rule, the use of the term ``PTC system,''
depending upon its context, usually refers to the host railroad's PTC
system, and not the tenant railroad's lead locomotive. When using the
term ``PTC onboard apparatus,'' however, FRA intends to cover all such
mobile equipment, regardless of whether it is on a locomotive owned or
controlled by a host or tenant railroad.
Under proposed Sec. 236.1006, FRA may enforce paragraph (a).
Proposed paragraphs (b) and (c), however, contain a series of proposed
qualifications and exceptions to paragraph (a).
First, it is understood that during the time PTC technology is
being deployed to meet the statutory deadline of December 31, 2015,
there will be movements over PTC lines by trains with lead locomotives
not equipped with a PTC onboard apparatus. In general, Class I railroad
locomotives are used throughout the owning railroad's system and, under
shared power agreements, on other railroads nationally. FRA anticipates
that the gradual equipping of locomotives--which will occur at a
relatively small number of specialized facilities and which will
require a day or two out of service as well as time in transit--will
extend well into the implementation period that ends on December 31,
2015. It will not be feasible to tie locomotives down to PTC lines, and
the RSAC stakeholders fully understood that point. Labor organizations
did urge that railroads make every effort to use equipped locomotives
as controlling units, and FRA believes that in general, railroads will
do so in order to obtain the benefits of their investment.
Second, FRA has included a transitional provision, related to PTC
apparatus that fails upon attempted initialization, specifically
intended to encourage placement of PTC-equipped locomotives on the
point during the period when reliability may be an issue. This
provision would allow a stated, declining percentage of locomotives
equipped with PTC to be dispatched even if the onboard apparatus fails.
Although FRA agrees with the objective of rail labor's suggestion for
``consist management'' that puts equipped locomotives on the point, FRA
also recognizes that a number of factors related to the age and
condition of locomotives may influence this decision. Further, in the
early stages of implementation, requiring that power be switched if
initialization fails could result in significant train delays and
contribute to congestion in yards and terminals. Some ``slack'' in the
system will be required to implement PTC intelligently and
successfully. Of course, if FRA determines during implementation that
good faith efforts are not being made to take advantage of PTC-equipped
locomotives, FRA could step in with more prescriptive requirements
after providing notice and an opportunity for comment.
Recognizing that matching PTC lines with PTC-equipped controlling
locomotives will be a key factor in obtaining the benefits of this
technology in the period up to December 31, 2015, FRA requests comments
on whether PTC Implementation Plans should be required to include power
management elements describing how this will be accomplished to the
degree feasible.
Third, the section provides a cross-reference to Sec. 236.1029
pertaining to PTC onboard apparatus failing en route.
Fourth, this provision proposes exceptions for trains operated by
Class II and III railroads, including tourist or excursion railroads.
The exceptions are limited to lines not carrying intercity or commuter
passenger service, except where the Class I freight railroad and the
passenger railroad have requested an exception in the PTC
Implementation Plan's main line track exception addendum (MTEA) in
accordance with Sec. 236.1019, as further discussed below, and FRA has
approved that element of the plan.
FRA has considered whether to provide an exception to requiring
each Class II and III railroad locomotive to be equipped with a PTC
onboard apparatus when operating over passenger routes to be equipped
with a PTC system, but FRA has not been able to define conditions that
would apparently be suitable in every case. FRA is open to
consideration of exceptions within the context of a PTC Implementation
Plan. To the extent that the host Class I or passenger railroad would
need to be supportive of the exception, FRA recognizes that options may
be foreclosed prior to FRA consideration. However, railroads have
historically exercised substantial control of operations over track
that they own or dispatch, and in this case those interests
significantly parallel the apparent intent of the Congress to achieve a
high level of safety in mixed freight and passenger operations. If FRA
were to handle exceptions through PTC Implementation Plans, FRA seeks
comments on how that should be accomplished. FRA also seeks comments on
whether there should be an assumption that the lead locomotives not
equipped with PTC onboard apparatus on four unequipped Class II or III
railroad trains will be permitted daily on a segment of PTC-equipped
track and that variances from that are permitted in a PTC
Implementation Plan. If so, FRA questions whether that should be
subject to the agreement of both railroads. If agreement by the Class
II or III railroad is not required, FRA seeks comments on what
assurance there would be that the Class I railroad would not
effectively shut out the Class II or III railroad's operation.
FRA recognizes that most of the justifications stated for these
proposed exceptions pertain to short movements for interchange that
would constitute a small portion of the movements over the
[[Page 35973]]
PTC-equipped line. The accident/incident data show that the risk
attendant upon these movements is small. A review of the last seven
years of accident data covering 3,312 accidents that were potentially
preventable by PTC showed that there were only two of those accidents
which involved a Class I railroad's train and a Class II or III
railroad's train. FRA believes that the low level of risk revealed by
these statistics justifies an exception for Class II and III railroad
trains traversing a PTC-equipped line for a relatively short distance.
FRA notes that the cost of equipping those trains would be high when
viewed in the context of the financial strength of the Class II or III
railroad and the marginal safety benefits would be relatively low in
those cases where a small volume of traffic is moved over the PTC-
equipped line.
FRA also believes that it is clearly desirable for each train using a
PTC-equipped line eventually to have a lead locomotive equipped
with a PTC onboard apparatus. However, FRA seeks comments on the length
of time the exception should last and a justification of that length of
time. Other considerations aside, FRA seeks comments on whether FRA
should not require a Class II or III railroad locomotive used on a PTC-
equipped line to be equipped with PTC when it is rebuilt or replaced
(i.e., when the cost of equipping a locomotive is lowest). In other
cases, the Class II or III railroad has dedicated locomotives serving
the line to be equipped with PTC. From the facts presently available to
FRA, it appears to be appropriate for those locomotives to be equipped
with PTC. Moreover, FRA is aware of other cases where Class II and III
railroads have rather more extensive operations over Class I railroad
lines; and, in these cases, the risks incurred could be more
substantial. Further, in some of these cases the smaller railroads are
aligned with the Class I railroads over which they operate or may even
be under common ownership and control. For purposes of prompting a more
complete public dialogue on this issue, FRA is proposing to limit
unequipped movements by any single Class II or III railroad to not more
than 4 trains per day over any given track segment on a PTC-equipped
line. A train moving from the small railroad to the point of
interchange and back within the same calendar day would count as two
trains.
To the extent the movements in question do not exceed 20 miles,
this exception would be available at least until FRA next considered
the issue of PTC deployment. Information available to FRA indicates
that this would accommodate a substantial majority of the affected
operations. FRA questions and seeks comments as to whether this
latitude should be available if one or more locomotives subsequently
acquired by the small railroad were equipped for PTC.
To the extent the movements in question exceed 20 miles, the
exception would be available only until December 31, 2020. In some
cases, small railroads operate over Class I railroad tracks for over
one hundred miles, and these operations may be integral to their
service plans (e.g., permitting the small railroad to reach lines
branching off from the Class I railroad's route structure for which the
smaller railroad provides local service). FRA recognizes that in these
circumstances the smaller railroads would face overwhelming competition
for supplier attention and significant challenges related to pricing
that will attend the initial period of implementation. Accordingly, FRA
proposes to provide for these railroads to equip the necessary
locomotives with additional time beyond the statutory deadline that
applies to Class I railroads. In conjunction with this latitude, FRA
would ask for progress reports to focus the attention of the railroads'
management teams and to ensure that the agency could not be presented
with unreasonable demands for further extensions at the end of the
extended implementation period.
FRA recognizes that small railroads carry a wide variety of
commodities, including PIH traffic. FRA invites comments on whether the
small railroad exceptions for freight operations that FRA is proposing
should be altered if the small railroad is transporting PIH traffic on
PTC-equipped track through a densely populated area. Commenters are
requested to detail any alternative standards they believe should be
adopted to address such a situation.
Section 236.1007 Additional Requirements for High Speed Service
Since the early 1990s, there has been an interest centered around
designated high speed corridors for the introduction of high speed
rail, and a number of States have made progress in preparing rail
corridors through safety improvements at highway-rail grade crossings,
investments in track structure, and other areas. FRA has administered
limited programs of assistance using appropriated funds. With the
passage of the American Recovery and Reinvestment Act of 2009, Public
Law 111-5, 123 Stat. 115 (2009), which provides $8 billion in capital
assistance for high speed rail corridors and intercity passenger rail
service, and the President's announcement in April 2009 of a Vision for
High Speed Rail in America, FRA expects those efforts to increase
considerably. FRA believes that railroads conducting high speed
operations in the United States can provide a world class service as
safe as, or better than, any high speed operations conducted elsewhere.
In anticipation of such service, and to ensure public safety, FRA
proposes three tiers of requirements for PTC systems operating in high
speed service. The proposed performance thresholds are intended to
increase safety performance targets as the maximum speed limits
increase to compensate for increased risks, including the potential
frequency and adverse consequences of a collision or derailment.
Section 236.1007 proposes setting the intervals for the high speed
safety performance targets for operations with: maximum speeds at or
greater than 60 and 50 miles per hour for passenger service and freight
operations, respectively, under paragraph (a); maximum speeds greater
than 90 miles per hour under paragraph (b); maximum speeds greater than
125 miles per hour under paragraph (c); and maximum speeds greater than
150 mph under paragraph (d). The reader should note that the
requirements increase as speed rises. Thus, for instance, operations
with trains moving above 125 miles per hour must, in addition to the
requirements under paragraph (c), adhere to the requirements under
paragraphs (a) and (b).
Paragraph (a) addresses the PTC system requirements for territories
where speeds are greater than 59 miles per hour for passenger service
and 49 miles per hour for freight service. Under existing regulations
(49 CFR 236.0), block signal systems are required at these speeds
(unless a manual block system is in place, an option that this proposal
would phase out). The proposed rule expects covered operations moving
at these speeds to have implemented a PTC system that provides, either
directly or with another technology, all of the statutory PTC system
functions along with the safety-critical functions of a block signal
system as defined in the existing standards of subparts A-F of part
236. The safety-critical functions of a block signal system include
track circuits, which assist in broken rail detection and unintended
track occupancies (equipment rolling out), and fouling circuits, which
can identify equipment that is intruding on the clearance envelope and
may prevent raking collisions.
[[Page 35974]]
FRA recognizes that advances in technology may render current block
signal, fouling, and broken rail detection systems obsolete and FRA
does not want to preclude the introduction of suitable and appropriate
advanced technologies. Accordingly, FRA believes that alternative
mechanisms providing the same functionality are entirely acceptable and
FRA encourages their development and use to the extent they do not have
an adverse impact on the level of safety.
Paragraph (b) addresses system requirements for territories where
operating speeds are greater than 90 miles per hour, which is currently
the maximum allowable operating speed for passenger trains on Class 5
track. At these higher speeds, the implemented PTC system must not only
comply with paragraph (a), but also be shown to be fail-safe (as
defined in Appendix C) and at all times prevent unauthorized intrusion
of rail traffic onto the higher speed line operating with a PTC system.
FRA intends this concept of fail-safe application to be understood in
its commonplace meaning, i.e., that insofar as feasible the system is
designed to fail to a safe state, which normally means that trains will
be brought to a stop. Further, FRA understands that there are aspects
of current system design and operation that may create a remote
opportunity for a ``wrong-side'' or unsafe failure and that these
issues would be described in the PTCSP and mitigations would be
provided. FRA recognizes that, as applied in the general freight
system, this proposal could create a significant challenge related to
interoperability of freight equipment operating over the same
territory. Accordingly, FRA requests comment on whether, where
operations do not exceed 125 miles per hour or some other value, the
requirement for compliance with Appendix C safety assurance principles
might be limited to the passenger trains involved, with ``non-vital''
onboard processing permitted for the intermingled freight trains.
As speed increases, it also becomes more important that inadvertent
incursions on the PTC-equipped track be prevented at switch locations.
FRA proposes that this be done by effective means that might include
use of split-point derails properly placed, equipping of tracks
providing entry with PTC, or arrangement of tracks and switches in such
a way as to divert an approaching movement which is not authorized to
enter onto the PTC line. The protection mechanism on the slower speed
line must be integrated with the PTC system on the higher speed line in
a manner to provide appropriate control of trains operating on the
higher speed line if a violation is not prevented for whatever reason.
Paragraph (c) addresses high speed rail operations exceeding 125
miles per hour, which is the maximum speed for Class 7 track under
Sec. 213.307. At these higher speeds, the consequences of a derailment
or collision are significantly greater than at lower speeds due to the
involved vehicle's increased kinetic energy. In such circumstances, in
addition to meeting the requirements under paragraphs (a) and (b),
including having a fail-safe PTC system, the entity operating above 125
miles per hour must provide an additional safety analysis (the HSR-125)
providing suitable evidence to the Associate Administrator that the PTC
system can support a level of safety equivalent to, or better than, the
best level of safety of comparable rail service in either the United
States or a foreign country over the 5-year period preceding the
submission of the PTCSP. Additionally, PTC systems on these high speed
lines must provide the capability, as appropriate, to detect incursion
from outside the right of way and provide warnings to trains. Each
subject railroad is free to suggest in its HSR-125 any method to the
Associate Administrator that ensures that the subject high speed lines
are corridors effectively sealed and protected from such incursions
(see Sec. 213.347 of this title), including such hazards as large
motor vehicles falling on the track structure from highway bridges.
Paragraph (d) addresses the highest speeds existing or currently
contemplated for rail operations exceeding 150 miles per hour. FRA
expects these operations to be governed by a Rule of Particular
Applicability and the HSR-125 required by paragraph (c) shall be
developed as part of an overall system safety plan approved by the
Associate Administrator. The quantitative risk showing required for
operations above 125 miles per hour is not required to include
consideration of acts of deliberate violence. The reason for this
exclusion is simply to remove speculative or extraordinary
considerations from the analysis. FRA and the Department of Homeland
Security will of course expect that security considerations are taken
into account in system planning.
Section 236.1009 Procedural Requirements
RSIA08 and the proposed rule require that by April 16, 2010, each
Class I railroad carrier and each entity providing regularly scheduled
intercity or commuter rail passenger transportation develop and submit
to FRA a plan for implementing a PTC system by December 31, 2015, and
that FRA shall not permit the installation of any PTC system or
component in revenue service unless the Administrator has certified
them through the approval process contained in this part. FRA
understands implementation to include design, testing, potential
Verification and Validation, installation, and operation over the PTC
system's life cycle.
Current subpart H of part 236 provides a technically sound
procedure for obtaining FRA approval of various processor-based signal
and train control systems. However, based on experience gained
during BNSF's ETMS 1 project, FRA believes that its process does not
support rapid FRA review and decision making and requires redundant
submission of information common to multiple railroads. FRA also
believes that although the risk analysis required by subpart H fully
reflects operational parameters associated with the different types of
operations, it is excessively cumbersome and overly time consuming for
the purposes of deploying PTC system technologies at the rate required
under RSIA08. Moreover, subpart H does not require an implementation
plan and does not provide for ``certification.'' Arguably FRA could
simply amend subpart H to include requirements relating to
implementation plans and to modify the language to equate ``approval''
under subpart H with ``certification'' under the statute. However, FRA
believes that such a resultant amended subpart H would remain
unsuitable for a PTC system certification process in light of the
congressional mandates. Those potential amendments alone would not
remedy subpart H's inability to provide quick and efficient FRA review.
Accordingly, for PTC system implementation, certification, and
build-out completion to occur within the very aggressive dates set by
Congress, FRA is proposing a new subpart I, with some minor
modifications to subpart H. Under subpart I, Sec. 236.1007 proposes
and explains the process by which each railroad may ultimately receive
PTC System Certification for its PTC system. Under Sec. 236.1007, FRA
intends to avoid procedural redundancy, provide sufficient procedural
flexibility to accommodate the varying needs of those seeking
certification, mitigate the financial risk associated with
technological investment necessary to comply with the regulatory
requirements, and otherwise develop a
[[Page 35975]]
streamlined process to provide for quick review and resolution of the
issues leading to certification.
Generally speaking, there are three major elements of the proposed
PTC System Certification process: PTC Implementation Plan (PTCIP)
submission and approval, receipt or use of a Type Approval number--
which may be provided with approval of a PTC Development Plan (PTCDP)--
and PTC Safety Plan (PTCSP) submission to receive PTC System
Certification. While Sec. 236.1009 provides for the procedural
requirements for this process, the contents for the applicable filings
are provided for under Sec. Sec. 236.1011, 236.1013, and 236.1015. The
PTCIP is the written plan that defines the specific details of how and
when the railroad will implement the PTC system. The PTCDP provides a
detailed discussion of specific elements of the proposed technology and
product that will be used to implement PTC as required by RSIA08.
Approval of the PTCDP comes in the form of a Type Approval number that
applies to the subject PTC system. The PTCSP provides the railroad-
specific elements demonstrating that the system, as installed, meets
the required safety performance objectives. Approval of the PTCSP comes
in the form of a PTC System Certification.
Under paragraph (a), the PTCIP submission deadline of April 16,
2010, applies to all host railroads--as defined in Sec. 236.1003--that
exist at that time and are required to install a PTC system on one or
more main lines in accordance with Sec. 236.1005(b). Intercity and
commuter railroads that are tenants on Class I, II, or III freight
lines must also join with their host railroad in filing these plans.
FRA believes that the railroad that maintains operational control over
a particular track segment is generally in the best position to develop
and submit the PTCIP, since that railroad is more knowledgeable of the
conditions of and operations over its track. FRA recognizes that in
cases where a tenant passenger railroad operates over a Class II or III
railroad, the passenger railroad may be required to take a more active
role in planning the PTC system deployment by working with the host
railroad.
Paragraph (a) proposes to require that a PTCIP will be filed by
railroads that are host railroads upon which passenger trains traverse
and thus require PTC installation and operation. FRA recognizes that
the statute requires timely submission of a PTCIP by each Class I
railroad and each entity providing regularly scheduled intercity or
commuter rail passenger transportation. Class II and III railroads that
host intercity or commuter rail service will need to file
implementation plans, whether or not they directly procure or manage
installation of the PTC system.
The tenant passenger railroad will need to file jointly with the
Class I, II or III railroad. This is consistent with RSIA08, which
requires each subject passenger railroad to file an implementation
plan. In the case of an intercity or commuter railroad providing
service over a Class I railroad, it may be sufficient for the passenger
railroad to file a letter associating itself with the Class I's plan to
the extent it impacts the passenger service. FRA does not propose any
requirement for joint filing in the more common case where another
railroad has freight trackage rights over a Class I railroad's PTC
line. However, the Class I railroad will, of course, address these
joint operations and discuss the issue of interoperability in its plan
as required by law.
If a host freight railroad and tenant passenger railroad cannot
come to an agreement on a PTCIP to jointly file by April 16, 2010, they
must instead each file a PTCIP separately with a notification separate
from the PTCIP to the Associate Administrator indicating that a joint
filing was not possible and an explanation of why the subject railroads
could not agree upon a final PTCIP draft for joint filing. Under such a
circumstance, each freight or passenger railroad may still be subject
to a civil penalty assessed for each day past the deadline that a PTCIP
is not jointly filed. FRA believes that these measures are necessary to
ensure timely PTC system implementation and operation under the statute
and are in the interest of public safety. FRA believes that when
subject railroads have an obligation to submit a joint filing, they
also carry the obligation to seek dispute resolution by private means
if needed.
If a PTCIP or request for amendment (RFA), as provided in Sec.
236.1021, must be submitted in accordance with the rule after April 16,
2010, paragraph (a) does not propose to provide the subject railroads
with an opportunity to file separately. If a railroad intends to use
track that would require the installation of a PTC system in accordance
with paragraph (a)(3), and the parties have difficulty reaching
agreement, then such usage would merely be delayed until the parties
come to a mutually acceptable PTCIP for joint filing.
FRA notes that new passenger railroads are likely to begin
operations during the period between issuance of the final rule in this
proceeding and the end of the implementation period for PTC (December
15, 2015). Railroads beginning operations after April 16, 2010, but
before December 31, 2015, that must install PTC would be expected to
file a PTCIP that meets the requirements of paragraph (a) as soon as
possible after the decision to proceed. It is FRA's position for
purposes of this proposal that any railroad commencing operations after
December 31, 2015, that require PTC will not be authorized to commence
revenue operations until the PTC installation is complete. FRA requests
comment on whether there are any legitimate exceptions to this
approach, which appears to be the only approach consistent with the
RSIA08.
Paragraph (b) contains the proposed process for receiving a Type
Approval number for a particular PTC system. Under the proposed rule,
each PTC system must receive a Type Approval number. The Type Approval
is a number assigned to a particular off-the-shelf PTC system product--
described in a PTCDP in accordance with Sec. 236.1013--indicating
FRA's belief that the product could fulfill the requirements of subpart
I. FRA's issuance of a Type Approval does not mean that the product
will meet the requirements of subpart I. The Type Approval applies to
the technology designed and developed, but not yet implemented, and
does not bestow any ownership or other similar interests or rights to
any railroad. Each Type Approval number remains under the control of
the FRA, and can be issued or revoked in accordance with this subpart.
FRA expects the proposed Type Approval process to provide a variety
of benefits to FRA and the industry. If a railroad submits a PTCDP
describing a PTC system, and the PTC system receives a Type Approval,
then other railroads intending to use the same PTC system without
variances may, in accordance with proposed paragraph (b)(1), simply
rely on the Type Approval number without having to file a separate
PTCDP. While the railroad filing the PTCDP must expend resources to
develop and submit the PTCDP, all other railroads using the same PTC
system would not. This would not only provide significant cost and time
savings for a number of railroads, but will remove a significant level
of redundancy from the approval process that is currently inherent in
subpart H.
If, however, a railroad intends to use a modified version of a PTC
system that has already received a Type Approval number, and the
variances between the two systems are of a safety-critical nature, the
railroad must submit a new PTCDP. The new PTCDP can either fully
[[Page 35976]]
comply with the content requirements under Sec. 236.1013 or supply a
Type Approval number for the other PTC system upon which the modified
PTC system will rely and a document fulfilling the content requirements
under Sec. 236.1013 as it applies to the safety-critical variances.
In any event, to receive a new Type Approval number, the railroad
must submit to FRA a PTCDP, drafted in accordance with Sec. 236.1013,
no later than when it submits its PTCIP. While the PTCDP may be drafted
by the PTC system vendor, FRA believes it is the railroad's regulatory
responsibility and duty to submit its PTCIP to FRA. FRA believes that
requiring the submission of the PTCDP with the PTCIP will facilitate a
reduction in regulatory activities, thus maximizing the time available
for the railroads to carry out the necessary activities to complete PTC
implementation within the 65 months available between April 2010, and
December 2015. During that time, each railroad is expected to carry
out all of the required actions necessary to complete design,
manufacture, test, and installation of the PTC office, onboard, and
wayside subsystems. FRA believes that the process proposed in paragraph
(b) provides the railroads considerable flexibility. By requiring that
a railroad's PTCDP be submitted no later than its PTCIP, FRA intends to
ensure that FRA has the opportunity early in the regulatory approval
process to review and determine whether the proposed technical solution
in the PTCDP has the potential to satisfy the statutory requirements.
If a PTCDP is submitted at a later time, the length of time available
to the railroad to perform a complete PTC implementation will be
decreased even further.
Many issues relating to FRA's review of the railroad's PTCDP may
also cause further delays, thus reducing the time between the receipt
of a Type Approval and the statutory deadline of December 15, 2015,
upon which the PTC system must be installed and operating. For
instance, FRA may find that the PTCDP does not adequately conform to
this subpart or otherwise has insufficient information to justify
approval. FRA may also determine that there are issues raised by the
PTCDP that would adversely affect the ability of FRA to eventually
certify the system. If such a situation were to arise, the railroad and
its vendor would need to address the issues, and resubmit the PTCDP for
FRA approval.
Given the magnitude of the tasks faced by the railroads, any
additional delays beyond April 16, 2010, will increase the risk of the
railroad failing to meet the December 31, 2015, completion date
required by RSIA08. Such delays will increase the length of time that
the risk to the public and railroad employees remains unmitigated by
PTC technologies. More specifically, FRA recognizes that any loss of
time would make it more difficult for a railroad to perform the
installation, testing, and analyses necessary to submit its PTCSP for
PTC System Certification. Such installation, testing, and analyses
cannot occur until the railroad knows the PTC system that it may use,
as identified by a Type Approval number. Accordingly, paragraph (b)
proposes that each PTCDP be filed no later than when its associated
PTCIP is submitted in order to preserve as much time as possible to
ensure that each railroad meets the statutory deadline and that
Congress' intent is not otherwise frustrated.
FRA believes that the existence of certain overlapping issues in
each PTCDP and PTCIP also requires their contemporaneous submission and
review. FRA strongly believes that a meaningful implementation plan
cannot be created if the railroad has not identified and does not
understand the technology it proposes to implement. Without an
understanding of the technology, and the issues associated with its
design, test, and implementation, any schedules developed by the
railroad may be meaningless. Unless the railroad understands the PTC
system it hopes to use, and how it expects to implement that system,
evaluation of a deployment schedule cannot be undertaken.
Moreover, the PTCIP requires that the railroad address the issue of
interoperability with other PTC systems. Any meaningful discussion
regarding interoperability requires that the railroad have a clear
understanding of the technical capabilities of the system that it
proposes to implement before it can make an informed judgment of how
the system will interoperate with other systems. The information
required in the PTCDP provides the implementing railroad, other
railroads with which the implementing railroad interfaces, and FRA with
an understanding of the technical requirements necessary for
interoperability. FRA believes that early identification of technical
capabilities of the proposed PTC systems will allow the concerned
parties to make more timely design adjustments to facilitate
interoperability, reducing any delays that may increase the level of
risk of the railroad meeting its statutory deadline.
FRA also believes that the process proposed by paragraph (b) will
reduce each railroad's financial risk related to implementing a
technological system requiring governmental approval. Members of the
PTC Working Group expressed concern about having to expend significant
resources to implement and test a PTC system prior to submitting a
PTCSP reflecting its findings in order to receive PTC System
Certification. FRA believes that proposed paragraphs (b) and (e)
address this concern. By requiring submission of a PTCDP earlier in the
process, FRA intends to be involved in the design and implementation
process from the beginning. After contemporaneously reviewing a
railroad's PTCIP and PTCDP, FRA may be able to predetermine, and share
with the railroad, an appropriate course of action to adequately
address the various issues specific to the railroad and related to
drafting a successful PTCSP. Moreover, in accordance with paragraph
(e)--as discussed further below--each subject railroad may have the
benefit of FRA monitoring its progress in implementing its PTC system.
With FRA's involvement in the process, each subject railroad's
financial risk associated with implementing a PTC system prior to PTCSP
approval will be mitigated.
While FRA expects each subject railroad to submit its PTCDP with
its PTCIP, the proposed rule does not preclude a railroad from
submitting its PTCDP before its PTCIP for FRA review and approval. FRA
encourages an earlier submission of the PTCDP to further reduce the
required regulatory effort necessary to review the PTCIP and PTCDP if
submitted together. More importantly, it would present an opportunity
for FRA to issue a Type Approval for the proposed PTC system before
April 16, 2010, thus providing other railroads intending to use the
same or similar PTC system the opportunity to leverage off of the work
already accomplished by simply submitting the Type Approval--and a much
less burdensome PTCDP in the event of variances. FRA also believes that
the proposed regulatory procedure may incentivize railroads using the
same or similar PTC system to jointly develop and submit a PTCDP, thus
further reducing the paperwork burden on FRA and the industry as a
whole and increasing confidence in the interoperability between
systems.
Paragraph (c) proposes to require that each subject railroad must
either file a Request for Expedited Certification (REC) or submit an
approved PTCIP, a Type Approval, and a PTCSP developed in accordance
with Sec. 236.1015 in order to receive PTC System Certification. A REC
applies only to PTC systems that
[[Page 35977]]
have already been in revenue service and meet the criteria of Sec.
236.1031(a), as further discussed below. If a PTC system is not
eligible for expedited certification, the railroad must submit a PTCSP.
As required under proposed Sec. 236.1015, the PTCSP must include
information relating to the operation and safety of the PTC system as
defined in the PTCDP and as applied to the railroad's actual territory.
To determine the sufficiency of the PTC system's applicability on the
railroad's territory, the railroad may be required, as referenced in
paragraph (e), to perform laboratory or field testing or have an
independent assessment performed. Ultimately, PTC System
Certification--issued by FRA based on a review and approval of the
PTCSP--is FRA's formal recognition that the PTC system, as described
and implemented, meets the statutory requirements and the provisions of
subpart I. It does not imply FRA endorsement or approval of the PTC
system itself.
To be clear, paragraph (d) requires that each PTCIP, PTCDP, and
PTCSP must comply with the content requirements proposed in Sec. Sec.
236.1011, 236.1013, and 236.1015, respectively. If the submissions do
not comply with their respective regulatory requirements, then they may
not be approved. Without approval, a PTC system may not receive a Type
Approval or PTC System Certification.
Paragraph (d) also proposes that the contents of the submitted
plans be understood by FRA personnel. In the interest of an open
market, FRA does not want to preclude the ability of PTC system
suppliers outside of the United States from manufacturing PTC systems
or selling them to the subject railroads. However, in order to ensure
the safety and reliability of those systems, FRA needs to adequately
review the submitted plans. Accordingly, FRA proposes to require that
all materials submitted in accordance with this subpart be in the
English language, or be translated into the English language and
attested as true and correct. FRA seeks comments on this proposal and
whether any additional requirements are necessary to ensure FRA's
adequate understanding of the submissions.
Under subpart H of part 236, a railroad may seek confidential
treatment for certain information required to be submitted under that
subpart. According to Sec. 236.901(c), a railroad may label that
information as confidential--if it deems it to be trade secrets, or
commercial or financial information that is privileged or confidential
under Exemption 4 of the Freedom of Information Act, 5 U.S.C.
552(b)(4)--and submit the information in accordance with Sec. 209.11.
FRA believes that the same concept should be applied to materials
submitted in accordance with proposed subpart I. FRA continues to
believe that the referenced information should receive the protections
under the Freedom of Information Act (FOIA) (5 U.S.C. 552) and the
Trade Secrets Act (18 U.S.C. 1905). FRA also continues to believe that
it cannot make any flat pronouncements about the confidentiality of
information it has not yet received. Should a FOIA request be made for
information submitted under this rule that the submitting party has
claimed should be withheld, the submitting company will be notified of
the request in accordance with the submitter consultation provisions of
the Department's FOIA regulations (Sec. 7.17) and will be afforded the
opportunity to submit detailed written objections to the release of
information protected by exemption 4 as provided for in Sec. 7.17(a).
Since FRA proposes to place the redacted versions of the submitted
plans in a docket for public comment, FRA strongly encourages
submitting parties to request protection from withholding only for
those portions of documents that truly justify such treatment (i.e.,
trade secrets and security sensitive information).
While FRA continues to believe that there is no need at this time
to substantially revise Sec. 209.11, FRA proposes in subpart I to
require an additional document to assist FRA in efficiently and
correctly reviewing confidential information. Under Sec. 209.11, a
redacted and an unredacted copy of the same document must be submitted.
When FRA review is required to determine whether confidentiality should
be afforded, FRA personnel must painstakingly compare side-by-side the
two versions to determine what information has been redacted. To reduce
this burden, FRA proposes that any material submitted for confidential
treatment under subpart I and Sec. 209.11 must include a third version
that would indicate, without fully obscuring, the redacted portions.
For instance, to indicate, without obscuring, the plan's redacted
portions, the railroad may use the color or light gray highlighting,
underlining, or strikethrough functions of its word processing program.
This document will also be treated as confidential under Sec. 209.11.
While FRA could instead amend Sec. 209.11 to include this requirement,
FRA does not believe it to be necessary at this time. If more
regulatory procedures in other subparts or parts provide for
confidential treatment under Sec. 209.11, FRA will then consider
whether amendment of Sec. 209.11 would be appropriate at that time.
As discussed more specifically below, FRA is considering requiring
the submission of an adequate GIS shapefile to fulfill some of the
PTCIP content requirements under Sec. 236.1011. Redacting a word
processing document involves the simple task of blocking out the text
to be deemed confidential. However, in a GIS shapefile, which
includes primarily map data, visually blocking out the information
would defeat the purpose. For instance, a black dot over a particular
map location, or a black line over a particular route, would actually
reveal the location. FRA expects that a railroad seeking
confidentiality for portions of a GIS shapefile will submit three
versions of the shapefile to comply with paragraph (d). FRA expects
that the version for public consumption would merely not include the
confidential information. FRA seeks comments on this proposal. FRA also
seeks comments on how a third version of the GIS shapefile would
indicate, without fully obscuring, the confidential portions.
As previously noted, FRA expects that FRA-monitored laboratory or
field testing or an independent third party assessment may be necessary
to support conclusions made and included in a railroad's submitted
PTCDP or PTCSP. This issue is initially addressed in paragraph (e). The
procedural requirements to effectuate either of those requirements can
be found in Sec. Sec. 236.1035 and 236.1017, respectively.
Proposed paragraph (f) makes clear that FRA approval of a plan
submitted under subpart I may be contingent upon any number of factors
and that once the plan is approved, FRA maintains the authority to
modify or revoke the resulting Type Approval or PTC System
Certification. Under paragraph (f)(1), FRA would reserve the right to
attach additional requirements as a condition for approval of a PTCIP,
PTCDP, or PTCSP. A risk-informed and performance-based approach is one
in which the risk insights, and engineering analysis and performance
history, are used to: (1) Focus attention on the most important
activities; (2) establish objective criteria based upon risk insights
for evaluating performance; (3) develop measurable or calculable
parameters for monitoring systems performance; and (4) focus on the
results as the primary basis of regulatory decision-making. To
accomplish these tasks, it is necessary to identify, analyze,
[[Page 35978]]
assess, and control hazards and risks within all components of a
system--including people, cultures and attitudes, procedures,
materials, tools, equipment, facilities and software. In the
preparation of any of these plans, railroads may have inadvertently
failed to fully address hazards and risks associated with all of these
components.
FRA believes that proposed paragraph (f)(1) will make the
regulatory process more efficient and stable. Rather than reject a
railroad's plan completely, and consequently delay the railroad's
implementation of its PTC system, FRA would prefer to add additional
conditions during the approval process to address these oversights.
When determining whether to attach conditions to plan approval, FRA
will consider whether: (1) The plan includes a well-defined and
discrete technical or security issue that affects system safety; (2)
the risk or safety significance of an issue can be adequately
determined; (3) the issue affects public health and safety; (4) the
issue is not already being processed under an existing program or
process; and (5) the issue cannot be readily addressed through other
regulatory programs and processes, existing regulations, policies,
guidance, or voluntary industry initiatives.
Proposed paragraph (f)(2) provides FRA the right to withdraw a Type
Approval or a PTC System Certification as a consequence of the
discovery of new information regarding system safety that was not
previously identified. FRA issuance of each Type Approval or PTC System
Certification under performance-based regulations assumes that the
model of the train control system and its associated probabilistic data
adequately accounts for the behavior of all design features of the
system that could contribute to system risk. Different system design
approaches may result in different levels of detail introducing
different approximations/errors associated with the safety performance.
There are some characteristics for which modeling methods may not fully
capture the behavior of the system, or there may be elements of the
system for which historical performance data may not be currently
available. These potential inconsistencies in the failure analysis
could introduce significant variations in the predicted performance
from the actual performance. Because of the design complexity
associated with train control systems, FRA recognizes that these
inconsistencies are not the results of deliberate acts by any
individuals or organizations, but simply reflect the level of detail
of the analysis, the availability of comprehensive information as well
as the qualification and experience of the team of analysts, and the
resource limitations of both the railroad and FRA.
In proposed paragraph (f)(3), FRA indicates that the railroad may
be allowed to continue operations using the system, although such
continued operations may have special conditions attached to mitigate
any adverse consequences. It is FRA's intent, to the maximum extent
possible and when consistent with safety, to assist railroads in
keeping the systems in operation. FRA expects that if it places a
condition on PTC system operations, each railroad will have a
predefined process and procedure in place that would allow continued
railroad operations, albeit under reduced capability, until appropriate
mitigations are in place, and the system can be restored to full
operation. In certain dire situations, FRA may actually order the
suspension or discontinuation of operations until the root cause of the
situation is understood and adequate mitigations are in place. FRA
believes that suspending a Type Approval or a PTC System Certification
pending a more detailed analysis of the situation may be appropriate,
and that any such suspension must be done without prejudice. FRA
expects to take such an action only in the most extreme circumstances
and after consultation with the affected parties.
After reconsidering its issuance of a Type Approval or PTC System
Certification, under paragraph (f)(4), FRA may either dismiss its
reconsideration, continue to recognize the existing FRA approved Type
Approval or PTC System Certification, allow continued operations with
certain conditions attached, or order the railroad to cease applicable
operations by revoking its Type Approval or PTC System Certification.
If FRA dismisses its reconsideration or continues to recognize the Type
Approval, any conditions required during the reconsideration period
would no longer be applicable. If FRA will allow continued operations,
FRA may order that the same or other conditions apply. FRA expects that
revocation of a Type Approval or PTC System Certification may occur in
very narrow circumstances, where the risks to safety appear
insurmountable. Regrettably, there may be a few situations in which the
inconsistencies are the result of deliberate fraudulent
representations. In such situations, FRA may also seek criminal or
civil penalties against the entities involved.
Proposed paragraph (g) enables FRA to engage in the proper
inspection to ensure that a railroad is in compliance with subpart I.
FRA inspections may be required to determine whether a particular
railroad has not implemented a PTC system where necessary. For
instance, FRA may need to confirm whether 5 million gross tons or more
of annual railroad traffic, PIH materials, or passenger traffic
traverse a track segment. FRA may also need to
inspect locomotives to determine whether they are equipped with a PTC
onboard apparatus or to review locomotive logs to determine whether it
has entered PTC territory. Paragraph (g) makes clear FRA's statutorily
provided power to inspect the railroads and gather information
necessary to enforce subpart I.
As noted above, in order to maintain an open marketplace, the
proposed rule has been drafted to allow domestic railroads to purchase
PTC systems from outside of the United States. FRA recognizes that PTC
systems have been used in revenue service across the globe and that
acceptable products may be available in other countries. FRA also
recognizes that such use may come under a regulatory entity much like
FRA. Accordingly, under paragraph (h), in the event information
relating to a particular PTC system has been certified under the
auspices of a regulatory entity in a foreign government, FRA is willing
to consider that information as independently Verified and Validated in
accordance with the proposed rule to support the railroad's PTCSP
development. The phrase ``under the auspices'' intends to reflect the
possibility of certification contractually performed by a private
entity on behalf of a foreign government agency. However, the foreign
regulatory entity must be one recognized by the Associate
Administrator. A railroad seeking to enjoy the benefits of paragraph
(h) must communicate that interest in its PTCSP.
Section 236.1011 PTC Implementation Plan Content Requirements
This proposed section describes the minimum required contents of a
PTC Implementation Plan. A PTCIP is a railroad's plan for complying
with the installation of mandatory PTC systems required by RSIA08. The
PTCIP consists of implementation schedules, narratives, rules,
technical documentation, and relevant excerpts of agreements that an
individual railroad will use to complete mandatory PTC implementation.
FRA will measure the railroad's progress in meeting the required
implementation date based on the schedule and other information in the
PTCIP. While the proposed rule does not specify or mandate any format
[[Page 35979]]
for the PTCIP, it must at least clearly indicate which portions are
intended to address compliance with the various plan requirements under
Sec. 236.1011. The PTCIP must also clearly identify each referenced
document and either include a copy of each document (or its applicable
excerpt)
or indicate where FRA and the public may view that document. Should FRA
not be able to readily determine adequate response to the required
information, FRA will assume that the information has not been
submitted, and will handle the document accordingly. The lack of the
required information may result in FRA's disapproval of a PTCIP. To
facilitate timely and successful submittals, FRA, through assistance
from a PTCIP Task Force drawn from the PTC Working Group, is developing
a template that could be used to format the documents that must be
submitted. FRA, however, wishes to emphasize that the use of such a
template is strictly voluntary, and encourages railroads to prepare and
submit the documents in whatever structure is most economical for the
railroad. FRA does not believe it is necessary to require that the
railroads expend their limited resources in reformatting of documents
when such an activity adds no real value. However, while the template
may be a useful tool, and in light of the various forms a PTCIP may be
required to take due to the system the railroad intends to implement,
complete adherence to the template will not guarantee FRA approval of
the submitted PTCIP.
FRA expects each PTCIP to include various highly specific and
descriptive elements relating to each railroad's infrastructure and
operations. FRA recognizes that to manually assemble each piece of data
into a PTCIP may be exceptionally onerous and time consuming and may
make the PTCIP prone to errors. In light of the foregoing and due to
the statutory requirement that Congress be apprised of the progress of
the railroad carriers in implementing their PTC systems, FRA believes
that electronic submission of much of this information may be warranted
and preferred. To facilitate collection of this data, FRA proposes to
require submission of this data in electronic format. Such electronic
submission would fulfill the requirements under Sec. 236.1011 to which
they apply.
FRA believes that the preferred, least costly, and least error-
prone method to comply with Sec. 236.1011 is for railroads to submit
an electronic geographic digital system map containing the
aforementioned segment attribute information in shapefile format, which
is a data format structure compatible with most Geographic Information
System (GIS) software packages. Using a GIS provides an efficient means
for organizing basic transportation-related geographic data to
facilitate the input, analysis, and display of transport networks.
Railways around the world rely on GIS to manage key information for
rail operations, maintenance, asset management, and decision support
systems. FRA believes that the railroads may have already identified
track segments, and their physical and operational characteristics, in
shapefile format. For instance, FRA believes that it may be preferable
that for each track segment, a shapefile should provide the following
identifiable information: Owning railroad(s); distance; signal system;
track class; subdivision; number and location of sidings; maximum
allowable speed; number and location of mainline tracks; annual volume
of gross tonnage; annual number of cars carrying hazmat; annual number
of cars carrying PIH; passenger traffic volume; average daily through
trains; WIUs; switches; and at-grade rail-to-rail crossings. The
requirements under paragraph (a) may be changed to accommodate any of
these informational elements. FRA seeks comments on this proposal.
Paragraph (a)(1) proposes that the railroad describe the technology
that will be employed in its PTC system. Here, FRA intends to use the
term ``technology'' broadly to include all applicable tools, machines,
methods, and techniques.
In proposed paragraph (a)(2), FRA addresses the statutory
requirements that the PTCIP shall describe how the PTC system will
provide interoperability with movements of trains of other railroad
carriers over its lines. Practically speaking, this means that each
locomotive operating within PTC territory must be able to communicate
with and respond to the PTC systems installed on each PTC territory's
track and signal system, except in limited situations established
elsewhere in this proposed rule. For similar reasons, paragraph (a)(3)
proposes that the PTCIP should describe how the PTC system will provide
for interoperability of the system between the host and all tenant
railroads on the lines required to be equipped with PTC systems under
this subpart.
Interoperability means the ability of diverse systems and
organizations to work together (inter-operate), taking into account the
technical, operational, and organizational factors that may impact
system-to-system performance. FRA expects each PTC system required by
subpart I to exhibit syntactic interoperability--so that it may
successfully communicate and exchange data with other PTC systems--and
semantic interoperability--so that it may automatically, accurately,
and meaningfully interpret the exchanged information to prove useful to
the end user of each communicating PTC system. To achieve semantic
interoperability, both sides must defer to a common information
exchange reference model. In other words, the content of the
information sent must be the same as what is received and understood.
Taking syntactic and semantic interoperability together, FRA expects
each PTC system to provide services to, and accept services from, other
PTC systems and to use those services exchanged to enable the PTC
systems to operate effectively together and to provide the intended
results. The degree of interoperability should be defined in the PTCIP
when referring to specific cases.
Interoperability is achieved through four interrelated means:
Product testing, industry and community partnership, common technology
and intellectual property, and standard implementation.
Product testing includes conformance testing and product
comparison. Conformance testing ensures that the product complies with
an appropriate standard. FRA recognizes that certain standards attempt
to create a framework that would result in the development of the same
end product. However, many standards apply only to core elements and
allow developers to enhance or otherwise modify products as long as
they adhere to those core elements. Thus, if an end product is
developed in different ways to conform to the same standard, there may
still be discrepancies between each instantiation of the end product
due to the existence of those variables. Accordingly, FRA believes that
comparison testing must also occur to ensure that each instantiation of
the same product, regardless of the means upon which it is created to
meet the same standard, is ultimately identical. With regard to PTC
systems, such comparison testing must occur on all portions that relate
to each system's interoperability with other systems. Thus, it is also
important that the PTC system be formally tested in a production
scenario--as it will be finally implemented--to ensure that it will
actually intercommunicate and interoperate with other PTC systems as
advertised and intended.
To reach interoperability between the various applicable PTC
systems, each PTCDP must also show that the systems share common
product engineering.
[[Page 35980]]
Product engineering refers to the common standard, or a sub-profile
thereof, as defined by the industry and community partnerships,
specifically intended to achieve interoperability. Without common
product engineering, the systems will be unable to intercommunicate or
otherwise interact as necessary to comply with the proposed rule.
FRA expects that each interoperability standard for PTC systems
will be developed by a partnership between various industry
participants. Industry and community partnerships, either domestic or
international, usually sponsor standard workgroups to define a common
standard to provide system intercommunications for a specific purpose.
At times, an industry or community will sub-profile an existing
standard produced by another organization to reduce options and thus
make interoperability more achievable. Thus, in each PTCDP, the
railroad must discuss how it developed or adopted a standard commonly
accepted by that partnership.
Means of achieving interoperability include having the various
entities involved use the same PTC system product or obtain its
components from the same developer. While FRA does not necessarily
require this approach--since the agency seeks to maintain an open and
competitive marketplace--FRA believes that this is a suitable means to
achieve interoperability. This technique may provide similar technical
results when using PTC system products from different vendors relying
on the same intellectual property. FRA recognizes that certain
developers with an intellectual property interest in a particular
technology may provide a non-exclusive license of their intellectual
property to another entity so that the licensee may introduce into the
marketplace a substantially similar product reliant on that
intellectual property. In such a case, FRA foresees that the use of a
common PTC system technology--even if it is proprietary to a single or
multiple entities and licensed to railroads--could reduce the
variability between components, thus providing for a more efficient
means to achieve interoperability.
In order for interoperability to actually occur between multiple
entities' PTC systems, there must be some standard to which they all
adhere. Thus, FRA also expects that each PTCDP will provide assurances
of a common interoperability standard agreed to between all entities
using PTC systems that must interoperate.
Since each of these interrelated means has an important role in
reducing variability in intercommunication, each railroad's PTCIP must
clearly describe the elements required under paragraph (a)(1)-(3).
Much of the remaining information required in a PTCIP under the
proposed rule relies on the location, length, and characteristics of
each track segment. Therefore, a common understanding of a track
segment is necessary. A track is the main designation for describing a
physical linear portion of the network. Each line of railroad has a
station location referencing system, which serves to locate inventory
features and defects along the length of the track. Because some tracks
can be very long, track segments are established to divide the track
into smaller ``management units.'' Typically, segment boundaries are
established at point of switch (POS) locations, but may also be located
at mile markers, grade crossings, or other readily identifiable
locations. Inspection, condition assessment, and maintenance planning
are performed individually on each segment. After the track network
hierarchy is established, the attribute information associated with
each track is defined. This attribute information describes the track
layout (e.g., curves and grades), the track structure (e.g., rail
weights and tie specifications), track clearance issues, and other
track related items such as turnouts, rail-to-rail at-grade crossings,
highway-rail grade crossings, drainage culverts, and bridges. Inventory
information about these track attributes can be quite detailed. A
complete and accurate track inventory provides a record of the track
network's properties and information about the existing track
materials at the specific locations when maintenance or repair is
necessary.
Proposed paragraphs (a)(4) and (a)(5) require the railroad to put
its entire implementation plan into an understandable context,
primarily as it relates to the sequence and schedule of line segment
implementation events. Under RSIA08, Sec. 20157(a)(2), Congress
requires each subject railroad, in its PTCIP, to describe how it shall,
to the extent practical, implement the PTC system in a manner that
addresses areas of greater risk before areas of lesser risk.
Accordingly, under paragraph (a)(4), the PTCIP must discuss the
railroad's areas of risk and the criteria by which these risks were
evaluated and prioritized for PTC system implementation. To this end,
the railroad must clearly identify all track segments that must be
equipped, the basis for that decision for each segment (which might be
done by categories of segments), and, as provided in paragraph (a)(5),
the dates that implementation of each segment will be completed, taking
into account the time necessary to fulfill the procedural requirements
related to PTCSP submission, review, and approval. At a minimum, the
deployment decisions must be based on segment traffic characteristics
such as passenger and freight traffic volumes, the quantity of PIH and
other hazardous materials, current methods of operations, existence of
block signals and other traditional train control technologies, the
number and class of tracks, authorized and allowable speeds for each
segment, and other unusual characteristics that may adversely impact
safety, such as unusual ruling grades and other track geometries. In
cases where deployment of the PTC system cannot be accomplished in
order of areas with the greatest risk to areas with the least risk,
paragraph (a)(9) proposes that the railroad must explain why such a
deployment was not practical and the steps that will be taken to
minimize adverse consequences to the public until the line segment can
be equipped.
Proposed paragraphs (a)(6) and (a)(7) require the PTCIP to include
information regarding the rolling stock and wayside devices that will
be equipped with the appropriate PTC technology. For a PTC system to
work as intended, PTC system components must be installed and operated
in all applicable offices and on all applicable onboard and wayside
subsystems. Accordingly, the PTCIP must identify which technologies
will be installed on each subsystem and when they are scheduled to be
installed.
Under paragraph (a)(6), each host railroad filing the PTCIP must
include a comprehensive list of all rolling stock upon which a PTC
onboard apparatus must be operative. FRA understands that in most
situations, the rolling stock referenced in paragraph (a)(6) may only
apply to lead locomotives. However, in the interest of not hindering
creative technological innovations, FRA presumes the possibility that
PTC system technology may also be attached to additional rolling stock
to provide other functions, including determining train capacity and
length or providing certain acceptable and novel train controls. To be
kept apprised of these possibilities, FRA is proposing in paragraph
(a)(6) that each PTCIP include a list of all rolling stock equipped
with PTC technology. FRA believes that the PTCIP should also identify
any risks associated with trains operated by tenant railroads and not
equipped with
[[Page 35981]]
PTC system technology and the efforts that the host railroad has made
to establish the extent of that risk. Although FRA believes that this
is inherent to reviewing the risk in the system, FRA asks for comment
as to whether a requirement should be specifically called out in the
rule text.
FRA understands that a host railroad may not receive cooperation
from a tenant railroad in collecting the necessary rolling stock
information. Nevertheless, FRA expects each host railroad to make a
good faith effort. Identification of those tenant railroads that the
host railroad attempted to obtain the requisite and applicable
information from and that failed to address a host railroad's written
request may establish a good faith effort by the host railroad.
Proposed paragraph (a)(7) requires the PTCIP to provide a detailed
schedule of WIU installation and the railroad to subsequently report on
that installation.
The selection and identification of a technology selected as part of
the PTCIP will also, to a great extent, determine the distribution of
the functional behaviors of each of the PTC subsystems (e.g., office,
wayside, communications, and back office). The WIU is a type of remote
terminal unit (RTU) that is part of a larger PTC system, which is a
type of Supervisory Control and Data Acquisition System (SCADA). As a
whole, the safe and efficient operation of a SCADA--a centralized
system that covers large areas, monitors and controls systems, and
passes status information from, and operational commands to, RTUs--is
largely dependent on the ability of each of its RTUs to accurately
receive and distribute the required information. As such, a PTC system
cannot properly operate without properly functioning WIUs to provide
and receive status information and react appropriately to control
information.
It is commonly understood that a WIU device is capable of
communicating directly to the office, train, or other wayside unit. FRA
recognizes that the number of WIUs may not equal the number of devices
that they monitor. Depending on the architecture and technology used, a
single WIU may communicate the necessary information as it relates to
multiple devices. FRA is comfortable with this type of consolidation
provided that, in the event of a failure of any one of the devices
being monitored, the most restrictive condition will be transmitted to
the train or office, except where the system may uniquely identify the
failed device in a manner that will provide safe movement of the train
when it reaches the subject location.
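The consolidation condition described above, sketched as an added
example (it is not part of the proposed rule or of any railroad's or
supplier's design). The Condition ordering, the Reading fields, the
MAX_AGE_S staleness limit and the device names are all assumptions made
for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Condition(IntEnum):
    """Reported state; a higher value is more restrictive (assumed ordering)."""
    PERMISSIVE = 0
    RESTRICTING = 1
    MOST_RESTRICTIVE = 2


@dataclass(frozen=True)
class Reading:
    condition: Optional[Condition]  # None: the device returned nothing usable
    healthy: bool                   # device self-check result
    age_s: float                    # seconds since the device last reported


@dataclass(frozen=True)
class WiuStatus:
    conditions: Dict[str, Condition]  # what the train or office receives
    failed_devices: Tuple[str, ...]   # empty when a failure cannot be attributed


MAX_AGE_S = 5.0  # assumed staleness limit, not a value from the proposed rule


def device_failed(r: Reading) -> bool:
    """Unhealthy, silent and stale devices are all treated as failed."""
    return (not r.healthy) or r.condition is None or r.age_s > MAX_AGE_S


def build_status(readings: Dict[str, Reading],
                 can_identify_device: bool) -> WiuStatus:
    """Consolidate the readings of every device monitored by one WIU.

    If any device has failed and the message cannot single it out, every
    device is reported at the most restrictive condition. If the failed
    device can be uniquely identified, only that device is forced to the
    most restrictive condition and the others keep their real state.
    """
    failed = tuple(sorted(d for d, r in readings.items() if device_failed(r)))
    if not failed:
        return WiuStatus({d: r.condition for d, r in readings.items()}, ())
    if can_identify_device:
        conditions = {
            d: Condition.MOST_RESTRICTIVE if d in failed else r.condition
            for d, r in readings.items()
        }
        return WiuStatus(conditions, failed)
    # Failure cannot be attributed: fall back to most restrictive for all.
    return WiuStatus({d: Condition.MOST_RESTRICTIVE for d in readings}, ())


# Constructed sample: two switches and one signal behind a single WIU.
SAMPLE = {
    "SW-101": Reading(Condition.PERMISSIVE, healthy=True, age_s=0.4),
    "SIG-7": Reading(Condition.RESTRICTING, healthy=True, age_s=1.1),
    "SW-102": Reading(None, healthy=False, age_s=0.2),  # failed device
}

if __name__ == "__main__":
    print(build_status(SAMPLE, can_identify_device=False))
    print(build_status(SAMPLE, can_identify_device=True))
```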
Because of the critical role that WIUs play in the proper and safe
operation of PTC systems, paragraph (a)(7) proposes that the railroad
identify the number of WIUs required to be installed on any given
track segment and the schedule for installing the WIUs associated with
that segment. This information is necessary to fully and meaningfully
fulfill the RSIA08 requirement that by December 31, 2012, Congress
shall receive a report on the progress of the railroad carriers in
implementing PTC systems. See 49 U.S.C. 20157(d). To comply with this
statutory requirement, each railroad must determine the number of WIUs
it will need to procure and the location--as defined by the applicable
subdivision--where each WIU will be installed. FRA believes that if a
railroad does not perform these traditional engineering tasks, it will
risk exceeding the statutory implementation deadline of December 31,
2015. FRA considers this information an integral part of the PTCIP that
must be submitted to FRA for approval.
FRA recognizes the potential for technological improvements that
may modify the number and types of WIUs required. FRA also recognizes
that during testing and installation, it may be discovered that
additional WIU installation may be necessary. In either case, the
railroad will be required to submit an RFA in accordance with Sec.
236.1021 indicating how the railroad intends to appropriately revise
its schedule to reflect the resulting necessary changes. Nevertheless,
regardless of whether FRA approves or disapproves of the RFA, if a
railroad is required to submit its PTCIP by April 16, 2010,
implementation must still be completed by the statutory deadline of
December 31, 2015.
Under proposed paragraph (a)(8), each railroad must also identify
in its PTCIP which of its track segments are either main line or not
main line. This list must be made based solely on the statutory and
regulatory definitions regardless of whether FRA may later deem a track
segment as other than main line. If a railroad has a main line that it
believes should be considered not main line, it may file with the PTCIP
a main line track exception addendum (MTEA) in accordance with Sec.
236.1019, as further discussed below. Each track segment included in
the MTEA should be indicated as such on the list required under
paragraph (a)(8) so that the PTCIP accounts for each track segment with
an appropriate cross-reference to the subject MTEA.
To the extent the railroad determines that the risk-based
prioritization required by paragraph (a)(4) of this section is not
practical, paragraph (a)(9) requires that the plan call out the basis
for that determination. FRA recognizes that there may be situations where risk is
somewhat evenly distributed and where other factors related to
practical considerations--such as the need to establish reliable
operation of the system in less complex environments before installing
it in more complex environments--may be the prudent course. However,
the burden of establishing the reasonableness of this approach would be
on the railroad, starting with a showing that risk does not vary
substantially among the line segments in question.
As previously mentioned, Sec. 236.1005(a) requires each applicable
PTC system to be designed to prevent train-to-train collisions. Under
that section, FRA has proposed various requirements that would apply to
at-grade rail-to-rail crossings, also known as diamond crossings. While
the proposed rule text includes certain specific technical
requirements, it also provides the opportunity for each subject
railroad to submit an alternative arrangement providing an equivalent
level of safety as specified in an FRA approved PTCSP. Accordingly,
under proposed paragraph (a)(10), if the railroad intends to utilize
alternative arrangements providing an equivalent level of safety to
that of the table provided under Sec. 236.1005(a)(1)(i), each PTCSP
must identify those alternative arrangements and methods, with any
associated risk reduction measures, in its PTCSP.
Paragraph (b) contains proposed provisions related to further
deployment of PTC. As noted elsewhere in this preamble, the specific
characteristics of the PTC route structure, with the focus on PIH
traffic as an indicator of risk, were a late addition to the bill that
would become RSIA08, not having appeared in either the House or Senate
bills until the final package was assembled using consultations between
the committee staffs in lieu of a formal committee of conference.
Although the statutory construct (Class I rail line with 5 million
gross tons and some PIH materials) adequately defines most of the core
of the national freight rail system, it is a construct that will
introduce distortions at both ends of the spectrum of risk.
On one hand, a line with a maximum speed limit of 25 miles per hour
ending at a grain elevator that receives a few cars of anhydrous
ammonia per year is a ``main line'' if it has at least 5 million gross
tons of traffic (a very low threshold for a Class I railroad). This is
not a line without risk, particularly if it lacks wayside signals, but
FRA analysis
[[Page 35982]]
shows that the potential for a catastrophic release from a pressure
tank car is very low at an operating speed of 25 miles per hour, and
the low tonnage is likely associated with relatively infrequent train
movements--limiting the chance of a collision. As FRA understands the
congressional mandate, the law gives FRA little choice but to require
PTC under these circumstances.
On the other end of the spectrum, lines with greater risk may go
unaddressed. For instance, a line carrying perhaps a much higher level
of train traffic and significant volumes of other hazardous materials
at higher speeds, without any PIH or passenger traffic, would not be
equipped. This example is not likely to be present to any significant
extent under current conditions. However, should the Class I railroads
raise freight rates sufficiently to eliminate PIH traffic by making
rail transportation prohibitively expensive, the issue would be
presented as a substantial one. Most of the transportation risk--
including hazards to train crews and roadway workers and exposure to
other hazardous materials if released--would remain, but not the few
carloads of PIH. FRA believes that the intent of Congress with respect
to deployment of PTC might be defeated, even though the literal
language of the legislation would be satisfied. Other lines carrying
very heavy volumes of bulk commodities such as coal and intermodal
traffic may or may not include PIH traffic. Putting aside the risk
associated with PIH materials, significant risk exists to train crews
and persons in the immediate vicinity of the right-of-way if a
collision or other PTC-preventable accident occurs. Any place on the
national rail system is a potential roadway work zone, but special
challenges are presented in providing for on-track safety where train
movements are very frequent.
Risk on the larger Class II and III railroads' lines is also a
matter of concern, and the presence of significant numbers of Class I
railroad trains on some of those properties presents the opportunity
for further risk reduction, since over the coming years virtually all
Class I railroad locomotives will be equipped with PTC onboard
apparatuses. Examples include trackage and haulage rights retained over
Class II and III railroads following asset sales in which the Class I
railroads divested the subject lines. Other prominent examples involve
switching and terminal railroads, the largest of which are owned and
controlled by two or more Class I railroads and function, in effect, as
extensions of their systems. Conrail Shared Assets, a large regional
switching railroad that is owned by NS and CSXT and is comprised of
major segments of the former Conrail, then a Class I railroad, is
perhaps the classic example.
FRA notes that there has also been a trend, only recently and
temporarily abated by the downturn in the economy, toward higher train
counts on some non-signaled lines of the Class I railroads. On a train-
mile basis, these operations present about twice the risk of similar
operations on signalized lines. These safety gaps need to be filled;
and, while most will be filled due to the presence of PIH traffic, FRA
cannot verify that this is the case in every instance.
FRA concludes that the mandated deployment of PTC will leave some
substantial gaps in the Class I route structure, including gaps in some
major urban areas. FRA believes that these gaps will, over time, be
``filled in'' by voluntary actions of the Class I railroads as they
establish the reliability of their PTC systems, verify effective
interoperability, and begin to enjoy the safety and other business
benefits from use of these systems. FRA fully understands both the
desire of the labor stakeholders in the PTC Working Group to see a
broader build-out of PTC systems than that ``minimally'' required by
RSIA08 and the concerns of the Class I railroads' representatives who
noted the extreme challenge associated with equipping tens of thousands
of wayside units, some 20,000 locomotives, and their dispatching
centers' back offices within the statutory implementation period.
The Congress recognized that all of these issues are legitimate
concerns and so mandated the establishment of Risk Reduction Programs
under the same legislation. Section 103 of RSIA08 codifies language
that includes, within the Risk Reduction Program, a Technology
Implementation Plan that is specifically required to address technology
alternatives, including PTC. Accordingly, the PTC and Risk Reduction
provisions in RSIA08 are clearly aligned in purpose; and there are also
references in the technology plan elements of the Risk Reduction
language that address installation of PTC by other railroads. Further,
FRA has been charged with a separate rulemaking under section 406 of
RSIA08 regarding risk in non-signaled (dark) territory that
significantly overlaps the issue set in this rulemaking and the Risk
Reduction section. Use of technologies that are integral to PTC systems
constitutes the best response to hazards associated with non-signaled
lines. Switch position monitoring systems, track integrity circuits,
digital data links and other technology used to address dark territory
issues should be and, as presently conceived, are forward-compatible
with PTC. FRA proposes in paragraph (b) to dovetail these requirements
by requiring that each Class I railroad include in its PTCIP deployment
strategies indicating how it will approach the further build-out of
full PTC, or partial implementation of PTC (e.g., using PTC technology
to prevent train-to-train collisions but perhaps not monitoring all
switches in the territory; or using PTC to protect movements of the
Class I over a switching or terminal railroad without initially
requiring all controlling locomotives of the switching or terminal
railroad to be equipped). These railroads would then be required to
include in the technology elements of their initial Risk Reduction
plans a specification of which lines will be equipped and with what PTC
system elements. Proposed paragraph (b) makes clear that there would be
no expectation regarding additional lines being equipped until those
mandated by subpart I have been addressed. FRA shares the view of the
Class I railroads and the passenger railroads that the December 31,
2015, deadline already presents a substantial challenge for railroads,
suppliers and the employees affected.
Paragraph (c) proposes to codify in regulation the statutory
mandate that FRA review the PTCIP and determine, within 90 days of
receipt of the plan, whether to provide its approval or disapproval.
FRA believes it is also important to provide procedural rules to
communicate approval or disapproval. Thus, under paragraph (c), FRA
proposes that any approval or disapproval of a PTCIP requires FRA to
provide written notice. In the event that FRA disapproves of the PTCIP,
the notice will also include a narrative explaining the reasons for
disapproval. Once the railroad receives notification that its PTCIP has
been disapproved by FRA, it will have 30 days to resubmit its PTCIP for
review and approval. While FRA may provide assistance to remedy a
faulty PTCIP, it is ultimately the railroad's responsibility and burden
to develop and submit a PTCIP worthy of FRA approval. A railroad may be
subject to civil penalties if it fails to timely file its PTCIP under
this section. As noted previously, subpart I applies to each railroad
that Congress and FRA have mandated to install a PTC system. A railroad
that is not required to install a PTC system may still do so of its
own volition. In such a case, it may
[[Page 35983]]
seek approval of its system under either subpart H or I.
Paragraph (d) intends to make this choice clear.
Paragraph (e) responds to comments by labor organizations in the
PTC Working Group. These employee representatives sought the
opportunity to comment on major PTC filings. The paragraph provides
that, upon receipt of a PTCIP, PTCDP, or PTCSP, FRA posts on its public
Web site notice of receipt and reference to the public docket in which
a copy of the filing has been placed. FRA may consider any public
comment on each document to the extent practicable within the time
allowed by law and without delaying implementation of PTC systems. The
version of any filing initially placed in the public docket would be
the redacted copy as filed by the railroad. If FRA later determined
that additional material was not deserving of protection as
confidential, that material would be added to the docket.
Section 236.1013 PTCDP Content Requirements and Type Approval
As noted in the discussion above regarding Sec. 236.1009, each
PTCSP must be submitted with a Type Approval number identifying a PTC
system that FRA believes could fulfill the requirements of subpart I.
Under Sec. 236.1009, a railroad may submit an existing Type Approval
number in lieu of a PTC Development Plan (PTCDP) if the PTC system it
intends to implement and operate is identical to the one described in
that Type Approval's associated PTCDP. In the event, however, that a
railroad intends to install a system for which a Type Approval number
has not yet been assigned, or to use a system with an assigned Type
Approval number that may have certain variances to its safety-critical
functions, then the railroad must submit a PTCDP to obtain a new Type
Approval number.
The PTCDP is the core document that provides the Associate
Administrator sufficient information to determine whether the PTC
system proposed for installation by the railroad could meet the
statutory requirements for PTC systems specified by RSIA08 and the
regulatory requirements under subpart I. Issuance of a product Type
Approval number is contingent upon the approval of the PTCDP by the
Associate Administrator. While filing of a PTCDP is optional in the
sense that the railroad may proceed directly to submission of the PTCSP
by the April 16, 2010 deadline (see Sec. 236.1009), FRA encourages
railroads engaged in joint operations to do so. Approval of the PTCDP,
and issuance of a Type Approval, presents the opportunity for other
railroads to reduce the effort required to obtain a PTC System
Certification. If a Type Approval for a PTC system exists, another
railroad may also use that Type Approval provided there are no
variances in the system as described in the Type Approval's PTCDP. In
such cases, the other railroad may avoid submitting its own PTCDP by
simply incorporating by reference the supporting information in the
Type Approval's PTCDP and certifying that no variances in the PTC
system have been made.
This proposed section describes the contents of the PTCDP required
to obtain FRA approval in the form of issuance of a Type Approval
number. The proposed provisions of this section require each PTCDP to
include all the elements and practices listed in this section to
provide reasonable assurance that the subject PTC system will meet the
statutory requirements and is developed consistent with generally-
accepted principles and risk-oriented proof of safety methods
surrounding this technology. FRA believes it is necessary to include
the provisions contained in this section in order to provide reasonable
assurance that the product, when developed and deployed, will have no
adverse impact on the safety of railroad employees, the public, and the
movement of trains.
FRA recognizes that much of the information required by Sec.
236.1013 normally resides with the PTC system's developer or supplier
and not the client railroad. While FRA expects that each
railroad and its PTC system supplier may jointly draft a PTCDP, the
railroad has the primary responsibility for the safety of its
operations and for providing the information required under Sec.
236.1013. Accordingly, each railroad required to submit a PTCDP under
subpart I should make the necessary arrangements to ensure that the
requisite information is readily available from the supplier for
submission to the agency. FRA believes that suppliers and railroads
will develop a PTCDP for most products that adequately address the
requirements of the new subpart without substantial additional expense.
As part of the design and evaluation process, it is essential to ensure
that an adequate analysis of the features and capabilities is made to
minimize the possibility of conflicts resulting from any use or
feature, including a software fault. Since this analysis is a normal
cost of software engineering development, FRA does not believe this
requirement imposes any additional significant costs beyond what should
already be done when developing safety-critical software.
In proposed Sec. Sec. 236.1013 and 236.1015, various adjectives
may precede several of the requirements. For instance, certain
paragraphs require ``a complete description,'' ``a detailed
description,'' or simply a ``description.'' These phrases are inherited
from subpart H. Their inclusion in subpart I is similarly not intended
to imply that any description should be more or less detailed or
complete than any other description required. Rather, they are included
merely for the purposes of emphasis.
Paragraph (a)(1) proposes to require that the PTCDP include system
specifications that describe the overall product and identify each
component and its physical relationship in the system. FRA will not
dictate specific product architectures, but will examine each PTC
system to fully understand how its various parts interrelate. Safety-
critical functions in particular will be reviewed to determine whether
they are designed to be fail-safe. FRA believes this provision is an
important element that can be applied to determine whether safety is
maximized and maintainability can be achieved.
Paragraph (a)(2) proposes to require a description of the operation
where the product will be used. Upon receipt of this information within
a PTCDP, FRA will have better contextual knowledge of the product as it
applies to the type of operation on which it is designed to be used.
Where operational behaviors are not applicable to a particular
railroad, or the product design is not intended to address a particular
operational behavior, FRA would expect a short statement indicating
which operational characteristics do not apply and why they are not
applicable.
Paragraph (a)(3) proposes that the PTCDP include a concept of
operations, a list of the product's functional characteristics, and a
description explaining how various components within the system are
controlled. FRA expects that the information provided under paragraphs
(a)(2) and (a)(3) will together provide a thorough understanding of the
PTC system. FRA will review this information--primarily by comparing
the subject PTC system's functionalities with those underlying
principles contained in standards for existing signal and train control
systems--to determine whether the PTC system is designed to account for
all relevant safety issues. While FRA proposes to not prescribe PTC
system design standards, FRA expects that each applicant compare the
concepts contained in existing standards to the
[[Page 35984]]
operational concepts, functionalities, and controls contemplated for
the PTC system in order to determine whether a sufficient level of
safety will be achieved. For example, the proposed requirements
prescribe that where a track relay is de-energized, a switch or derail
is improperly lined, a rail is removed, or a control circuit is opened,
each signal governing movements into the subject block occupied by a
train, locomotive, or car must display its most restrictive aspect for
the safety of train operations. The principle behind the requirement is
that, when a condition exists in the operating environment, or with
respect to the functioning of the system, that entails a potential
hazard, the system will assume its most restrictive state to protect
the safety of train operations.
Paragraph (a)(4) proposes that each PTCDP include a document that
identifies and describes each safety-critical function of the subject
PTC system. The product architecture includes both hardware and
software aspects that identify the protection developed against random
hardware faults and systematic errors. Further, the document should
identify the extent to which the architecture is fault tolerant. FRA
intends to use this information to determine whether appropriate safety
concepts have been incorporated into the proposed PTC system. For
example, existing regulations require that when a route has been
cleared for a train movement, it cannot be changed until the governing
signal has been caused to display its most restrictive indication and a
predetermined time interval has expired where time locking is used or
where a train is in approach to the location where approach locking is
used. FRA intends to use this information to determine whether all the
safety-critical functions are included. Where such functionalities are
not clearly determined to exist as a result of technology development,
FRA will expect the reasoning to be stated and a justification provided
describing how that technology provides the required level of safety.
Where FRA identifies a void in safety-critical functions, FRA may not
approve the PTCDP until remedial action is taken to rectify the
concern.
FRA recognizes that the information required under paragraph (a)(4)
may already be provided when complying with paragraph (a)(1). In such a
case, the railroad shall cross reference where in the PTCDP both
paragraphs (a)(1) and (a)(4) are jointly satisfied.
Paragraph (a)(5) proposes to require that each PTCDP address the
minimum requirements under Sec. 236.1005 for development of safety-
critical PTC systems. FRA expects the information provided under
paragraph (a)(5) to cover: identification of all safety requirements
that govern the operation of a system; evaluation of the total system
to identify known or potential safety hazards that may arise over the
life-cycle of the system; identification of all safety issues during
the design phase of the process; elimination or reduction of the risks
posed by the hazards identified; resolution of safety issues presented;
development of a process to track progress; and development of a
program of testing and analysis to demonstrate that safety requirements
are met. Paragraph (a)(5) also requires that each railroad identify the
PTC system's safety assurance concepts.
Paragraph (a)(6) proposes to require a submission of a preliminary
human factors analysis that addresses each applicable human-machine
interface (HMI) and all proposed product functions to be performed by
humans to enhance or preserve safety. FRA expects this analysis to
place special emphasis on proposed human factors responses--and the
result of any failure to perform such a response--to safety-critical
hazards, including the consequences of human failure to perform. For
each HMI, the PTCDP should address the proposed basis of assumptions
used for selecting each such interface, its potential effect upon
safety, and all potential hazards associated with each interface. Where
more than one employee is expected to perform duties dependent upon HMI
input or output, the analysis must address the consequences of failure
by one or multiple employees. FRA intends to use this information to
determine the proposed HMI's effect upon the safety of railroad
operations. The preliminary human factors analysis must propose how the
railroad or its PTC system supplier plans to address the HMI criteria
listed in Appendix E to part 236 or any alternatives proposed by the
railroad and deemed acceptable by the Associate Administrator.
Paragraph (a)(6) also proposes that the PTCDP explain how the
proposed HMI will affect interoperability. RSIA08 requires that each
subject railroad explain how it intends to obtain system
interoperability. The ability of a train crew member to operate another
railroad's PTC system significantly depends upon a commonly understood
HMI. The HMI provides the end user with a method of interacting with
the underlying system and accessing the PTC functionality. FRA expects
that each railroad will adopt an HMI standard that will ensure ease of
use of the PTC system both within, and between, railroads.
Paragraph (a)(7) proposes to require an analysis regarding how
subparts A through G of part 236 apply, or no longer apply, to the
subject PTC system. FRA recognizes that while a PTC system may be
designed in accordance with the underlying safety concepts of subparts
A through G, the specific existing requirements contained in those
subparts are not applicable. In any event, the PTCDP must identify each
pertinent requirement considered to be inapplicable, fully describe the
alternative method used to fulfill that underlying safety concept, and
explain how the proposed PTC system supports the underlying safety
principle. FRA notes that certain sections in subparts A through G may
always be applicable to PTC systems certified under subpart I.
FRA is concerned about all dimensions of system security. Thus,
paragraph (a)(8) proposes to require the PTCDP to include a description
of the security measures necessary to meet the specifications for each
PTC system. Security is an important element in the design and
development of PTC systems and covers issues such as developing
measures to prevent hackers from gaining access to software and to
preclude sudden system shutdown, mechanisms to provide message
integrity, and means to authenticate the communicating parties. Safety
and security are two closely related topics. Both are elements for
ensuring that a subject is protected and without risk of harm. In the
industrial marketplace, the goals of safety and security are to create
an environment protecting assets from hazards or harm. While activities
to ensure safety usually relate to the possibility of accidental harm,
activities to ensure security usually relate to protecting a subject
from intentional malicious acts such as espionage, theft, or attack.
Since system performance may be affected by either inadvertent or
deliberate hazards or harms, the safety and security involved in the
implementation and operation of a PTC system must both be considered.
Integrated security recognizes that optimum protection comes from
three mutually supporting elements: physical security measures,
operational procedures, and procedural security measures. Today, the
convergence of information and physical security is being driven by
several powerful forces, including: interdependency, efficiency and
organizational simplification, security awareness, regulations,
directives, standards, and the evolving global communications
infrastructure. Physical security describes measures
[[Page 35985]]
that prevent or deter attackers from accessing a facility, resource, or
information stored on physical media and guidance on how to design
structures to resist various hostile acts. Communications security
describes measures and controls taken to deny unauthorized persons
information derived from telecommunications and ensure the authenticity
of such telecommunications. Because of the integrated nature of
security, FRA expects that each PTCDP will address security as a
holistic concept, and not be restricted to limited or specific aspects.
Paragraph (a)(9) proposes to require documentation of assumptions
concerning reliability and availability targets of mechanical,
electrical, and electronic components. When building a PTC system,
designers may make numerous presumptions that will directly impact
specific implementation decisions. These fundamental assumptions
usually come in the form of data (e.g., facts collected as the result
of experience, observation or experiment, or processes, or premises)
that can be randomly sampled. FRA does not expect to audit all of the
fundamental assumptions on which a PTC system has been developed.
Instead, FRA envisions sampling and reviewing fundamental assumptions
prior to product implementation and after operation for some time. FRA
expects that the data sampled may vary, depending upon the PTC system.
It is not possible to provide a single set of quantitative numbers
applicable to all systems, especially when systems have yet to be
designed and for which the fundamental assumptions are yet to be
determined. Quantification is part of the risk management process for
each project. FRA believes that the actual performance of the system
observed during the pre-operational testing and post-implementation
phases will provide indications of the validity of the fundamental
assumptions. FRA proposes that this review process will occur for the
life of the PTC system (i.e., as long as the product is kept in
operation). The depth of details required will depend upon what FRA
observes. The range of difference between a PTC system's predicted and
actual performance may indicate to FRA the validity of the underlying
fundamental assumptions. Generally, if the actual performance matches
the predicted performance, FRA believes that it will not have to
extensively review the fundamental assumptions. If the actual
performance does not match predicted performance, FRA may need to more
extensively review the fundamental assumptions.
FRA expects each subject railroad to confirm the validity of
initial assumptions by comparing them to actual in-service data. FRA is
aware that mechanical and electronic component failure rates and times
to repair are easily quantified data, and usually are kept as part of
the logistical tracking and maintenance management of a railroad. FRA
believes that this proposed criterion will enhance the quality of risk
assessments conducted pursuant to this subpart by forcing PTC system
designers and users to consider the long-term effects of operation over
the course of the PTC system's projected life-cycle. If a PTC system
can be used beyond its design life-cycle, FRA expects that any
continued use would be only under a waiver provided in accordance with
part 211 or under a PTCDP or PTCSP amended in accordance with Sec.
236.1021. In its request for waiver or request for amendment, the
railroad should address any new risks associated with the life-cycle
extension.
Paragraph (a)(9) also proposes to require specification of the
target safety levels. This includes the identity of each potential
hazard and how the events leading to a hazard will be identified for
each safety-critical subsystem; the proposed safety integrity level of
each safety-critical subsystem; and the proposed means by which
accomplishment of these targets will be evaluated. This paragraph also
requires identification of the proposed backup methods of operation and
safety-critical assumptions regarding availability of the product. FRA
believes this information is essential for making determinations about
the safety of a product and both the immediate and long-term effect of
its failure. FRA contends that availability is directly related to
safety to the extent the backup means of controlling operations
involves greater risk (either inherently or because it is infrequently
practiced).
Paragraph (a)(10) proposes to require a complete description of how
the PTC system will enforce all pertinent authorities and block signal,
cab signal, or other signal related indications. FRA appreciates that
not all PTC architectures will seek to enforce the speed restrictions
associated with intermediate signals directly, but nevertheless a clear
description of these functions is necessary for clarity and evaluation.
Proposed paragraph (a)(11) requires that, if the railroad is
seeking to deviate from the requirements of section 236.1029 with
respect to movement of trains with onboard equipment that has failed en
route using the flexibility provided by paragraph (c) of that section,
a justification must be provided in the PTCDP. Paragraph (c) of
proposed Sec. 236.1029 provides that, in order for a PTC train that
operates at a speed above 90 miles per hour to deviate from the
operating limitations contained in paragraph (b) of that section, the
deviation must be described and justified in the FRA approved PTCDP or
PTCSP, or by reference to an Order of Particular Applicability, as
applicable. For instance, if Amtrak wished to continue to operate at up
to 125 miles per hour with cab signals and automatic train control in
the case of failure of onboard ACSES equipment, Amtrak would request to
do so based on the applicable language of the Order of Particular
Applicability that required installation of that system on portions of
the Northeast Corridor. Similarly, a railroad wishing more liberal
requirements for a high speed rail system on a dedicated right-of-way
could request that latitude by explaining how the safety of all
affected train movements would be maintained.
Paragraph (a)(12) requires a complete description of how the PTC
system will appropriately and timely enforce all hazard detectors that
are interconnected with the PTC system in accordance with Sec.
236.105(c)(3), as may be applicable.
Proposed paragraph (b) specifies the approval standard that will be
employed by the Associate Administrator. The PTCDP is not expected to
provide absolute assurance to the Associate Administrator that every
potential hazard will be eliminated with complete certainty. It only
needs to establish that the PTC system meets the appropriate statutory
and regulatory requirements for a PTC system required under this
subpart, and that there is a reasonable chance that once built, it will
meet the required safety standards for its intended use. FRA emphasizes
that approval of a PTCDP and issuance of a Type Approval does not
constitute final approval to operate the product in revenue service.
Such approval only comes when the Associate Administrator issues an
applicable PTC System Certification.
Paragraph (c) proposes a time limit on the validity of a Type
Approval. Provided that at least one product is certified within the
5-year period after issuance of the Type Approval, the Type Approval
remains valid until final retirement of the system. The main purpose of
this requirement is to incentivize installation, not just creation, of
a PTC system. This paragraph would also allow FRA to periodically clean
out its records
[[Page 35986]]
relating to Type Approvals and PTCDPs for obsolete PTC systems.
Paragraph (d) proposes the conditions under which a Type Approval
may be used by another railroad. These conditions consist of the
railroad maintaining a continually updated PTCPVL pursuant to Sec.
236.1023(c) and the railroad providing licensing information associated
with the use of the Type Approval. Under paragraph (d), FRA intends to
ensure the implementation of the proper technology and not any orphan
product using apparently similar, but actually different, technology.
When a railroad submits a previously issued Type Approval for its PTC
system, FRA expects that all the proper licensing agreements providing
for continued use and maintenance of the PTC system are in place. To
ensure FRA's confidence in this area, FRA proposes to require each Type
Approval submission to include this relevant licensing information. FRA
recognizes that there may be various licensing arrangements available
relating to the exclusivity and sublicensing of manufacturing or
vending of a particular PTC system. There may be other intellectual
property variables that may make arrangements even more complex. To
adequately capture all applicable arrangements, FRA proposes to
generally require the submission of ``licensing information.'' More
specific language may preclude FRA's ability to collect information
necessary to fulfill its intent. If any of this information were to
change, either through any type of sale, transfer, or sublicense of any
right or ownership, then FRA would expect the railroad to submit a
request for amendment of its PTCDP in accordance with Sec. 236.1021.
FRA recognizes that this may be difficult for a railroad to accomplish,
given the railroad may not be privy to any intellectual property
transactions that may occur outside of its control. In any event, FRA
would expect that a railroad would ensure, either through contractual
obligation or otherwise, that its vendor or supplier provide it with
updated licensing information on a continuing basis. FRA seeks comments
on this proposal.
Paragraph (e) proposes to require that a railroad submitting a
PTCDP demonstrate that its vendor has a suitable quality control
system. This requirement provides protection to the railroad and FRA
that there is a reasonable probability that the vendor can design and
manufacture the product such that it will meet the design targets
specified in paragraph (a). FRA expects that compliance with paragraph
(e) will eliminate the operation of a PTC system where its vendor has
inadequate quality control procedures and processes to support the
proper development of a safety critical product.
Paragraph (f) proposes language retaining the Associate
Administrator's ability to impose any conditions necessary to ensure
the safety of the public, train crews, and train operations when
approving the PTCDP and issuing a Type Approval. While FRA expects that
adherence to the remainder of this section's requirements should
justify issuance of a Type Approval, FRA also recognizes that there may
be situations where other unaccounted for variables may reduce the
Associate Administrator's confidence in the PTC system, its
manufacturer, supplier, vendor, or operator.
Section 236.1015 PTCSP Content Requirements and PTC System
Certification
The PTC Safety Plan (PTCSP) is the core document that provides the
Associate Administrator the information necessary to certify that the
as-built PTC system fulfills the required statutory PTC functions and
is in compliance with the requirements of this subpart. Issuance of a
PTC System Certification is contingent upon the approval of the PTCSP
by the Associate Administrator. Under the proposed rules, the filing
and approval of the PTCSP and issuance of a PTC System Certification is
a mandatory prerequisite for PTC system operation in revenue service.
Each PTCSP is unique to each railroad and must address
railroad-specific implementation issues associated with the PTC system
identified by the submitted Type Approval. Paragraph (a) proposes
language explaining these meanings and limits.
Paragraph (b) proposes to require each railroad, when filing a PTCSP,
to: Include the applicable and approved PTCIP, PTCDP, and
Type Approval; describe any changes subsequently made to the PTC
system, as reflected in the PTCSP, that would require amendment of the
PTCIP or PTCDP; and assure FRA whether the PTC system built is the same
PTC system described in the PTCDP and PTCSP. Paragraph (b)(1)
effectively merges the approved PTCIP and PTCDP into the PTCSP so that
there will be a single ``package'' available for PTC operations and FRA
review before and after issuance of a PTC System Certification. If a
PTCSP is approved, and the railroad receives a PTC System
Certification, all three plans continue to ``live'' and can only be
amended in accordance with Sec. 236.1021.
FRA recognizes the possibility that between PTCIP or PTCDP
approval, and prior to PTCSP submission, there may be changes to the
former two documents. While such changes may only be made in accordance
with Sec. 236.1021, documentation of those changes may not be readily
apparent to the reader of the PTCSP. Accordingly, under proposed
paragraph (b)(2), FRA expects that each PTCSP shall include a clear and
complete description of any such changes by specifically and rigorously
documenting each variance. Paragraph (b)(2) also proposes to require
that the PTCSP include an explanation of each variance's significance.
To ensure that there are no other existing variances not documented in
the PTCSP, FRA also proposes under this paragraph to require the
railroad to attest that there are no further variances. For the same
reason, paragraph (b)(3) proposes that, if there have been no changes
to the plans or to the PTC system as intended, the railroad be required
to attest that there are no such variances.
Proposed paragraph (c) delineates the contents of the PTCSP. The
first elements of the PTCSP are the same elements as the PTCDP (and are
described more fully in the section by section for 236.1013). If the
railroad had already submitted, and FRA had already approved, the
PTCDP, then attachment of the PTCDP to the PTCSP should fulfill this
requirement.
The additional, proposed railroad specific elements are as follows:
Paragraph (c)(1) proposes to require that the PTCSP include a
hazard log comprehensively describing all hazards to be addressed
during the life-cycle of the product, including maximum threshold
limits for each hazard. For unidentified hazards, the threshold shall
be exceeded at one occurrence. In other words, if the hazard has not
been predicted, then any single occurrence of that hazard is
unacceptable. The hazard log addresses safety-relevant hazards, or
incidents or failures that affect the safety and risk assumptions of
the PTC system. Safety relevant hazards include events such as false
proceed signal indications and false restrictive signal indications. If
false restrictive signal indications occur with any type of frequency,
they could influence train crew members, roadway workers, dispatchers,
or other users to develop an apathetic attitude towards complying with
signal indications or instructions from the PTC system, creating human
factors problems.
Incidents in which stop indications are inappropriately displayed
may also necessitate sudden brake applications
[[Page 35987]]
that may involve risk of derailment due to in-train forces. Other
unsafe or wrong-side failures which affect the safety of the product
will be recorded on the hazard log. The intent of this paragraph is to
identify all possible safety-relevant hazards which would have a
negative effect on the safety of the product. Right-side failures, or
product failures which have no adverse effect on the safety of the
product (i.e., do not result in a hazard) would not be required to be
recorded on the hazard log.
Paragraph (c)(2) proposes to require that a risk assessment be
included in the PTCSP. FRA will use this information as a basis to
confirm compliance with the appropriate performance standard. A
performance standard specifies the outcome required, but leaves the
specific measures to achieve that outcome up to the discretion of the
regulated entity. In contrast to a design standard or a technology-
based standard that specifies exactly how to achieve compliance, a
performance standard sets a goal and lets each regulated entity decide
how to meet that goal. An appropriate performance standard should
provide reasonable assurance of safe and effective performance by
making provision for: (1) Considering the construction, components,
ingredients, and properties of the device and its compatibility with
other systems and connections to such systems; (2) testing of the
product on a sample basis or, if necessary, on an individual basis; (3)
measurement of the performance characteristics; and (4) requiring that
the results of each or of certain of the tests required show that the
device is in conformity with the portions of the standard for which the
test or tests were required. Typically, the specific process used to
design, verify and validate the product is specified in a private or
public standard. The Administrator may recognize all or part of an
appropriate standard established by a nationally or internationally
recognized standard development organization.
Paragraph (c)(3) proposes to require that the PTCSP include a
hazard mitigation analysis. The hazard mitigation analysis must
identify the techniques used to investigate the consequences of various
hazards and list all hazards addressed in the system hardware and
software including failure mode, possible cause, effect of failure, and
remedial actions. A safety-critical system must satisfy certain
specific safety requirements specified by the system designer or
procuring entity. To determine whether these requirements are
satisfied, the safety assessor must determine that: (1) Hazards
associated with the system have been comprehensively identified; (2)
hazards have been appropriately categorized according to risk
(likelihood and severity); (3) appropriate techniques for mitigating
the hazards have been identified; and (4) hazard mitigation techniques
have been effectively applied. See Leveson, Nancy G., Safeware: System
Safety and Computers, (Addison-Wesley Publishing Company, 1995).
FRA does not expect that the safety assessment will prove that a
product is absolutely safe. However, the safety assessment should
provide evidence that risks associated with the product have been
carefully considered and that steps have been taken to eliminate or
mitigate them. Hazards associated with product use need to be
identified, with particular focus on those hazards found to have
significant safety effects. The risk assessment proposed under
paragraph (c)(2) must include each hazard that cannot be mitigated by
system designs (e.g., human over-reliance on the automated systems) no
matter how low its probability may be. After the risk assessment, the
designer must take steps to remove them or mitigate their effects.
Hazard analysis methods are employed to identify, eliminate, and
mitigate hazards. Under certain circumstances, FRA may require an
independent third party assessment in accordance with proposed Sec.
236.1017 to review these methods as a prerequisite to FRA approval.
Paragraph (c)(4) also proposes that the PTCSP address safety
Verification and Validation procedures as defined under part 236. FRA
believes that Verification and Validation for safety are vital parts of
the PTC system development process. Verification and Validation require
forward planning. Consequently, the PTCSP should identify the testing
to be performed at each stage of development and the levels of rigor
applied during the testing process. FRA will use this information to
ensure that the adequacy and coverage of the tests are appropriate.
Paragraph (c)(5) proposes to require the railroad to include in its
PTCSP the training, qualification, and designation program for workers
regardless of whether those railroad employees will perform inspection,
testing, and maintenance tasks involving the PTC system. FRA believes
many benefits accrue from the investment in comprehensive training
programs, which are fundamental to creating a safe workforce. Effective
training programs can result in fewer instances of human casualties and
defective equipment, leading to increased operating efficiencies, less
troubleshooting, and decreased costs. FRA expects any training program
to include employees, supervisors, and contractors engaged in railroad
operations, installation, repair, modification, testing, or maintenance
of equipment and structures associated with the product.
Paragraph (c)(6) proposes to require the PTCSP to identify specific
procedures and test equipment necessary to ensure the safe operation,
installation, repair, modification and testing of the product.
Requirements for operation of the system must be succinct in every
respect. The procedures must be specific about the methodology to be
employed for each test to be performed that is required for
installation, repair, or modification including documenting the results
thereof. FRA will review and compare the repair and test procedures for
adequacy against existing similar requirements prescribed for signal
and train control systems. FRA intends to use this information to
ascertain whether the product will be properly installed, maintained,
tested, and repaired.
Paragraph (c)(7) proposes that each railroad develop a manual
covering the requirements for the installation, periodic maintenance
and testing, modification, and repair for its PTC system. The
railroad's Operations and Maintenance Manual must address the issues of
warnings and describe the warning labels to be placed on each piece of
PTC system equipment as necessary. Such warnings include, but are not
limited to: Means to prevent unauthorized access to the system;
warnings of electrical shock hazards; cautionary notices about improper
usage, testing, or operation; and configuration management of memory
and databases. The PTCSP should provide an explanation justifying each
such warning and an explanation of why there are no alternatives that
would mitigate or eliminate the hazard for which the warning is placed.
Paragraph (c)(8) proposes to require that the PTCSP identify the
various configurable applications of the product, since this rule
mandates use of the product only in the manner described in its PTCDP.
Given the importance of proper configuration management in safety-
critical systems, FRA believes it is essential that railroads learn of
and take appropriate configuration control of hardware and software.
FRA believes that a requirement for configuration management control
will enhance the safety of these systems and ultimately provide other
benefits to the railroad as
[[Page 35988]]
well. Under this proposed paragraph, railroads are responsible--through
their applicable Operations and Maintenance Plan and other supporting
documentation maintained throughout the system's life-cycle--for all
changes to configuration of their products in use, including both
changes resulting from maintenance and engineering control changes,
which result from manufacturer modifications to the product. Since not
all railroads may experience the same software faults or hardware
failures, the configuration management and fault reporting tracking
system play a crucial role in the ability of the railroad and the FRA
to determine and fully understand the risks and their implications.
Without an effective configuration management tracking system in place,
it is difficult, if not impossible, to fairly evaluate risks associated
with a product over the life of the product.
Paragraph (c)(9) proposes to require the railroad to develop
comprehensive plans and procedures for product implementation.
Implementation (field validation or cutover) procedures must be
prepared in detail and identify the processes necessary to verify that
the PTC system is properly installed and documented, including measures
to provide for the safety of train operations during installation. FRA
will use this information to ascertain whether the product will be
properly installed, maintained, and tested. FRA also believes that
configuration management should reduce disarrangement issues. Further,
configuration management will reduce the cost of troubleshooting by
reducing the number of variables and will be more effective in
promoting safety.
Paragraph (c)(10) proposes to require the railroad to provide a
complete description of the particulars concerning measures required to
assure that the PTC system, once implemented, continues to provide the
expected safety level without degradation or variation over its life-
cycle. The measures specifically provide the prescribed intervals and
criteria for the following: testing; scheduled preventive maintenance
requirements; procedures for configuration management; and procedures
for modifications, repair, replacement and adjustment of equipment. FRA
intends to use this information, among other data, to monitor the PTC
system to assure it continually functions as intended.
Paragraph (c)(11) proposes to include in each PTCSP a description
of each record concerning safe operation. Recordkeeping requirements
for each product are discussed in proposed Sec. 236.1037.
Paragraph (c)(12) proposes to require a safety analysis of
unintended incursions into a work zone. Measuring incursion risks is a
key safety risk assumption. Failing to identify incursion risk can have
the effect of making a system seem safer on paper than it actually is.
The requirements set forth in this paragraph attempt to mandate design
consideration of incursion protection at an early stage in the product
development process. The totality of the arrangements made to prevent
unintended incursions or operation at higher than authorized speed
within the work zone must be analyzed. That is, in addition to the
functions of the PTC system, the required actions for dispatchers,
train crews, and roadway workers in charge must be evaluated.
Regardless of whether a PTC system has been previously approved or
recognized, FRA will not accept a system that allows a single point
human failure to defeat the essential protection intended by the
Congress. See NTSB Recommendations R-08-05 and R-08-06. FRA believes
that exposure should be identified because increases in risk due to
increased exposure could be easily distinguished from increases in risk
due solely to implementation and use of the proposed PTC system.
In the past, little attention was given to formalizing incursion
protection procedures. Training for crews has also not been uniform
among organizations, and has frequently received inadequate attention.
As a result, a variety of procedures and techniques evolved based on
what has been observed or what just seemed correct at the time. This
lack of structure, standardization, and formal training is inconsistent
with the goal of increasing safety and efficiency.
Paragraph (c)(13) proposes to require a more detailed description
of any alternative arrangements provided under proposed Sec.
236.1011(a)(10), pertaining to at grade rail-to-rail crossings.
Paragraph (c)(14) proposes to require a complete description of how
the PTC system will enforce mandatory directives and signal
indications, unless already addressed in the PTCDP. FRA recognizes that
all systems will enforce all signal indications; however, the PTCDP
must describe where the architecture of the system performs this
function.
Proposed paragraph (c)(15) refers to the requirement of Sec.
236.1019(e) that the PTCSP is aligned with the PTCIP, including any
amendments.
Under proposed Sec. 236.1029(b), FRA proposes to require certain
limitations on PTC trains operating over 90 miles per hour. Under Sec.
236.1029(c), FRA provides railroads with an opportunity to deviate from
those limitations if the railroad describes and justifies the deviation
in its PTCDP, PTCSP, or by reference to an Order of Particular
Applicability, as applicable. Thus, proposed paragraph (c)(16) to Sec.
236.1015 reminds railroads that this is one of the optional elements
that may be included in a PTCSP. This need may also be addressed
through review of the PTCDP, and FRA reserves the right to so provide
in the final rule.
Railroads are required under Sec. 236.1005(c) to submit a complete
description of their compliance regarding hazard detector integration and
under Sec. Sec. 236.1005(g)-(k) to submit a temporary rerouting plan
in the event of emergencies and planned maintenance. Railroads must
also submit a document indicating any alternative arrangements for each
rail at-grade crossing not adhering to the table under Sec.
236.1005(a)(1)(i). Proposed paragraphs (c)(17), (c)(18), and (c)(19) to
Sec. 236.1015 remind railroads that such requirements must be
fulfilled with the submission of the PTCSP. For example, under proposed
paragraph (c)(18), FRA expects each temporary rerouting plan to explain
the host railroad's procedure relating to detouring the applicable
traffic. In other words, FRA expects that each temporary rerouting plan
address how the host railroad will choose the track that traffic will
be rerouted onto. For instance, the plan should explain the factors
that will be considered in determining whether and how the railroad
should take advantage of temporary rerouting. FRA remains concerned
about the unnecessary commingling of PTC and non-PTC traffic on the
same track and expects each temporary rerouting plan to address this
possibility. More specifically, each plan should describe how the
railroad expects to make decisions to reroute non-PTC train traffic
onto a PTC line, especially where another non-PTC line may be
available. While FRA recognizes each railroad may seek to use the most
cost effective route, FRA expects the railroad to also consider the
level of risk associated with that route.
In paragraph (d), FRA proposes to state the criteria that FRA will
refer to when evaluating the PTCSP, depending upon the underlying
technical approach. Whereas in subpart H the safety case is evaluated
to determine whether it demonstrates with a high degree of confidence
that relevant risk
will be no greater under the new product than previously, the statutory
mandate for PTC calls for a different approach. In crafting the
proposed approach, FRA has attempted to limit requirements for
quantitative risk assessment to those situations where the technique is
truly needed. Regardless of the type of PTC system, the safety case for
the system must demonstrate that it will reliably execute all of the
functions required by this subpart (particularly those provided under
proposed Sec. Sec. 236.1005 and 236.1007). With this foundation, the
additional criteria that must be met depend upon the type of PTC
technology to be employed.
It is FRA's understanding that PTC systems may be categorized as
one of the following four system types: Non-vital overlay; vital
overlay; standalone; and mixed. Initially, however, all PTC systems
will have some features that are not fully fail-safe in nature, even if
onboard processing and certain wayside functions are fully fail-safe.
Common causes include surveying errors of the track database, errors in
consist weight or makeup from the railroad information technology
systems, and crew input errors of critical operational data. To the
extent computer-aided dispatching systems are the only check on
potential dispatcher error in the creation or inappropriate
cancellation of mandatory directives, some room for undetected wrong-
side failure will continue to exist in this function as well. This
issue is addressed under paragraph (g) of this section.
Proposed paragraph (d)(1) specifies the required behavior for non-
vital overlay systems. Based on previous experience with non-vital
systems, FRA believes it is well within the technical capability of the
railroads to reduce the level of risk on any particular track segment
to a level of risk 80% lower than the level of risk prior to
installation of PTC on that segment. For subsequent PTC system
installations on the same line segment, FRA recognizes that requiring
an additional 80% improvement may not be technically or economically
practical. Therefore, FRA is proposing that an entity installing
or modifying an existing PTC system need only demonstrate that the
level of safety is equal to, and preferably greater than, the level of
safety of the prior PTC system. The risk that must be reduced is the
risk against which the PTC functionalities are directed, assuming a
high level of availability. Note that the required functionalities
themselves do not call for elimination of all risk of mishaps. It is
the scope of risk reduction that the functionalities describe that becomes
the 100% universe which is the basis of comparison. Although it is
understood that the system will endeavor to eliminate 100% of this
risk--meaning that if the system worked as intended every time and was
always available, 100% of the target risk would be eliminated--the
analysts will need to account for cases where wrong side failure of the
technology is coincident with a human failure potentially induced by
reliance on the technology. Since, within an appropriate conservative
engineering analysis (i.e., pro forma analysis), non-vital processing
has the theoretical potential to result in more failures than will
typically be experienced, a 20% margin is provided. In preparing the
PTCSP, the railroad will want to affirmatively address how training and
oversight--including programs of operational testing under 49 CFR
217.9--will reduce the potential for inappropriate reliance by those
charged with functioning in accordance with the underlying method of
operation.
The 80% reduction in risk for PTC preventable accidents must be
demonstrated by an appropriate risk analysis acceptable to the
Associate Administrator and must address all intended track segments
upon which the system will be installed. Again, FRA does not expect, or
require, that these types of systems will prevent all wrong side
failures. However, FRA expects that the systems will be designed to be
robust, all pertinent risk factors (including human factors) will be
fully addressed, and that no corners will be cut to ``take advantage''
of the nominal allowance provided for non-vital approaches. FRA also
encourages those using non-vital approaches to preserve as much as
possible the potential for a transition to vital processing.
Proposed paragraph (d)(2) addresses vital overlays. Unlike a non-
vital system, the vital system must be designed to address, at a
minimum, the factors delineated in Appendix C. The railroad and its
vendors are encouraged to carry out a more thorough design analysis
addressing any other potential product specific hazards. FRA cannot
overemphasize that vital overlay system designs must be fully designed
to address the factors contained in Appendix C. The associated risk
analysis supporting this design analysis demonstrating compliance may
be accomplished using any of the risk analysis approaches in subpart H,
including abbreviated risk analysis.
Proposed paragraph (d)(3) addresses stand-alone PTC systems that
are used to replace existing methods of operations. The PTCSP design
and risk analysis submitted to the Associate Administrator must show
that the system does not introduce any new hazards that have not been
acceptably mitigated, based upon all proposed changes in railroad
operation. The required analysis for standalone systems is much more
comprehensive than that required for vital overlay systems, since it
must provide sufficient information to the Associate Administrator to
make a decision with a high degree of confidence. FRA will uniquely and
separately consider each request for standalone operations, and will
render decisions in the context of the proposed operation and the
associated risks. FRA recognizes that application of this standard to a
new rail system for which there is no clear North American antecedent
could present a conceptual challenge. FRA invites comments regarding
how best to frame the risk assessment showing for a standalone system
applied to a new rail operation.
Proposed paragraph (d)(4) addresses mixed systems (i.e., systems
that include a combination of the systems identified in paragraphs
(d)(1) through (d)(3)). Because of the inherent complexity of these
systems, FRA will determine an appropriate approach to demonstrating
compliance after consultation with the railroad. Any approach will, of
course, require that the system perform the PTC requirements as
proposed in Sec. Sec. 236.1005 and 236.1007.
Paragraph (e) discusses proposed factors that the Associate
Administrator will consider in reviewing the PTCSP. In general, PTC
systems will have some features that are not failsafe in nature.
Examples include surveys of the track database, errors in consist data
from the railroad such as weight and makeup, and crew input errors. FRA
participation in the design and testing of the PTC system product helps
FRA to better understand the strengths and weaknesses of the product
for which approval is requested, and facilitates the approval process.
The railroad must establish through safety analysis that its
assertions are true. This standard places the burden on the railroad to
demonstrate that the safety analysis is accurate and sufficiently
supports certification of the PTC system. The FRA Associate
Administrator will determine whether the railroad's case has been made.
As provided in subpart H, FRA believes that final agency determinations
under this new subpart I should also be made at the technical level,
rather than the policy level, due to the complex and sometimes esoteric
subject matters associated with risk analysis and
evaluation. This is particularly appropriate in light of the RSIA08's
designation of the Associate Administrator for Railroad Safety as the
Chief Safety Officer of FRA. When considering the PTC system's
compliance with recognized standards in product development, FRA will
weigh appropriate factors, including: The use of recognized standards
in system design and safety analyses; the acceptable methods in risk
estimates; the proven safety records for proposed components; and the
overall complexity and novelty of the product design. In those cases
where the submission lacks information the Associate Administrator
deems necessary to make an informed safety decision, FRA will solicit
the data from the railroad. If the railroad does not provide the
requested information, FRA may determine that a safety hazard exists.
Depending upon the amount and scope of the missing data, PTCSP
approval, and the subsequent system certification, may be denied.
While paragraph (e) summarizes how FRA intends to evaluate the risk
analysis, proposed paragraph (f) applies specifically to cases where a
PTC system has already been installed and the railroad subsequently
wants to put in a new PTC system. Paragraph (f) re-emphasizes that FRA
policy regarding the safety of PTC systems is not, and cannot expect to
be, static. Rather, FRA policy may evolve as railroad operations
evolve, operating rules are refined, related hazards are addressed
(e.g., broken rails), and other readily available options for risk
reduction emerge and become more affordable. FRA embraces the concept
of progressive improvement and expects that, when new systems are
installed to replace existing systems, actual safety outcomes equal
or exceed those for the existing systems.
Section 236.1017 Independent Third Party Review of Verification and
Validation
As previously noted in the discussion of proposed Sec.
236.1009(e), FRA may require a railroad to engage in an independent
assessment of its PTC system. In the event an independent assessment is
required, Sec. 236.1017 proposes the applicable rules and procedures.
Proposed paragraph (a) establishes factors considered by FRA when
requiring a third-party assessment. FRA will attempt to make a
determination of the necessary level of third party assessment as early
as possible in the approval process. However, based on issues that may
arise during the development and testing processes, or during the
detailed technical reviews of the PTCDP and PTCSP, FRA may deem it
necessary to require a third party assessment at any time during the
review process.
Proposed paragraph (b) is intended to make it clear that it is FRA
that will make the determination of the acceptability of the
independence of the third party to avoid any potential issues
downstream regarding the acceptability of the assessor's independence.
If a third party assessment is required, each railroad is encouraged to
identify in writing what entity it proposes to utilize as its third
party assessor. Compliance with paragraph (b) is not mandatory.
However, if FRA determines that the railroad's choice of a third party
does not meet the level of independence contemplated under proposed
paragraph (c), then the railroad will be obligated to have the
assessment repeated, at its expense, until it has been completed by a
third party suitable to FRA.
Paragraph (c) proposes a definition of the term ``independent third
party'' as used in this section. It limits independent third parties to
those that are compensated by the railroad or an association on behalf
of one or more railroads that is independent of the PTC system
supplier. FRA believes that requiring the railroad to compensate a
third party will heighten the railroad's interest in obtaining a
quality analysis and will avoid ambiguous relationships between
suppliers and third parties that could indicate possible conflicts of
interest.
Proposed paragraph (d) explains that the minimum requirements of a
third party audit are outlined in Appendix F (which is modeled on
current Appendix D, which is used in conjunction with subpart H) and
that FRA has discretion to limit the extent of the third party
assessment. FRA intends to limit the scope of the assessment to areas
of the safety Verification and Validation as much as possible, within
the bounds of FRA's regulatory obligations. This will allow reviewers
to focus on areas of greatest safety concern and eliminate any
unnecessary expense to the railroad. In order to limit the number of
third-party assessments, FRA first strives to inform the railroad as to
what portions of a submittal could be amended to avoid the necessity
and expense of a third-party assessment altogether. However, FRA wishes
to make it clear that Appendix F represents minimum requirements and
that, if circumstances warrant, FRA may expand upon the Appendix F
requirements as necessary to enable FRA to render a decision that is in
the public interest (i.e., if FRA is unable to certify the system
without the additional information).
Section 236.1019 Main Line Track Exceptions
The RSIA08 generally defines ``main line'' as ``a segment of
railroad tracks over which 5,000,000 or more gross tons of railroad
traffic is transported annually.'' See 49 U.S.C. 20157(i)(2). However,
FRA may also define ``main line'' by regulation ``for intercity rail
passenger transportation or commuter rail passenger transportation
routes or segments over which limited or no freight railroad operations
occur.'' See 49 U.S.C. 20157(i)(2)(B); 49 CFR 1.49(oo). FRA recognizes
that there may be circumstances where certain statutory PTC system
implementation and operation requirements are not practical and provide
no significant safety benefits. In those circumstances, FRA proposes to
exercise its statutory discretion provided under 49 U.S.C.
20157(i)(2)(B).
In accordance with the authority provided by the statute and with
carefully considered recommendations from the RSAC, FRA proposes to
consider requests for designation of track over which rail operations
are conducted as ``other than main line track'' for passenger and
commuter railroads, or freight railroads operating jointly with
passenger or commuter railroads. Such relief may be granted only after
request by the railroad or railroads filing a PTCIP and approval by the
Associate Administrator.
Paragraph (a), therefore, proposes to require the submittal of a
main line track exclusion addendum (MTEA) to any PTCIP filed by a
railroad that seeks to have any particular track segment deemed as
other than main line. Since the statute only provides for such
regulatory flexibility as it applies to passenger transportation routes
or segments over which limited or no freight railroad operations occur, only
a passenger railroad may file an MTEA as part of its PTCIP. This may
include a PTCIP jointly filed by freight and passenger railroads. In
fact, FRA expects that in the case of joint operations, only one MTEA
should be agreed upon and submitted by the railroads filing the PTCIP.
After reviewing a submitted MTEA, FRA may provide full or partial
approval for the requested exemptions.
Each MTEA must clearly identify and define the physical boundaries,
use, and characterization of the trackage for which exclusion is
requested. When describing the tracks' use and characterization, FRA
expects the requesting railroad or railroads to include copies of the
applicable track
and signal charts. Ultimately, FRA expects each MTEA to include
information sufficiently specific to enable easy segregation between
main line track and non-main line track. In the event the railroad
subsequently requests additional track to be considered for exclusion,
a well-defined MTEA should reduce the amount of future information
required to be submitted to FRA. Moreover, if FRA decides to grant only
certain requests in an MTEA, the portions of track that FRA has
determined should remain considered as main line track can be easily
severed from the MTEA. Otherwise, the entire MTEA, and thus its
concomitant PTCIP, may be entirely disapproved by FRA, increasing the
risk of the railroad or railroads not meeting their statutory deadline
for PTC implementation and operation.
For each particular track segment, the MTEA must also provide a
justification for such designation in accordance with paragraphs (b) or
(c) of this section.
Proposed paragraph (b) specifically addresses the conditions for
relief for passenger and commuter railroads with respect to passenger-
only terminal areas. As noted previously in the analysis of Sec.
236.1005(b), FRA proposes to except from the definition of main line
any track within a yard used exclusively by freight operations moving
at restricted speed. In those situations, operations are usually
limited to preparing trains for transportation and do not usually
include actual transportation. FRA does not propose to extend this
automatic exclusion to yard or terminal tracks that include passenger
operations. Such operations may also include the boarding and
disembarking of passengers, heightening FRA's sensitivity to safety and
blurring the lines between what defines ``transportation'' and
``preparing for transportation.'' Moreover, while FRA could not expend
its resources to review whether a freight-only yard should be deemed
other than main line track, FRA believes that the relatively lower
number of passenger yards and terminals would allow for such review.
Accordingly, FRA believes that it is appropriate to review these
circumstances on a case-by-case basis.
During the PTC Working Group discussions, the major passenger
railroads requested an exception for tracks in passenger terminal areas
because of the impracticability of installing PTC. These are locations
where signal systems govern movements over very complex special track
work divided into short signal blocks. Operating speeds are low (not to
exceed 20 miles per hour), and locomotive engineers moving in this
environment expect conflicting traffic and restrictive signals.
Although low-speed collisions do occasionally occur in these
environments, the consequences are low; and the rate of occurrence is
very low in relation to the exposure. It is the nature of current-
generation PTC systems that they work with averages in terms of
stopping distance and use conservative braking algorithms. Applying
this approach in congested terminals would add to congestion and
frustrate efficient passenger service, in the judgment of those who
operate these railroads. The density of wayside infrastructure required
to effect PTC functions in these terminal areas would also be
exceptionally costly in relation to the benefits obtained. FRA agrees
that technical solutions to address these concerns are not presently
available. FRA does believe that the appropriate role for PTC in this
context is to enforce the maximum allowable speed (which is presently
accomplished in cab signal territory through use of automatic speed
control, a practice which could continue where already in place).
If FRA grants relief, the proposed conditions of (b)(1), (b)(2), or
(b)(3), as applicable, must be strictly adhered to. These three
conditions represent the minimum conditions FRA believes are necessary
for safe operations. FRA reserves the right to add more restrictive
conditions if necessary to provide for the safety of the public and
train crews. If FRA approves an MTEA and the railroad subsequently
violates any of the applicable conditions, civil penalties may apply.
Under paragraph (b)(1), FRA proposes to limit relief under
paragraph (b) to operations that do not exceed 20 miles per hour. The
PTC Working Group agreed upon the 20 miles per hour limitation, instead
of requiring restricted speed, because the operations in question will
be by signal indication in congested and complex terminals with short
block lengths and numerous turnouts. FRA agrees with the PTC Working
Group that the use of restricted speed in this environment would
exacerbate congestion, delay trains, and diminish the quality of rail
passenger service.
Moreover, when trains on the excluded track are controlled by a
locomotive with an operative PTC onboard apparatus, FRA proposes to
require that PTC system component to enforce the regulatory speed limit
or actual maximum authorized speed, whichever is less. While the actual
track may not be outfitted with a PTC system in light of an MTEA
approval, FRA believes it would be nevertheless prudent to require such
enforcement when the technology is available on the operating
locomotives. This can be accomplished in cab signal territory using
existing automatic train stop technology and outside of cab signal
territory by mapping the terminal and causing the onboard computer to
enforce the maximum speed allowed.
Under paragraph (b)(2), FRA proposes to also limit relief under
paragraph (b) to operations that enforce interlocking rules. Under
interlocking rules, trains are prohibited from moving in reverse
directions without dispatcher permission on track where there are no
signal indications. FRA believes that such a restriction would minimize
the potential for a head-on impact.
Also, under proposed paragraph (b)(3), such operations would only
be allowed in yard or terminal areas where no freight operations are
permitted. While the definition of main line may not include yard
tracks used solely by freight operations, FRA does not propose to
extend any relief or exception to tracks within yards or terminals
shared by freight and passenger operations. The collision of a
passenger train with a freight consist is typically a more severe
condition because of the greater mass of the freight equipment.
Paragraph (c) proposes the conditions under which joint limited
passenger and freight operations may occur on defined track segments
without the requirement for installation of PTC. This paragraph
proposes three alternative paths to the main line exception.
First, under paragraph (c)(1), an exception may be available where
both the freight and passenger trains are limited to restricted speed.
Such operations are feasible only for short distances, and FRA would
examine the circumstances involved to ensure that the exposure is
limited and that appropriate operating rules and training are in place.
Second, under paragraph (c)(2), FRA will consider an exception
where temporal separation of the freight and passenger operations can
be ensured. A more complete definition of temporal separation is
provided in paragraph (d). Temporal separation of passenger and freight
services reduces risk because the likelihood of a collision is reduced
(e.g., due to freight cars engaged in switching that are not properly
secured) and the possibility of a relatively more severe collision
between a passenger train and much heavier freight consist is obviated.
Third, under paragraph (c)(3), FRA will consider commingled freight
and passenger operations provided that a jointly agreed risk analysis
is provided
by the passenger and freight railroads, and the level of safety is the
same as that which would be provided under one of the two prior options
selected as the base case. FRA seeks comments on whether FRA or the
subject railroad should determine the appropriate base case. FRA
recognizes that there may be situations where temporal separation may
not be possible. In such situations, FRA may allow commingled
operations provided the risk to the passenger operation is no greater
than if the passenger and freight trains were operating under temporal
separation or with all trains limited to restricted speed. For an
exception to be made under paragraph (c)(3), FRA requires a risk
analysis jointly agreed to and submitted by the applicable freight and
passenger services. This ensures that the risks and consequences to
both parties have been fully analyzed, understood, and mitigated to the
extent practical.
Paragraph (d) proposes the definition of temporal separation with
respect to paragraph (c)(2). The temporal separation approach is
currently used under the FRA-Federal Transit Administration Joint
Policy on Shared Use, which permits co-existence of light rail
passenger services (during the day) and local freight service (during
the nighttime). See Joint Statement of Agency Policy Concerning Shared
Use of the Tracks of the General Railroad System by Conventional
Railroads and Light Rail Transit Systems, 65 FR 42526 (July 10,
2000); FRA Statement of Agency Policy Concerning Jurisdiction Over the
Safety of Railroad Passenger Operations and Waivers Related to Shared
Use of the Tracks of the General Railroad System by Light Rail and
Conventional Equipment, 65 FR 42529 (July 10, 2000). Conventional rail
technology and secure procedures are used to ensure that these services
do not commingle. Amtrak representatives in the PTC Working Group were
confident that more refined temporal separation strategies could be
employed on smaller railroads that carry light freight volumes and few
Amtrak trains (e.g., one train per day or one train per day in each
direction). The Passenger Task Force agreed.
Proposed paragraph (e) ensures that by the time the railroad
submits its PTCSP, it has made no unapproved changes to the MTEA and
that the PTC system, as implemented, reflects the PTCIP and its MTEA.
Under the proposed rule, the PTCSP shall reflect the PTCIP, including
its MTEA, as it was approved or how it has been modified in accordance
with proposed Sec. 236.1021. FRA believes that it is also important
that the railroad attest that no other changes to the documents or to
the PTC system, as implemented, have been made.
FRA understands that as a railroad implements its PTC system in
accordance with its PTCIP or even after it receives PTC System
Certification, the railroad may decide to modify the scope of which
tracks it believes to be other than main line. To effectuate such
changes, paragraph (f) proposes to require FRA review. In the case that
the railroad believes that such relief is warranted, the railroad may
file in accordance with proposed Sec. 236.1021 a request for amendment
of the PTCIP, which will eventually be incorporated into the PTCSP upon
PTCSP submission. Each request, however, must be fully justified to and
approved by the Associate Administrator before the requested change can
be made to the PTCIP. If such a RFA is submitted simultaneously with
the PTCSP, the RFA may not be approved, even if the PTCSP is otherwise
acceptable. A change made to an MTEA subsequent to FRA approval of its
associated PTCIP that involves removal or reduction in functionality of
the PTC system is treated as a material modification. In keeping with
traditional signaling principles, such requests must be formally
submitted for review and approval by FRA.
Section 236.1021 Discontinuances, Material Modifications, and
Amendments
FRA recognizes that after submittal of a plan or implementation of
a train control system, the subject railroad may have legitimate
reasons for making changes in the system design and the locations where
the system is installed. In light of the statutory and regulatory
mandates, however, FRA believes that the railroad should be required to
request FRA approval prior to effectuating certain changes. Section
236.1021 proposes the scope and procedure for requesting and approving
those changes. For example, all requests for covered changes must be
made in a request for amendment (RFA) of the subject PTC system or
plan. While Sec. 236.1021 includes lengthy descriptions of what
changes may, or may not, require FRA approval, there are various places
elsewhere in subpart I that also require the filing of a RFA.
Under paragraph (a), FRA proposes to require FRA approval prior to
certain PTC system changes. FRA expects that if a railroad wants to
make a PTC system change covered by subpart I, then any such change
would result in noncompliance with one of the railroad's plans approved
under this subpart. For instance, if a railroad seeks to modify the
geographical limits of its PTC implementation, such changes would not
be reflected in the PTCIP. Accordingly, under paragraph (a), after a
plan is approved by FRA and before any change is made to the PTC
system's development, implementation, or operation, FRA proposes that
the railroad file a RFA to the subject plan.
FRA considers an amendment to be a formal or official change made
to the PTC system or its associated PTCIP, PTCDP, or PTCSP. Amendments
can add, remove, or update parts of these documents, which may reflect
proposed changes to the development, implementation, or operation of
its PTC system. FRA believes that an amending procedure provides a
simpler and cleaner option than requiring the railroad to file an
entirely new plan.
While the railroad may develop a RFA without FRA input or
involvement, FRA believes that it is more advantageous for the railroad
to informally confer with FRA before formally submitting its RFA. If
FRA is not involved in the drafting process, FRA may not have a
complete understanding of the system, making it difficult for FRA to
evaluate the impact of the proposed changes on public safety. After RFA
submission, all applicable correspondence between FRA and the railroad
must be made formally in the associated docket, as further discussed
below. In such a situation, FRA's review may take a significantly
longer time than usual. If FRA continues to not understand the impact,
it may request a third party audit, which would only further delay a
decision on the request. Accordingly, FRA believes it is more
advantageous for the railroad drafting an RFA to informally confer with
FRA before its formal submission of the change request. The railroad
would then be provided an opportunity to discuss the details of the
change and to assure FRA's understanding of what the railroad wishes to
change and of the change's potential impact.
Paragraph (b) proposes a mechanism for requesting such change. Once
the RFA is approved, the railroad may--and, in fact, is required under
paragraph (b) to--adopt those changes into the subject plan and
immediately ensure that its PTC system complies with the plan, as amended. FRA
expects that each PTC system accurately reflects the information in its
associated approved plans. FRA believes that this requirement will also
incentivize railroads to make approved changes as quickly as possible.
Otherwise, if a railroad delays in implementing the changes reflected
in an approved RFA, FRA may find it difficult to enforce its
regulations until implementation is completed, since the plans and PTC
system do not accurately and adequately reflect each other. In such
circumstances, a railroad may be assessed a civil penalty for violating
its plan or for falsifying records.
Any change to a PTCIP, PTCDP, or PTCSP, which may include removal
or discontinuance of any signal system, may not take effect until after
FRA has approved the corresponding submitted or amended PTCIP, PTCDP,
or PTCSP. FRA may provide partial or conditional approval. Until FRA
has granted appropriate relief or approval, the railroad may not make
the change, and once a requested change has been made, the railroad
must comply with the requested change.
FRA recognizes that a railroad may wish to remove an existing train
control system due to new and appropriate PTC system implementation.
For train control systems existing prior to promulgation of subpart I,
any request for a material modification or discontinuance must be made
pursuant to part 235. FRA proposes in paragraph (c), however, to
provide the railroads with an opportunity to instead request such
changes in accordance with proposed Sec. 236.1021. FRA believes that
this proposal would reduce the number of required filings and would
otherwise simplify the process of requesting material modifications or
discontinuances.
Paragraph (d) proposes the minimum information required to be
submitted to FRA when requesting an amendment. While FRA proposes to
promulgate procedural rules here different than those in part 235, FRA
expects that the same or similar information be provided. Accordingly,
under paragraph (d)(1), the RFA must contain the information required
in Sec. 235.10. Paragraph (d)(1) also requires the railroad to submit, upon
FRA request, certain additional information, including the information
referenced in Sec. 235.12. Paragraphs (d)(2) through (d)(7) provide
further examples of such information. While such information may only
be required upon request, FRA urges each railroad to include this
information in its RFA to help expedite the review process.
FRA believes that proposed paragraphs (d)(2) through (d)(6) are
self-explanatory. However, according to proposed paragraph (d)(7), FRA
may require with each RFA an explanation of whether each change to the
PTCSP is planned or unplanned. Planned changes are those that the
system developer and the railroad have included in the safety analysis
associated with the PTC system, but have not yet implemented. These
changes provide enhanced functionality to the system, and FRA strongly
encourages railroads to include PTC system improvements that further
increase safety. A planned change may require FRA-approved regression
testing to demonstrate that its implementation has not had an adverse
effect on the system it is augmenting. Each planned change must be
clearly identified as part of the PTCSP, and the PTCSP safety analysis
must show the effect that its implementation will have on safety.
Unplanned changes are those either not foreseen by the railroad or
developer, but nevertheless necessary to ensure system safety, or are
unplanned functional enhancements from the original core system. The
scope of any additional work necessary to ensure safety may depend upon
the phase of the development cycle in which the changes are
introduced. For instance, if the PTCDP has not yet been submitted to
FRA, no FRA involvement is required. However, if the PTCDP has been
submitted to FRA, or if the change impacts the safety functionality of
the system once a Type Approval has been issued, and a PTCSP has not
yet been submitted, the railroad must submit a RFA requesting and
documenting that change. Once FRA approves that RFA, FRA expects the
subsequently filed PTCSP to account for the change in analysis.
If the change is made after approval of the PTCSP and the system
has been certified by FRA, a RFA must be submitted to FRA for approval.
Because this requires significant effort by FRA and the railroad, FRA
expects that every effort will be made to eliminate the need for
unplanned changes. If the railroad and the vendor submit unplanned
safety-related changes that FRA believes are significant in number or
inordinately complex, FRA may revoke any approvals previously granted
and disallow the use of the product until such time as the railroad
demonstrates the product is sufficiently mature.
Paragraph (e) proposes that if a RFA is submitted for a
discontinuance or a material modification to a portion or all of its
PTC system, a notice of its submission shall be published in the
Federal Register. Interested parties will be provided an opportunity to
comment on the RFA, which will be located in an identified docket.
Proposed paragraph (f) makes it clear that FRA will consider all
impacts on public safety prior to approval or disapproval of any
request for discontinuance, modification, or amendment of a PTC system
and any associated changes in the existing signal system that may have
been concurrently submitted. While the economic impact to the affected
parties may be considered by the FRA, the primary and final deciding
factor on any FRA decision is safety. FRA will consider not only how
safety is affected by installation of the system, but how safety is
impacted by the failure modes of the system.
The purpose of proposed paragraph (g) is to emphasize the right of
FRA to unilaterally issue a new Type Approval, with whatever conditions
are necessary to ensure safety based on the impact of the proposed
changes.
In proposed paragraph (h), FRA makes clear that it considers any
implemented PTC system to be a safety device. Accordingly, the
discontinuance, modification, or other change of the implemented system
or its geographical limits will not be authorized without prior FRA
approval. While this requirement primarily applies to safety critical
changes, FRA believes that it should also apply to all changes that
will affect interoperability. FRA seeks comments on this issue. The
principles expressed in the paragraph parallel those embodied in part
235, which implements 49 U.S.C. 20502(a).
That said, FRA recognizes that there are a limited number of
situations where changes of the PTC system may not have an adverse
impact upon public safety. Specific situations where prior FRA approval
is required are proposed in paragraphs (h)(1) through (h)(4).
Paragraph (i) proposes the exceptions from the requirement for
prior approval in cases where the discontinuance of a system or system
element will be treated as pre-approved, as when a line of railroad is
abandoned.
Paragraph (j) proposes exceptions for certain lesser changes that
are not expected to materially affect system risk, such as removal of
an electric lock from a switch where speed is low and trains are not
allowed to clear.
Paragraph (k) proposes additional exceptions consisting of
modifications associated with changes in the track structure or
temporary construction. FRA notes that only temporary removal of the
PTC system without prior FRA approval is allowed to support highway
rail separation construction or damage to the PTC system by
catastrophic events. In both cases, the PTC system must be restored to
operation no later than 6 months after completion of the event.
Section 236.1023 Errors and Malfunctions
Because PTC systems are approved, in part, based on certain
assumptions regarding expected failure modes and frequencies, reporting
and recording of errors and malfunctions takes on critical importance.
If the number of errors and malfunctions exceeds those originally
anticipated in the design, or errors and malfunctions that were not
predicted are observed to occur, the validity of the risk analysis
becomes suspect. Since not all railroads may experience the same
software faults or hardware failures, the developer's development,
configuration management, and fault reporting tracking system play a
crucial role in the ability of the railroad and FRA to determine and
fully understand the risks and their implications. Without an effective
configuration management tracking system in place, it is difficult, if
not impossible, to fairly evaluate PTC system risks during the system's
life cycle.
In the event of a safety-essential PTC system component failing to
perform as intended, FRA intends to propose under Sec. 236.1023 that
the cause be identified and corrective action be taken without undue
delay. Until the repair is completed, the railroad and vendors are
required to take appropriate measures to assure the safety of train
movements, roadway workers, and on-track equipment. This requirement
mirrors the current requirements of 49 CFR 236.11, which applies to all
signal system components. FRA recognizes that there may be situations
where reducing the severity of such hazards will suffice for an
equivalent reduction in risk. For example, a reduction in operating
speeds may not reduce the frequency of certain hazards involving
safety-critical products, but it may reduce the severity of such
hazards in most cases.
Paragraph (a) proposes a direct obligation on suppliers to report
safety-relevant failures, including ``wrong-side'' failures and other
failures significantly impacting availability, where the PTCSP
indicates availability to be a material issue in the safety performance
of the larger railroad system. FRA expects each applicable supplier to
identify the problem, the necessary corrective actions, and recommended
risk mitigations, and to provide an estimate of the time it expects to
need to complete the corrective actions. FRA believes that it should be
informed to ensure public safety in any case where a commercial dispute
(e.g., over liability) might disrupt communication between a railroad
and supplier.
Paragraph (b) proposes a similar responsibility on the part of the
railroad to report safety-relevant failures to the supplier and FRA,
and to keep the vendor and FRA apprised of any subsequent failures. To
aid FRA in understanding the scope of a problem on a railroad, and to
aid the railroad in communicating any PTC system failures to the
appropriate vendor, paragraph (c) proposes to require that each
railroad keep a currently updated PTC Product Vendor List (PTCVPL),
which must identify each supplier of PTC equipment on its railroad.
Paragraph (d) proposes the requirement that each railroad identify
the procedures for action upon notification from the manufacturer of a
safety-critical upgrade, patch, or revision performed within the scope
of the applicable PTCDP. FRA expects that when issues are discovered
that may adversely affect the safe operation of the system, regardless
of whether the railroad has experienced the problem, the railroad will take
corrective action without undue delay (see Sec. 236.11). FRA believes
this is necessary to ensure that each railroad promptly addresses
applicable errors to maintain a common safety baseline by performing
component changes that, if left uncorrected, would increase risk or
interfere with the safety of train operations. If the action were to
take a significant amount of time, FRA proposes to require the railroad
to provide FRA with frequent periodic progress reports.
Paragraph (e) proposes time limits for reporting failures and
malfunctions and the minimum reporting requirements. FRA has no
specific format for the reports, and will accept any format provided it
contains at least the information required by this proposed rule. FRA
will accept delivery of these reports by commercial courier, fax, and
e-mail.
Paragraph (f) proposes to require the manufacturer to provide a
detailed explanation of the problem and the intended or performed
corrective action to FRA upon request, in the event that a PTC system
is found to be unsafe due to a design or manufacturing defect. While
the railroad may be able to report symptoms of a problem, it is the
manufacturer who is in the best position to determine its underlying
root cause. FRA may require this information to determine the full
impact of the problem, and to determine if any additional restrictions
or limitations on the use of the PTC may be warranted to ensure the
safety of the general public and the railroad personnel.
Proposed paragraph (g) is intended to limit unnecessary reporting.
If the failure was the result of improper operation of the PTC system
outside of the design parameters or of non-compliance with the
applicable operating instructions, FRA believes that compliance with
paragraph (f) is not necessary. Instead, FRA expects, and proposes to
require, the railroad to engage in more narrow remedial measures,
including remedial training by the railroad in the proper operation of
the PTC system. Similarly, once a problem has been identified to all
stakeholders, FRA does not believe it is necessary for a manufacturer
to repeatedly submit a formal report in accordance with paragraph (f).
In either situation, however, FRA expects that all users of the
equipment are proactively and timely notified of the misuse that
occurred and the corrective actions taken.
Such reports, however, do not have to be made within seven days of
occurrence, as required for other notifications under paragraph (e),
but within a reasonable time appropriate to the nature and extent of
the problem.
Proposed paragraph (h) is intended to make clear that the reporting
requirements of part 233 are not a substitute for the proposed
reporting requirements of this subpart. Both requirements apply. In the
case of a false proceed signal indication, FRA would not expect the
railroad to wait for the frequency of such occurrences to exceed the
threshold reporting level assigned in the hazard log of the PTCSP.
Rather, current Sec. 233.7 requires all such instances to be reported.
Section 236.1027 Exclusions
This section retains similarities to, but also establishes
contrasts with, Sec. 236.911, which deals with exclusions from subpart
H. In particular, Sec. 236.911(c) offers reassurance that a
stand-alone computer aided dispatching (CAD) system would not be considered a
safety-critical processor-based system within the purview of subpart H.
CADs have long been used by large and small railroads to assist
dispatchers in managing their workload, tracking information required
to be kept by regulation, and--most importantly--providing a conflict
checking function designed to alert dispatchers to incipient errors
before authorities are delivered. Even Sec. 236.911, however, states
that ``a subsystem or component of an office system must comply with
the requirements of this subpart if it performs safety-critical
functions
within, or affects the safety performance of, a new or next-generation
train control system.'' In fact, FRA is currently working with a vendor
on a simple CAD that provides authorities in an automated fashion,
without the direct involvement of a dispatcher.
For subpart I, FRA wishes to retain the exception referred to in
Sec. 236.911 for CAD systems not associated with a PTC system. Many
smaller railroads use CAD systems to good effect, and there is no
reason to impose additional regulations where dispatchers
contemporaneously retain the function of issuing mandatory directives.
However, in the present context, it is necessary to recognize that PTC
systems utilize CAD systems as the ``front end'' of the logic chain
that defines authorities enforced by the PTC system, particularly in
non-signaled territory.
Accordingly, paragraph (a) proposes the potential exclusion of
certain office systems technologies from subpart I compliance. These
existing systems have been implemented voluntarily to enhance
productivity and have proven to provide a reasonably high level of
safety, reliability, and functionality. FRA recognizes that full
application of subpart I to these systems would present the rail
industry with a tremendous burden. The burdens of subpart I may
discourage voluntary PTC implementation and operation by the smaller
railroads.
However, FRA proposes to apply subpart I to those subsystems or
components that perform safety critical functions or affect the safety
performance of the associated PTC system. The level and extent of
safety analysis and review of the office systems will vary depending
upon the type of PTC system with which the office system interfaces.
For example, to prevent the issuance of overlapping and inconsistent
authorities, FRA expects that each PTC system demonstrate sufficient
credible evidence that the requisite safety-critical, conflict
resolution (although not necessarily vital) hardware and software
functions of the system will work as intended. FRA also expects that
the applicable PTCDP's and PTCSP's risk analysis will identify the
associated hazards and describe how they have been mitigated.
Particularly where mandatory directives and work authorities are
evaluated for use in a PTC system without separate oral
transmission from the dispatcher to the train crew or employee in
charge--with the opportunity for receiving personnel to evaluate and
confirm the integrity of the directive or authority received and the
potential for others overhearing the transmission to note conflicting
actions by the dispatching center--FRA will insist on explanations
sufficient to provide reasonable confidence that additional errors will
not be introduced.
Paragraph (b) proposes requirements for modifications of excluded
PTC systems. At some point when a change results in degradation of
safety or in a material increase in safety-critical functionality,
changes to excluded PTC systems or subsystems may be significant enough
to require application of subpart I's safety assurance processes. FRA
believes that not all modifications caused by unforeseen implementation
factors will necessarily cause the product to become subject to
subpart I. These types of implementation modifications will be minor in
nature and be the result of site specific physical constraints.
However, FRA expects that implementation modifications that will result
in a degradation of safety or a material increase in safety-critical
functionality, such as a change in executive software, will cause the
PTC system or subsystem to be subject to subpart I and its
requirements. FRA is concerned, however, that a series of incremental
changes, while each individually not meeting the threshold for
compliance with this subpart, may when aggregated result in a product
which differs sufficiently so as to be considered a new product.
Therefore, FRA reserves the right to require products that have been
incrementally changed in this manner to comply with the requirements of
this subpart. Prior to FRA making such a determination, the affected
railroad will be allowed to present detailed technical evidence why
such a determination should not be made. This provision mirrors
paragraph (d) of existing Sec. 236.911.
Proposed paragraph (c) addresses the integration of train control
systems with other locomotive electronic control systems. The earliest
train control systems were electro-mechanical systems that were
independent of the discrete pneumatic and mechanical control systems
used by the locomotive engineer for normal throttle and braking
functions. Examples of these train control systems included cab signals
and ACS/ATC appliances. These systems included a separate antenna for
interfacing with the track circuit or inductive devices on the wayside.
Their power supply and control logic were separate from other
locomotive functions, and the cab signals were displayed from a
separate special-purpose unit. Penalty brake applications by the train
control system bypassed the locomotive pneumatic and mechanical control
systems to directly operate a valve that accomplished a service
reduction of brake pipe pressure and application of the brakes as well
as reduction in locomotive tractive power. In keeping with this
physical and functional separation, train control equipment on board a
locomotive came under part 236, rather than the locomotive inspection
requirements of part 229.
Advances in hardware and software technology have allowed the
various PTC systems' and components' original equipment manufacturers
(OEMs) to repackage individual components, eliminating parts and access
to system function control points. Access to control functions became
increasingly restricted to the processor interfaces using proprietary
software. While this resulted in significant simplification of the
previously complex discrete pneumatic and mechanical train and
locomotive control systems into fewer, more compact and reliable
devices, it also created significant challenges with respect to
compatibility of the application programs and configuration management.
FRA encourages such enhancements, and believes that, if properly done,
they can result in significant safety, as well as operational, improvements.
Locomotive manufacturers can certainly provide secure locomotive and
train controls, and it is important that they do so if locomotives are
to function safely in their normal service environment. FRA highly
encourages the long-term goal of common platform integration. However,
when such an integration occurs, it must not be done at the expense of
decreasing the safe and reliable operation of the train control
system. Accordingly, FRA expects that the complete integrated system
will be shown to have been designed to fail-safe principles, and then
demonstrated to operate in a fail-safe mode. Any
commingled system must have a manual fail-safe fallback that allows
the engineer to be brought to a safe stop in the event of an electronic
system failure. This analysis must be provided to FRA for approval in
the PTCDP and PTCSP as appropriate. This provision mirrors the
heightened scrutiny called for by Sec. 236.913(c) of subpart H for
commingled systems, but is more explicit with respect to FRA's
expectations. The provision in general accords with the requirements
for locomotive systems that are currently under development in the
RSAC's Locomotive Safety Standards Working Group.
Finally, proposed paragraph (d) clarifies the application of
subparts A through H to products excluded from compliance with subpart I. These
products are excluded from the requirements of subpart I, but FRA
expects that the developing activity demonstrates compliance of
products with subparts A through H. FRA believes that railroads not
mandated to implement PTC, or that are implementing other
non-PTC-related processor-based products, should be given the option to have
those products approved under subpart H by submitting a PSP and
otherwise complying with subpart H or voluntarily complying with
subpart I. This provision mirrors Sec. 236.911(e) of subpart H.
Section 236.1029 PTC System Use and En Route Failures
This section proposes minimum requirements, in addition to those
found in the PTC system's plans, for each PTC system with a PTC System
Certification. Railroads are allowed, and encouraged, to adopt more
restrictive rules that increase safety.
Paragraph (a) proposes to require that, in the event of the failure
of a component essential to the safety of a PTC system to perform as
intended, the cause be identified and corrective action taken without
undue delay. The paragraph also requires that until the corrective
action is completed, the railroad is required, at a minimum, to take the
appropriate measures, including those specified in the PTCSP, to assure
the safety of train movements, roadway workers, and on-track equipment.
This proposed requirement mirrors current requirements of Sec. 236.11,
which applies to all signal and train control system components. Under
proposed paragraph (a), FRA intends to apply to PTC systems provided
PTC System Certification under subpart I the same standard in current
Sec. 236.11.
Paragraph (b) addresses the circumstance where a PTC onboard
apparatus on a lead locomotive that is operating in or is to be
operated within a PTC system fails or is otherwise cut-out while en
route. Under proposed paragraph (b), the subject train may only
continue such operations in accordance with specific limitations. An en
route failure applies only where the subject train
has departed its initial terminal, having had a successful
initialization, and has subsequently been rendered no longer responsive to
the PTC system. For example, FRA believes that an en route failure may
occur when the PTC onboard apparatus incurs an onboard fault or is
otherwise cut out.
Under subpart H, existing Sec. 236.567 provides specific
limitations on each train failing en route in relation to its
applicable automatic cab signal, train stop, and train control system.
FRA believes that it would be desirable to impose somewhat more
restrictive conditions given the statutory mandate and the desire to
have an appropriate incentive to properly maintain the equipment and to
timely respond to en route failures. For instance, FRA recognizes that
the limitations of Sec. 236.567 do not account for the statutory
mandates of the core PTC safety functions. However, during the PTC
Working Group meetings, no consensus was reached on how to regulate en
route failures on PTC territory. Nevertheless, proposed Sec. 236.1029,
and in particular proposed paragraph (b), is purposefully intended to
parallel the limitations contained in Sec. 236.567. In other words,
FRA intends that Sec. 236.567 and proposed paragraph (b) of Sec.
236.1029 share the common purpose of maintaining a level of safety
generally in accord with that expected with the train control system
fully functional. This is accomplished by requiring supplementary
procedures to heighten awareness and provide operational control
(limiting the frequency of unsafe events) and by restricting the speed
of the failed train (reducing the potential severity of any unsafe
event).
Paragraph (b)(1) proposes to allow the subject train to proceed at
restricted speed--or at medium speed if a block signal system is in
operation according to signal indication--to the next available point
where communication of a report can be made to a designated railroad
officer of the host railroad. The intent of this requirement is to
ensure that the occurrence of an en route failure may be appropriately
recorded and that the necessary alternative protection of absolute
block is established.
After a report is made in accordance with paragraph (b)(1), or made
electronically and immediately by the PTC system itself, paragraph
(b)(2) proposes to allow the train to continue to a point where an
absolute block can be established in advance of the train in accordance
with the limitations that follow in paragraphs (b)(2)(i) and (ii).
Paragraph (b)(2)(i) proposes to require that where no block signal
system is in use, the train may proceed at restricted speed.
Alternatively, under proposed paragraph (b)(2)(ii), the train may
proceed at a speed not to exceed medium speed where a block signal
system is in operation according to signal indication.
Paragraph (b)(3) proposes to require that, upon the subject train
reaching the location where an absolute block has been established in
advance of the train, the train may proceed in accordance with the
limitations that follow in paragraphs (b)(3)(i), (ii), or (iii).
Proposed paragraph (b)(3)(i) requires that where no block signal system
is in use, the train may proceed at medium speed; however, if the
involved train is one that meets the criteria requiring
PTC system installation (i.e., a passenger train or a train hauling any
amount of PIH material), it may only proceed at a speed not to exceed
30 miles per hour. Paragraph (b)(3)(ii) requires that where a block
signal system is in use, a passenger train may proceed at a speed not
to exceed 59 miles per hour and a freight train may proceed at a speed
not to exceed 49 miles per hour. Paragraph (b)(3)(iii) requires that
except as provided in paragraph (c), where a cab signal system with an
automatic train control system is in operation, the train may proceed
at a speed not to exceed 79 miles per hour.
Paragraph (c) requires that, in order for a PTC train that operates
at a speed above 90 miles per hour to deviate from the operating
limitations contained in paragraph (b) of this section, the deviation
must be described and justified in the FRA approved PTCDP or PTCSP, or
the Order of Particular Applicability, as applicable.
Paragraph (d) proposes to require that the railroad operate its PTC
system within the design and operational parameters specified in the
PTCDP and PTCSP. Railroads will not exceed maximum volumes, speeds, or
any other parameter provided for in the PTCDP or PTCSP. On the other
hand, a PTCDP or PTCSP could be based upon speed or volume parameters
that are broader than the intended initial application, so long as the
full range of sensitivity analyses is included in the supporting risk
assessment. FRA feels this requirement will help ensure that
comprehensive product risk assessments are performed before products
are implemented.
Paragraph (e) sets forth the requirement that any testing of the
PTC system must not interfere with its normal safety-critical
functioning, unless an exception is obtained pursuant to 49 CFR
236.1035, where special conditions have been established to protect the
safety of the public and the train crew. Otherwise, paragraph (e)
requires that each railroad ensure that the integrity of the PTC system
is not compromised, by prohibiting interference with the normal
functioning of the system, whether by testing or otherwise, without first
taking measures to provide for the safety of train movements, roadway
workers, and
[[Page 35997]]
on-track equipment that depend on the normal safety-critical
functioning of the system. This provision parallels current Sec.
236.4, which applies to all systems. By requiring this paragraph, FRA
also intends to clarify that the standard in current Sec. 236.4 also
applies to subpart I PTC systems.
Paragraph (f) proposes to require that each member of the operating
crew has appropriate access to the information and functions necessary
to perform his or her job safely when products are implemented and used
in revenue service. Where two-person crews are employed, availability
of a screen and any needed function keys will enable the second crew
person to carry out PTC onboard computer-related activities without
distracting the locomotive engineer from maintaining situational
awareness of activities outside the locomotive cab. FRA's existing
regulation for train control in Sec. 236.515 requires that the cab
signal display be clearly visible to each member of the crew. FRA
believes the decision to operate with one PTC screen, only accessible
to the engineer, can only be made after careful analysis of the human
factor implications, the associated risks, and the sensitivity of the
safety analysis that is used to potentially justify the decision. FRA
notes that the principles of crew resource management and current crew
briefing practices in the railroad industry require that all members of
a functioning team (e.g., engineer, conductor, dispatcher, roadway
worker in charge) have all relevant information available to facilitate
constructive interactions and permit incipient errors to be caught and
corrected. Retaining and reinforcing this level of cooperation will be
particularly crucial during the early PTC implementation as errors in
train consist information, errors generated in on-board processing,
delays in delivery of safety warnings due to radio frequency
congestion, and occasional errors in dispatching challenge the
integrity of PTC systems even as the normal reliability of day-to-day
functioning supports reductions in vigilance. Loss of crew cooperation
could easily spill over to other functions, including switching
operations and management of emergency situations.
This issue was the subject of significant disagreement within the
PTC Working Group. FRA appreciates the views of those who suggest that
the cost of additional displays is not warranted and the argument that,
where there is an additional crew member assigned, no value may be
added by isolating the second crew member from potentially corrupted
information communicated from the PTC display. However, FRA believes
that there is a strong likelihood that railroads will at some point in
the future seek to deliver electronically all mandatory directives from
the dispatcher to the PTC onboard apparatus, obviating the need for
oral transmission. When this occurs, FRA believes that having a second
crew member involved in receipt and confirmation of the authority will
be useful to verify situational appropriateness and avoid information
overload of the locomotive engineer.
Section 236.1031 Previously Approved PTC Systems
FRA recognizes that substantial effort has been voluntarily
undertaken by the railroads to develop, test, and deploy PTC systems
prior to the passage of the RSIA08, and that some of the PTC systems
have accumulated a significant history of safe and reliable operations.
In order to facilitate the ability of the railroads to leverage the
results of PTC design, development, and implementation efforts that
have previously been approved or recognized by FRA prior to the
adoption of this subpart, FRA is proposing an expedited certification
process in this section.
Under proposed paragraph (a), each railroad that has a PTC system
that may qualify for expedited treatment would have to submit a Request
for Expedited Certification (REC) letter. Products that have not
received approval under the subpart H, or that have not been previously
recognized by FRA, would be ineligible. The REC letter may be jointly
submitted by PTC railroads and suppliers as long as there is at least
one PTC railroad. A PTC system may qualify for expedited certification
if it fulfills at least one of the descriptions proposed in paragraphs
(a)(1) through (a)(3). While these descriptions are objective in
nature, FRA intends them to cover ETMS, ITCS, and ACSES, respectively.
Proposed paragraph (a)(1) applies to systems that have been
recognized or approved by FRA after submission of a product safety plan
(PSP) in accordance with subpart H. Subpart I generally reflects the
same criteria required for a PSP under subpart H. Thus, FRA believes
that most of the PTCDP and PTCSP requirements in subpart I can be
fulfilled with the submission of the existing and approved PSP.
However, FRA notes that the subject railroad will also need to submit
the information required in a PTCDP and PTCSP that is not in the
current PSP.
FRA also recognizes that certain PTC systems may currently operate
in revenue service with FRA approval through the issuance of a waiver
or order. Proposed paragraphs (a)(2) and (a)(3) are intended to cover those
systems.
If a PTC system complying with paragraph (a)(1) is provided
expedited certification, the system plans should ultimately match the
criteria required for each PTCDP and PTCSP. As previously noted, a
railroad may seek to use a PTC system that has already received a Type
Approval. To extend this benefit as it applies to previously used
systems for which expedited certification is provided, paragraph (b)
proposes to give the Associate Administrator the ability to provide a
Type Approval to systems receiving expedited certification in
accordance with paragraph (a)(1).
FRA recognizes that certain systems eligible for expedited
certification may not entirely comply with the subsequently issued
statutory mandate. Accordingly, under paragraph (c), FRA is compelled
to propose that before any Type Approval or expedited certification may
be provided, the PTC system must be shown to reliably execute the same
functionalities as every other PTC system required by subpart I.
Nothing in this abbreviated process should be construed as implying the
automatic granting by FRA of a Type Approval or PTC System
Certification. Each expedited request for a Type Approval or PTC System
Certification must be submitted by the railroad under this abbreviated
process and, as required under subpart I, must demonstrate that the
system reliably enforces positive train separation and prevents
overspeed derailments, incursions into roadway worker zones, and
movements through misaligned switches.
Under proposed paragraph (d), FRA encourages railroads, to the
maximum extent possible, to use proven service history data to support
their requests for Type Approval and PTC System Certification. While
proven service history cannot be considered a complete replacement for
an engineering analysis of the risks and mitigations associated with a
PTC product, it lends great credibility to the accuracy of the
engineering analysis. Testing and operation can only show the absence
or mitigation of a particular failure mode, and FRA believes that there
will always be some failure modes that may only be determined through
analysis. Due to this inherent limitation associated with testing and
operation, FRA strongly encourages the railroads to also submit
any available analysis or information.
Paragraph (e) proposes that, to the extent that the PTC system
proposed for implementation under this subpart is different in
significant detail from the
[[Page 35998]]
system previously approved or recognized, the changes shall be fully
analyzed in the PTCDP or PTCSP as would be the case absent prior
approval or recognition. FRA understands that the PTC product for which
expedited Type Approval and PTC System Certification is sought may
differ in terms of functionality or implementation from the PTC product
previously approved or recognized by FRA. In such a case, the service
history and analysis may not align directly with the new variant of the
product. Similarly, the available service history and analysis
associated with a PTC product may be inconclusive about the reliability
of a particular function. It is because of these possible situations
that FRA cannot unequivocally promise that all requests for expedited
Type Approval and PTC System Certification submitted by a railroad
under this subpart will be automatically granted. FRA will, however,
apply the available service history and analytical data as credible
evidence to the maximum extent possible. FRA believes that this still
greatly simplifies each railroad's task in making its safety case,
since the additional testing and analysis required need only address
those areas for which credible evidence is insufficient. To reduce the
overall level of financial resources and effort necessary to obtain
sufficient credible evidence to support the claims being made for the
safety performance of the product, FRA also encourages each railroad to
share with other railroads a system's service history and the results
of any analysis, even in the case where the shared information does not
fully support a particular railroad's safety analysis.
Proposed paragraph (f) defines terms used only in this section.
``Approved'' refers to approval of a Product Safety Plan under subpart
H. As this NPRM was being prepared, only BNSF Railway's ETMS
Configuration I had been so approved, but other systems were under
development. ``Recognized'' refers to official action permitting a
system to be implemented for control of train operations under an order
or waiver, after review of safety case documentation for the
implementation. As this NPRM was being prepared, only ACSES I had been
recognized under an order of particular applicability, and ACSES II was
under review for potential approval. Only one system, the ITCS in place
on Amtrak's Michigan line, had been approved for unrestricted revenue
service under waiver.
FRA was unable to fashion an outright ``grandfathering'' of
equipment previously used in transit and foreign service. FRA does not
have the same degree of direct access to the service history of these
systems. Transit systems--except those that are connected to the
general railroad system--are not directly regulated by FRA. FRA has had
limited positive experience eliciting safety documentation from foreign
authorities, particularly given the influence of national industrial
policies.
However, FRA believes that, while complete exclusion may not be
available in those circumstances, procedural simplification may be
possible. FRA is considering a procedure under which the railroad and
supplier could establish safety performance at the highest level of
analysis for the particular product, relying in part on experience in
the other service environments and showing why similar performance
should be expected in the U.S. environment. Foreign signal suppliers
should be in a good position to marshal service histories for these
products and present them as part of the railroad's PTCSP. For any
change, the applicant must provide additional information that will
enable FRA to make an informed decision regarding the potential impact
of the change on safety. This information must include, but is not
limited to, the following: (1) A detailed description of the change;
(2) a detailed description of the hardware and software impacted by the
change; (3) a detailed description of any new functional data flows
resulting from the change; (4) the results of the analysis used to
verify that the change did not introduce any new safety risks or, if
the change did introduce any new safety risks, a detailed description
of the new safety risks and the associated risk mitigation actions
taken; (5) the results of the tests used to verify and validate the
correct functionality of the product after the change has been made;
(6) a detailed description of any required modifications in the
railroad training plan that are necessary for continued safe operation
of the product after the change; and (7) a detailed description of any
new test equipment and maintenance procedures required for the
continued safe operation of the product. FRA requests comment on
whether and in what way these concepts might be captured in the final
rule.
In the same vein, paragraph (g) encourages re-use of safety case
documentation previously reviewed, whether under subpart H or subpart
I.
Section 236.1033 Communications and Security Requirements
Subpart I proposes specific communications security requirements
for PTC system messages. Proposed Sec. 236.1033 originated from the
radio and communications task force within the PTC Working Group. The
objectives of the proposal are to ensure data integrity and
authentication for communications with and within a PTC system.
In data communications, ``cleartext'' is a message or data in a
form that is immediately comprehensible to a human being without
additional processing. In particular, it implies that this message is
transferred or stored without cryptographic protection. It is related
to, but not entirely equivalent to, the term ``plaintext.'' Formally,
plaintext is information that is fed as an input to a cryptographic
process, while ``ciphertext'' is what comes out of that process.
Plaintext might be compressed, encrypted, or otherwise manipulated
before the cryptographic process is applied, so it is quite common to
find plaintext that is not cleartext. Cleartext material is sometimes
in plain text form, meaning a sequence of characters without
formatting, but this is not strictly required. The security
requirements proposed in this document are consistent with the
Department of Homeland Security (DHS) guidance for SCADA systems and
the National Institute of Standards and Technology guidance. FRA has
coordinated this proposal with DHS.
Proposed paragraph (a) establishes the requirement for message
integrity and authentication. Integrity is the assurance that data is
consistent and correct. Generally speaking, in cryptography and
information security, integrity refers to the validity of data.
Integrity can be compromised through malicious altering--such as an
attacker altering an account number in a bank transaction, or forgery
of an identity document--or accidental altering--such as a transmission
error, or a hard disk crash. A level of data integrity can be achieved
by mechanisms such as parity bits and Cyclic Redundancy Codes (CRCs).
Such techniques, however, are designed only to detect some proportion
of accidental bit errors; they are powerless to thwart deliberate data
manipulation by a determined adversary whose goal is to modify the
content of the data for his or her own gain. To protect data against
this sort of attack, cryptographic techniques are required. Thus,
appropriate algorithms and keys must be employed and commonly
understood between the entity wanting to provide data integrity and the
entity wanting to be assured of data integrity.
Authentication is the act of establishing or confirming something
(or someone) as authentic. Various systems have been invented to
provide a means
[[Page 35999]]
for readers to reliably authenticate the sender. In any event, the
communication must be properly protected; otherwise, an eavesdropper
can simply copy the relevant data and later replay it, thereby
successfully masquerading as the original, legitimate entity.
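The contrast drawn above between CRCs and cryptographic integrity, together with the replay concern, can be seen in a short added example (it is not part of the proposed rule or of any PTC specification). It assumes HMAC-SHA-256 as the keyed integrity mechanism and a monotonically increasing sequence number for replay detection; the key, the messages, and all names are constructed for illustration, with the messages modeled on the bank-transaction case mentioned above.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed sample values for illustration only.
SHARED_KEY = bytes(range(32))            # 256-bit key held by both ends
GENUINE = b"PAY acct=1001 amount=50"     # bank-transaction style message
ALTERED = b"PAY acct=9999 amount=50"     # same message, account number changed
SEQ_LEN = 8                              # 64-bit sequence number
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA-256 tag


def crc_frame(payload: bytes) -> bytes:
    """Append a CRC-32. No secret is involved, so anyone can compute it."""
    return payload + struct.pack(">I", zlib.crc32(payload))


def crc_ok(frame: bytes) -> bool:
    """Receiver-side CRC check: catches accidental corruption only."""
    payload, (crc,) = frame[:-4], struct.unpack(">I", frame[-4:])
    return zlib.crc32(payload) == crc


def mac_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = sequence number || payload || HMAC over both."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies the tag first, then rejects sequence numbers already seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return ("too-short", None)
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; a frame with a bad tag never
        # reaches the sequence check or changes receiver state.
        if not hmac.compare_digest(tag, expected):
            return ("bad-mac", None)
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            return ("replay", None)
        self.last_seq = seq
        return ("ok", payload)


def demo() -> dict:
    results = {}

    # Accidental error: one flipped bit is caught by the CRC.
    noisy = bytearray(crc_frame(GENUINE))
    noisy[5] ^= 0x04
    results["crc_catches_bit_error"] = not crc_ok(bytes(noisy))

    # Deliberate change: the CRC is simply recomputed over the new
    # content, so the check passes and tells the receiver nothing.
    results["crc_accepts_altered"] = crc_ok(crc_frame(ALTERED))

    rx = Receiver(SHARED_KEY)
    genuine = mac_frame(SHARED_KEY, 1, GENUINE)

    # Changed payload carrying the old tag: rejected without the key.
    spliced = genuine[:SEQ_LEN] + ALTERED + genuine[-TAG_LEN:]
    results["mac_altered"] = rx.accept(spliced)[0]

    # Genuine frame is accepted once; an exact copy sent later is refused.
    results["mac_genuine"] = rx.accept(genuine)
    results["mac_replayed"] = rx.accept(genuine)[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The replayed frame carries a valid tag, which is why the receiver needs state (here the last accepted sequence number) in addition to the integrity check.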
Sender authentication typically finds application in two primary
contexts. Entity identification serves simply to identify the specific
entity involved, essentially in isolation from any other activity that
the entity might want to perform. The second context is data origin
identification, which identifies a specific entity as the source or
origin of a given piece of data. This is not entity identification in
isolation, nor is it entity identification for the explicit purpose of
enabling some other activity. Rather, this is identification with the
intent of statically and irrevocably binding the identified entity to
some particular data, regardless of any subsequent activities in which
the entity might engage. Cryptographically based signatures provide
nearly irrefutable evidence that can be used subsequently to prove to a
third party that this entity did originate--or at least possess--the
data.
Proposed paragraph (b)(1) requires that cryptographic algorithms
and keys used to establish integrity and authenticity be approved by
either the National Institute of Standards and Technology (NIST) or a
similar standards organization acceptable to FRA. As a practical matter, cryptographic
algorithms can be believed secure by competent, experienced, practicing
cryptographers. This requires that the algorithms be publicly known and
have been seriously studied by working cryptographers. Algorithms that
have been approved by NIST (or similar standards bodies) can be assured
of being both publicly known and seriously studied.
Proposed paragraph (b)(2) allows the use of either manual or
automated means to distribute keys. Key distribution is the most
important component in secure transmissions. The general key
distribution problem refers to the task of distributing keys between
communicating parties to provide the required security properties.
Frequent key changes are usually desirable to limit the amount of data
compromised if an attacker learns the key. Therefore, the strength of
any cryptographic system rests with the key distribution technique, a
term that refers to the means of delivering a key to two parties that
wish to exchange data without allowing others to see the key. Key
distribution can be achieved in a number of ways. There are various
combinations by which a key can be selected manually or by automated
means among one or multiple parties.
Proposed paragraph (b)(3) establishes the conditions under which
cryptographic keys must be revoked. Paragraph (b)(3)(i) addresses the
situation when a key has actually been found to have been compromised
and when the possibility of key compromise exists. Cryptographic
algorithms are part of the foundations of the security house, and any
house with weak foundations will collapse. Adequate procedures should
be foreseen to take an algorithm out of service or to upgrade an
algorithm which has been used beyond its lifetime.
Proposed paragraph (d) addresses physical protection as applied to
cryptographic equipment. Compliance does not necessitate locking
devices within mechanical safes or enclosing their electronics within
thick steel or concrete shields (i.e. making them tamper-proof).
Compliance does, however, involve using sound design practices to
construct a system capable of attack detection by a comprehensive range
of sensors (i.e. tamper resistant). The level of physical security
suggested should be such that unauthorized attempts at access or use
will either be unsuccessful or will have a high probability of being
detected during or after the event. Additionally, the cryptographic
equipment should be prominently situated in operation so that its
condition (outward appearance, indicators, controls, etc.) is easily
visible to minimize the possibility of undetected penetration. In any
system containing detection and destruction methods as described here,
there is naturally a cost penalty for providing very high levels of
tamper resistance, due to construction and test requirements by the
manufacturer. It is naturally important to analyze the risks of key
disclosure against cost of protection and specify a suitable
implementation.
Confidentiality has been defined by the International Organization
for Standardization (ISO) as ``ensuring that information is accessible
only to those authorized to have access.'' Confidentiality, integrity,
and authentication all rely on the same basic cryptographic
primitives--algorithms with basic cryptographic properties--and their
relationship to other cryptographic problems. These primitives provide
fundamental properties, which guarantee one or more of the high-level
security properties. In proposed paragraph (e)(1), FRA makes it clear
that while providing for confidentiality of message data is not a
regulatory requirement, if a railroad elects to implement
confidentiality, the same protection mechanisms applicable to the
cryptographic primitives that support integrity and authentication must
also be provided for the cryptographic primitives that support
confidentiality.
It is only the difficulty of obtaining the key that determines
security of the system, provided that there is no analytic attack
(i.e., a ``structural weakness'' in the algorithms or protocols used),
and assuming that the key is not otherwise available (such as via
theft, extortion, or compromise of computer systems). A key should
therefore be large enough that a brute force attack (possible against
any encryption algorithm) is infeasible, that is, the attack would take
too long to execute. Under information theory, to achieve perfect
secrecy, it is necessary for the key length to be at least as large as
the message to be transmitted and only used once (this algorithm is
called the one-time pad). In light of this, and the practical
difficulty of managing such long keys, modern cryptographic practice
has discarded the notion of perfect secrecy as a requirement for
encryption, and instead focuses on computational security. Under this
definition, the computational requirements of breaking an encrypted
text must be infeasible for an attacker. Paragraph (e)(2) proposes to
require that in the event that a railroad elects to implement
confidentiality, the chosen key length should provide the appropriate
level of computational complexity to protect the information being
protected, and that this information be included in the PTCSP. Both
academic and private organizations provide recommendations and
mathematical formulas to approximate the minimum key size requirement
for security based on mathematical attacks; they generally do not take
algorithmic attacks, hardware flaws, or other such issues into account.
Key management--the process of handling and controlling
cryptographic keys and associated material during their life cycle in a
cryptographic system--includes ordering, generating, distributing,
storing, loading, escrowing, archiving, auditing, and destroying the
different types of material. Paragraph (e) proposes to require that
cleartext stored cryptographic keys be protected from unauthorized
disclosure, modification, or substitution. During key management,
however, it may be necessary to validate the accuracy of the key being
entered, especially in cases where the key management process is being
done manually. During the key
[[Page 36000]]
entry process, keys not encrypted to protect against disclosures may be
temporarily displayed to allow visual verification. However, if the key
has been encrypted to protect against disclosure, then the cleartext
version of the key may not be displayed. This does not, however,
preclude the display of the encrypted version of the key.
In proposed paragraph (f), FRA requires that each railroad
implement a service restoration and mitigation plan to address restoral
of communications services in the event of their loss or disruption and
to make this plan available to FRA. Loss of communications services
reduces or eliminates the effectiveness of a PTC system and FRA
requires that these critical safety systems, once implemented, are
restored to operation as soon as practical. FRA believes that the
restoration plan must include testing and validating the plan,
communicating the plan, and validating backup and restoration
operations.
To ensure that these or any other procedures work in the railroad's
operational environment, the railroad must validate each procedure
intended for implementation. The backup and restoration plan should
clearly describe who is to implement procedures and how they are to do
it. The primary information to be communicated includes: the team or
person (specified as an individual or a role) that is responsible for
determining when restoration of service is required and the procedures
to be used to restore service, as well as the team or person
responsible for implementing procedures for each restoration scenario;
the criteria for determining which restoration procedures are most
appropriate for a specific situation; the time estimates for
restoration of service in each restoration scenario; the restoration
procedures to be used, including the tools required to complete each
procedure; and the information required to restore data and settings.
Finally, paragraph (g) is proposed to make clear that railroads are
permitted to implement more restrictive security requirements provided
the requirements do not adversely impact the interoperability.
Section 236.1035 Field Testing Requirements
Initial field or subsequent regression testing of a PTC product on
the general rail system is often required before the product has been
certified in order to obtain data to support the safety case presented
in the PTCSP. To ensure the safety of the public and train crews, prior
FRA approval is required to conduct test operations on the general rail
system. This paragraph proposes an alternative to the waiver process
when only part 236 regulations are involved. When regulations
concerning track safety or grade crossing safety, or operational rules,
are involved, however, this process would not be available. Such
testing may also implicate other safety issues, including adequacy of
warning at highway-rail crossings (including part 234 compliance),
qualification of passenger equipment (part 238), sufficiency of the
track structure to support higher speeds or unbalance (part 213), and a
variety of other safety issues, not all of which can be anticipated in
any special approval procedure. Approval under this part for testing
does not grant relief from other parts of this title and the railroads
must still apply for relief from the non-part 236 regulations under the
discrete special approval sections of those regulations, the provisions
of part 211 related to waivers, or both.
The information required for this filing is described in proposed
paragraphs 236.1035(a)(1) through (a)(7). This information is necessary
in order for FRA to make informed decisions regarding the safety of
testing operations. FRA would prefer that the informational filings to
test under this part be accompanied by any requests for relief from
non-part 236 regulations so that they may be considered as a whole.
Proposed paragraph (b) provides notification that FRA may--based on
the results of the review of the information provided in paragraph (a)
and in order to provide additional oversight to ensure the safety of
rail operations--impose special conditions on the execution of the
testing, including the appointment of a FRA test monitor. When a test
monitor is appointed, he or she has the authority to stop testing if
unsafe conditions arise, require additional tests as necessary to
demonstrate the safe operation of the system, or have tests rerun when
the results are in question.
Paragraph (c) reemphasizes the earlier discussion that either
temporary or permanent requests for relief for other than requirements
of part 236 must be submitted in accordance with the waiver processes
specified by part 211.
Sections 236.1037 Through 236.1049
In subpart H, Sec. Sec. 236.917 through 236.929 contain various
requirements that involve PSPs. FRA believes that these requirements
should apply equally to PTC systems governed by subpart I. FRA has
included proposed Sec. Sec. 236.1037 to 236.1049 to inform interested
parties how these elements would apply. FRA intends that the meanings
of those sections in subpart H, as described in the preamble to its
proposed and final rules, would also apply equally in the context of
this proposal. While FRA has considered amending these sections in
subpart H to incorporate references to subpart I, FRA believes such an
attempt and its results would be cumbersome and awkward. Thus, FRA has
included the provisions in proposed subpart I for clarity. FRA seeks
comments on this issue.
Appendix B to Part 236--Risk Assessment Criteria
FRA proposes modifying Appendix B of part 236 to enhance the
language for risk assessment criteria in light of experience gained
during the initial stage of PTC system implementation under subpart H
and to accommodate the requirements of subpart I regulating the use of
mandatory PTC systems. As modified, Appendix B will modify certain
headings and incorporate new language in paragraphs (a) through (h).
Paragraph (a) reflects the change in the required length of time
over which the system's risk must be computed. FRA replaces the
requirement to assess risk for the system ``over the life-cycle of 25
years or greater'' with the requirement to assess risk ``over the
designed life-cycle of the product.'' FRA believes that the proposed
language is consistent with the preamble discussion of the subpart H
final rule inasmuch as it does not specify the length of a system's
life cycle, thereby providing flexibility for new processor-based
systems to have a life cycle other than 25 years.
FRA proposes to modify paragraph (b) only to clarify FRA's intent.
FRA proposes to modify the heading and content of paragraph (c) to
better identify the main purpose of this requirement and to ensure its
consistency with the associated requirements of Sec. Sec. 236.909(c)
and (d). FRA believes that current paragraph (c) and its heading do not
fully support or clarify the main intent of subpart H, which requires
that the total cost of hazardous events should be the risk measure for
a full risk assessment and that the mean time to hazardous event
(MTTHE) calculations for all hazardous events should be the risk
measure for the abbreviated risk assessment. The existing subpart H
text asks for both the base case and the proposed case to be expressed
in the same metrics. Paragraph (c) of this appendix, as currently
written, does not fully reflect FRA's intent that the same risk metric
is to be used in the risk assessment for both the previous and current
[[Page 36001]]
conditions (see Sec. 236.913(g)(2)(vii)). FRA believes that the revised
title of this paragraph poses the right question and that its new
language provides better guidance on how to perform risk assessment for
previous and current conditions.
FRA proposes to modify the heading and text of paragraph (d) to
create a comprehensive and detailed list of system characteristics that
must be included in the risk assessment for each proposed PTC system
subject to requirements of subpart H or subpart I, or both, as
applicable. FRA believes that the extended description of system
characteristics better suits the risk assessment requirements of
subpart H and subpart I. For example, the proposed revisions clarify
that the risk assessment must account for the total volume of traffic,
the type of transported freight materials (PIH, PIH), and any
additional requirements for PTC systems with trains operating at
certain speeds.
FRA proposes to modify paragraph (e) to clarify its intent and
reflect the industry's experience in risk assessment techniques gained
during the initial stage of PTC system implementation under subpart H.
In the proposed language of paragraph (e), FRA provides more specific
guidance on how to derive the main risk characteristics, MTTHE, and
what role reliability and availability parameters, such as mean time to
failure (MTTF) or mean time between failures (MTBF), for different
system components can play while assessing risk for vital and non-vital
hardware or software components of the system. FRA emphasizes that it
is critical that each railroad and its vendors include the software
failure rates into risk assessments for the system. FRA also finds it
necessary to advise each railroad and its vendors to include
reliability and availability characteristics, such as MTTF or MTBF,
into its risk assessment to account for potential system exposure to
hazards during system failures or malfunctioning when the system
operates in its fall back mode--the back-up operation, as described in
the PTCSP, when the PTC system fails to operate.
FRA believes that the proposed modifications to paragraph (e) more
accurately address the industry's need for clarity in interpretation
and execution of the requirements related to risk assessment.
FRA proposes to modify paragraph (f)(2) to reflect FRA's
understanding that a software failure analysis may not necessarily be
based on MTTHE ``Verification and Validation'' processes and that MTTHE
characteristics cannot be easily obtained for the system software
components. Therefore, the proposed modification intends to outline the
significance of detailed software fault/failure analysis and software
testing to demonstrate repeatable predictive results that all software
defects are identified and corrected.
FRA proposes to modify paragraph (g) to clarify that MTTHE
calculations should account for the restoration time after system or
component failure and that the system design must be assessed for
adequacy through the Verification and Validation process.
FRA proposes to modify paragraph (h) to emphasize the need to
document all assumptions made during the risk assessment process. FRA
believes that the assumptions should be documented while deriving the
total cost of potential accident consequences for full risk assessment
or MTTHE values for abbreviated risk assessment, rather than only
documenting assumptions for other intermediate parameters, such as MTTF
and MTTR, as currently required. These two referenced parameters may or
may not be relevant for the risk assessment.
Appendix C to Part 236--Safety Assurance Criteria and Processes
FRA proposed to modify Appendix C to Part 236 to enhance and
clarify its language, re-organize the existing list of safe system
design principles in accordance with the well established models of
system safety engineering, and augment the list of safe system design
principles with the principles related to safe system software design.
A safe state is a system configuration that the system defaults to in
the event of a fault or failure or when unacceptable or dangerous
conditions are detected. The safe state is a state of the process
operation where the hazardous event cannot occur. Paragraph (a), as
proposed, is revised to reflect the main purpose of this appendix in
clear, accurate, and consistent language that will be repeatedly used
throughout the appendix. It also outlines that the requirements of this
appendix will be applicable to each railroad's PTCIP and PTCSP, as
required by subpart I.
Paragraph (b), as proposed, is modified and restructured to
consistently present a complete list of safety assurance principles
properly classified or categorized in accordance with well established
system safety engineering principles that need to be followed by the
designer of the system to assure that all system components perform
safely under normal operating conditions and under failures, accounting
for human factor impacts, external influencing, and procedures and
policies related to maintenance, repair, and modification of the
system. FRA also proposes adding language indicating that these
principles must also be applicable to PTC systems designed and
implemented under the requirements of subpart I. FRA's intent in
promulgating Appendix C was to ensure that safety principles are
followed during the design stage and that Verification and Validation
methods are used to assure that the product meets the safety criteria
established in Sec. 236.909. The heading of this paragraph and its
subparagraphs are changed to more adequately and precisely capture this
paragraph's purpose. For instance, FRA proposes to modify the heading
of paragraph (b)(1) to better suit the chosen base of classification
for all safety principles under paragraph (b).
Under paragraph (b)(3), FRA proposes to amend the definition of
Closed Loop Principle to reflect its industry accepted definition
provided by the AREMA Manual. FRA believes that the current definition
is too general and does not reflect the essence of the most significant
principles of safe signaling system design.
Under paragraph (b)(4), FRA proposes to add a list of Safety
Assurance Concepts that the designer may consider for implementation to
assure fail-safe system design and operation. These principles are
predominantly applicable for the safe system software design and quoted
from the IEEE-1483 standard. Based on this proposed amendment, FRA also
proposes to renumber some of the remaining subparagraphs of paragraph
(b) to follow the chosen scheme for the proper classification and
sequence of safety principles.
FRA proposes to amend paragraph (c) to reflect the changes in
recommended standards. For instance, the standard ``EN50126: 1999,
Railway Applications: Specification and Demonstration of Reliability,
Availability, Maintainability and Safety'' (RAMS) is superseded by the
standard IEC62278: 2002 under the same title. The standard ``EN50128
(May 2001), Railway Applications: Software for Railway Control and
Protection Systems'' is superseded by the Standard IEC62279: 2002 under
the same title.
Under paragraph (c)(3)(i), FRA references additional IEEE standards
that have become available and will support the designs of PTC systems
that are widely using communications as their main component. In
addition to the existing reference under paragraph (c)(3)(i)(A) for the
IEEE-1483 Standard, the following standards are added to paragraph
(c)(3)(i): IEEE 1474.2-2003,
Standard for user interface requirements in communications based train
control (CBTC) systems; and IEEE 1474.1-2004, Standard for
Communications-Based Train Control (CBTC) Performance and Functional
Requirements.
After an analysis of the current applicability of ATCS
Specification 130 and 140, FRA believes that they are not being used.
Thus, FRA proposes to remove these standards from the list of
referenced standards. However, FRA also proposes to add the ATCS 200,
Data Communication standard that remains relevant for the communication
segment of PTC system designs.
FRA also considers it necessary to reference several additional
sections of the current AREMA 2009 Communications and Signal Manual of
Recommended Practices. In addition to Section 17 of this manual
referenced in a previous version of Appendix C, FRA proposes to add to
the list of references Section 16 Vital Circuit and Software Design;
Section 21 Data Transmission; and Section 23 Communication-Based
Signaling.
VII. Regulatory Impact and Notices
A. Executive Order 12866 and DOT Regulatory Policies and Procedures
This proposed rule has been evaluated in accordance with existing
policies and procedures, and determined to be significant under both
Executive Order 12866 and DOT policies and procedures (44 FR 11034;
Feb. 26, 1979). We have prepared and placed in the docket a regulatory
impact analysis (RIA) addressing the economic impact of this proposed
rule. FRA invites comments on this RIA.
The costs anticipated to accrue from adopting this proposed rule
would include: (1) Costs associated with developing implementation
plans and administrative functions related to the implementation and
operation of PTC systems, including the information technology and
communication systems that make up the central office; (2) hardware
costs for onboard locomotive system components, including installation;
(3) hardware costs for wayside system components, including
installation; and (4) maintenance costs for all system components.
Two types of benefits are expected to result from the
implementation of this proposed rule--benefits from railroad accident
reduction and business benefits from efficiency gains. The first type
would include safety benefits or savings expected to accrue from the
reduction in the number and severity of casualties arising from train
accidents that would occur on lines equipped with PTC systems. Casualty
mitigation estimates are based on a value of statistical life of $6
million. In addition, benefits related to accident preventions would
accrue from a decrease in damages to property such as: Locomotives,
railroad cars, and track; environmental damage; track closures; road
closures; and evacuations. Benefits more difficult to monetize--such as
the avoidance of hazmat accident related costs incurred by Federal,
State, and local governments and impacts to local businesses--will also
result. FRA also expects that once PTC systems are refined, there would
likely be substantial additional business benefits resulting from more
efficient transportation service; however such benefits are not
included because of significant uncertainties regarding whether and
when individual elements will be achieved and given the complicating
factor that some benefits might, absent deployment of PTC, be captured
using alternative technologies at lower cost. FRA requests comments on
whether this proposed regulation exercises the appropriate level of
discretion and flexibility to comply with RSIA08 in the most cost
effective and beneficial manner.
This document presents a 20-year analysis of the costs and benefits
associated with FRA's proposed rule, using both 7 percent and 3 percent
discount rates, and two types of sensitivity analyses. The first is
associated with varying cost assumptions used for estimating PTC
implementation costs. The second takes into account potential business
benefits from realizing service efficiencies and related additional
societal benefits from attainment of environmental goals and an overall
reduction in transportation risk from modal diversion.
The 20-year total cost estimates are $10.00 billion (PV, 7%) and
$13.85 billion (PV, 3%). Annualized costs are $0.95 billion (PV, 7%)
and $0.93 billion (PV, 3%). Using high-cost assumptions, the 20-year
total cost estimates would be $17.12 billion (PV, 7%) and $23.76
billion (PV, 3%). Using low-cost assumptions, the 20-year cost
estimates would be $7.09 billion (PV, 7%) and $9.84 billion (PV, 3%).
The later the expenditures are made, the lower the discounted cost
impact, which in any event is a very small portion of the total PTC
costs.
Twenty-year railroad safety (railroad accident reduction) benefit
estimates associated with implementation of the proposed rule are $608
million (PV, 7%) and $931 million (PV, 3%). Annualized benefits are $57
million (PV, 7%), and $63 million (PV, 3%). Some forecasts predict
significant growth of both passenger and freight transportation
demands, and it is thus possible that greater activity on the system
could present the potential for larger safety benefits than estimated
in this analysis. The presence of a very large PTC-equipped freight
locomotive fleet also supports the opportunity for introduction of new
passenger services of higher quality at less cost to the sponsor of
that service. Information is not presently available to quantify that
benefit.
Total 20-Year Benefits and Discounted Benefits
[At 3% and 7%]
------------------------------------------------------------------------
Discount rate......................             3.00%              7.00%
------------------------------------------------------------------------
Costs:
    Central Office and Development.      $283,025,904       $263,232,675
    Wayside Equipment..............     3,109,098,494      2,586,453,456
    On-Board Equipment.............     1,643,839,209      1,416,706,349
    Maintenance....................     8,812,624,111      5,741,220,231
                                   -------------------------------------
        Total......................    13,848,587,717     10,007,612,712
------------------------------------------------------------------------
Railroad Safety Benefits...........       931,253,681        607,711,640
------------------------------------------------------------------------
The Port Authority Trans Hudson (PATH), a commuter railroad, is
apparently considering the system used by the New York City Transit
Authority on the Canarsie line. This system, which is known as
Communication-Based
Train Control, is not similar in concept to any of the other PTC
systems (including the CSX CBTC, with which its name might easily be
confused), and would not be suitable, as FRA understands the system,
except on a railroad with operating characteristics similar to a heavy
rail mass transit system. FRA believes that, in the absence of the
statutory mandate or this rulemaking, PATH would have adopted PTC for
business reasons.
Although costs associated with implementation of the proposed rule
are significant and such costs would far exceed the benefits, FRA is
constrained by the requirements of RSIA08, which do not provide
latitude for implementing PTC differently. Nevertheless, FRA has
taken several steps to avoid triggering unnecessary costs in the
proposed rule. For instance, FRA is not proposing to require use of
separate monitoring of switch position in signal territory or that the
system be designed to determine the position of the end of the train.
FRA also minimized costs, such as by proposing a requirement to monitor
derails protecting the mainline, but limiting it to derails connected
to the signal system; and by proposing a requirement to monitor hazard
detectors protecting the mainline, but limiting it to hazard detectors
connected to the signal system. FRA also minimized costs related to
diamond crossings, where a PTC equipped railroad crosses a non-PTC
equipped railroad at grade; included exceptions to main track for
passenger train operations, and proposed provisions that would permit
some Class III railroad operation of trains not equipped with PTC over
Class I railroad freight lines equipped with PTC.
RSIA08 requires the railroads to have all mandatory PTC systems
operational on or before December 31, 2015. Members of the PTC Working
Group, especially railroad and supplier representatives, said that the
timeframe was very tight, and that the scheduled implementation dates
would be difficult to meet. In general, the faster a government agency
requires a regulated entity to adopt new equipment or procedures, the
more expensive compliance becomes. In part, this is due to supply
elasticity being less over shorter time periods.
FRA is unable to estimate the potential savings if Congress
provided a longer implementation schedule or provided incentives,
rather than mandates, for PTC system installation. In order to estimate
the likely reduction in costs in such situations, FRA would need to
develop some other schedule for implementation. The element least
sensitive to an implementation's schedule appears to be onboard costs.
Each PTC system's onboard equipment seems similar and is not very
different from existing onboard systems. Further, the 2015 deadline is
not so restrictive that it would cause railroads to pull locomotives
out of service just to install on board PTC equipment. Locomotives must
be inspected thoroughly every 90 and more extensively every 360 days.
The inspections can last from one to several days. Railroads usually
bring locomotives into their shops to perform these inspections, during
which time a skilled and experienced team could install the on board
equipment for PTC. System development is much less certain, and more
time would enable vendors to develop, test, and implement the software
at a more reasonable cost. Wayside costs are also sensitive to the
installation timetable, as the wayside must be mapped and measured, and
then the railroads must install wayside interface units (WIUs). Wayside
mapping and measurement takes a highly skilled workforce. A larger
workforce is necessary to timely implement the required PTC systems in
a shorter amount of time. WIU installation is likely similar to
existing signal or communication systems installation, and is likely to
involve use of existing railroad skilled workers. The shorter the
installation time period, the more work will be done at overtime rates,
which are, of course, higher.
FRA believes that lower costs could result from a longer
installation period, but FRA also believes that the differences in
costs would be within the range of the low costs provided in the main
analysis of the proposed rule. The 2004 report included some lower cost
estimates, but in light of current discussions with railroads, the cost
estimates in the 1998 report seem more accurate. The lower estimates
FRA received in preparing the 2004 report were both overly optimistic,
and excluded installation costs, as well as higher costs which stem
from meeting the performance standards.
Some of the costs of PTC implementation, operation, and maintenance
may be offset by business benefits, especially in the long run,
although there is uncertainty regarding the timing and level of those
benefits. Economic and technical feasibility of the necessary system
refinements and modifications to yield the potential business benefits
has not yet been demonstrated. FRA analyzed business benefits
associated with PTC system implementation and presented its findings in
the 2004 Report. Due to the aggressive implementation schedule for PTC
and the resulting need to issue a rule promptly, FRA has not formally
updated this study. Nevertheless, FRA believes that there is
opportunity for significant business benefits to accrue several years
after implementation once the systems have been refined to the degree
necessary. Thus, FRA conducted a sensitivity analysis of potential
business benefits based on the 2004 Report.
The 2004 Report included business benefits from improved or
enhanced locomotive diagnostics, fuel savings attributable to train
pacing, precision dispatch, and capacity enhancement. Although
railroads are enhancing locomotive diagnostics using other
technologies, FRA believes that PTC could provide the basis for
significant gains in the other three areas.
In the years since the 2004 Report, developing technology and
rising fuel costs have caused the rail supply industry and the
railroads to focus on additional means of conserving diesel fuel while
minimizing in-train forces that can lead to derailments and delays from
train separations (usually broken coupler knuckles). Software programs
exist that can translate information concerning throttle position and
brake use, together with consist information and route characteristics,
to produce advice for prospective manipulation of the locomotive
controls to limit in-train forces. Programs are also being conceived
that project arrival at meet points and other locations on the
railroad. These types of tools can be consolidated into programs that
either coach the locomotive engineer regarding how to handle the
train or even take over the controls of the locomotive under the
engineer's supervision. The ultimate purpose of integrating this
technology is to conserve fuel use while handling the train properly
and arriving at a designated location ``just in time'' (e.g., to meet
or pass a train or enter a terminal area in sequence ahead of or behind
other traffic). Further integrating this technology with PTC
communications platforms and traffic planning capabilities could permit
transmittal of ``train pacing'' information to the locomotive cab in
order to conserve fuel. Like the communications backbone, survey data
concerning route characteristics can be shared by both systems. The
cost of diesel fuel for road operations to the Class I railroads is
approximately $3.5 billion annually and is gradually rising. If PTC
technology helps to spur the growth and effective use of train pacing,
fuel savings of 5% ($175,000,000
annually) or greater could very likely be achieved. Clearly, if the
railroads are able to conserve use of fuel, they will also reduce
emissions and contribute to attainment of environmental goals, even
before modal diversion occurs.
The improvements in dispatch and capacity have further
implications. With those improvements, railroads could improve the
reliability of shipment arrival time and, thus, dramatically increase
the value of rail transportation to shippers, who in turn would divert
certain shipments from highway to rail. Such diversion would yield
greater overall transportation safety benefits since railroads have
much lower accident risk than highways, on a point-to-point ton-mile
basis. The total societal benefits of PTC system implementation and
operation, following the analysis, would be much greater than total
societal costs, although the costs would fall disproportionately more
heavily on the railroads.
At present, the PTC systems contemplated by the railroads, with the
possible exception of PATH, would not increase capacity, at least not
for some time. If the locomotive braking algorithms need to be made
more conservative in order to ensure that each train does not exceed
the limits of its authority, PTC system operation may actually decrease
rail capacity where applied in the early years. Further investment
would be required to bring about the synergy that would result in
capacity gains. A more significant business benefit of PTC system
operation would be derived from precision dispatching, which decreases
the variance of arrival times of delivered freight. To avoid the risk
of running out of stock, shippers often overstock their inventory at an
annual cost of approximately 25% of its inventory value, regardless of
the material being stored. This estimate accounts for shrinkage,
borrowing costs, and storage costs. Of course, freight with more value
per unit of mass or volume tends to have greater storage costs per
unit. At present, no rail precision dispatch system exists. However, if
a shipper would take advantage of precision dispatching, thus
increasing freight arrival time accuracy, then it could reduce its
overstock inventory. Accurate train data is a necessary, but not a
sufficient condition, for precision dispatch. At least two of the Class
I railroads have unsuccessfully attempted to develop precision dispatch
systems. The mandatory installation of PTC systems is likely to divert
any resources that might have been devoted to precision dispatch, so
these benefits are unlikely during the first several years of this
rule.
Applying current factors to the variables used in the 2004 Report
to Congress, the resulting analysis indicates that diversion could
result in highway annual safety benefits of $744 million by 2022, and
$1,148 million by 2032. Of course, these benefits require that the
productivity enhancing systems be added to PTC, and are heavily
dependent on the underlying assumptions of the 2004 model.
Modal diversion would also yield environmental benefits. The 2004
Report estimated that reduced air pollution costs would have been
between $68 million and $132 million in 2010 (assuming PTC would be
implemented by 2010), and between $103 million and $198 million in
2020. This benefit would have accrued to the general public. FRA has
not broken out the pollution cost benefit of the current rule, but
offers the estimates from the 2004 Report as a guide to the order of
magnitude of such benefits.
While railroads argued that many of the benefits identified in
FRA's 2004 report were exaggerated, shortly after the publication of
the report, several railroads began developing strategies for PTC
system development and implementation. This investment by the railroads
would seem to illustrate that they believe that there is some potential
for PTC to provide a boost to railroad profits, beyond providing any of
the aforementioned societal benefits.
Modal diversion is highly sensitive to service quality. Problems
with terminal congestion and lengthy dwell times might overwhelm the
benefits of PTC, or other initiatives which the railroads have been
pursuing (reconfiguration of yards, pre-blocking of trains, shared
power arrangements, car scheduling, Automatic Equipment Identification,
etc.) might actually work in synergy with PTC. It should also be noted
that, in the years since the 2004 Report was developed, the Class I
railroads have shown an increased ability to retain operating revenue
as profit, rather than surrendering it in the form of reduced rates.
This was particularly true during the period prior to the current
recession, when strained highway capacity favored the growth of rail
traffic. The sensitivity analysis performed by FRA indicates that
realization of business benefits could yield benefits sufficient to
close the gap between PTC implementation costs and rail accident
reduction benefits within the first 20 years of the rule, applying a 3%
discount rate, and by year 25 of the rule, applying a discount rate of
7%. Accordingly, the precise partition of business and societal
benefits cannot be estimated with any certainty.
FRA recognizes that the likelihood of business benefits is
uncertain and that the cost-to-benefit comparison of this rule,
excluding any business benefits, is not favorable. However, FRA has
taken measures to minimize the rule's adverse impacts and to provide as
much flexibility as FRA is authorized to grant under RSIA08.
B. Regulatory Flexibility Act and Executive Order 13272
The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) and Executive
Order 13272 require a review of proposed and final rules to assess
their impacts on small entities. An agency must prepare an initial
regulatory flexibility analysis (IRFA) unless it determines and
certifies that a rule, if promulgated, would not have a significant
impact on a substantial number of small entities. FRA has not
determined whether this proposed rule would have a significant economic
impact on a substantial number of small entities. Therefore, we are
publishing this IRFA to aid the public in commenting on the potential
small business impacts of the proposals in this NPRM. We invite all
interested parties to submit data and information regarding the
potential economic impact that would result from adoption of the
proposals in this NPRM. We will consider all comments received in the
public comment process when making a determination in the Final
Regulatory Flexibility Assessment.
In accordance with the Regulatory Flexibility Act, an IRFA must
contain:
(1) A description of the reasons why action by the agency is being
considered;
(2) A succinct statement of the objectives of, and the legal basis
for, the proposed rule;
(3) A description of, and where feasible, an estimate of the number
of small entities to which the proposed rule will apply;
(4) A description of the projected reporting, recordkeeping and
other compliance requirements of the proposed rule, including an
estimate of the classes of small entities that will be subject to the
requirement and the type of professional skills necessary for
preparation of the report or record;
(5) An identification, to the extent practicable, of all relevant
Federal rules that may duplicate, overlap, or conflict with the
proposed rule; and
(6) A description of any significant alternatives to the proposed
rule that accomplish the stated objectives of applicable statutes and
which minimize any significant economic impact of the
proposed rule on small entities. 5 U.S.C. 603(b), (c).
1. Reasons for Considering Agency Action
PTC systems will be designed to prevent train-to-train collisions,
overspeed derailments, incursions into established work zone limits,
and the movement of a train through a switch left in the wrong
position.
As discussed in more detail in section I of the preamble, the
RSIA08 mandates that widespread implementation of PTC across a major
portion of the U.S. rail industry be accomplished by December 31, 2015.
RSIA08 requires each Class I carrier and each entity providing
regularly scheduled intercity or commuter rail passenger transportation
to develop a plan for implementing PTC by April 16, 2010. The Secretary
of Transportation is responsible for reviewing and approving or
disapproving such plans. The Secretary has delegated this
responsibility to FRA. This proposed rule details the process and
procedure for obtaining FRA approval of the plans.
2. Legal Basis for the Proposed Rule
As discussed earlier in the preamble, FRA is issuing this proposed
rule to provide regulatory guidance and performance standards for the
development, testing, implementation, and use of Positive Train Control
(PTC) systems for railroads mandated by the Rail Safety Improvement Act
of 2008. Section 104, Public Law 110-432, 122 Stat. 4848, 4856, (Oct.
16, 2008) (codified at 49 U.S.C. 20157).
3. Description and Estimate of Small Entities Affected
``Small entity'' is defined in 5 U.S.C. 601. Section 601(3) defines
a ``small entity'' as having the same meaning as ``small business
concern'' under section 3 of the Small Business Act. This includes any
small business concern that is independently owned and operated, and is
not dominant in its field of operation. Section 601(4) includes not-
for-profit enterprises that are independently owned and operated, and
are not dominant in their field of operations within the definition of
``small entities.'' Additionally, section 601(5) defines as ``small
entities'' governments of cities, counties, towns, townships, villages,
school districts, or special districts with populations less than
50,000.
The U.S. Small Business Administration (SBA) stipulates ``size
standards'' for small entities. It provides that the largest a for-
profit railroad business firm may be (and still classify as a ``small
entity'') is 1,500 employees for ``Line-Haul Operating'' railroads, and
500 employees for ``Short-Line Operating'' railroads. See ``Table of
Size Standards,'' U.S. Small Business Administration, January 31, 1996,
13 CFR part 121; see also NAICS Codes 482111 and 482112.
SBA size standards may be altered by Federal agencies in
consultation with SBA, and in conjunction with public comment. Pursuant
to the authority provided to it by SBA, FRA has published a final
policy, which formally establishes small entities as railroads that
meet the line haulage revenue requirements of a Class III railroad. See
68 FR 24,891 (May 9, 2003). Currently, the revenue requirements are $20
million or less in annual operating revenue, adjusted annually for
inflation. The $20 million limit (adjusted annually for inflation) is
based on the Surface Transportation Board's threshold of a Class III
railroad carrier, which is adjusted by applying the railroad revenue
deflator adjustment. See also 49 CFR part 1201. The same dollar limit
on revenues is established to determine whether a railroad shipper or
contractor is a small entity. FRA proposes to use this definition for
this rulemaking.
The IRFA's ``universe'' of considered entities generally includes
only those small entities that can reasonably be expected to be
directly regulated by the proposed action. One type of small entity is
potentially affected by this proposed rule: railroads. The level of
impact on small railroads will vary from railroad to railroad. Class
III railroads will be impacted for one or more of the following
reasons: (1) They operate on Class I railroad lines that carry PIH
materials and are required to have PTC, in which case they would need
to equip the portion of their locomotive fleet that operates on such
lines; (2) they operate on Amtrak or commuter rail lines, including
freight railroad lines that host such service; (3) they host regularly
scheduled intercity or commuter rail transportation; or (4) they have
at-grade railroad crossings over lines required by RSIA08 to have PTC.
Generally, to the extent that Class III railroads incur costs
associated with implementation of PTC, it will be limited to equipping
locomotives, and not the wayside, for the reasons discussed below.
The proposed rule would apply to small railroads' tracks over which
a passenger railroad conducts intercity or commuter operations and
locomotives operating on main lines of Class I freight railroads
required to have PTC and on railroads conducting intercity passenger or
commuter operations. The impact on Class III railroads that operate on
Class I railroad lines required to be equipped with PTC will depend on
the nature of such operations. Class III railroads often make short
moves on Class I railroad lines for interchange purposes. To the extent
that their moves do not exceed four per day or 20 miles in length of
haul (one way), Class III railroads will be exempt from the requirement
to equip the locomotives. However, some Class III railroads operate much
more extensively on Class I railroad lines that will be required to
have PTC and would have to equip some of their locomotives. It is
likely that Class III railroads will dedicate certain locomotives to
such service, if they have not done so already. FRA estimates that
approximately 55 small railroads would have to equip locomotives with
PTC system components because they have trackage rights on Class I
freight railroad PIH lines that would be required to have PTC and would
not be able to qualify for any of the operational exceptions discussed.
FRA further estimates that 10 small railroads have trackage rights
on intercity passenger or commuter railroads or other freight railroads
hosting such operations, and might need to equip some locomotives with
PTC systems. Half of these would need to equip locomotives anyway,
because they also have trackage rights on Class I railroads that haul
PIH and would otherwise be required to have PTC.
Thus, a total of 60 railroads would need to equip locomotives. FRA
estimates that the average small railroad will need to equip four
locomotives, at a per railroad cost of $55,000 each, totaling $220,000,
and that the total cost for all 60 small railroads which will need to
equip locomotives would be $13,200,000. The annual maintenance cost
would be 15% of that total, equaling $33,000 per railroad or $1,980,000
total for all small railroads. FRA requests comments regarding this
cost estimate.
In addition, 15 small railroads host commuter or intercity
passenger operations on what might be defined as main line track under
the accompanying rulemaking; however, only five of these railroads are
neither terminal or port railroads, which tend to be owned and operated
by large railroads or port authorities, nor subsidiaries of large short
line holding companies with the expertise and resources across the
disciplines comparable to larger railroads. Of those five railroads,
only one has trackage exceeding 3.8 miles. The other four railroads may
request that FRA define such track as other than main line after
ensuring that all trains
will be limited to restricted speed. The cost burden on the remaining
railroad will likely be reduced by restricting speed, temporally
separating passenger train operations, or by passing the cost to the
passenger railroad. Thus, the expected burden to small entities hosting
passenger operations is minimal. FRA requests comments related to this
analysis.
At rail-to-rail crossings where at least one of the intersecting
tracks allows operating speeds in excess of 40 miles per hour, the
approaching non-PTC line must have a permanent maximum speed limit of
20 miles per hour and either have some type of positive stop
enforcement or a split-point derail incorporated into the signal system
on the non-PTC route. FRA believes that the cost of the derail would
be borne by the PTC-equipped railroad, and that slowing to 20 miles per
hour reflects current practice at most diamond crossings. FRA estimates
that ten crossings exist, on five small railroads with two crossings
each, where the newly burdened small railroad will be slowing to 20
miles per hour from a higher track speed. FRA estimates that the
average traffic on the newly burdened route is two trains per day, and
that the cost to slow from a higher track speed is $30 per train, for a
total cost of $60 per crossing per day, a per railroad cost of $120 per
day, and a total national cost for all ten small railroads of $600 per
day and an annual cost of $43,800 per railroad and a total for all
small railroads of $219,000 per year. FRA estimates that only five
railroads will be affected by this provision, and that they will be
railroads not affected by the requirement to equip locomotives, because
railroads with equipped locomotives could simply use the PTC system and
avoid the requirement to slow down. This analysis yields a total of 65
affected small entities that may be impacted by implementation of the
proposed rule. FRA requests comments regarding this estimate of small
entities potentially impacted.
4. Description of Reporting, Recordkeeping, and Other Compliance
Requirements and Impacts on Small Entities Resulting From Specific
Proposed Requirements
Class III railroads that host intercity or commuter rail service
will need to file implementation plans, whether or not they directly
procure or manage installation of the PTC system. FRA believes that
although the implementation plan must be jointly filed by the small
host railroad and passenger tenant railroad, the cost of these plans
will be borne by the passenger railroads. FRA believes that only one
small entity, as described above, is likely to have PTC installed on
its lines. The implementation plan is likely to be an extension of the
passenger railroad's plan, and the marginal cost will be the cost of
tailoring the plan to the host railroad, which will be borne by the
passenger railroad, and maintaining copies of the plan at the host
railroad, which FRA estimates to be approximately $1,000 per year.
The total cost to small entities would include the initial cost of
equipping locomotives, $13,200,000; annual costs of $1,980,000 for
maintenance; $219,000 due to operating speed restrictions at diamond
crossings; and $1,000 to maintain a copy of the PTC implementation
plan. The total annual costs to small entities after initial
acquisition would be $2,200,000 ($1,980,000 + $219,000 + $1,000).
Individual railroads affected would either face an initial cost of
$220,000 to equip locomotives, and an annual cost of $33,000 to
maintain the PTC systems on those locomotives, or would face a per
railroad cost of $43,800 per year to slow at diamond crossings.
5. Identification of Relevant Duplicative, Overlapping, or Conflicting
Federal Rules
There are no Federal rules that would duplicate, overlap, or
conflict with this proposed rule.
6. Alternatives Considered
FRA is unaware of any significant alternatives that would meet the
intent of RSIA08 and that would minimize the economic impact on small
entities. FRA is exercising its discretion to provide the greatest
flexibility for small entities available under RSIA08 by proposing to
allow operations of unequipped trains operated by small entities on the
main lines of Class I railroads, and in defining main track on
passenger railroads to avoid imposing undue burdens on small entities.
The definition of passenger main track was adopted based on PTC Working
Group recommendations that were backed strongly by representatives of
small railroads. The provisions permitting operations of unequipped
trains of Class I railroads exceeded the maximum flexibility for which
the PTC Working Group could reach a consensus. FRA requests comments on
this finding of no significant alternative related to small entities.
FRA also requests comments on whether this proposed regulation
exercises the appropriate level of discretion and flexibility to comply
with RSIA08 in the most cost effective and beneficial manner.
The process by which this proposed rule was developed provided
outreach to small entities. As noted earlier in the preamble, this
notice was developed in consultation with industry representatives via
the RSAC, which includes small railroad representatives. From January
to April 2009, FRA met with the entire PTC Working Group five times
over the course of twelve days. This PTC Working Group established a
task force to focus on issues specific to short line and regional
railroads. The discussions yielded many insights and this proposed rule
takes into account the concerns expressed by small railroads during the
deliberations.
C. Paperwork Reduction Act
The information collection requirements in this proposed rule have
been submitted for approval to the Office of Management and Budget
(OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq.
The sections that contain the new information collection requirements
and the estimated time to fulfill each requirement are as follows:
----------------------------------------------------------------------------------------------------------------
Average time
CFR section Respondent universe Total annual per response Total annual
responses (hours) burden hours
----------------------------------------------------------------------------------------------------------------
234.275--Processor-Based Systems-- 20 Railroads......... 25 letters........... 4 100
Deviations from Product Safety
Plan (PSP)--Letters.
236.18--Software Mgmt Control Plan 184 Railroads........ 184 plans............ 2,150 395,600
--Updates to Software Mgmt. 90 Railroads......... 20 updates........... 1.50 30
Control Plan.
236.905--Updates to RSPP.......... 78 Railroads......... 6 plans.............. 135 810
--Response to Request For 78 Railroads......... 1 updated doc........ 400 400
Additional Info.
--Request for FRA Approval of 78 Railroads......... 1 request/modified 400 400
RSPP Modification. RSPP.
236.907--Product Safety Plan 5 Railroads.......... 5 plans.............. 6,400 32,000
(PSP)--Dev.
236.909--Minimum Performance
Standard.
--Petitions For Review and 5 Railroads.......... 2 petitions/PSP...... 19,200 38,400
Approval.
--Supporting Sensitivity 5 Railroads.......... 5 analyses........... 160 800
Analysis.
236.913--Notification/Submission 6 Railroads.......... 1 joint plan......... 25,600 25,600
to FRA of Joint Product Safety
Plan (PSP).
--Petitions for Approval/ 6 Railroads.......... 6 petitions.......... 1,928 11,568
Informational Filings.
--Responses to FRA Request For 6 Railroads.......... 2 documents.......... 800 1,600
Further Info. After
Informational Filing.
--Responses to FRA Request For 6 Railroads.......... 6 documents.......... 16 96
Further Info. After Agency
Receipt of Notice of Product
Development.
--Consultations............... 6 Railroads.......... 6 consults........... 120 720
--Petitions for Final Approval 6 Railroads.......... 6 petitions.......... 16 96
--Comments to FRA by Public/RRs........... 7 comments........... 240 1,680
Interested Parties.
--Third Party Assessments of 6 Railroads.......... 1 assessment......... 104,000 104,000
PSP.
--Amendments to PSP........... 6 Railroads.......... 15 amendments........ 160 2,400
--Field Testing of Product-- 6 Railroads.......... 6 documents.......... 3,200 19,200
Info. Filings.
236.917--Retention of Records.
--Results of tests/inspections 6 Railroads.......... 3 documents/records.. 160,000; 360,000
specified in PSP. 160,000;
40,000
--Report to FRA of 6 Railroads.......... 1 report............. 104 104
Inconsistencies with
frequency of safety-relevant
hazards in PSP.
236.919--Operations & Maintenance
Man.
--Updates to O & M Manual..... 6 Railroads.......... 6 updated docs....... 40 240
--Plans For Proper 6 Railroads.......... 6 plans.............. 53,335 320,010
Maintenance, Repair,
Inspection of Safety-Critical
Products.
--Hardware/Software/Firmware 6 Railroads.......... 6 revisions.......... 6,440 38,640
Revisions.
236.921--Training Programs: 6 Railroads.......... 6 Tr. Programs....... 400 2,400
Development.
--Training of Signalmen & 6 Railroads.......... 300 signalmen; 20 40; 20 12,400
Dispatchers. dispatchers.
236.923--Task Analysis/Basic 6 railroads.......... 6 documents.......... 720 4,320
Requirements: Necessary Documents.
--Records..................... 6 railroads.......... 350 records.......... \1\ 10 58
SUBPART I--NEW REQUIREMENTS
236.1001--RR Development of More 30 railroads......... 3 rules.............. 80 240
Stringent Rules Re: PTC
Performance Stds.
236.1005--Requirements for PTC
Systems.
--Temporary Rerouting: 30 railroads......... 50 requests.......... 8 400
Emergency Requests.
--Written/Telephonic 30 railroads......... 50 notifications..... 2 100
Notification to FRA Regional
Administrator.
--Temporary Rerouting Requests 30 railroads......... 95 requests.......... 8 760
Due to Track Maintenance.
--Temporary Rerouting Requests 30 railroads......... 800 requests......... 8 6,400
That Exceed 30 Days.
236.1006--Requirements for
Equipping Locomotives Operating
in PTC Territory.
--Reports of Movements in 35 railroads......... 35 reports........... 16 560
Excess of 20 Miles/RR
Progress on PTC Locomotives.
236.1007--Additional Requirements
for High Speed Service.
--Required HSR-125 Documents 30 railroads......... 11 documents......... 3,200 35,200
with approved PTCSP.
--Requests to Use Foreign 30 railroads......... 2 requests........... 8,000 16,000
Service Data.
--PTC Railroads Conducting 30 railroads......... 11 documents......... 4,000 44,000
Operations at More than 150
MPH with HSR-125 Documents.
236.1009-Procedural Requirements.
--PTC Implementation Plans 30 Railroads......... 30 plans............. 535 16,050
(PTCIP).
--Host Railroads Filing PTCIP 30 Railroads......... 1 PTCIP; 15 RFAs..... 535; 320 5,335
or Request for Amendment
(RFAs).
--Notification of Failure to 30 Railroads......... 30 notifications..... 32 960
File Joint PTCIP.
--Comprehensive List of Issues 30 Railroads......... 30 lists............. 80 2,400
Causing Non-Agreement.
--Conferences to Develop 30 Railroads......... 3 conf. calls........ \1\ 30 2
Mutually Acceptable PTCIP.
--Type Approval............... 30 Railroads......... 10 Type Appr......... 8 80
--PTC Development Plans 30 Railroads......... 20 Ltr. + 20 App. + 5 8; 8; 6,400 32,320
Requesting Type Approval. Plans.
--PTCIP/PTCDP/PTCSP Plan 30 Railroads......... 1 document........... 8,000 8,000
Contents--Documents
Translated into English.
--Requests for Confidentiality 30 Railroads......... 30 ltrs; 30 docs..... 8; 800 24,240
--Field Test Plans/Independent 30 Railroads......... 150 field tests; 2 800 121,600
Assessments--Req. by FRA. assessments.
--FRA Access: Interviews with 30 Railroads......... 60 interviews........ \1\ 30 30
RR PTC Personnel.
236.1011--PTCIP Requirements-- 7 Interested Groups.. 21 reviews + 60 143; 8 3,483
Review and Public Comments on comments.
PTCIPs, PTCDPs, and PTCSPs.
236.1015--PTCSP Content
Requirements & PTC System
Certification.
--Non-Vital Overlay........... 30 Railroads......... 2 PTCSPs............. 16,000 32,000
--Vital Overlay............... 30 Railroads......... 16 PTCSPs............ 22,400 358,400
--Stand Alone................. 30 Railroads......... 10 PTCSPs............ 32,000 320,000
--Mixed Systems--Conference 30 Railroads......... 3 conferences........ 32 96
with FRA regarding Case/
Analysis.
--Mixed Sys. PTCSPs (incl. 30 Railroads......... 2 PTCSPs............. 28,800 57,600
safety case).
--FRA Request for Additional 30 Railroads......... 15 documents......... 3,200 48,000
PTCSP Data.
--PTCSPs Applying to Replace 30 Railroads......... 15 PTCSPs............ 3,200 48,000
Existing Certified PTC
Systems.
--Non-Quantitative Risk 30 Railroads......... 15 assessments....... 3,200 48,000
Assessments Supplied to FRA.
236.1017--PTCSP Supported by 30 Railroads......... 1 assessment......... 8,000 8,000
Independent Third Party
Assessment.
--Written Requests to FRA to 30 Railroads......... 1 request............ 8 8
Confirm Entity Independence.
--Provision of Additional 30 Railroads......... 1 document........... 160 160
Information After FRA Request.
--Independent Third Party 30 Railroads......... 1 request............ 160 160
Assessment: Waiver Requests.
--RR Request for FRA to Accept 30 Railroads......... 1 request............ 32 32
Foreign Railroad Regulator
Certified Info.
236.1019--Main Line Track
Exceptions.
--Submission of Main Line 30 Railroads......... 30 MTEAs............. 160 4,800
Track Exclusion Addendums
(MTEAs).
--Passenger Terminal 30 Railroads......... 23 MTEAs............. 160 3,680
Exception--MTEAs.
--Limited Operation Exception-- 30 Railroads......... 30 plans............. 160 4,800
Risk Mitigation Plans.
--Temporal Separation 30 Railroads......... 15 procedures........ 160 2,400
Procedures.
236.1021--Discontinuances, 30 Railroads......... 15 RFAs.............. 80 1,200
Material Modifications,
Amendments--Requests to Amend
(RFA) PTCIP, PTCDP or PTCSP.
--Review and Public Comment on 7 Interested Groups.. 7 reviews + 20 3; 16 341
RFA. comments.
236.1023--PTC Errors and 30 Railroads......... 60 notifications..... 32 1,920
Malfunctions--Notifications.
--Notifications of PTC Defect 30 Railroads......... 150 notifications.... 16 2,400
That Decreases Safety.
--Notification Updates of PTC 30 Railroads......... 150 updates.......... 16 2,400
Defect.
--PTC Product Vendor Lists 30 Railroads......... 30 lists............. 8 240
(PTCPVL).
--RR Procedures Upon 30 Railroads......... 30 procedures........ 16 480
Notification of PTC System
Safety-Critical Upgrades,
Rev., Etc.
--Manufacturer's Report of 5 System Suppliers... 5 reports............ 400 2,000
Investigation of PTC Defect.
236.1029--Report of On-Board Lead 30 Railroads......... 960 reports.......... 96 92,160
Locomotive PTC Device Failure.
236.1031--Previously Approved PTC
Systems.
--Request for Expedited 30 Railroads......... 3 REC Letters........ 160 480
Certification (REC) for PTC
System.
--Requests for Grandfathering 30 Railroads......... 3 requests........... 1,600 4,800
on PTCSPs.
236.1035--Field Testing 30 railroads......... 150 field test plans. 800 120,000
Requirements.
236.1037--Records Retention.
--Results of Tests in PTCSP 30 railroads......... 960 records.......... 4 3,840
and PTCDP.
--PTC Service Contractors 30 Railroads......... 9,000 records........ \1\ 30 4,500
Training Records.
--Reports of Safety Relevant 30 Railroads......... 4 reports............ 8 32
Hazards Exceeding Those in
PTCSP and PTCDP.
--Final Report of Resolution 30 Railroads......... 4 final reports...... 160 640
of Inconsistency.
236.1039--Operations & Maintenance 30 railroads......... 30 manuals........... 250 7,500
Manual (OMM): Development.
--Positive Identification of 30 railroads......... 75,000 i.d. 1 75,000
Safety-critical Components. components.
--Designated RR Officers in 30 railroads......... 60 designations...... 2 120
OMM regarding PTC issues.
236.1041--PTC Training Programs... 30 Railroads......... 30 programs.......... 400 12,000
236.1043--Task Analysis/Basic 30 railroads......... 6 evaluations........ 720 4,320
Requirements: Training
Evaluations.
--Training Records............ 30 railroads......... 350 records.......... \1\ 10 58
236.1045--Training Specific to 30 railroads......... 20 trained employees. 20 400
Office Control Personnel.
236.1047--Training Specific to
Loc. Engineers & Other Operating
Personnel.
--PTC Conductor Training...... 30 railroads......... 5,000 trained 3 15,000
conductors.
----------------------------------------------------------------------------------------------------------------
\1\ In minutes.
All estimates include the time for reviewing instructions; searching
existing data sources; gathering or maintaining the needed data; and
reviewing the information. Pursuant to 44 U.S.C. 3506(c)(2)(B), FRA
solicits comments concerning: Whether these information collection
requirements are necessary for the proper performance of the functions
of FRA, including whether the information has practical utility; the
accuracy of FRA's estimates of the burden of the information collection
requirements; the quality, utility, and clarity of the information to
be collected; and whether the burden of collection of information on
those who are to respond, including through the use of automated
collection techniques or other forms of information technology, may be
minimized. For information or a copy of the paperwork package submitted
to OMB, contact Mr. Robert Brogan, Information Clearance Officer, at
202-493-6292, or Ms. Nakia Jackson at 202-493-6073.
Organizations and individuals desiring to submit comments on the
collection of information requirements should direct them to Mr. Robert
Brogan or Ms. Nakia Jackson, Federal Railroad Administration, 1200 New
Jersey Avenue, SE., 3rd Floor, Washington, DC 20590. Comments may also
be submitted via e-mail to Mr. Brogan or Ms. Jackson at the following
address: [email protected]; [email protected].
OMB is required to make a decision concerning the collection of
information requirements contained in this proposed rule between 30 and
60 days after publication of this document in the Federal Register.
Therefore, a comment to OMB is best assured of having its full effect
if OMB receives it within 30 days of publication. The final rule will
respond to any OMB or public comments on the information collection
requirements contained in this proposal.
FRA is not authorized to impose a penalty on persons for violating
information collection requirements which do not display a current OMB
control number, if required. FRA intends to obtain current OMB control
numbers for any new information collection requirements resulting from
this rulemaking action prior to the effective date of the final rule.
The OMB control number, when assigned, will be announced by separate
notice in the Federal Register.
D. Federalism Implications
This proposed rule has been analyzed in accordance with the
principles and criteria contained in Executive Order 13132,
``Federalism'' (64 FR 43255, Aug. 4, 1999).
As discussed earlier in the preamble, this proposed rule would
provide regulatory guidance and performance standards for the
development, testing, implementation, and use of Positive Train Control
(PTC) systems for railroads mandated by the Railroad Safety Improvement
Act of 2008.
Executive Order 13132 requires FRA to develop an accountable
process to ensure ``meaningful and timely input by State and local
officials in the development of regulatory policies that have
Federalism implications.'' Policies that have ``Federalism
implications'' are defined in the Executive Order to include
regulations that have ``substantial direct effects on the States, on
the relationship between the national government and the States, or on
the distribution of power and responsibilities among the various levels
of government.'' Under Executive Order 13132, the agency may not issue
a regulation with Federalism implications that imposes substantial
direct compliance costs and that is not required by statute, unless the
Federal government provides the funds necessary to pay the direct
compliance costs incurred by State and local governments, or the agency
consults with State and local government officials early in the process
of developing the proposed regulation. Where a regulation has
Federalism implications and preempts State law, the agency seeks to
consult with State and local officials in the process of developing the
regulation.
FRA has determined that this proposed rule would not have
substantial direct effects on the States, on the relationship between
the national government and the States, nor on the distribution of
power and responsibilities among the various levels of government. In
addition, FRA has determined that this proposed rule, which is required
by the Railroad Safety Improvement Act of 2008, would not impose any
direct compliance costs on State and local governments. Therefore, the
consultation and funding requirements of Executive Order 13132 do not
apply.
However, this proposed rule would have preemptive effect. Section
20106 of Title 49 of the United States Code provides that States may
not adopt or continue in effect any law, regulation, or order related
to railroad safety or security that covers the subject matter of a
regulation prescribed or order issued by the Secretary of
Transportation (with respect to railroad safety matters) or the
Secretary of Homeland Security (with respect to railroad security
matters), except when the State law, regulation, or order qualifies
under the local safety or security exception to section 20106. The
intent of Sec. 20106 is to promote national uniformity in railroad
safety and security standards. 49 U.S.C. 20106(a)(1). Thus, subject to
a limited exception for essentially local safety or security hazards,
this proposed rule would establish a uniform Federal safety standard
that must be met, and State requirements covering the same subject
matter would be displaced, whether those State requirements are in the
form of a State law, regulation, or order.
In sum, FRA has analyzed this proposed rule in accordance with the
principles and criteria contained in Executive Order 13132. As
explained above, FRA has determined that this proposed rule has no
Federalism implications, other than the preemption of State laws
covering the subject matter
of this proposed rule, which occurs by operation of law under 49 U.S.C.
20106 whenever FRA issues a rule or order. Accordingly, FRA has
determined that preparation of a Federalism summary impact statement
for this proposed rule is not required.
E. Environmental Impact
FRA has evaluated this proposed rule in accordance with its
``Procedures for Considering Environmental Impacts'' (``FRA's
Procedures'') (64 FR 28545, May 26, 1999) as required by the National
Environmental Policy Act (42 U.S.C. 4321 et seq.), other environmental
statutes, Executive Orders, and related regulatory requirements. FRA
has determined that this proposed rule is not a major FRA action
(requiring the preparation of an environmental impact statement or
environmental assessment) because it is categorically excluded from
detailed environmental review pursuant to section 4(c)(20) of FRA's
Procedures. In accordance with section 4(c) and (e) of FRA's
Procedures, the agency has further concluded that no extraordinary
circumstances exist with respect to this regulation that might trigger
the need for a more detailed environmental review. As a result, FRA
finds that this proposed rule is not a major Federal action
significantly affecting the quality of the human environment.
F. Unfunded Mandates Reform Act of 1995
The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4, 2 U.S.C.
1531) requires agencies to prepare a written assessment of the costs,
benefits, and other effects of proposed or final rules that include a
Federal mandate likely to result in the expenditures by State, local or
tribal governments, in the aggregate, or by the private sector, of more
than $100 million annually (adjusted annually for inflation with base
year of 1995). The value equivalent of $100 million in CY 1995, adjusted
annually for inflation to CY 2008 levels by the Consumer Price Index
for All Urban Consumers (CPI-U) is $141.3 million. The assessment may
be included in conjunction with other assessments, as it is here.
The proposed rule itself would not create an unfunded mandate in
excess of the threshold amount. The bulk of unfunded mandate for
implementation of PTC is attributable to RSIA08. The effects are
discussed earlier in this document in the Regulatory Impact Analysis.
Any unfunded mandates attributable to the proposed rulemaking would
pertain to the costs of filing paperwork to prove compliance with
RSIA08.
G. Energy Impact
Executive Order 13211 requires Federal agencies to prepare a
Statement of Energy Effects for any ``significant energy action.'' 66
FR 28355 (May 22, 2001). Under the Executive Order, a ``significant
energy action'' is defined as any action by an agency (normally
published in the Federal Register) that promulgates or is expected to
lead to the promulgation of a final rule or regulation, including
notices of inquiry, advance notices of proposed rulemaking, and notices
of proposed rulemaking: (1)(i) That is a significant regulatory action
under Executive Order 12866 or any successor order, and (ii) is likely
to have a significant adverse effect on the supply, distribution, or
use of energy; or (2) that is designated by the Administrator of the
Office of Information and Regulatory Affairs as a significant energy
action. FRA has evaluated this proposed rule in accordance with
Executive Order 13211. FRA has determined that this proposed rule is
not likely to have a significant adverse effect on the supply,
distribution, or use of energy. Consequently, FRA has determined that
this regulatory action is not a ``significant regulatory action''
within the meaning of Executive Order 13211.
H. Privacy Act
FRA wishes to inform all interested parties that anyone is able to
search the electronic form of any written communications and comments
received into any of our dockets by the name of the individual
submitting the document (or signing the document, if submitted on
behalf of an association, business, labor union, etc.). Interested
parties may also review DOT's complete Privacy Act Statement in the
Federal Register published on April 11, 2000 (65 FR 19477) or visit
http://www.regulations.gov.
List of Subjects
49 CFR Part 234
Highway safety, Penalties, Railroad safety, Reporting and
recordkeeping requirements.
49 CFR Part 235
Administrative practice and procedure, Penalties, Railroad safety,
Reporting and recordkeeping requirements.
49 CFR Part 236
Penalties, Positive Train Control, Railroad safety, Reporting and
recordkeeping requirements.
VIII. The Rule
In consideration of the foregoing, FRA proposes to amend chapter
II, subtitle B of title 49, Code of Federal Regulations as follows:
PART 229--[AMENDED]
1. The authority citation for part 229 continues to read as
follows:
Authority: 49 U.S.C. 20102-03, 20107, 20133, 20137-38, 20143,
20701-03, 21301-02, 21304; 28 U.S.C. 2401, note; and 49 CFR 1.49(c),
(m).
2. Section 229.135 is amended by revising paragraphs (b)(3)(xxv)
and (b)(4)(xxi) to read as follows:
Sec. 229.135 Event Recorders.
* * * * *
(b) * * *
(3) * * *
(xxv) Safety-critical train control data routed to the locomotive
engineer's display with which the engineer is required to comply,
specifically including text messages conveying mandatory directives and
maximum authorized speed. The format, content, and proposed duration
for retention of such data shall be specified in the product safety
plan or PTC Safety Plan submitted for the train control system under
subparts H or I, respectively, of part 236 of this chapter, subject to
FRA approval under this paragraph. If it can be calibrated against
other data required by this part, such train control data may, at the
election of the railroad, be retained in a separate certified
crashworthy memory module.
(4) * * *
(xxi) Safety-critical train control data routed to the locomotive
engineer's display with which the engineer is required to comply,
specifically including text messages conveying mandatory directives and
maximum authorized speed. The format, content, and proposed duration
for retention of such data shall be specified in the product safety
plan or PTC Safety Plan submitted for the train control system under
subparts H or I, respectively, of part 236 of this chapter, subject to
FRA approval under this paragraph. If it can be calibrated against
other data required by this part, such train control data may, at the
election of the railroad, be retained in a separate certified
crashworthy memory module.
PART 234--[AMENDED]
3. The authority citation for part 234 continues to read as
follows:
Authority: 49 U.S.C. 20103, 20107; 28 U.S.C. 2461, note; and 49
CFR 1.49.
[[Page 36011]]
4. In Sec. 234.275 revise paragraphs (b)(1), (b)(2), (c), and (f)
to read as follows:
Sec. 234.275 Processor-based systems.
* * * * *
(b) Use of performance standard authorized or required. (1) In lieu
of compliance with the requirements of this subpart, a railroad may
elect to qualify an existing processor-based product under part 236,
subparts H or I, of this chapter.
(2) Highway-rail grade crossing warning systems, subsystems, or
components that are processor-based and that are first placed in
service after June 6, 2005, which contain new or novel technology, or
which provide safety-critical data to a railroad signal or train
control system that is governed by part 236, subpart H or I, of this
chapter, shall also comply with those requirements. New or novel
technology refers to a technology not previously recognized for use as
of March 7, 2005.
* * * * *
(c) Plan justifications. The Product Safety Plan in accordance with
49 CFR 236.903--or a PTC Development Plan (PTCDP) and PTC Safety Plan
(PTCSP) required to be filed in accordance with 49 CFR 236.1011 and
236.1013--must explain how the performance objective sought to be
addressed by each of the particular requirements of this subpart is met
by the product, why the objective is not relevant to the product's
design, or how the safety requirements are satisfied using alternative
means. Deviation from those particular requirements is authorized if an
adequate explanation is provided, making reference to relevant elements
of the applicable plan, and if the product satisfies the performance
standard set forth in Sec. 236.909 of this chapter. (See Sec.
236.907(a)(14) of this chapter.)
* * * * *
(f) Software management control for certain systems not subject to
a performance standard. Any processor-based system, subsystem, or
component subject to this part, which is not subject to the
requirements of part 236, subpart H or I, of this chapter but which
provides safety-critical data to a signal or train control system shall
be included in the software management control plan requirements as
specified in Sec. 236.18 of this chapter.
PART 235--[AMENDED]
5. The authority citation for part 235 continues to read as
follows:
Authority: 49 U.S.C. 20103, 20107; 28 U.S.C. 2461, note; and 49
CFR 1.49.
6. In Sec. 235.7, add paragraph (a)(5) to read as follows:
Sec. 235.7 Changes not requiring filing of application.
(a) * * *
(5) Removal of an intermittent automatic train stop system in
conjunction with the implementation of a positive train control system
approved by FRA under subpart I of part 236.
* * * * *
PART 236--[AMENDED]
7. The authority citation for Part 236 is revised to read as
follows:
Authority: 49 U.S.C. 20102-20103, 20107, 20133, 20141, 20157,
20301-20303, 20306, 21301-21302, 21304; 28 U.S.C. 2461, note; and 49
CFR 1.49.
* * * * *
8. Section 236.0 is amended by revising paragraphs (c) through (e)
to read as follows:
Sec. 236.0 Applicability, minimum requirements, and penalties.
* * * * *
(c)(1) Prior to [insert date 24 months from publication of the
final rule in the Federal Register], where a passenger train operates
at a speed of 60 or more miles per hour, or a freight train operates at
a speed of 50 or more miles per hour--
(i) A block signal system complying with the provisions of this
part shall be installed; or
(ii) A manual block system shall be placed permanently in effect
that shall conform to the following conditions:
(A) A train shall not be admitted, except for emergency purposes,
to a block occupied by another train unless both trains are operating
at restricted speed.
(B) A freight train, including a work train, may be authorized to
follow a freight train, including a work train, into a block but the
following train must proceed at restricted speed.
(2) On and after [insert date 24 months from publication of the
final rule in the Federal Register], where a passenger train is
permitted to operate at a speed of 60 or more miles per hour, or a
freight train is permitted to operate at a speed of 50 or more miles
per hour, a block signal system complying with the provisions of this
part shall be installed, unless an FRA approved PTC system meeting the
requirements of this part for the subject speed and other operating
conditions, is installed.
(d)(1) Prior to December 31, 2015, where any train is permitted to
operate at a speed of 80 or more miles per hour, an automatic cab
signal, automatic train stop, or automatic train control system
complying with the provisions of this part shall be installed, unless
an FRA approved PTC system meeting the requirements of this part for
the subject speed and other operating conditions, is installed.
(2) Subpart I of this part sets forth requirements for installation
of PTC systems under conditions specified in that subpart.
(e) Nothing in this section authorizes the discontinuance of a
block signal system, interlocking, traffic control system, automatic
train control or train stop system, cab signal system, or PTC system
without approval by the FRA under part 235 of this title. However, a
railroad may apply for approval of discontinuance or material
modification of a signal or train control system in connection with a
request for approval of a Positive Train Control Development Plan
(PTCDP) or Positive Train Control Safety Plan (PTCSP) as provided in
subpart I of this part.
* * * * *
9. Section 236.909 is amended by adding a new sentence directly
after the first sentence of paragraph (e)(1) and by revising paragraph
(e)(2)(i) to read as follows:
Sec. 236.909 Minimum performance standards.
* * * * *
(e) * * *
(1) * * * The total risk assessment must have a supporting
sensitivity analysis. The analysis must confirm that the risk metrics
of the system are not negatively affected by sensitivity analysis input
parameters including, for example, component failure rates, human
factor error rates, and variations in train traffic affecting exposure.
The sensitivity analysis must document the sensitivity to worst case
failure scenarios. * * *
(2) * * *
(i) In all cases exposure must be expressed as total train miles
traveled per year over the relevant railroad infrastructure.
Consequences must identify the total cost, including fatalities,
injuries, property damage, and other incidental costs, such as
potential consequences of hazardous materials involvement, resulting
from preventable accidents associated with the function(s) performed by
the system.
* * * * *
10. Add a new subpart I to part 236 to read as follows:
Subpart I--Positive Train Control Systems
Sec.
236.1001 Purpose and scope.
236.1003 Definitions.
[[Page 36012]]
236.1005 Requirements for Positive Train Control systems.
236.1006 Equipping locomotives operating in PTC territory.
236.1007 Additional requirements for high-speed service.
236.1009 Procedural requirements.
236.1011 PTCIP content requirements.
236.1013 PTCDP content requirements and Type Approval.
236.1015 PTCSP content requirements and PTC System Certification.
236.1017 Independent third party Verification and Validation.
236.1019 Main line track exceptions.
236.1021 Discontinuances, material modifications, and amendments.
236.1023 Errors and malfunctions.
236.1027 Exclusions.
236.1029 PTC system use and en route failures.
236.1031 Previously approved PTC systems.
236.1033 Communications and security requirements.
236.1035 Field testing requirements.
236.1037 Records retention.
236.1039 Operations and Maintenance Manual.
236.1041 Training and qualification program, general.
236.1043 Task analysis and basic requirements.
236.1045 Training specific to office control personnel.
236.1047 Training specific to locomotive engineers and other
operating personnel.
236.1049 Training specific to roadway workers.
Subpart I--Positive Train Control Systems
Sec. 236.1001 Purpose and scope.
(a) This subpart prescribes minimum, performance-based safety
standards for PTC systems required by 49 U.S.C. 20157, this subpart, or
an FRA order including requirements to ensure that the development,
functionality, architecture, installation, implementation, inspection,
testing, operation, maintenance, repair, and modification of those PTC
systems will achieve and maintain an acceptable level of safety. This
subpart also prescribes standards to ensure that personnel working
with, and affected by, safety-critical PTC system related products
receive appropriate training and testing.
(b) Each railroad may prescribe additional or more stringent rules,
and other special instructions, that are not inconsistent with this
subpart.
(c) This subpart does not exempt a railroad from compliance with
any requirement of subpart A through H of this part or parts 233, 234,
and 235 of this chapter, unless:
(1) it is otherwise explicitly excepted by this subpart; or
(2) the applicable PTCSP, as defined under Sec. 236.1003 and
approved by FRA under Sec. 236.1015 provides for such an exception per
Sec. 236.1013.
Sec. 236.1003 Definitions.
(a) Definitions contained in subparts G and H of this part apply
equally to this subpart.
(b) The following definitions apply to terms used only in this
subpart unless otherwise stated:
After-arrival mandatory directive means any mandatory directive
that makes the authority for train movement contingent upon the arrival
of another train.
Associate Administrator means the FRA Associate Administrator for
Railroad Safety and Chief Safety Officer.
Class I railroad means a railroad which in the last year for which
revenues were reported exceeded the threshold established under
regulations of the Surface Transportation Board (49 CFR part 1201.1-1
(2008)).
Cleartext means the un-encrypted text in its original, human
readable, form. It is the input of an encryption or encipher process,
and the output of a decryption or decipher process.
Host railroad means a railroad that has effective operating control
over a segment of track.
Interoperability means the ability of a controlling locomotive to
communicate with and respond to the PTC railroad's positive train
control system, including uninterrupted movements over property
boundaries.
Limited operations means operations on main line track that have
limited or no freight operations and are approved to be excepted from
this subpart's PTC system implementation and operation requirements in
accordance with Sec. 236.1019(c).
Main line means, except as provided in Sec. 236.1019 or where all
trains are limited to restricted speed within a yard or terminal area
or on auxiliary or industry tracks, a segment or route of railroad
tracks:
(1) of a Class I railroad, as documented in current timetables
filed by the Class I railroad with the FRA under Sec. 217.7 of this
title, over which 5,000,000 or more gross tons of railroad traffic is
transported annually; or
(2) used for regularly scheduled intercity or commuter passenger
service, as defined in 49 U.S.C. 24102, or both. Tourist, scenic,
historic, or excursion operations as defined in part 238 of this
chapter are not considered intercity or commuter passenger service for
purposes of this part.
Main line track exclusion addendum (``MTEA'') means the document
submitted under Sec. Sec. 236.1011 and 236.1019 requesting to
designate track as other than main line.
PTC means positive train control as further described in Sec.
236.1005.
PTCDP means a PTC Development Plan as further described in Sec.
236.1013.
PTCIP means a PTC Implementation Plan as required under 49 U.S.C.
20157 and further described in Sec. 236.1011.
PTC railroad means each Class I railroad and each entity providing
regularly scheduled intercity or commuter rail passenger transportation
required to implement or operate a PTC system.
PTCSP means a PTC Safety Plan as further described in Sec.
236.1015.
PTCPVL means a PTC Product Vendor List as further described in
Sec. 236.1023.
PTC System Certification means certification as required under 49
U.S.C. 20157 and further described in Sec. Sec. 236.1009 and 236.1015.
Request for Amendment (``RFA'') means a request for an amendment of
a plan or system made by a PTC railroad in accordance with Sec.
236.1021.
Request for Expedited Certification (``REC'') means, as further
described in Sec. 236.1031, a request by a railroad to receive
expedited consideration for PTC System Certification.
Restricted speed means, Speed, restricted, as defined in subpart G
of this part.
Safe State means a system configuration that cannot cause harm when
the system fails.
Segment of track means any part of the railroad where a train
operates.
Temporal separation means the process or processes in place to
assure that limited passenger and freight operations do not operate on
any segment of shared track during the same period and as further
defined under Sec. 236.1019.
Tenant railroad means a railroad, other than a host railroad,
operating on track upon which a PTC system is required.
Track segment means segment of track.
Type Approval means a number assigned to a particular PTC system
indicating FRA agreement that the PTC system could fulfill the
requirements of this subpart.
Train means one or more locomotives, coupled with or without cars.
Sec. 236.1005 Requirements for Positive Train Control systems.
(a) PTC system requirements. Each PTC system required to be
installed under this subpart shall:
(1) Reliably and functionally prevent:
(i) Train-to-train collisions--including collisions between trains
operating over at-grade crossings of rail lines--where the risk
associated with such collisions
[[Page 36013]]
is unacceptable in accordance with the following table or alternative
arrangements providing an equivalent level of safety as specified in an
FRA approved PTCSP:
----------------------------------------------------------------------------------------------------------------
Crossing type                         Max speed *             Protection required
----------------------------------------------------------------------------------------------------------------
Interlocking--one or more PTC routes  <=40 miles per hour     Interlocking signal arrangement in accordance
  intersecting with one or more                                 with the requirements of subparts A-G of this
  non-PTC routes.                                               part and PTC enforced stop on PTC routes.
Interlocking--one or more PTC routes  >40 miles per hour      Interlocking signal arrangement in accordance
  intersecting with one or more                                 with the requirements of subparts A-G of this
  non-PTC routes.                                               part, PTC enforced stop on all PTC routes, and
                                                                either the use of other than full PTC
                                                                technology that provides positive stop
                                                                enforcement or a split-point derail
                                                                incorporated into the signal system accompanied
                                                                by 20 miles per hour maximum allowable speed on
                                                                the approach of any intersecting non-PTC route.
Interlocking--all PTC routes          Any speed               Interlocking signal arrangements in accordance
  intersecting.                                                 with the requirements of subparts A-G of this
                                                                part, and PTC enforced stop on all routes.
----------------------------------------------------------------------------------------------------------------
(ii) Overspeed derailments, including derailments related to
railroad civil engineering speed restrictions, slow orders, and
excessive speeds over switches and through turnouts;
(iii) Incursions into established work zone limits without first
receiving appropriate authority and verification from the dispatcher or
roadway worker in charge, as applicable and in accordance with part 214
of this chapter; and
(iv) The movement of a train through a main line switch in the
improper position as further described in paragraph (e) of this
section.
(2) Include safety-critical integration of all authorities and
indications of a wayside or cab signal system, or other similar
appliance, method, device, or system of equivalent safety, in a manner
by which the PTC system shall provide associated warning and
enforcement to the extent, and except as, described and justified in
the FRA approved PTCDP or PTCSP, as applicable;
(3) As applicable, perform the additional functions specified in
this subpart;
(4) Provide an appropriate warning or enforcement when:
(i) A derail or switch protecting access to the main line required
by Sec. 236.1007, or otherwise provided for in the applicable PTCSP,
is not in its derailing or protecting position, respectively;
(ii) An operational restriction is issued associated with a
highway-rail grade crossing warning system malfunction as required by
Sec. Sec. 234.105, 234.106, or 234.107;
(iii) An after-arrival mandatory directive has been issued and the
train or trains to be waited on has not yet passed the location of the
receiving train;
(iv) Any movable bridge within the route ahead is not in a position
to allow permissive indication for a train movement pursuant to Sec.
236.312; and
(v) A hazard detector integrated into the PTC system that is
required by paragraph (c) of this section, or otherwise provided for in
the applicable PTCSP, detects an unsafe condition or transmits an
alarm; and
(5) Limit the speed of passenger and freight trains to 59 miles per
hour and 49 miles per hour, respectively, in areas without broken rail
detection or equivalent safeguards.
(b) PTC system installation. (1) After December 31, 2015, a PTC
system certified under Sec. 236.1015 shall be installed by the host
railroad on each:
(i) Main line over which is transported any quantity of poison- or
toxic-by-inhalation (PIH) hazardous materials, as defined in Sec. Sec.
171.8, 173.115 and 173.132 of this title;
(ii) Main line used for regularly provided intercity or commuter
passenger service, except as provided in Sec. 236.1019; and
(iii) Additional line of railroad as required by the applicable
FRA-approved PTCSP, this subpart, or an FRA order requiring
installation of a PTC system.
(2) For the purposes of paragraph (b)(1)(i) of this section, the
information necessary to determine whether a Class I railroad's track
segment shall be equipped with a PTC system shall be determined and
reported as follows:
(i) The traffic density threshold of 5 million gross tons shall be
based upon calendar year 2008 gross tonnage.
(ii) The presence or absence of any quantity of PIH hazardous
materials shall be determined by whether one or more cars containing
such product(s) was transported over the line segment in calendar year
2008.
(3) To the extent increases in freight rail traffic occur
subsequent to calendar year 2008 that might affect the requirement to
install a PTC system on any line not yet equipped, the railroad shall
seek to amend its PTCIP by promptly filing an RFA in accordance with
Sec. 236.1021. The following criteria apply:
(i) To the extent rail traffic exceeds 5 million gross tons in any
year after 2008, the tonnage shall be calculated for the preceding two
calendar years in determining whether a PTCIP or its amendment is
required.
(ii) To the extent PIH traffic is carried on a line segment as a
result of a request for rail service or rerouting warranted under part
172 of this title, and if the line carries in excess of 5 million gross
tons of rail traffic as determined under this paragraph. This does not
apply when temporary rerouting is authorized in accordance with
paragraph (g) of this section.
(iii) Once a railroad is notified by FRA that its RFA filed in
accordance with this paragraph has been approved, the railroad shall
equip the line with the applicable PTC system by December 31, 2015, or
within 24 months, whichever is later.
(4) If a railroad has filed, and FRA has approved, its initial
PTCIP, a railroad may file an RFA to request review of the requirement
to install PTC on a line segment where a PTC system is required, but
has not yet been installed, based upon changes in rail traffic such as
reductions in total traffic volume or cessation of local PIH service.
Any such RFA shall be accompanied by estimated traffic projections for
the next 5 years (e.g., as a result of planned rerouting,
coordinations, location of new business on the line). Where the request
involves prior or planned rerouting of PIH traffic, the railroad must
provide a supporting analysis that takes into consideration the
requirements of subpart I, part 172 of this title, including any
railroad-specific and interline routing impacts. FRA may approve the
RFA if FRA finds that it would be consistent with safety and in the
public interest.
(5) After December 31, 2015, no intercity or commuter rail
passenger service shall continue or commence
[[Page 36014]]
until a PTC system certified under this subpart has been installed and
made operative.
(c) Hazard detectors. (1) All hazard detectors integrated into a
signal or train control system on or after October 16, 2008, shall be
integrated into PTC systems required by this subpart; and their
warnings shall be appropriately and timely enforced as described in the
applicable PTCSP.
(2) The applicable PTCSP may provide for receipt and presentation
to the locomotive engineer and other train crew of warnings from
additional hazard detectors using the PTC data network, onboard
displays, and audible alerts. If the PTCSP so provides, the action to
be taken by the system and by the crew members shall be specified.
(3) The PTCDP (as applicable) and PTCSP for any service described
in Sec. 236.1007 to be conducted above 90 miles per hour shall include
a hazard analysis describing the hazards relevant to the specific
route(s) in question (e.g., potential for track obstruction due to
events such as falling rock or undermining of the track structure due
to high water or displacement of a bridge over navigable waters), the
basis for decisions concerning hazard detectors provided, and the
manner in which such additional hazard detectors will be interfaced
with the PTC system.
(d) Event recorders. (1) Each lead locomotive, as defined in part
229, of a train equipped and operating with a PTC system required by
this subpart must be equipped with an operative event recorder, which
shall:
(i) Record safety-critical train control data routed to the
locomotive engineer's display that the engineer is required to comply
with;
(ii) Specifically include text messages conveying mandatory
directives and maximum authorized speeds; and
(iii) Include the display format, content, and data retention
duration requirements specified in the PTC safety plan submitted and
approved pursuant to this paragraph. If such train control data can be
calibrated against other data required by this part, it may, at the
election of the railroad, be retained in a separate memory module.
(2) Each lead locomotive, as defined in part 229, manufactured and
in service after October 1, 2009, that is equipped and operating with a
PTC system required by this subpart, shall be equipped with an event
recorder memory module meeting the crash hardening requirements of
Sec. 229.135 of this chapter.
(3) Nothing in this subpart excepts compliance with any of the
event recorder requirements contained in Sec. 229.135 of this chapter.
(e) Switch position. The following requirements apply with respect
to determining proper switch position under this section. When a main
line switch position is unknown or improperly aligned for a train's
route in advance of the train's movement, the PTC system will provide
warning of the condition associated with the following enforcement:
(1) A PTC system must enforce restricted speed over any switch:
(i) Where train movements are made with the benefit of the
indications of a wayside or cab signal system or other similar
appliance, method, device, or system of equivalent safety proposed to
FRA and approved by the Associate Administrator in accordance with this
part; and
(ii) Where wayside or cab signal system or other similar appliance,
method, device, or system of equivalent safety requires the train to be
operated at restricted speed.
(2) A PTC system must enforce a positive stop short of any main
line switch, and any switch on a siding where the allowable speed is in
excess of 20 miles per hour, if movement of the train over the switch:
(i) Is made without the benefit of the indications of a wayside or
cab signal system or other similar appliance, method, device, or system
of equivalent safety proposed to FRA and approved by the Associate
Administrator in accordance with this part; or
(ii) Would create an unacceptable risk. Unacceptable risk includes
conditions when traversing the switch, even at low speeds, could result
in direct conflict with the movement of another train (including a
hand-operated crossover between main tracks, a hand-operated crossover
between a main track and an adjoining siding or auxiliary track, or a
hand-operated switch providing access to another subdivision or branch
line, etc.).
(3) A PTC system required by this subpart shall be designed,
installed, and maintained to perform the switch position detection and
enforcement described in paragraphs (e)(1) and (e)(2) of this section,
except as provided for and justified in the applicable, FRA-approved
PTCDP or PTCSP.
(4) The control circuit or electronic equivalent for any movement
authorities over any switches, movable-point frogs, or derails shall be
selected through circuit controller or functionally equivalent device
operated directly by switch points, derail, or by switch locking
mechanism, or through relay or electronic device controlled by such
circuit controller or functionally equivalent device, for each switch,
movable-point frog, or derail in the route governed. Circuits or
electronic equivalent shall be arranged so that any movement
authorities can only be provided when each switch, movable-point frog,
or derail in the route governed is in proper position, and shall be in
accordance with subparts A through G of this part unless it is
otherwise provided in a PTCSP approved under this subpart.
(f) Train-to-train collision. A PTC system shall be considered to
be configured to prevent train-to-train collisions within the meaning
of paragraph (a) of this section if trains are required to be operated
at restricted speed and if the onboard PTC equipment enforces the upper
limits of the railroad's restricted speed rule (15 or 20 miles per
hour). This application applies to:
(1) Operating conditions under which trains are required by signal
indication or operating rule to:
(i) Stop before continuing; or
(ii) Reduce speed to restricted speed and continue at restricted
speed until encountering a more favorable indication or as provided by
operating rule.
(2) Operation of trains within the limits of a joint mandatory
directive.
(g) Temporary rerouting. A train equipped with a PTC system as
required by this subpart may be temporarily rerouted onto a track not
equipped with a PTC system and a train not equipped with a PTC system
may be temporarily rerouted onto a track equipped with a PTC system as
required by this subpart in the following circumstances:
(1) Emergencies. In the event of an emergency--including conditions
such as derailment, flood, fire, tornado, hurricane, or other similar
circumstance outside of the railroad's control--that would prevent
usage of the regularly used track if:
(i) The rerouting is applicable only until the emergency condition
ceases to exist and for no more than 14 consecutive calendar days,
unless otherwise extended by approval of the Associate Administrator;
(ii) The railroad provides written or telephonic notification to
the applicable Regional Administrator of the information listed in
paragraph (i) within one business day of the beginning of the rerouting
made in accordance with this paragraph; and
(iii) The conditions under paragraph (j) are followed.
(2) Planned maintenance. In the event of planned maintenance that
would
[[Page 36015]]
prevent usage of the regularly used track if:
(i) The maintenance period does not exceed 30 days;
(ii) A request is filed with the applicable Regional Administrator
in accordance with paragraph (i) of this section no less than 10
business days prior to the planned rerouting; and
(iii) The conditions contained in paragraph (j) of this section are
followed.
(h) Rerouting requests. (1) For the purposes of paragraph (g)(2) of
this section, the rerouting request shall be self-executing unless the
applicable Regional Administrator responds with a notice disapproving
of the rerouting or providing instructions to allow rerouting. Such
instructions may include providing additional information to the
Regional Administrator or Associate Administrator prior to the
commencement of rerouting. Once the Regional Administrator responds
with a notice under this paragraph, no rerouting may occur until the
Regional Administrator or Associate Administrator provides his or her
approval.
(2) In the event the temporary rerouting described in paragraph
(g)(2) of this section is to exceed 30 consecutive calendar days:
(i) The railroad shall provide a request in accordance with
paragraphs (i) and (j) of this section with the Associate Administrator
no less than 10 business days prior to the planned rerouting; and
(ii) The rerouting contemplated by this paragraph shall not
commence until receipt of approval from the Associate Administrator.
(i) Content of rerouting request. Each notice or request referenced
in paragraph (g) of this section must indicate:
(1) The dates that such temporary rerouting will occur;
(2) The number and types of trains that will be rerouted;
(3) The location of the affected tracks; and
(4) A description of the necessity for the temporary rerouting.
(j) Rerouting conditions. Rerouting of operations under paragraph
(g) of this section may only occur if:
(1) An absolute block is established in advance of each rerouted
train movement; and
(2) Each rerouted train movement shall not exceed 59 miles per hour
for passenger and 49 miles per hour for freight.
(k) Rerouting cessation. The applicable Regional Administrator may
order a railroad to cease any rerouting provided under paragraph (g) or
(h) of this section.
Sec. 236.1006 Equipping locomotives operating in PTC territory.
(a) Except as provided in paragraph (b) of this section, each train
operating on any track segment equipped with a PTC system shall be
controlled by a locomotive equipped with an on-board PTC apparatus that
is fully operative and functioning in accordance with the applicable
PTCSP approved under this subpart.
(b) Exceptions. (1) Prior to December 31, 2015, each train
controlled by a locomotive not equipped with an onboard PTC apparatus
is permitted to operate.
(2) Prior to December 31, 2013, each train controlled by a
locomotive equipped with an onboard PTC apparatus that is not fully
operative is permitted only if:
(i) The subject locomotive failed initialization at the point of
origin for the train or at the location where the locomotive was added
to the train;
(ii) The railroad has included in its FRA approved PTC
Implementation Plan a system for identifying PTC system reliability
exceptions and responding with appropriate remedial actions, the
railroad executes that plan, and the documentation for execution of the
plan is currently available to FRA upon request; and
(iii) The percentage of controlling locomotives operating out of
each railroad's initial terminals after receiving a failed
initialization and over a track segment equipped with a PTC system,
does not during each calendar month exceed:
(A) 20 percent until December 31, 2011;
(B) 15 percent from the end of the period in paragraph (A) to
December 31, 2012; and
(C) 10 percent from the end of the period in paragraph (B) to
December 31, 2013.
(3) A train controlled by a locomotive with an onboard PTC
apparatus that has failed en route is permitted to operate in
accordance with Sec. 236.1029.
(4) A train operated by a Class II or Class III railroad, including
a tourist or excursion railroad, and controlled by a locomotive not
equipped with an onboard PTC apparatus is permitted to operate on a PTC
operated track segment:
(i) That either:
(A) Has no regularly scheduled intercity or passenger rail
passenger transportation traffic; or
(B) Has regularly scheduled intercity or passenger rail passenger
transportation traffic and the applicable PTCIP permits the operation
of a train operated by a Class II or III railroad and controlled by a
locomotive not equipped with an onboard PTC apparatus;
(ii) Where operations are restricted to less than four such
unequipped trains per day, whereas a train conducting a ``turn''
operation (e.g., moving to a point of interchange to drop off or pick
up cars and returning to the track owned by a Class II or III railroad)
is considered two trains for this purpose; and
(iii) Where each movement shall either:
(A) Not exceed 20 miles in length; or
(B) To the extent any movement exceeds 20 miles in length, such
movement is not permitted without the controlling locomotive being
equipped with an onboard PTC system after December 31, 2020, and each
applicable Class II or III railroad shall report to FRA its progress in
equipping each necessary locomotive with an onboard PTC apparatus to
facilitate continuation of the movement. The progress reports shall be
filed not later than December 31, 2017 and, if all necessary
locomotives are not yet equipped, on December 31, 2019.
(c) When a train movement is conducted under the exceptions
described in paragraph (b)(4) of this section, that movement shall be
made in accordance with Sec. 236.1029.
Sec. 236.1007 Additional requirements for high-speed service.
(a) A PTC railroad that conducts a passenger operation at or
greater than 60 miles per hour or a freight operation at or greater
than 50 miles per hour shall have installed a PTC system including or
working in concert with technology that includes all of the safety-
critical functional attributes of a block signal system meeting the
requirements of this part, including appropriate fouling circuits and
broken rail detection (or equivalent safeguards).
(b) In addition to the requirements of paragraph (a), a host
railroad that conducts a freight or passenger operation at more than 90
miles per hour shall:
(1) Have an approved PTCSP establishing that the system was
designed and will be operated to meet the failsafe operation criteria
described in Appendix C to this part; and
(2) Prevent unauthorized or unintended entry onto the main line
from any track not equipped with a PTC system compliant with this
subpart by placement of split-point derails or equivalent means
integrated into the PTC system; and
(3) Comply with Sec. 236.1029(c).
(c) In addition to the requirements of paragraphs (a) and (b), a
host railroad that conducts a freight or passenger operation at more
than 125 miles per hour shall have an approved PTCSP accompanied by a
document (``HSR-125'') establishing that the system:
(1) Will be operated at a level of safety comparable to that
achieved over the 5-year period prior to the submission of the PTCSP by
other train control systems that perform PTC functions required by this
subpart, and which have been utilized on high-speed rail systems with
similar technical and operational characteristics in the United States
or in foreign service, provided that the use of foreign service data
must be approved by the Associate Administrator before submittal of the
PTCSP; and
(2) Has been designed to detect incursions into the right-of-way,
including incidents involving motor vehicles diverting from adjacent
roads and bridges, where conditions warrant.
(d) In addition to the requirements of paragraphs (a) through (c)
of this section, a host railroad that conducts a freight or passenger
operation at more than 150 miles per hour, which is governed by a Rule
of Particular Applicability, shall have an approved PTCSP accompanied
by a HSR-125 developed as part of an overall system safety plan
approved by the Associate Administrator.
Sec. 236.1009 Procedural requirements.
(a) PTC Implementation Plan (PTCIP). (1) By April 16, 2010, each
host railroad that is required to implement and operate a PTC system in
accordance with Sec. 236.1005(b) shall develop and submit in
accordance with Sec. 236.1011(a) a PTCIP for implementing a PTC system
required under Sec. 236.1005. Filing of the PTCIP shall not exempt the
required filings of a PTCSP, PTCDP, or Type Approval.
(2) After April 16, 2010, a host railroad shall file:
(i) A PTCIP if it becomes a host railroad of a main line track; or
(ii) A request for amendment (``RFA'') of its current and approved
PTCIP in accordance with Sec. 236.1021 if it intends to:
(A) Initiate a new category of service (i.e., passenger or
freight); or
(B) Add, subtract, or otherwise materially modify one or more lines
of railroad for which installation of a PTC system is required.
(3) If the host railroad is a freight railroad, and the subject
trackage would require installation and operation of a PTC system in
accordance with Sec. Sec. 236.1005(b)(2) or (b)(3), then a PTCIP
required to be filed in accordance with paragraph (a)(1) or (a)(2)
of this section must be jointly filed with each entity providing
regularly scheduled intercity or commuter rail passenger transportation
over that subject trackage. If railroads are unable to jointly file a
PTCIP in accordance with paragraphs (a)(1) and (a)(3) of this section,
then they each shall:
(i) Separately file a PTCIP in accordance with paragraph (a)(1);
(ii) Notify the Associate Administrator that the subject railroads
were unable to agree on a PTCIP to be jointly filed;
(iii) Provide the Associate Administrator with a comprehensive list
of all issues not in agreement between the railroads that would prevent
the subject railroads from jointly filing the PTCIP; and
(iv) Confer with the Associate Administrator to develop and submit
a PTCIP mutually acceptable to all subject railroads.
(b) Type Approval. A host railroad, or one or more system suppliers
and one or more host railroads, shall file prior to or simultaneously
with the filing made in accordance with paragraph (a) of this section:
(1) An unmodified Type Approval previously issued by the Associate
Administrator in accordance with Sec. 236.1013 or Sec. 236.1031(b)
with its associated docket number;
(2) A PTCDP requesting a Type Approval for:
(i) A PTC system that does not have a Type Approval; or
(ii) A PTC system with a previously issued Type Approval that
requires one or more variances;
(3) A PTCSP subject to the conditions set forth in paragraph (c) of
this section, with or without a Type Approval; or
(4) A document attesting that a Type Approval is not necessary
since the host railroad has no territory for which a PTC system is
required under this subpart.
(c) PTCSP and PTC System Certification. The following apply to each
PTCSP and PTC System Certification.
(1) A PTC System Certification for a PTC system may be obtained by
submitting an acceptable PTCSP. If the PTC system is the subject of a
Type Approval, the safety case elements contained in the PTCDP may be
incorporated by reference into the PTCSP, subject to finalization of
the human factors analysis contained in the PTCDP.
(2) Each PTCSP requirement under Sec. 236.1015 shall be supported
by information and analysis sufficient to establish that the
requirements of this subpart have been satisfied.
(3) If the Associate Administrator finds that the PTCSP and
supporting documentation support a finding that the system complies
with this part, the Associate Administrator may approve the PTCSP. If
the Associate Administrator approves the PTCSP, the railroad shall
receive PTC System Certification for the subject PTC system and shall
implement the PTC system according to the PTCSP.
(4) A required PTC system shall not:
(i) Be used in service until it receives from FRA a PTC System
Certification; and
(ii) Receive a PTC System Certification unless FRA receives and
approves an applicable:
(A) PTCIP and PTCSP; or
(B) Request for Expedited Certification (REC) as defined by Sec.
236.1031(a).
(d) Plan contents. (1) No PTCIP shall receive approval unless it
complies with Sec. 236.1011. No railroad shall receive a Type Approval
or PTC System Certification unless the applicable PTCDP or PTCSP,
respectively, comply with Sec. Sec. 236.1013 and 236.1015,
respectively.
(2) All materials filed in accordance with this subpart must be in
the English language, or have been translated into English and attested
as true and correct.
(3) Each filing referenced in this section may include a request
for full or partial confidentiality in accordance with Sec. 209.11 of
this chapter. If confidentiality is requested as to a portion of any
applicable document, then in addition to the filing requirements under
Sec. 209.11 of this chapter, the person filing the document shall also
file a copy of the original unredacted document, marked to indicate
which portions are redacted in the document's confidential version
without obscuring the original document's contents.
(e) Supporting documentation and information. (1) Issuance of a
Type Approval or PTC System Certification is contingent upon FRA's
confidence in the implementation and operation of the subject PTC
system. This confidence may be based on FRA-monitored field testing or
an independent assessment performed in accordance with Sec. 236.1035
or Sec. 236.1017, respectively.
(2) Upon request by FRA, the railroad requesting a Type Approval or
PTC System Certification must engage in field testing or independent
assessment performed in accordance with Sec. 236.1035 or Sec.
236.1017, respectively, to support the assertions made in any of the
plans submitted under this subpart. These assertions include any of the
plans' content requirements under this subpart.
(f) FRA conditions, reconsiderations, and modifications. (1) As
necessary to ensure safety, FRA may attach special conditions to
approving a PTCIP or issuing a Type Approval or PTC System
Certification.
(2) After granting a Type Approval or PTC System Certification, FRA
may reconsider the Type Approval or PTC System Certification upon
revelation of any of the following factors concerning the contents of
the PTCIP, PTCDP or PTCSP:
(i) Potential error or fraud;
(ii) Potentially invalidated assumptions determined as a result of
in-service experience or one or more unsafe events calling into
question the safety analysis supporting the approval.
(3) During FRA's reconsideration in accordance with this paragraph,
the PTC system may remain in use if otherwise consistent with the
applicable law and regulations and FRA may impose special conditions
for use of the PTC system.
(4) After FRA's reconsideration in accordance with this paragraph,
FRA may:
(i) Dismiss its reconsideration and continue to recognize the
existing FRA approved Type Approval;
(ii) Allow continued operations under such conditions the Associate
Administrator deems necessary to ensure safety; or
(iii) Revoke the Type Approval or PTC System Certification and
direct the railroad to cease operations where PTC systems are required
under this subpart.
(g) FRA access. The Associate Administrator, or that person's
designated representatives, shall be afforded reasonable access to
monitor, test, and inspect processes, procedures, facilities,
documents, records, design and testing materials, artifacts, training
materials and programs, and any other information used in the design,
development, manufacture, test, implementation, and operation of the
system, as well as interview any personnel:
(1) Associated with a PTC system for which a Type Approval or PTC
System Certification has been requested or provided; or
(2) To determine whether a railroad has been in compliance with
this subpart.
(h) Foreign regulatory entity verification. Information that has
been certified under the auspices of a foreign regulatory entity
recognized by the Associate Administrator may, at the Associate
Administrator's sole discretion, be accepted as independently Verified
and Validated and used to support each railroad's development of the
PTCSP.
Sec. 236.1011 PTCIP content requirements.
(a) Contents. A PTCIP filed pursuant to this subpart shall, at a
minimum, describe:
(1) The technology that will be employed;
(2) How the PTC railroad intends to comply with Sec. 236.1009(c);
(3) How the PTC system will provide for interoperability of the
system between the host and all tenant railroads on the lines required
to be equipped with PTC systems under this subpart and:
(i) Include copies of relevant provisions of any agreements,
executed by all applicable railroads, in place to achieve
interoperability;
(ii) List all technologies used to obtain interoperability; and
(iii) Identify any railroads with respect to which interoperability
agreements or compatible technology have not been achieved as of the
time the plan is filed, the practical obstacles that were encountered
that prevented resolution, and the further steps planned to overcome
those obstacles;
(4) How, to the extent practical, the PTC system will be
implemented to address areas of greater risk to the public and railroad
employees before areas of lesser risk;
(5) The sequence and schedule in which line segments will be
equipped and the basis for those decisions, and shall at a minimum
address the following risk factors by line segment:
(i) Segment traffic characteristics such as typical annual
passenger and freight train volume and volume of poison- or toxic-by-
inhalation (PIH or TIH) shipments (loads, residue);
(ii) Segment operational characteristics such as current method of
operation (including presence or absence of a block signal system),
number of tracks, and maximum allowable train speeds, including planned
modifications; and
(iii) Route attributes bearing on risk, including ruling grades and
extreme curvature;
(6) The following information relating to rolling stock:
(i) What rolling stock will be equipped with PTC technology;
(ii) The schedule to equip that rolling stock by December 31, 2015;
and
(iii) Unless the tenant railroad is filing its own PTCIP, the host
railroad's PTCIP shall:
(A) Attest that the host railroad has made a formal written request
to each tenant railroad requesting identification of each rolling stock
to be PTC system equipped and the date each will be equipped; and
(B) Include each tenant railroad's response to the host railroad's
written request made in accordance with paragraph (a)(6)(iii)(A) of
this section;
(7) The number of wayside devices required for each line segment
and the installation schedule to complete wayside equipment
installation by December 31, 2015;
(8) Which track segments the railroad considers mainline and non-
mainline track. If the PTCIP includes a MTEA, as defined by Sec.
236.1019, the PTCIP should identify the tracks included in the MTEA as
main line track with a reference to the MTEA; and
(9) To the extent the railroad determines that risk-based
prioritization required by paragraph (a)(4) of this section is not
practical, the basis for this determination.
(b) Additional Class I railroad PTCIP requirements. Each Class I
railroad shall include:
(1) In its PTCIP a strategy for full deployment of its PTC system,
describing the criteria that it will apply in identifying additional
rail lines on its own network, and rail lines of entities that it
controls or engages in joint operations with, for which full or partial
deployment of PTC technologies is appropriate, beyond those required to
be equipped under this subpart. Such criteria shall include
consideration of the policies established by 49 U.S.C. 20156 (railroad
safety risk reduction program), and regulations issued thereunder, as
well as non-safety business benefits that may accrue.
(2) In the Technology Implementation Plan of its Risk Reduction
Program, when first required to be filed in accordance with 49 U.S.C.
20156 and any regulation promulgated thereunder, a specification of
rail lines selected for full or partial deployment of PTC under the
criteria identified in its PTCIP.
(3) Nothing in this paragraph shall be construed to create an
expectation or requirement that additional rail lines beyond those
required to be equipped by this subpart must be equipped or that such
lines will be equipped during the period of primary implementation
ending December 31, 2015.
(4) As used in this paragraph, ``partial implementation'' of a PTC
system refers to use, pursuant to subpart H of this part, of technology
embedded in PTC systems that does not employ all of the functionalities
required by this subpart.
(c) FRA review. Within 90 days of receipt of a PTCIP, the Associate
Administrator will approve or disapprove of the plan and notify in
writing the affected railroad or other entity. If the PTCIP is not
approved, the notification will include the plan's deficiencies. Within
30 days of receipt of that notification, the railroad or other entity
that submitted the plan shall correct all deficiencies and resubmit the
plan in accordance with Sec. 236.1009 and paragraph (a) of this
section, as applicable.
(d) Subpart H. A railroad that elects to install a PTC system when
not required to do so may elect to proceed under this subpart or under
subpart H.
(e) Upon receipt of a PTCIP, PTCDP, or PTCSP, FRA posts on its
public Web site notice of receipt and reference to the public docket in
which a copy of the filing has been placed. FRA may consider any public
comment on each document to the extent practicable within the time
allowed by law and without delaying implementation of PTC systems.
Sec. 236.1013 PTCDP content requirements and Type Approval.
(a) For a PTC system to obtain a Type Approval from FRA, the PTCDP
shall be filed in accordance with Sec. 236.1009 and shall include:
(1) A complete description of the PTC system, including a list of
all PTC system components and their physical relationships in the
subsystem or system;
(2) A description of the railroad operation or categories of
operations on which the PTC system is designed to be used, including
train movement density (passenger, freight), operating speeds, track
characteristics, and railroad operating rules;
(3) An operational concepts document, including a list with
complete descriptions of all functions which the PTC system will
perform to enhance or preserve safety;
(4) A document describing the manner in which the PTC architecture
satisfies safety requirements;
(5) A description of the safety assurance concepts that are to be
used for system development, including an explanation of the design
principles and assumptions;
(6) A preliminary human factors analysis, including a complete
description of all human-machine interfaces and the impact of
interoperability requirements on the same;
(7) An analysis of the applicability to the PTC system of the
requirements of subparts A-G of this part that may no longer apply or
are satisfied by the PTC system using an alternative method, and a
complete explanation of the manner in which those requirements are
otherwise fulfilled;
(8) A description of the necessary security measures for the
system;
(9) A description of target safety levels (e.g., MTTHE for major
subsystems as defined in subpart H), including requirements for system
availability and a description of all backup methods of operation and
any critical assumptions associated with the target levels;
(10) A complete description of how the PTC system will enforce
authorities and signal indications;
(11) A description of the deviation required under Sec.
236.1029(c), if applicable; and
(12) A complete description of how the PTC system will appropriately
and timely enforce all integrated hazard detectors in accordance with
Sec. 236.1005(c)(3), if applicable.
(b) If the Associate Administrator finds that the system described
in the PTCDP would satisfy the requirements for PTC systems under this
subpart and that the applicant has made a reasonable showing that a
system built to the stated requirements would achieve the level of
safety mandated for such a system under Sec. 236.1015, the Associate
Administrator may grant a numbered Type Approval for the system.
(c) Each Type Approval shall be valid for a period of 5 years,
subject to automatic and indefinite extension provided that at least
one PTC System Certification using the subject PTC system has been
issued within that period and not revoked.
(d) A PTCSP submitted under this subpart may reference and utilize
in accordance with this subpart any Type Approval previously issued by
the Associate Administrator to any railroad, provided that the
railroad:
(1) Maintains a continually updated PTCPVL pursuant to Sec.
236.1023; and
(2) Provides the applicable licensing information.
(e) A railroad submitting a PTCDP under this subpart must show that
the supplier from which they are procuring the PTC system has
established and can maintain a quality control system for PTC system
design and manufacturing acceptable to the Associate Administrator.
(f) The Associate Administrator may prescribe special conditions,
amendments, and restrictions to any Type Approval as necessary for
safety.
Sec. 236.1015 PTCSP content requirements and PTC System
Certification.
(a) Before placing a PTC system required under this part in
service, the host railroad must submit to FRA a PTCSP and receive a PTC
System Certification. If the Associate Administrator finds that the
PTCSP and supporting documentation support a finding that the system
complies with this part, the Associate Administrator approves the PTCSP
and issues a PTC System Certification. Receipt of a PTC System
Certification affirms that the PTC system has been reviewed and
approved by FRA in accordance with, and meets the requirements of, this
part.
(b) A PTCSP submitted in accordance with this subpart shall:
(1) Include the applicable FRA approved PTCIP and, if applicable,
the PTCDP and Type Approval;
(2)(i) Specifically and rigorously document each variance,
including the significance of each variance between the PTC system and
its applicable operating conditions as described in the applicable
PTCIP and any applicable PTCDP from that as described in the PTCSP, and
attest that there are no other such variances; or
(ii) Attest that there are no variances between the PTC system and
its applicable operating conditions as described in the applicable
PTCIP and any applicable PTCDP from that as described in the PTCSP; and
(3) Attest that the system was otherwise built in accordance with
the applicable PTCDP and PTCSP and achieves the level of safety
represented therein.
(c) A PTCSP shall include the same information required for a PTCDP
under Sec. 236.1013(a). If a PTCDP has been filed and approved prior
to filing of the PTCSP, the PTCSP may incorporate the PTCDP by reference,
with the exception that a final human factors analysis shall be
provided. The PTCSP shall contain the following additional elements:
(1) A hazard log consisting of a comprehensive description of all
safety-relevant hazards not previously addressed by the vendor to be
addressed during the life cycle of the PTC system, including maximum
threshold limits for each hazard (for unidentified hazards, the
threshold shall be exceeded at one occurrence);
(2) A risk assessment of the as-built PTC system described;
(3) A hazard mitigation analysis, including a complete and
comprehensive description of each hazard and the mitigation techniques
used;
(4) A complete description of the safety assessment and
Verification and Validation processes applied to the PTC system, their
results, and whether these processes address the safety principles
described in Appendix C to this part directly, using other safety
criteria, or not at all;
(5) A complete description of the railroad's training plan for
railroad and contractor employees and supervisors necessary to ensure
safe and proper installation, implementation, operation, maintenance,
repair, inspection, testing, and modification of the PTC system;
(6) A complete description of the specific procedures and test
equipment necessary to ensure the safe and proper installation,
implementation, operation, maintenance, repair, inspection, testing,
and modification of the PTC system on the railroad and establish that
safety-critical hazards are appropriately mitigated. These procedures,
including calibration requirements, shall be consistent with or explain
deviations from the equipment manufacturer's recommendations;
(7) A complete description of any additional warning to be placed
in the Operations and Maintenance Manual in the same manner specified
in Sec. 236.919 and all warning labels to be placed on equipment as
necessary to ensure safety;
(8) A complete description of the configuration or revision control
measures designed to ensure that the railroad or its contractor does
not adversely affect the safety-functional requirements and that
safety-critical hazard mitigation processes are not compromised as a
result of any such change;
(9) A complete description of all initial implementation testing
procedures necessary to establish that safety-functional requirements
are met and safety-critical hazards are appropriately mitigated;
(10) A complete description of all post-implementation testing
(validation) and monitoring procedures, including the intervals
necessary to establish that safety-functional requirements, safety-
critical hazard mitigation processes, and safety-critical tolerances
are not compromised over time, through use, or after maintenance
(adjustment, repair, or replacement) is performed;
(11) A complete description of each record necessary to ensure the
safety of the system that is associated with periodic maintenance,
inspections, tests, adjustments, repairs, or replacements, and the
system's resulting conditions, including records of component failures
resulting in safety-relevant hazards (see Sec. 236.1033);
(12) A safety analysis to determine whether, when the system is in
operation, any risk remains of an unintended incursion into a roadway
work zone due to human error. If the analysis reveals any such risk,
the PTCDP and PTCSP shall describe how that risk will be mitigated;
(13) A more detailed description of any alternative arrangements as
already provided under Sec. 236.1011(a)(10);
(14) A complete description of how the PTC system will enforce
authorities and signal indications, unless already completely provided
for in the PTCDP;
(15) A description of how the PTCSP complies with Sec.
236.1019(e), if applicable;
(16) A description of the deviation required under Sec.
236.1029(c), if applicable and unless already completely provided for
in the PTCDP;
(17) A complete description of how the PTC system will appropriately
and timely enforce all integrated hazard detectors in accordance with
Sec. 236.1005;
(18) An emergency and planned maintenance temporary rerouting plan
indicating how operations on the subject PTC system will take advantage
of the benefits provided under Sec. 236.1005(g)-(k); and
(19) Any alternative arrangements for each rail at-grade crossing
not adhering to the table under Sec. 236.1005(a)(1)(i).
(d) The following additional requirements apply to:
(1) Non-vital overlay. A PTC system proposed as an overlay on the
existing method of operation and not built in accordance with the
safety assurance principles set forth in Appendix C of this part must,
to the satisfaction of the Associate Administrator, be shown to:
(i) Reliably execute the functions set forth in Sec. 236.1005;
(ii) Obtain at least 80 percent reduction of the risk associated
with accidents preventable by the functions set forth in Sec.
236.1005, when all effects of the change associated with the PTC system
are taken into account. The supporting risk assessment shall evaluate
all intended changes in railroad operations coincident with the
introduction of the new system; and
(iii) Maintain a level of safety for each subsequent system
modification that is equal to or greater than the level of safety for
the previous PTC systems.
(2) Vital overlay. A PTC system proposed on a newly constructed
track or as an overlay on the existing method of operation and is built
in accordance with the safety assurance principles set forth in
Appendix C of this part must, to the satisfaction of the Associate
Administrator, be shown to:
(i) Reliably execute the functions set forth in Sec. 236.1005; and
(ii) Have sufficient documentation to demonstrate that the PTC
system, as built, fulfills the safety assurance principles set forth in
Appendix C of this part. The supporting risk assessment may be
abbreviated as that term is used in subpart H of this part.
(3) Stand-alone. A PTC system proposed on a newly constructed
track, an existing track for which no signal system exists, as a
replacement for an existing signal or train control system, or to
otherwise intend to replace or materially modify the existing method of
operation, shall:
(i) Demonstrate to reliably execute the functions required by Sec.
236.1005; and
(ii) Have a PTCSP establishing, with a high degree of confidence,
that the system will not introduce new hazards that have not been
mitigated. The supporting risk assessment shall evaluate all intended
changes in railroad operations in relation to the introduction of the
new system and shall examine in detail the direct and indirect effects
of all changes in the method of operations.
(4) Mixed systems. If a PTC system combining overlay, stand-alone,
vital, or non-vital characteristics is proposed, the railroad shall
confer with the Associate Administrator regarding appropriate
structuring of the safety case and analysis.
(e) When determining whether the PTCSP fulfills the requirements
under paragraph (d) of this section, the Associate Administrator may
consider all available evidence concerning the reliability and
availability of the proposed system and any and all safety consequences
of the proposed changes. In any case where the PTCSP lacks data
regarding safety impacts of the proposed changes, the Associate
Administrator may request the necessary data from the applicant. If the
requested data is not provided, the Associate Administrator may find
that potential hazards could or will arise.
(f) If a PTCSP applies to a system designed to replace an existing
certified PTC system, the PTCSP will be approved provided that the
PTCSP establishes with a high degree of confidence that the new system
will provide a level of safety not less than the level of safety
provided by the system to be replaced.
(g) When reviewing the issue of the potential data errors (for
example, errors arising from data supplied from other business systems
needed to execute the braking algorithm, survey data needed for
location determination, or mandatory directives issued through the
computer-aided dispatching system), the PTCSP must include a careful
identification of each of the risks and a discussion of each applicable
mitigation. In an appropriate case, such as a case in which the
residual risk after mitigation is substantial or the underlying method
of operation will be significantly altered, the Associate
Administrator may require submission of a quantitative risk assessment
addressing these potential errors.
Sec. 236.1017 Independent third party Verification and Validation.
(a) The PTCSP must be supported by an independent third-party
assessment when the Associate Administrator concludes that it is
necessary based upon the same criteria set forth in Sec. 236.913 of
this chapter, with the exception that consideration of the methodology
used in the risk assessment (Sec. 236.913(g)(2)(vii)) shall apply only
to the extent that a comparative risk assessment was required. To the
extent practicable, FRA makes this determination not later than review
of the PTCIP and the accompanying PTCDP or PTCSP. If an independent
assessment is required, the assessment may apply to the entire system
or a designated portion of the system.
(b) If a PTC system is to undergo an independent assessment in
accordance with this section, it may submit to the Associate
Administrator a written request that FRA confirm whether a particular
entity would be considered an independent third party pursuant to this
section. The request should include supporting information in
accordance with paragraph (c) of this section. FRA may request further
information to make a determination or provide its determination in
writing.
(c) As used in this section, ``independent third party'' means a
technically competent entity responsible to and compensated by the
railroad (or an association on behalf of one or more railroads) that is
independent of the PTC system supplier and vendor. An entity that is
owned or controlled by the supplier or vendor, that is under common
ownership or control with the supplier or vendor, or that is otherwise
involved in the development of the PTC system is not considered
``independent'' within the meaning of this section.
(d) The independent third party assessment must, at a minimum,
consist of the activities and result in the production of documentation
meeting the requirements of Appendix F to this part, unless excepted by
this part or by FRA order or waiver.
(e) Information provided that has been certified under the auspices
of a foreign railroad regulatory entity recognized by the Associate
Administrator may, at the Associate Administrator's discretion, be
accepted as having been independently verified.
Sec. 236.1019 Main line track exceptions.
(a) Scope and procedure. This section pertains exclusively to
exceptions from the rule that trackage over which scheduled intercity
and commuter passenger service is provided is considered main line
track requiring installation of a PTC system. One or more intercity or
commuter passenger railroads, or freight railroads conducting joint
passenger and freight operation over the same segment of track may file
a main line track exclusion addendum (``MTEA'') to its PTCIP requesting
to designate track as not main line subject to the condition that such
trackage may not be trackage otherwise required to be equipped (e.g.,
because of tonnage and PIH traffic) and to the further conditions set
forth in paragraphs (b) and (c) of this section. No track shall be
designated as yard or terminal unless it is identified in a MTEA that
is part of an FRA approved PTCIP.
(b) Passenger terminal exception. FRA will consider an exception in
the case of trackage used exclusively as yard or terminal tracks by or
in support of regularly scheduled intercity or commuter passenger
service where the MTEA describes in detail the physical boundaries of
the trackage in question, its use and characteristics (including track
and signal charts) and all of the following apply:
(1) The maximum authorized speed for all movements is not greater
than 20 miles per hour, and that maximum is enforced by any available
onboard PTC equipment within the confines of the yard or terminal;
(2) Interlocking rules are in effect prohibiting reverse movements
other than on signal indications without dispatcher permission; and
(3) No freight operations are permitted.
(c) Limited operations exception. FRA will consider an exception in
the case of trackage used for limited operations by at least one
passenger railroad subject to at least one of the following conditions:
(1) All trains are limited to restricted speed;
(2) Temporal separation of passenger and other trains is maintained
as provided in paragraph (d) of this section; or
(3) Passenger service is operated under a risk mitigation plan
submitted by all railroads involved in the joint operation and approved
by FRA. The risk mitigation plan must be supported by a risk assessment
establishing that the proposed mitigations will achieve a level of
safety not less than the level of safety that would obtain if the
operations were conducted under paragraph (c)(1) or (c)(2) of this
section.
(d) Temporal separation. As used in this section, temporal
separation means the processes or physical arrangements, or both, in
place to assure that limited passenger and freight operations do not
operate on any segment of shared track during the same period. The use
of exclusive authorities under mandatory directives is not, by itself,
sufficient to establish that temporal separation is achieved.
Procedures to ensure temporal separation shall include verification
checks between passenger and freight and effective physical means to
positively ensure segregation of passenger and freight operations in
accordance with this paragraph.
(e) PTCSP requirement. No PTCSP filed after the approval of a PTCIP
with an MTEA shall be approved by FRA unless it attests that no
changes, except for those included in a FRA approved RFA, have been
made to the information in the PTCIP and MTEA required by paragraph (b)
or (c) of this section.
(f) Designation modifications. If subsequent to approval of its
PTCIP or PTCSP the railroad seeks to modify which track or tracks
should be designated as main line or not main line, it shall request
modification of its PTCIP or PTCSP, as applicable, in accordance with
Sec. 236.1021.
Sec. 236.1021 Discontinuances, material modifications, and
amendments.
(a) No changes, as defined by this section, to a PTC system, PTCIP,
PTCDP, or PTCSP, shall be made unless:
(1) The railroad files a request for amendment (``RFA'') to the
applicable PTCIP, PTCDP, or PTCSP with the Associate Administrator; and
(2) The Associate Administrator approves the RFA.
(b) After approval of a RFA in accordance with paragraph (a) of
this section, the railroad shall immediately adopt and comply with the
amendment.
(c) In lieu of a separate filing under part 235 of this chapter, a
railroad may request approval of a discontinuance or material
modification of a signal or train control system by filing a RFA to its
PTCIP, PTCDP, or PTCSP with the Associate Administrator.
(d) A RFA made in accordance with this section will not be approved
by FRA unless the request includes:
(1) The information listed in Sec. 235.10 of this chapter and the
railroad provides FRA upon request any additional information necessary
to evaluate the RFA (see Sec. 235.12), including:
(2) The proposed modifications;
(3) The reasons for each modification;
(4) The changes to the PTCIP, PTCDP or PTCSP, as applicable;
[[Page 36021]]
(5) Each modification's effect on PTC system safety;
(6) An approximate timetable for filing of the PTCDP, PTCSP, or
both, if the amendment pertains to a PTCIP; and
(7) An explanation of whether each change to the PTCSP is planned
or unplanned.
(A) Unplanned changes that affect the Type Approval's PTCDP require
submission and approval in accordance with Sec. 236.1013 of a new
PTCDP, followed by submission and approval in accordance with Sec.
236.1015 of a new PTCSP for the PTC system.
(B) Unplanned changes that do not affect the Type Approval's PTCDP
require submission and approval of a new PTCSP.
(C) Unplanned changes are changes affecting system safety that have
not been documented in the PTCSP. The impact of unplanned changes on
PTC system safety has not yet been determined.
(D) Planned changes may be implemented after they have undergone
suitable regression testing to demonstrate, to the satisfaction of the
Associate Administrator, they have been correctly implemented and their
implementation does not degrade safety.
(E) Planned changes are changes affecting system safety in the
PTCSP and have been included in all required analysis under Sec.
236.1017. The impact of these changes on the PTC system's safety has
been incorporated as an integral part of the approved PTCSP safety
analysis.
(e) If the RFA includes a request for approval of a discontinuance
or material modification of a signal or train control system, FRA will
publish a notice in the Federal Register of the application and will
invite public comment in accordance with part 211 of this chapter.
(f) When considering the RFA, FRA will review the issue of the
discontinuance or material modification and determine whether granting
the request is in the public interest and consistent with railroad
safety, taking into consideration all changes in the method of
operation and system functionalities, both within normal PTC system
availability and in the case of a system failed state (unavailable),
contemplated in conjunction with installation of the PTC system. The
railroad submitting the RFA must, at FRA's request, perform field
testing in accordance with Sec. 236.1035 or engage in Verification and
Validation in accordance with Sec. 236.1017.
(g) FRA may issue at its discretion a new Type Approval number for
a PTC system modified under this section.
(h) Changes requiring filing of an RFA. Except as provided by
paragraph (i), an RFA shall be filed to request the following:
(1) Discontinuance of a PTC system, or other similar appliance or
device;
(2) Decrease of the PTC system's limits;
(3) Modification of a safety critical element of a PTC system; or
(4) Modification of a PTC system that affects the safety critical
functionality of any other PTC system with which it interoperates.
(i) Discontinuances not requiring the filing of an RFA. It is not
necessary to file an RFA for the following discontinuances:
(1) Removal of a PTC system from track approved for abandonment by
formal proceeding;
(2) Removal of PTC devices used to provide protection against
unusual contingencies such as landslide, burned bridge, high water,
high and wide load, or tunnel protection when the unusual contingency
no longer exists;
(3) Removal of the PTC devices that are used on a movable bridge
that has been permanently closed by the formal approval of another
government agency and is mechanically secured in the closed position
for rail traffic; or
(4) Removal of the PTC system from service for a period not to
exceed six months that is necessitated by catastrophic occurrence such
as derailment, flood, fire, or hurricane.
(j) Changes not requiring the filing of an RFA. When the resultant
change to the PTC system will comply with an approved PTCSP of this
part, it is not necessary to file for approval to decrease the limits
of a system when it involves the:
(1) Decrease of the limits of a PTC system when interlocked
switches, derails, or movable-point frogs are not involved;
(2) Removal of an electric or mechanical lock from hand-operated
switch in a PTC system where train speed over switch does not exceed 20
miles per hour; or
(3) Removal of an electric lock from hand-operated switch in a PTC
system where trains are not permitted to clear the main track at such
switch and the electric lock has not been a part of the conditional
approval of a PTCSP.
(k) Modifications not requiring the filing of an RFA. When the
resultant arrangement will comply with an approved PTCSP of this part,
it is not necessary to file an application for approval of the
following modifications:
(1) A modification that is required to comply with an order of the
Federal Railroad Administration or any section of part 236 of this
title;
(2) Installation of devices used to provide protection against
unusual contingencies such as landslide, burned bridges, high water,
high and wide loads, or dragging equipment;
(3) Elimination of existing track other than a second main track;
(4) Extension or shortening of a passing siding;
(5) A line relocation;
(6) Installation of new track; or
(7) The temporary or permanent arrangement of existing systems
necessitated by highway rail separation construction. Temporary
arrangements shall be removed within six months following completion of
construction.
Sec. 236.1023 Errors and malfunctions.
(a) Except as provided in paragraph (g) of this section, when any
PTC system, subsystem, component, product, or process fails,
malfunctions, or otherwise experiences a defect that decreases, or
eliminates, any safety functionality, its vendor--regardless of whether
any railroad has indicated whether it experienced the same--shall
notify FRA and the affected railroads of the following:
(1) The nature and specificity of the failure, malfunction, or
defect;
(2) The vendor's procedures for responding to the issue until the
failure, malfunction, or defect is cured;
(3) Any corrective action required;
(4) The risk mitigation actions to be taken pending resolution of
the failure cause and issuance of the corrective action; and
(5) The estimated time to correct the failure.
(b) Any railroad implementing or operating a PTC system, subsystem,
component, product, or process that fails, malfunctions, or otherwise
experiences a defect that decreases, or eliminates, any safety or
interoperability functionality, shall:
(1) Notify the applicable vendor and FRA of the failure,
malfunction, or defect that decreased or eliminated the safety
functionality; and
(2) Keep the applicable vendor and FRA apprised on a continual
basis of the status of any and all subsequent failures.
(c) Each railroad implementing a PTC system on its property shall
maintain a PTC Product Vendor List (PTCPVL) continually updated to
include all vendors of each PTC system, subsystem, component, product,
and process currently used in its PTC system. The PTCPVL shall be made
available to FRA upon request and without undue delay.
(d) The railroad shall specify to FRA--and the applicable vendor if
[[Page 36022]]
appropriate--its procedures for action upon notification of a safety
critical upgrade, patch, or revision for the PTC system, subsystem,
component, product, or process, and until the revision has been
installed.
(e) Each notification required by this section shall:
(1) Be made within 7 days after the vendor or railroad discovers
the failure, malfunction, or defect. However, a report that is due on a
Saturday or a Sunday may be delivered on the following Monday and one
that is due on a holiday may be delivered on the next workday;
(2) Be transmitted in a manner and form acceptable to the Associate
Administrator and by the most expeditious method available; and
(3) Include as much available and applicable information as
possible, including:
(i) PTC system name and model;
(ii) Identification of the part, component, or system involved. The
identification must include the part number;
(iii) Nature of the failure, malfunctions, or defects;
(iv) Mitigation to ensure the safety of the crews and public; and
(v) The estimated time to correct the failure.
(f) Whenever any investigation of an accident or service difficulty
report shows that an article is unsafe because of a manufacturing or
design defect, the manufacturer shall, upon request of the Associate
Administrator, report to the Associate Administrator the results of its
investigation and any action taken or proposed by the manufacturer to
correct that defect.
(g) The requirements of this section do not apply to failures,
malfunctions, or defects that:
(1) Are caused by improper maintenance or improper usage; or
(2) Have been previously identified to the FRA, vendor, and
applicable railroads.
(h) Any railroad experiencing a failure of a system resulting in a
more favorable aspect than intended or another condition hazardous to
movement of a train shall comply with the reporting requirements,
including the making of a telephonic report of an accident or incident
under part 233 of this chapter. Filing of one or more reports under
part 233 of this chapter does not exempt a railroad or vendor from the
reporting requirements contained in paragraphs (a) through (e) of this
section.
Sec. 236.1027 Exclusions.
(a) The requirements of this subpart apply to each office
automation system that performs safety-critical functions within, or
affects the safety performance of, the PTC system. For purposes of this
section, ``office automation system'' means any centralized or
distributed computer-based system that directly or indirectly controls
the active movement of trains in a rail network.
(b) Changes or modifications to PTC systems otherwise excluded from
the requirements of this subpart by this section do not exclude those
PTC systems from the requirements of this subpart if the changes or
modifications result in a degradation of safety or a material decrease
in safety-critical functionality.
(c) Primary train control systems cannot be integrated with
locomotive electronic systems unless the complete integrated systems:
(1) Have been shown to be designed on fail safe principles;
(2) Have been demonstrated to operate in a fail safe mode;
(3) Have a manual fail safe fallback and override to allow the
locomotive to be brought to a safe stop in the event of any loss of
electronic control; and
(4) Are included in the approved and applicable PTCDP and PTCSP.
(d) PTC systems excluded by this section from the requirements of
this subpart remain subject to subparts A through H of this part as
applicable.
Sec. 236.1029 PTC system use and en route failures.
(a) When any safety-critical PTC system component fails to perform
its intended function, the cause must be determined and the faulty
component adjusted, repaired, or replaced without undue delay. Until
repair of such essential components is completed, a railroad shall
take appropriate action as specified in its PTCSP.
(b) Where a PTC onboard apparatus on a lead locomotive that is
operating in or is to be operated within a PTC system fails or is
otherwise cut-out while en route (i.e., after the train has departed
its initial terminal), the train may only continue in accordance with
the following:
(1) The train may proceed at restricted speed, or if a block signal
system is in operation according to signal indication at medium speed,
to the next available point where communication of a report can be made
to a designated railroad officer of the host railroad;
(2) Upon completion and communication of the report required in
paragraph (b)(1) of this section, or where immediate electronic report
of said condition is appropriately provided by the PTC system itself, a
train may continue to a point where an absolute block can be
established in advance of the train in accordance with the following:
(i) Where no block signal system is in use, the train may proceed
at restricted speed, or
(ii) Where a block signal system is in operation according to
signal indication, the train may proceed at a speed not to exceed
medium speed.
(3) Upon reaching the location where an absolute block has been
established in advance of the train, as referenced in paragraph (b)(2)
of this section, the train may proceed in accordance with the
following:
(i) Where no block signal system is in use, the train may proceed
at medium speed; however, if the involved train is a passenger train or
a train hauling any amount of PIH material, it may only proceed at a
speed not to exceed 30 miles per hour.
(ii) Where a block signal system is in use, a passenger train may
proceed at a speed not to exceed 59 miles per hour and a freight train
may proceed at a speed not to exceed 49 miles per hour.
(iii) Except as provided in paragraph (c), where a cab signal
system with an automatic train control system is in operation, the
train may proceed at a speed not to exceed 79 miles per hour.
(c) In order for a PTC train that operates at a speed above 90
miles per hour to deviate from the operating limitations contained in
paragraph (b) of this section, the deviation must be described and
justified in the FRA approved PTCDP or PTCSP, or the Order of
Particular Applicability, as applicable.
(d) Each railroad shall comply with all provisions in the
applicable PTCDP and PTCSP for each PTC system it uses and shall
operate within the scope of initial operational assumptions and
predefined changes identified.
(e) The normal functioning of any safety-critical PTC system must
not be interfered with in testing or otherwise without first taking
measures to provide for the safe movement of trains, locomotives,
roadway workers, and on-track equipment that depend on the normal
functioning of the system.
(f) The PTC system's onboard apparatus shall be so arranged that
each member of the crew assigned to perform duties in the locomotive
can view a PTC display and execute any functions necessary to that crew
member's duties. The locomotive engineer shall not be required to
perform functions related to the PTC system while the train is moving
that have the potential to distract the locomotive engineer from
performance of other safety-critical duties.
[[Page 36023]]
Sec. 236.1031 Previously approved PTC systems.
(a) Any PTC system fully implemented and operational prior to
[insert effective date of final rule], may receive PTC System
Certification if the applicable PTC railroad, or one or more system
suppliers and one or more PTC railroads, submits a Request for
Expedited Certification (REC) letter to the Associate Administrator.
The REC letter must do one of the following:
(1) Reference a product safety plan (PSP) recognized or approved by
FRA under subpart H of this part and include a document fulfilling the
requirements under Sec. Sec. 236.1011 and 236.1013 not already
included in the PSP;
(2) Attest that the PTC system has been approved by FRA and in
operation for at least 5 years and has already received an assessment
of Verification and Validation from an independent third party under
part 236 or a waiver supporting such operation; or
(3) Attest that the PTC railroad has implemented and is operating a
PTC system required by a FRA order issued prior to [insert effective
date of final rule].
(b) If a REC letter conforms to paragraph (a)(1) of this section,
the Associate Administrator, at his or her sole discretion, may also
issue a new Type Approval for the PTC system.
(c) In order to receive a Type Approval or PTC System Certification
under paragraph (a) or (b) of this section, the PTC system must be
shown to reliably execute the functionalities required by Sec. Sec.
236.1005 and 236.1007 and otherwise conform to this subpart.
(d) Previous approval or recognition of a train control system,
together with an established service history, may, at the request of
the PTC railroad, and consistent with available safety data, be
credited toward satisfaction of the safety case requirements set forth
in this part for the PTCSP with respect to all functionalities and
implementations contemplated by the approval or recognition.
(e) To the extent that the PTC system proposed for implementation
under this subpart is different in significant detail from the system
previously approved or recognized, the changes shall be fully analyzed
in the PTCDP or PTCSP as would be the case absent prior approval or
recognition.
(f) As used in this section--
(1) Approved refers to approval of a Product Safety Plan under
subpart H of this part.
(2) Recognized refers to official action permitting a system to be
implemented for control of train operations under an order or waiver,
after review of safety case documentation for the implementation.
(g) Upon receipt of a REC, FRA will consider all safety case
information to the extent feasible and appropriate, given the specific
facts before the agency. Nothing in this section limits re-use of any
applicable safety case information by a party other than the party
receiving:
(1) A prior approval or recognition referred to in this section; or
(2) A Type Approval or PTC System Certification under this subpart.
Sec. 236.1033 Communications and security requirements.
(a) All wireless communications between the office, wayside, and
onboard components in a PTC system shall provide cryptographic message
integrity and authentication.
(b) Cryptographic keys required under paragraph (a) shall:
(1) Use an algorithm approved by the National Institute of
Standards (NIST) or a similarly recognized and FRA approved standards
body;
(2) Be distributed using manual or automated methods, or a
combination of both; and
(3) Be revoked:
(i) If compromised by unauthorized disclosure of the cleartext key;
or
(ii) When the key algorithm reaches its lifespan as defined by the
standards body responsible for approval of the algorithm.
(c) The cleartext form of the cryptographic keys shall be protected
from unauthorized disclosure, modification, or substitution, except
during key entry when the cleartext keys and key components may be
temporarily displayed to allow visual verification. When encrypted keys
or key components are entered, the cryptographically protected
cleartext key or key components shall not be displayed.
(d) Access to cleartext keys shall be protected by a tamper
resistant mechanism.
(e) Each railroad electing to also provide cryptographic message
confidentiality shall:
(1) Comply with the same requirements for message integrity and
authentication under this section; and
(2) Only use keys meeting or exceeding the security strength
required to protect the data as defined in the railroad's PTCSP and
required under Sec. 236.1017(a)(8).
(f) Each railroad, or its vendor, shall have a prioritized service
restoration and mitigation plan for scheduled and unscheduled
interruptions of service. This plan shall be included in the PTCDP or
PTCSP as required by Sec. Sec. 236.1013 or 236.1015, as applicable,
and made available to FRA upon request, without undue delay, for
restoration of communication services that support PTC system services.
(g) Each railroad may elect to impose more restrictive requirements
than those in this section, consistent with interoperability
requirements specified in the PTCSP for the system.
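One way a receiver could enforce paragraphs (a) and (b)(3) of Sec. 236.1033, shown as an added example that is not part of the proposed rule. HMAC-SHA-256 is assumed as the NIST-approved algorithm (the rule names none), and the frame layout, key records, function names, and sample message are constructed for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Assumed frame layout (not from the rule): key id | payload | HMAC tag
HEADER = struct.Struct(">I")             # 4-byte big-endian key identifier
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA-256 tag


class RejectedMessage(Exception):
    """Frame failed authentication or was protected with an unusable key."""


@dataclass
class KeyRecord:
    key_id: int
    secret: bytes                                  # cleartext key, para. (c)/(d) material
    algorithm_end_of_life: Optional[date] = None   # constructed lifespan value
    compromised: bool = False                      # set on unauthorized disclosure

    def revoked(self, today: date) -> bool:
        # (b)(3)(i): cleartext key disclosed without authorization.
        if self.compromised:
            return True
        # (b)(3)(ii): the algorithm has reached the end of its lifespan.
        eol = self.algorithm_end_of_life
        return eol is not None and today > eol


def _tag(rec: KeyRecord, header: bytes, payload: bytes) -> bytes:
    # The key id is covered by the tag so it cannot be swapped in transit.
    return hmac.new(rec.secret, header + payload, hashlib.sha256).digest()


def protect(rec: KeyRecord, payload: bytes, today: date) -> bytes:
    """Sender side: refuse revoked keys, then append the integrity tag."""
    if rec.revoked(today):
        raise RejectedMessage("refusing to send under a revoked key")
    header = HEADER.pack(rec.key_id)
    return header + payload + _tag(rec, header, payload)


def verify(keys: Dict[int, KeyRecord], frame: bytes, today: date) -> bytes:
    """Receiver side: return the payload only if the frame authenticates."""
    if len(frame) < HEADER.size + TAG_LEN:
        raise RejectedMessage("frame too short")
    header = frame[:HEADER.size]
    payload = frame[HEADER.size:-TAG_LEN]
    tag = frame[-TAG_LEN:]
    (key_id,) = HEADER.unpack(header)
    rec = keys.get(key_id)
    if rec is None:
        raise RejectedMessage("unknown key id")
    if rec.revoked(today):
        raise RejectedMessage("key has been revoked")
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, _tag(rec, header, payload)):
        raise RejectedMessage("integrity/authentication check failed")
    return payload


if __name__ == "__main__":
    today = date(2009, 7, 21)
    wayside_key = KeyRecord(key_id=7, secret=bytes(range(32)))  # constructed key
    keys = {7: wayside_key}
    frame = protect(wayside_key, b"WAYSIDE 0421 SWITCH NORMAL", today)  # constructed
    print(verify(keys, frame, today))
    wayside_key.compromised = True  # key disclosure reported
    try:
        verify(keys, frame, today)
    except RejectedMessage as exc:
        print("rejected:", exc)
```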
Sec. 236.1035 Field testing requirements.
(a) Before any field testing of an uncertified PTC system, or a
product of an uncertified PTC system, or any regression testing of a
certified PTC system is conducted on the general rail system, the
railroad requesting the testing must provide:
(1) A complete description of the PTC system;
(2) An operational concepts document;
(3) A complete description of the specific test procedures,
including the measures that will be taken to protect trains and
on-track equipment;
(4) An analysis of the applicability of the requirements of
subparts A-G of this part to the PTC system that will not apply during
testing;
(5) The date the proposed testing shall begin;
(6) The test locations; and
(7) The effect on the current method of the PTC system under test
operation.
(b) FRA may impose additional testing conditions that it believes
may be necessary for the safety of train operations.
(c) Relief from regulations other than from subparts A-G of this
part that the railroad believes are necessary to support the field
testing, must be requested in accordance with part 211 of this title.
Sec. 236.1037 Records retention.
(a) Each railroad with a PTC system required to be installed under
this subpart shall maintain at a designated office on the railroad:
(1) A current copy of each FRA approved Type Approval, if any,
PTCDP, and PTCSP that it holds;
(2) Adequate documentation to demonstrate that the PTCSP and PTCDP
meet the safety requirements of this subpart, including the risk
assessment;
(3) An Operations and Maintenance Manual, pursuant to Sec.
236.1039; and
(4) Training and testing records pursuant to Sec. 236.1043(b).
(b) Results of inspections and tests specified in the PTCSP and
PTCDP must be recorded pursuant to Sec. 236.110.
(c) Each contractor providing services relating to the testing,
maintenance, or
[[Page 36024]]
operation of a PTC system required to be installed under this subpart
shall maintain at a designated office training records required under
Sec. 236.1039(b).
(d) After the PTC system is placed in service, the railroad shall
maintain a database of all safety-relevant hazards as set forth in the
PTCSP and PTCDP and those that had not been previously identified in
either document. If the frequency of the safety-relevant hazards
exceeds the threshold set forth in either of these documents, then the
railroad shall:
(1) Report the inconsistency in writing by mail, facsimile, e-mail,
or hand delivery to the Director, Office of Safety Assurance and
Compliance, FRA, 1200 New Jersey Ave., SE., Mail Stop 25, Washington,
DC 20590, within 15 days of discovery. Documents that are hand
delivered must not be enclosed in an envelope;
(2) Take prompt countermeasures to reduce the frequency of each
safety-relevant hazard to below the threshold set forth in the PTCSP
and PTCDP; and
(3) Provide a final report when the inconsistency is resolved to
the FRA Director, Office of Safety Assurance and Compliance, on the
results of the analysis and countermeasures taken to reduce the
frequency of the safety-relevant hazard(s) below the threshold set
forth in the PTCSP and PTCDP.
Sec. 236.1039 Operations and Maintenance Manual.
(a) The railroad shall catalog and maintain all documents as
specified in the PTCDP and PTCSP for the installation, maintenance,
repair, modification, inspection, and testing of the PTC system and
have them in one Operations and Maintenance Manual, readily available
to persons required to perform such tasks and for inspection by FRA and
FRA-certified State inspectors.
(b) Plans required for proper maintenance, repair, inspection, and
testing of safety-critical PTC systems must be adequate in detail and
must be made available for inspection by FRA and FRA-certified State
inspectors where such PTC systems are deployed or maintained. They must
identify all software versions, revisions, and revision dates. Plans
must be legible and correct.
(c) Hardware, software, and firmware revisions must be documented
in the Operations and Maintenance Manual according to the railroad's
configuration management control plan and any additional configuration/
revision control measures specified in the PTCDP and PTCSP.
(d) Safety-critical components, including spare equipment, must be
positively identified, handled, replaced, and repaired in accordance
with the procedures specified in the PTCDP and PTCSP.
(e) Each railroad shall designate in its Operations and Maintenance
Manual an appropriate railroad officer responsible for issues relating
to scheduled interruptions of service contemplated by Sec. 236.1029.
Sec. 236.1041 Training and qualification program, general.
(a) Training program for PTC personnel. Employers shall establish
and implement training and qualification programs for PTC systems
subject to this subpart. These programs must meet the minimum
requirements set forth in the PTCDP and PTCSP in Sec. Sec. 236.1039
through 236.1045 as appropriate, for the following personnel:
(1) Persons whose duties include installing, maintaining,
repairing, modifying, inspecting, and testing safety-critical elements
of the railroad's PTC systems, including central office, wayside, or
onboard subsystems;
(2) Persons who dispatch train operations (issue or communicate any
mandatory directive that is executed or enforced, or is intended to be
executed or enforced, by a train control system subject to this
subpart);
(3) Persons who operate trains or serve as a train or engine crew
member subject to instruction and testing under part 217 of this
chapter, on a train operating in territory where a train control system
subject to this subpart is in use;
(4) Roadway workers whose duties require them to know and
understand how a train control system affects their safety and how to
avoid interfering with its proper functioning; and
(5) The direct supervisors of persons listed in paragraphs (a)(1)
through (a)(4) of this section.
(b) Competencies. The employer's program must provide training for
persons who perform the functions described in paragraph (a) of this
section to ensure that they have the necessary knowledge and skills to
effectively complete their duties related to operation and maintenance
of the PTC system.
Sec. 236.1043 Task analysis and basic requirements.
(a) Training structure and delivery. As part of the program
required by Sec. 236.1041, the employer shall, at a minimum:
(1) Identify the specific goals of the training program with regard
to the target population (craft, experience level, scope of work,
etc.), task(s), and desired success rate;
(2) Based on a formal task analysis, identify the installation,
maintenance, repair, modification, inspection, testing, and operating
tasks that must be performed on a railroad's PTC systems. This includes
the development of failure scenarios and the actions expected under
such scenarios;
(3) Develop written procedures for the performance of the tasks
identified;
(4) Identify the additional knowledge, skills, and abilities above
those required for basic job performance necessary to perform each
task;
(5) Develop a training and evaluation curriculum that includes
classroom, simulator, computer-based, hands-on, or other formally
structured training designed to impart the knowledge, skills, and
abilities identified as necessary to perform each task;
(6) Prior to assignment of related tasks, require all persons
mentioned in Sec. 236.1041(a) to successfully complete a training
curriculum and pass an examination that covers the PTC system and
appropriate rules and tasks for which they are responsible (however,
such persons may perform such tasks under the direct onsite supervision
of a qualified person prior to completing such training and passing the
examination);
(7) Require periodic refresher training and evaluation at intervals
specified in the PTCDP and PTCSP that includes classroom, simulator,
computer-based, hands-on, or other formally structured training and
testing, except with respect to basic skills for which proficiency is
known to remain high as a result of frequent repetition of the task;
and
(8) Conduct regular and periodic evaluations of the effectiveness
of the training program specified in Sec. 236.1041(a)(1) verifying the
adequacy of the training material and its validity with respect to
the railroad's current PTC systems and operations.
(b) Training records. Employers shall retain records which
designate persons who are qualified under this section until new
designations are recorded or for at least one year after such persons
leave applicable service. These records shall be kept in a designated
location and be available for inspection and replication by FRA and
FRA-certified State inspectors.
Sec. 236.1045 Training specific to office control personnel.
(a) Any person responsible for issuing or communicating mandatory
directives in territory where PTC systems are or
[[Page 36025]]
will be in use must be trained in the following areas, as applicable:
(1) Instructions concerning the interface between the computer-
aided dispatching system and the train control system, with respect to
the safe movement of trains and other on-track equipment;
(2) Railroad operating rules applicable to the train control
system, including provision for movement and protection of roadway
workers, unequipped trains, trains with failed or cut-out train control
onboard systems, and other on-track equipment; and
(3) Instructions concerning control of trains and other on-track
equipment in case the train control system fails, including periodic
practical exercises or simulations, and operational testing under part
217 of this chapter to ensure the continued capability of the personnel
to provide for safe operations under the alternative method of
operation.
(b) [Reserved]
Sec. 236.1047 Training specific to locomotive engineers and other
operating personnel.
(a) Operating personnel. Training provided under this subpart for
any locomotive engineer or other person who participates in the
operation of a train in train control territory must be defined in the
PTCDP as well as the PTCSP. The following elements must be addressed:
(1) Familiarization with train control equipment onboard the
locomotive and the functioning of that equipment as part of the system
and in relation to other onboard systems under that person's control;
(2) Any actions required of the onboard personnel to enable, or
enter data to, the system, such as consist data, and the role of that
function in the safe operation of the train;
(3) Sequencing of interventions by the system, including pre-
enforcement notification, enforcement notification, penalty application
initiation and post-penalty application procedures;
(4) Railroad operating rules and testing (part 217) applicable to
the train control system, including provisions for movement and
protection of any unequipped trains, or trains with failed or cut-out
train control onboard systems and other on-track equipment;
(5) Means to detect deviations from proper functioning of onboard
train control equipment and instructions regarding the actions to be
taken with respect to control of the train and notification of
designated railroad personnel; and
(6) Information needed to prevent unintentional interference with
the proper functioning of onboard train control equipment.
(b) Locomotive engineer training. Training required under this
subpart for a locomotive engineer, together with required records, must
be integrated into the program of training required by part 240 of this
chapter.
(c) Full automatic operation. The following special requirements
apply in the event a train control system is used to effect full
automatic operation of the train:
(1) The PTCDP and PTCSP must identify all safety hazards to be
mitigated by the locomotive engineer.
(2) The PTCDP and PTCSP must address and describe the training
required with provisions for the maintenance of skills proficiency. As
a minimum, the training program must:
(i) As described in Sec. 236.1047(a)(2), develop failure scenarios
which incorporate the safety hazards identified in the PTCDP and PTCSP
including the return of train operations to a fully manual mode;
(ii) Provide training, consistent with Sec. 236.1047(a), for safe
train operations under all failure scenarios and identified safety
hazards that affect train operations;
(iii) Provide training, consistent with Sec. 236.1047(a), for safe
train operations under manual control; and
(iv) Consistent with Sec. 236.1047(a), ensure maintenance of
manual train operating skills by requiring manual starting and stopping
of the train for an appropriate number of trips and by one or more of
the following methods:
(A) Manual operation of a train for a 4-hour work period;
(B) Simulated manual operation of a train for a minimum of 4 hours
in a Type I simulator as required; or
(C) Other means as determined following consultation between the
railroad and designated representatives of the affected employees and
approved by FRA. The PTCDP and PTCSP must designate the appropriate
frequency when manual operation, starting, and stopping must be
conducted, and the appropriate frequency of simulated manual operation.
(d) Conductor training. Training required under this subpart for a
conductor, together with required records, must be integrated into the
program of training required under this chapter.
Sec. 236.1049 Training specific to roadway workers.
(a) Roadway worker training. Training required under this subpart
for a roadway worker must be integrated into the program of instruction
required under part 214, subpart C of this chapter (``Roadway Worker
Protection''), consistent with task analysis requirements of Sec.
236.1039. This training must provide instruction for roadway workers
who provide protection for themselves or roadway work groups.
(b) Training subject areas. (1) Instruction for roadway workers
must ensure an understanding of the role of processor-based signal and
train control equipment in establishing protection for roadway workers
and their equipment.
(2) Instruction for all roadway workers working in territories
where PTC is required under this subpart must ensure recognition of
processor-based signal and train control equipment on the wayside and
an understanding of how to avoid interference with its proper
functioning.
(3) Instructions concerning the recognition of system failures and
the provision of alternative methods of on-track safety in case the
train control system fails, including periodic practical exercises or
simulations and operational testing under part 217 of this chapter to
ensure the continued capability of roadway workers to be free from the
danger of being struck by a moving train or other on-track equipment.
11. Revise Appendix B to part 236 to read as follows:
Appendix B to Part 236--Risk Assessment Criteria
The safety-critical performance of each product for which risk
assessment is required under this part must be assessed in
accordance with the following minimum criteria or other criteria if
demonstrated to the Associate Administrator for Safety to be equally
suitable:
(a) How are risk metrics to be expressed? The risk metric for
the proposed product must describe with a high degree of confidence
the accumulated risk of a train control system that operates over
the designated life-cycle of the product. Each risk metric for the
proposed product must be expressed with an upper bound, as estimated
with a sensitivity analysis, and the risk value selected must be
demonstrated to have a high degree of confidence.
(b) How does the risk assessment handle interaction risks for
interconnected subsystems/components? The risk assessment of each
safety-critical system (product) must account not only for the risks
associated with each subsystem or component, but also for the risks
associated with interactions (interfaces) between such subsystems.
(c) What is the main principle in computing risk for the
previous and current conditions? The risk for the previous condition
must be computed using the same metrics as for the new system being
proposed. A full risk assessment must
[[Page 36026]]
consider the entire railroad environment where the product is being
applied, and show all aspects of the previous condition that are
affected by the installation of the product, considering all faults,
operating errors, exposure scenarios, and consequences that are
related as described in this part. For the full risk assessment, the
total societal cost of the potential numbers of accidents assessed
for both previous and new system conditions must be computed for
comparison. An abbreviated risk assessment must, as a minimum,
clearly compute the MTTHE for all of the hazardous events identified
for both previous and current conditions. The comparison between
MTTHE for both conditions is to determine whether the product
implementation meets the safety criteria as required by Subpart H or
Subpart I as applicable.
(d) What major system characteristics must be included when
relevant to risk assessment? Each risk calculation must consider the
total signaling and train control system and method of operation, as
subjected to a list of hazards to be mitigated by the signaling and
train control system. The methodology requirements must include the
following major characteristics, when they are relevant to the
product being considered:
(1) Track plan infrastructure, switches, rail crossings at grade
and highway-rail grade crossings as applicable;
(2) Train movement density for freight, work, and passenger
trains where applicable and computed over a time span of not less
than 12 months;
(3) Train movement operational rules, as enforced by the
dispatcher, roadway worker/Employee in Charge, and train crew
behaviors;
(4) Wayside subsystems and components;
(5) Onboard subsystems and components;
(6) Consist contents such as hazardous material, oversize loads;
and
(7) Operating speeds if the provisions of Part 236 cite
additional requirements for certain type of train control systems to
be used at such speeds for freight and passenger trains.
(e) What other relevant parameters must be determined for the
subsystems and components? In order to derive the frequency of
hazardous events (or MTTHE) applicable for a product, subsystem or
component included in the risk assessment, the railroad may use
various techniques, such as reliability and availability
calculations for subsystems and components, Fault Tree Analysis
(FTA) of the subsystems, and results of the application of safety
design principles as noted in Appendix C. Such failure frequency is
to be derived for both fail-safe and non-fail-safe subsystems or
components. The lower bounds of the MTTF or MTBF determined from the
system sensitivity analysis, which account for all necessary and
well justified assumptions, may be used to represent the estimate of
MTTHE for the associated non-fail-safe subsystem or component in the
risk assessment.
(f) How are processor-based subsystems/components assessed? (1)
An MTTHE value must be calculated for each processor-based subsystem
or component, or both, indicating the safety-critical behavior of
the integrated hardware/software subsystem or component, or both.
The human factor impact must be included in the assessment, whenever
applicable, to provide the integrated MTTHE value. The MTTHE
calculation must consider the rates of failures caused by permanent,
transient, and intermittent faults accounting for the fault coverage
of the integrated hardware/software subsystem or component, phased-
interval maintenance, and restoration of the detected failures.
(2) Software fault/failure analysis must be based on the proper
assessment of the design and implementation of the application code,
its operating/executive program, and associated device drivers,
historical performance data, analytical methods and experimental
safety-critical performance testing performed on the subsystem or
component. The software assessment process must demonstrate through
repeatable predictive results that all software defects have been
identified and corrected by process with a high degree of
confidence.
(g) How are non-processor-based subsystems/components assessed?
(1) The safety-critical behavior of all non-processor-based
components, which are part of a processor-based system or subsystem,
must be quantified with an MTTHE metric. The MTTHE assessment
methodology must consider failures caused by permanent, transient,
and intermittent faults, phased-interval maintenance and restoration
of operation after failures and the effect of fault coverage of each
non-processor-based subsystem or component.
(2) MTTHE compliance verification and validation must be based
on the assessment of the design for adequacy by a documented
verification and validation process, historical performance data,
analytical methods and experimental safety-critical performance
testing performed on the subsystem or component. The non-processor-
based quantification compliance must be demonstrated to have a high
degree of confidence.
(h) What assumptions must be documented for risk assessment? (1)
The railroad shall document any assumptions regarding the derivation
of risk metrics used. For example, for the full risk assessment, all
assumptions made about each value of the parameters used in the
calculation of total cost of accidents should be documented. For
abbreviated risk assessment, all assumptions made for MTTHE
derivation using existing reliability and availability data on the
current system components should be documented. The railroad shall
document these assumptions in such a form as to permit later
automated comparisons with in-service experience.
(2) The railroad shall document any assumptions regarding human
performance. The documentation shall be in such a form as to
facilitate later comparisons with in-service experience.
(3) The railroad shall document any assumptions regarding
software defects. These assumptions shall be in a form which permits
the railroad to project the likelihood of detecting an in-service
software defect. These assumptions shall be documented in such a
form as to permit later automated comparisons with in-service
experience.
(4) The railroad shall document all of the identified safety-
critical fault paths to a mishap as predicted by the safety analysis
methodology. The documentation shall be in such a form as to
facilitate later comparisons with in-service faults.
12. Revise Appendix C to read as follows:
Appendix C to Part 236--Safety Assurance Criteria and Processes
(a) What is the purpose of this appendix? This appendix provides
safety criteria and processes that the designer must use to develop
and validate the product that meets safety requirements of this
part. FRA uses the criteria and processes set forth in this appendix
to evaluate the validity of safety targets and the results of system
safety analyses provided in the RSPP, PSP, PTCIP, PTCDP, and PTCSP
documents as appropriate. An analysis performed under this appendix
must:
(1) Address each of the safety principles of paragraph (b) of
this appendix, or explain why they are not relevant, and
(2) Employ a validation and verification process pursuant to
paragraph (c) of this appendix.
(b) What safety principles must be followed during product
development? The designer shall address each of the following safety
principles when designing and demonstrating the
safety of products covered by subpart H or I of this part. In the
event that any of these principles are not followed, the PSP or
PTCDP or PTCSP shall state both the reason(s) for departure and the
alternative(s) utilized to mitigate or eliminate the hazards
associated with the design principle not followed.
(1) System safety under normal operating conditions. The system
(all its elements including hardware and software) must be designed
to assure safe operation with no hazardous events under normal
anticipated operating conditions with proper inputs and within the
expected range of environmental conditions. All safety-critical
functions must be performed properly under these normal conditions.
Absence of specific operator actions or procedures will not prevent
the system from operating safely. The designer must identify and
categorize all hazards that may lead to unsafe system operation.
Hazards categorized as unacceptable or undesirable, as
determined by hazard analysis, must be eliminated by design. Those
undesirable hazards that cannot be eliminated should be mitigated to
the acceptable level as required by this part.
(2) System safety under failures.
(i) It must be shown how the product is designed to mitigate or
eliminate unsafe systematic failures--those conditions
which can be attributed to human error that could occur at various
stages throughout product development. This includes unsafe errors
in the software due to human error in the software specification,
design or coding phases, or both; human errors that could impact
hardware design; unsafe conditions that could occur because of an
improperly designed human-machine interface; installation and
maintenance errors; and errors associated with making modifications.
[[Page 36027]]
(ii) The product must be shown to operate safely under
conditions of random hardware failure. This includes single as well
as multiple hardware failures, particularly in instances where one
or more failures could occur, remain undetected (latent) and react
in combination with a subsequent failure at a later time to cause an
unsafe operating situation. In instances involving a latent failure,
a subsequent failure is similar to there being a single failure. In
the event of a transient failure, and if so designed, the system
should restart itself if it is safe to do so. Frequency of attempted
restarts must be considered in the hazard analysis required by Sec.
236.907(a)(8).
(iii) There shall be no single point failures in the product
that can result in hazards categorized as unacceptable or
undesirable. Occurrence of credible single point failures that can
result in hazards must be detected and the product must achieve a
known safe state before falsely activating any physical appliance.
(iv) If one non-self-revealing failure combined with a second
failure can cause a hazard that is categorized as unacceptable or
undesirable, then the second failure must be detected and the
product must achieve a known safe state before falsely activating
any physical appliance.
(v) Another concern of multiple failures involves common mode
failures in which two or more subsystems or components intended to
compensate one another to perform the same function all fail by the
same mode and result in unsafe conditions. This is of particular
concern in instances in which two or more elements (hardware or
software, or both) are used in combination to ensure safety. If a
common mode failure exists, then any analysis performed under this
appendix cannot rely on the assumption that failures are
independent. Examples include: The use of redundancy in which two or
more elements perform a given function in parallel and when one
(hardware or software) element checks/monitors another element (of
hardware or software) to help ensure its safe operation. Common mode
failure relates to independence, which must be ensured in these
instances. When dealing with the effects of hardware failure, the
designer shall address the effects of the failure not only on other
hardware, but also on the execution of the software, since hardware
failures can greatly affect how the software operates.
(3) Closed loop principle. System design adhering to the closed
loop principle requires that all conditions necessary for the
existence of any permissive state or action be verified to be
present before the permissive state or action can be initiated.
Likewise the requisite conditions shall be verified to be
continuously present for the permissive state or action to be
maintained. This is in contrast to allowing a permissive state or
action to be initiated or maintained in the absence of detected
failures. In addition, closed loop design requires that failure to
perform a logical operation, or absence of a logical input, output
or decision shall not cause an unsafe condition, i.e., system safety
does not depend upon the occurrence of an action or logical
decision.
(4) Safety assurance concepts. The product design must include
one or more of the following Safety Assurance Concepts as described
in IEEE-1483 standard to ensure that failures are detected and the
product is placed in a safe state. One or more different principles
may be applied to each individual subsystem or component, depending
on the safety design objectives of that part of the product.
(i) Design diversity and self-checking concept. This concept
requires that all critical functions be performed in diverse ways,
using diverse software operations and/or diverse hardware channels,
and that critical hardware be tested with Self-Checking routines.
Permissive outputs are allowed only if the results of the diverse
operations correspond, and the Self-Checking process reveals no
failures in either execution of software or in any monitored input
or output hardware. If the diverse operations do not agree or if the
checking reveals critical failures, safety-critical functions and
outputs must default to a known safe state.
(ii) Checked redundancy concept. The Checked Redundancy concept
requires implementation of two or more identical, independent
hardware units, each executing identical software and performing
identical functions. A means is to be provided to periodically
compare vital parameters and results of the independent redundant
units, requiring agreement of all compared parameters to assert or
maintain a permissive output. If the units do not agree, safety-
critical functions and outputs must default to a known safe state.
(iii) N-version programming concept. This concept requires a
processor-based product to use at least two software programs
performing identical functions and executing concurrently in a
cycle. The software programs must be written by independent teams,
using different tools. The multiple independently written software
programs comprise a redundant system, and may be executed either on
separate hardware units (which may or may not be identical) or
within one hardware unit. A means is to be provided to compare the
results and output states of the multiple redundant software
systems. If the system results do not agree, then the safety-
critical functions and outputs must default to a known safe state.
(iv) Numerical assurance concept. This concept requires that the
state of each vital parameter of the product or system be uniquely
represented by a large encoded numerical value, such that permissive
results are calculated by pseudo-randomly combining the
representative numerical values of each of the critical constituent
parameters of a permissive decision. Vital algorithms must be
entirely represented by data structures containing numerical values
with verified characteristics, and no vital decisions are to be made
in the executing software, only by the numerical representations
themselves. In the event of critical failures, the safety-critical
functions and outputs must default to a known safe state.
(v) Intrinsic fail-safe design concept. Intrinsically fail-safe
hardware circuits or systems are those that employ discrete
mechanical and/or electrical components. The fail-safe operation for
a product or subsystem designed using this concept
requires a verification that the effect of every relevant failure
mode of each component, and relevant combinations of component
failure modes, be considered, analyzed, and documented. This is
typically performed by a comprehensive failure modes and effects
analysis (FMEA) which must show no residual unmitigated failures. In
the event of critical failures, the safety-critical functions and
outputs must default to a known safe state.
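The closed loop principle of paragraph (b)(3) and the checked redundancy concept of paragraph (b)(4)(ii), shown as an added C illustration that is not part of the proposed rule text. The three conditions, all type and function names, and the latching of a disagreement until reset are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration; every name below is hypothetical. */
typedef enum { OUT_SAFE = 0, OUT_PERMISSIVE = 1 } output_t;

enum { N_COND = 3 }; /* constructed: route locked, block clear, switch in position */

typedef struct {
    bool     received; /* an input actually arrived */
    bool     present;  /* the condition that input reports */
    uint32_t cycle;    /* processing cycle in which it was sampled */
} condition_t;

typedef struct { condition_t cond[N_COND]; } unit_inputs_t;
typedef struct { bool fault_latched; output_t out; } controller_t;

/* Contrast case: permissive "in the absence of detected failures".
 * A missing input is silently treated as no problem. */
bool open_loop_permits(const unit_inputs_t *in)
{
    for (size_t i = 0; i < N_COND; i++)
        if (in->cond[i].received && !in->cond[i].present)
            return false;
    return true;
}

/* Closed loop: every condition must be positively verified in the
 * current cycle. Missing, stale or negative inputs are all restrictive. */
bool closed_loop_permits(const unit_inputs_t *in, uint32_t now)
{
    if (in == NULL)
        return false;
    for (size_t i = 0; i < N_COND; i++) {
        const condition_t *c = &in->cond[i];
        if (!c->received || c->cycle != now || !c->present)
            return false;
    }
    return true;
}

/* Checked redundancy: the two units must agree on every compared parameter. */
bool units_agree(const unit_inputs_t *a, const unit_inputs_t *b)
{
    for (size_t i = 0; i < N_COND; i++)
        if (a->cond[i].received != b->cond[i].received ||
            a->cond[i].present  != b->cond[i].present  ||
            a->cond[i].cycle    != b->cond[i].cycle)
            return false;
    return true;
}

/* One processing cycle. The output is re-derived from scratch each time,
 * so a permissive state is maintained only while it is re-verified. */
output_t controller_step(controller_t *ctl, const unit_inputs_t *a,
                         const unit_inputs_t *b, uint32_t now)
{
    ctl->out = OUT_SAFE; /* restrictive default before any evaluation */
    if (a == NULL || b == NULL)
        return ctl->out;
    if (!units_agree(a, b))
        ctl->fault_latched = true; /* assumption: stays latched until reset */
    if (!ctl->fault_latched &&
        closed_loop_permits(a, now) && closed_loop_permits(b, now))
        ctl->out = OUT_PERMISSIVE;
    return ctl->out;
}

/* Constructed sample input: all conditions received and present. */
unit_inputs_t sample_inputs(uint32_t cycle)
{
    unit_inputs_t in;
    for (size_t i = 0; i < N_COND; i++) {
        in.cond[i].received = true;
        in.cond[i].present  = true;
        in.cond[i].cycle    = cycle;
    }
    return in;
}

int main(void)
{
    controller_t ctl = { false, OUT_SAFE };
    unit_inputs_t a = sample_inputs(1), b = sample_inputs(1);
    printf("cycle 1 all verified:   %d\n", controller_step(&ctl, &a, &b, 1));

    a = sample_inputs(2); b = sample_inputs(2);
    a.cond[1].received = false; b.cond[1].received = false;
    printf("cycle 2 open loop says: %d\n", open_loop_permits(&a));
    printf("cycle 2 input missing:  %d\n", controller_step(&ctl, &a, &b, 2));

    a = sample_inputs(3); b = sample_inputs(3);
    b.cond[0].present = false; /* units disagree */
    printf("cycle 3 disagreement:   %d\n", controller_step(&ctl, &a, &b, 3));
    return 0;
}
```
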
(5) Human factor engineering principle. The product design must
sufficiently incorporate human factors engineering that is
appropriate to the complexity of the product; the educational,
mental, and physical capabilities of the intended operators and
maintainers; the degree of required human interaction with the
component; and the environment in which the product will be used.
(6) System safety under external influences. The product must be
shown to operate safely when subjected to different external
influences, including:
(i) Electrical influences such as power supply anomalies/
transients, abnormal/improper input conditions (e.g., outside of
normal range inputs relative to amplitude and frequency, unusual
combinations of inputs) including those related to a human operator,
and others such as electromagnetic interference or electrostatic
discharges, or both;
(ii) Mechanical influences such as vibration and shock; and
(iii) Climatic conditions such as temperature and humidity.
(7) System safety after modifications. Safety must be ensured
following modifications to the hardware or software, or both. All or
some of the concerns identified in this paragraph may be applicable
depending upon the nature and extent of the modifications. Such
modifications must follow all of the concept, design, implementation
and test processes and principles as documented in the PSP for the
original product. Regression testing must be comprehensive and
documented to include all scenarios which are affected by the change
made, and the operating modes of the changed product during normal
and failure state (fallback) operation.
(c) What standards are acceptable for verification and
validation? (1) The standards employed for verification or
validation, or both, of products subject to this subpart must be
sufficient to support achievement of the applicable requirements of
subpart H and subpart I of this part.
(2) U.S. Department of Defense Military Standard (MIL-STD) 882C,
``System Safety Program Requirements'' (January 19, 1993), is
recognized as providing appropriate risk analysis processes for
incorporation into verification and validation standards.
(3) The following standards designed for application to
processor-based signal and train control systems are recognized as
acceptable with respect to applicable elements of safety analysis
required by subpart H and subpart I of this part. The latest
versions of the standards listed below should be used unless
otherwise provided.
[[Page 36028]]
(i) IEEE standards as follows:
(A) IEEE 1483-2000, Standard for the Verification of Vital
Functions in Processor-Based Systems Used in Rail Transit Control.
(B) IEEE 1474.2-2003, Standard for user interface requirements
in communications based train control (CBTC) systems.
(C) IEEE 1474.1-2004, Standard for Communications-Based Train
Control (CBTC) Performance and Functional Requirements.
(ii) CENELEC Standards as follows:
(A) EN50129: 2003, Railway Applications: Communications,
Signaling, and Processing Systems-Safety Related Electronic Systems
for Signaling; and
(B) EN50155:2001/A1:2002, Railway Applications: Electronic
Equipment Used in Rolling Stock.
(iii) ATCS Specification 200 Communications Systems
Architecture.
(iv) ATCS Specification 250 Message Formats.
(v) AREMA 2009 Communications and Signal Manual of Recommended
Practices, Parts 16, 17, 21, and 23.
(vi) Safety of High Speed Ground Transportation Systems.
Analytical Methodology for Safety Validation of Computer Controlled
Subsystems. Volume II: Development of a Safety Validation
Methodology. Final Report September 1995. Author: Jonathan F.
Luedeke, Battelle. DOT/FRA/ORD-95/10.2.
(vii) IEC 61508 (International Electrotechnical Commission),
Functional Safety of Electrical/Electronic/Programmable/Electronic
Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
(A) IEC 61508-1 (1998-12) Part 1: General requirements and IEC
61508-1 Corr. (1999-05) Corrigendum 1-Part 1: General Requirements.
(B) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/
electronic/programmable electronic safety-related systems.
(C) IEC 61508-3 (1998-12) Part 3: Software requirements and IEC
61508-3 Corr.1 (1999-04) Corrigendum 1-Part 3: Software requirements.
(D) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations
and IEC 61508-4 Corr.1 (1999-04) Corrigendum 1-Part 4: Definitions
and abbreviations.
(E) IEC 61508-5 (1998-12) Part 5: Examples of methods for the
determination of safety integrity levels and IEC 61508-5 Corr.1
(1999-04) Corrigendum 1 Part 5: Examples of methods for
determination of safety integrity levels.
(F) IEC 61508-6 (2000-04) Part 6: Guidelines on the applications
of IEC 61508-2 and -3.
(G) IEC 61508-7 (2000-03) Part 7: Overview of techniques and
measures.
(H) IEC62278: 2002, Railway Applications: Specification and
Demonstration of Reliability, Availability, Maintainability and
Safety (RAMS); and
(I) IEC62279: 2002 Railway Applications: Software for Railway
Control and Protection Systems.
(4) Use of unpublished standards, including proprietary
standards, is authorized to the extent that such standards are shown
to achieve the requirements of this part. However, any such
standards shall be available for inspection and replication by FRA
and for public examination in any public proceeding before the FRA
to which they are relevant.
13. A new Appendix F to part 236 is added to read as follows:
Appendix F to Part 236--Requirements of Mandatory Independent Third-
Party Assessment of PTC System Safety Verification and Validation
(a) This appendix provides minimum requirements for mandatory
independent third-party assessment of PTC system safety verification
and validation pursuant to subpart H or I of this part. The goal of
this assessment is to provide an independent evaluation of the PTC
system manufacturer's utilization of safety design practices during
the PTC system's development and testing phases, as required by the
applicable PSP, PTCDP, and PTCSP, the applicable requirements of
subpart H or I of this part, and any other previously agreed-upon
controlling documents or standards.
(b) The supplier may request advice and assistance of the
independent third-party reviewer concerning the actions identified
in paragraphs (c) through (g) of this appendix. However, the
reviewer should not engage in design efforts in order to preserve
the reviewer's independence and maintain the supplier's proprietary
right to the PTC system.
(c) The supplier shall provide the reviewer access to any and
all documentation that the reviewer requests and attendance at any
design review or walkthrough that the reviewer determines as
necessary to complete and accomplish the third party assessment. The
reviewer may be accompanied by representatives of FRA as necessary,
in FRA's judgment, for FRA to monitor the assessment.
(d) The reviewer shall evaluate with respect to safety and
comment on the adequacy of the processes which the supplier applies
to the design and development of the PTC system. At a minimum, the
reviewer shall compare the supplier processes with acceptable
methodology and employ any other such tests or comparisons if they
have been agreed to previously with FRA. Based on these analyses,
the reviewer shall identify and document any significant safety
vulnerabilities which are not adequately mitigated by the supplier's
(or user's) processes. Finally, the reviewer shall evaluate the
adequacy of the railroad's applicable PSP or PTCSP, and any other
documents pertinent to the PTC system being assessed.
(e) The reviewer shall analyze the Preliminary Hazard Analysis
(PHA) for comprehensiveness and compliance with industry, national,
or international standards.
(f) The reviewer shall analyze all Fault Tree Analyses (FTA),
Failure Mode and Effects Criticality Analysis (FMECA), and other
hazard analyses for completeness, correctness, and compliance with
industry, national, or international standards.
(g) The reviewer shall randomly select various safety-critical
software modules, as well as safety-critical hardware components if
required by FRA for audit to verify whether the vendors and
industry, national, or international standards were followed. The
number of modules audited must be determined as a representative
number sufficient to provide confidence that all unaudited modules
were developed in compliance with industry, national, or international
standards.
(h) The reviewer shall evaluate and comment on the plan for
installation and test procedures of the PTC system for revenue
service.
(i) The reviewer shall prepare a final report of the assessment.
The report shall be submitted to the railroad prior to the
commencement of installation testing and contain at least the
following information:
(1) Reviewer's evaluation of the adequacy of the PSP or PTCSP
including the supplier's MTTHE and risk estimates for the PTC
system, and the supplier's confidence interval in these estimates;
(2) PTC system vulnerabilities, potentially hazardous failure
modes, or potentially hazardous operating circumstances which the
reviewer felt were not adequately identified, tracked or mitigated;
(3) A clear statement of position for all parties involved for
each PTC system vulnerability cited by the reviewer;
(4) Identification of any documentation or information sought by
the reviewer that was denied, incomplete, or inadequate;
(5) A listing of each applicable vendor, industry, national or
international standard, process, or procedure which was not properly
followed;
(6) Identification of the hardware and software verification and
validation procedures for the PTC system's safety-critical
applications, and the reviewer's evaluation of the adequacy of these
procedures;
(7) Methods employed by PTC system manufacturer to develop
safety-critical software, such as use of structured language, code
checks, modularity, or other similar generally acceptable
techniques; and
(8) If directed by FRA, methods employed by PTC system
manufacturer to develop safety-critical hardware.
Karen J. Rae,
Deputy Administrator.
[FR Doc. E9-17184 Filed 7-15-09; 4:15 pm]
BILLING CODE 4910-06-P